公开(公告)号：US5519706A

公开(公告)日：1996-05-21

申请号：US267689

申请日：1994-06-28

申请人： David Bantz ,  Frederic Bauchot ,  Eliane D. Bello ,  Shay Kutten ,  Hugo Krawczyk

发明人： David Bantz ,  Frederic Bauchot ,  Eliane D. Bello ,  Shay Kutten ,  Hugo Krawczyk

IPC分类号： G09C1/00 ,  H04J13/00 ,  H04L9/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/16 ,  H04L9/30 ,  H04L9/32 ,  H04J3/02

CPC分类号： H04L9/0844 ,  H04L9/0891 ,  H04L2209/80

摘要： In a communications system comprising a number of base stations, each base station communicating over a shared communication channel with a plurality of registered stations and controlling the network cell formed by said plurality of registered stations, a method is described for dynamically registering and deregistering mobile stations. Each station owns a unique address and is allocated a local identifier at registration time. Each network cell owns a unique cell identifier known to all registered stations belonging to this network cell. Base stations manage cell members data uniquely associating the unique address and the local identifier corresponding to each one of the mobile stations belonging to their network cell. A registration request is sent to a selected base station by a registering mobile station, comprising the unique cell identifier of the network cell controlled by the selected base station and the unique address of the registering mobile station; the selected base station detects in its cell members data any conflicting registered station whose unique address matches the unique address of the registering mobile station and sends an address check packet to any conflicting registered station, comprising the unique address of the conflicting registered station, its local identifier and the identifier of the network cell it controls. A receiving registered mobile station sends to the selected base station, an acknowledgement to the address check packet if its unique address, the local identifier of its owning base station and its network cell identifier all match with the ones carried by the address check packet. The selected base station rejects the registration request it it receives an acknowledgement to its address check packet. The same address check packet is used to deregister inactive stations.

摘要翻译： 在包括多个基站的通信系统中，每个基站通过共享通信信道与多个注册站进行通信并控制由所述多个注册站形成的网络小区，描述了一种动态登记和注销移动站的方法 。 每个站拥有唯一的地址，并在注册时分配一个本地标识符。 每个网络小区拥有属于该网络小区的所有注册站所知的唯一小区标识符。 基站管理对应于属于其网络小区的移动站中的每一个的唯一地址和本地标识的小区成员数据。 注册请求由注册移动台发送到所选择的基站，包括由所选择的基站控制的网络小区的唯一小区标识符和注册移动台的唯一地址; 所选择的基站在其小区成员数据中检测其唯一地址与注册移动站的唯一地址匹配的冲突注册站，并将地址检查分组发送到任何冲突的注册站，包括冲突注册站的唯一地址，其本地 标识符及其控制的网络单元的标识符。 接收登记的移动台如果其唯一地址，其拥有的基站的本地标识符及其网络小区标识符与地址检查分组携带的唯一地址一致，则向所选择的基站发送对地址检查分组的确认。 所选择的基站拒绝其接收到其地址检查分组的确认的注册请求。 相同的地址检查数据包用于取消注册非活动站。

公开(公告)号：US5369705A

公开(公告)日：1994-11-29

申请号：US892852

申请日：1992-06-03

申请人： Raymond F. Bird ,  Amir Herzberg ,  Philippe A. Janson ,  Shay Kutten ,  Refik A. Molva ,  Marcel M. Yung

发明人： Raymond F. Bird ,  Amir Herzberg ,  Philippe A. Janson ,  Shay Kutten ,  Refik A. Molva ,  Marcel M. Yung

IPC分类号： G06F13/00 ,  G09C1/00 ,  H04L9/08 ,  H04L9/32

CPC分类号： H04L9/0833

摘要： A method and apparatus for providing authentication among a dynamically selected group of users in a communication system with a dynamically changing network topology. With this invention, freshness information and alleged identity information are transmitted from each of the users in the group using available paths in the network. A group key is then generated, and coded information, derived from the group key and the above transmitted information, is sent to each of the users. Each unit of coded information is accompanied by an identifying tag so as to identify which of the users is to use the appropriate unit of coded information. Each alleged user will then extract the group key from a corresponding coded information unit only if it shares an appropriate secret with a server. Without knowledge of the group key, a user cannot be authenticated.

摘要翻译： 一种在具有动态变化的网络拓扑的通信系统中的动态选择的用户组之间提供认证的方法和装置。 利用本发明，使用网络中的可用路径从组中的每个用户发送新鲜度信息和所指称的身份信息。 然后生成组密钥，并将从组密钥和上述发送的信息导出的编码信息发送给每个用户。 编码信息的每个单元都附有识别标签，以便识别哪个用户使用适当的编码信息单元。 然后，每个被指称的用户只有在与服务器共享适当的秘密时，才从相应的编码信息单元中提取组密钥。 不知道组密钥，用户不能被认证。

公开(公告)号：US5539824A

公开(公告)日：1996-07-23

申请号：US348656

申请日：1994-12-02

申请人： Ronald E. Bjorklund ,  Frederic Bauchot ,  Michele M. Wetterwald ,  Shay Kutten ,  Amir Herzberg

发明人： Ronald E. Bjorklund ,  Frederic Bauchot ,  Michele M. Wetterwald ,  Shay Kutten ,  Amir Herzberg

IPC分类号： G09C1/00 ,  H04L9/08 ,  H04L9/32 ,  H04N9/32

CPC分类号： H04L9/0836 ,  H04L9/321 ,  H04L2209/80

摘要： This invention deals with a safe key distribution and authentication in a data communication network (e.g. wireless LAN type of network).The network includes a network manager to which are connected, via a LAN wired circuit, one or more base stations. Individual remote stations are, in turn, wirelessly connected to an installed base station.One essential function for achieving security in such a network, is a mechanism to reliably authenticate the exchanges of data between communicating parties. This involves the establishment of session keys, which keys need to be distributed safely to the network components. An original and safe method is provided with this invention for key distribution and authentication during network installation, said method including using the first installed base station for generating a network key and a backbone key, and then using said first installed base station for subsequent remote station or additional base station installations while avoiding communicating said network key.

摘要翻译： 本发明涉及数据通信网络（例如，无线LAN类型的网络）中的安全密钥分发和认证。 该网络包括经由LAN有线电路连接到一个或多个基站的网络管理器。 反过来，各个远程站无线连接到已安装的基站。 在这种网络中实现安全性的一个基本功能是可靠地认证通信方之间数据交换的机制。 这涉及建立会话密钥，这些密钥需要安全地分发给网络组件。 本发明提供了一种用于网络安装期间的密钥分发和认证的原始和安全的方法，所述方法包括使用第一安装的基站生成网络密钥和骨干密钥，然后使用所述第一安装的基站用于后续的远程站 或附加的基站安装，同时避免通信所述网络密钥。

公开(公告)号：US5515439A

公开(公告)日：1996-05-07

申请号：US336605

申请日：1994-11-09

申请人： David Bantz ,  Frederic Bauchot ,  Eliane D. Bello ,  Shay Kutten ,  Hugo Krawczyk ,  Amir Herzberg ,  Yishay Mansour

发明人： David Bantz ,  Frederic Bauchot ,  Eliane D. Bello ,  Shay Kutten ,  Hugo Krawczyk ,  Amir Herzberg ,  Yishay Mansour

IPC分类号： G09C1/00 ,  H04J13/00 ,  H04L9/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/16 ,  H04L9/30 ,  H04L9/32

CPC分类号： H04L9/0844 ,  H04L9/0891 ,  H04L2209/80

摘要： In a communications system, a method is described allowing two users having established a communication session identified by a unique session freshness proof, to transmit and validate a new value of a variable by using an exchange certificate which combines the following elements: the new value of the variable, a common secret key known by both users, an exchange counter representative of the number of values of said variable transmitted between the two users during the current communication session and a session freshness proof. Protection against potential eavesdroppers and intruders is provided by combining cryptographically the elements of the exchange certificate. Further protection is obtained by interrupting the current communication session and opening a new one characterized by a new unique session freshness proof when the exchange counter reaches its maximum value; thus avoiding the risk that the same value of the session freshness keeps being used when the exchange counter is reset to its initial value. Consequently a given pair of values of the session freshness proof and of the exchange counter will never be used more than one time, making eavesdropping and, replaying attacks from intruders more difficult. Preferably, the method used for opening a new communication session uses already known authentication methods based on the common secret key.

摘要翻译： 在通信系统中，描述了允许两个用户已经建立了通过唯一会话新鲜度证明来识别的通信会话的方法，通过使用组合以下元素的交换证书来发送和验证变量的新值：新值 所述变量，两个用户已知的公用秘密密钥，表示在当前通信会话期间在两个用户之间传送的所述变量的值的数量的交换计数器和会话新鲜度证明。 通过加密地组合交换证书的元素来提供对潜在窃听者和入侵者的保护。 当交换计数器达到最大值时，通过中断当前通信会话并打开一个新特性的新特性会话新鲜度证明来获得进一步的保护; 从而避免当交换计数器重置为其初始值时会话新鲜度相同的值被使用的风险。 因此，会话新鲜度证明和交换计数器的一对给定的值将永远不会被使用一次以上，从而使得窃听和重播来自入侵者的攻击更加困难。 优选地，用于打开新的通信会话的方法使用已知的基于公用秘密密钥的认证方法。

公开(公告)号：US5699427A

公开(公告)日：1997-12-16

申请号：US494615

申请日：1995-06-23

申请人： Chee-Seng Chow ,  Shay Kutten ,  Marcell Mordechay Yung

发明人： Chee-Seng Chow ,  Shay Kutten ,  Marcell Mordechay Yung

IPC分类号： G11B20/00 ,  G11B23/28 ,  H04N1/32

CPC分类号： G11B23/283 ,  G11B20/00086 ,  G11B20/00123 ,  H04N1/32144 ,  H04N2201/3205 ,  H04N2201/3233 ,  H04N2201/327 ,  H04N2201/3274 ,  H04N2201/3278

摘要： A system for identifying the authorized receiver of any particular copy of a document. More specifically, each particular copy of a document is fingerprinted by applying a set of variations to a document, where each variation is a change in data contents, but does not change the meaning or perusal experience of the document. A database associating a set of variants to a receiver is maintained. Thus any variant or copy of that variant can be traced to an authorized receiver.

摘要翻译： 用于识别文档的任何特定副本的授权接收者的系统。 更具体地，文档的每个特定副本通过将一组变体应用于文档进行指纹识别，其中每个变体是数据内容的改变，但不改变文档的含义或阅读体验。 保持将一组变体与接收器相关联的数据库。 因此，该变体的任何变体或副本可以被追溯到授权的接收者。

公开(公告)号：US5459725A

公开(公告)日：1995-10-17

申请号：US215534

申请日：1994-03-22

申请人： Rachel A. Bodner ,  Chee-Seng Chow ,  Israel Cidon ,  John G. Dudley ,  Allan K. Edwards ,  Inder S. Gopal ,  Chandra P. Immanuel ,  Marc A. Kaplan ,  Shay Kutten ,  Theodore E. Tedijanto

发明人： Rachel A. Bodner ,  Chee-Seng Chow ,  Israel Cidon ,  John G. Dudley ,  Allan K. Edwards ,  Inder S. Gopal ,  Chandra P. Immanuel ,  Marc A. Kaplan ,  Shay Kutten ,  Theodore E. Tedijanto

IPC分类号： H04L1/00 ,  H04L1/16 ,  H04L1/18 ,  H04L12/18 ,  H04L1/12

CPC分类号： H04L12/1868 ,  H04L1/1685 ,  H04L1/188 ,  H04L12/1854 ,  H04L2001/0093 ,  H04L2001/125

摘要： A packet communications network in which multicast transmissions are made reliable by transmitting acknowledgements to all neighbors of every receiving node, including the source node. This allows the relinquishment of message holding buffers as soon as all near neighbors acknowledge receipt of the message after only tile longest round trip time to the nearest neighbors, rather than the round trip to the furthest destination. Moreover, highly reliable ancillary point-to-point transmission facilities can be used to retransmit multicast messages indicated as being lost by failure of acknowledgment. Finally, network partitions occurring during the multicast procedure do not necessarily lose the multicast message to the remote partitions since any node receiving the message can insure delivery to all other nodes in that partition.

摘要翻译： 一种分组通信网络，其中通过向包括源节点的每个接收节点的所有邻居发送确认使多播传输变得可靠。 一旦所有邻近的邻居都确认在最近的往返时间最长的往返时间之后确认接收到消息，而不是最远的目的地的往返行程，则可以放弃信息保持缓冲区。 此外，高度可靠的辅助点对点传输设施可以用于重传由确认失败指示为丢失的多播消息。 最后，在多播过程中发生的网络分区不一定会丢失到远程分区的多播消息，因为接收消息的任何节点都可以确保传送到该分区中的所有其他节点。

公开(公告)号：US5148479A

公开(公告)日：1992-09-15

申请号：US672226

申请日：1991-03-20

申请人： Raymond F. Bird ,  Inder S. Gopal ,  Philippe A. Janson ,  Shay Kutten ,  Refik A. Molva ,  Marcel M. Yung

发明人： Raymond F. Bird ,  Inder S. Gopal ,  Philippe A. Janson ,  Shay Kutten ,  Refik A. Molva ,  Marcel M. Yung

IPC分类号： H04L9/06 ,  G06F21/00 ,  G09C1/00 ,  H04L9/14 ,  H04L9/32 ,  H04L12/22

CPC分类号： H04L63/08 ,  G06F21/445 ,  H04L9/002 ,  H04L9/3218 ,  H04L9/3271 ,  G06F2221/2103

摘要： An arrangement of authenticating communications network users and means for carrying out the arrangement. A first challenge N1 is transmitted from a first user A to a second user B. In response to the first challenge, B transmits a first response and second challenge N2 to A. A verifies the first response. A then generates and transmits a second response to the second challenge to B, where the second response is verified. The first response must be of a minimum formf(S1, N1, . . . ),and the second response must be of the minimum formg(S2, N2, . . . ).S1 and S2 are shared secrets between A and B. f() and g() are selected such that the equationf'(s1,N1', . . . )=g(S2, N2)cannot be solved for N1' without knowledge of S1 and S2. f'() and N1' represent expressions on a second reference connection. Preferably, the function f() may include the direction D1 of the flow of the message containing f(), as in f(s1, N1, D1, . . . ). In such a case, f() is selected such that the equationf'(S,N1',D1', . . . )=f(S, N2, D1, . . . )cannot be solved for N1' without knowledge of S1 and S2 and D1' is the flow direction indicator of the message containing f'() on the reference connection.

公开(公告)号：USRE38375E1

公开(公告)日：2003-12-30

申请号：US09560334

申请日：2000-04-27

申请人： Amir Herzberg ,  Hugo Mario Krawczyk ,  Shay Kutten ,  An Van Le ,  Stephen Michael Matyas ,  Marcel Mordechay Yung

发明人： Amir Herzberg ,  Hugo Mario Krawczyk ,  Shay Kutten ,  An Van Le ,  Stephen Michael Matyas ,  Marcel Mordechay Yung

IPC分类号： H04L900

CPC分类号： G06F21/10 ,  G06F2211/007 ,  G06F2211/008

摘要： A method and system for detecting authorized programs within a data processing system. The present invention creates a validation structure for validating a program. The validation structure is embedded in the program and in response to an initiation of the program, a determination is made as to whether the program is an authorized program. The determination is made using the validation structure.

公开(公告)号：US5745678A

公开(公告)日：1998-04-28

申请号：US914911

申请日：1997-08-18

申请人： Amir Herzberg ,  Hugo Mario Krawczyk ,  Shay Kutten ,  An Van Le ,  Stephen Michael Matyas ,  Marcel Mordechay Yung

发明人： Amir Herzberg ,  Hugo Mario Krawczyk ,  Shay Kutten ,  An Van Le ,  Stephen Michael Matyas ,  Marcel Mordechay Yung

IPC分类号： G06F21/22 ,  G06F1/00 ,  G06F21/00 ,  H04L9/00

CPC分类号： G06F21/10 ,  G06F2211/007 ,  G06F2211/008

摘要： A method and system for detecting authorized programs within a data processing system. The present invention creates a validation structure for validating a program. The validation structure is embedded in the program and in response to an initiation of the program, a determination is made as to whether the program is an authorized program. The determination is made using the validation structure.

摘要翻译： 一种用于检测数据处理系统内的授权程序的方法和系统。 本发明创建用于验证程序的验证结构。 验证结构嵌入在程序中并且响应于程序的启动，确定程序是否是授权程序。 确定使用验证结构。

公开(公告)号：US5634011A

公开(公告)日：1997-05-27

申请号：US517305

申请日：1995-08-21

申请人： Joshua S. Auerbach ,  John E. Drake, Jr. ,  Prabandham M. Gopal ,  Elizabeth A. Hervatic ,  Marc A. Kaplan ,  Shay Kutten ,  Marcia L. Peters ,  Michael J. Ward

发明人： Joshua S. Auerbach ,  John E. Drake, Jr. ,  Prabandham M. Gopal ,  Elizabeth A. Hervatic ,  Marc A. Kaplan ,  Shay Kutten ,  Marcia L. Peters ,  Michael J. Ward

IPC分类号： H04L12/18 ,  H04L12/24 ,  H04L12/56 ,  H01H67/00

CPC分类号： H04L12/1854 ,  H04L41/042 ,  H04L12/185 ,  H04L12/1877 ,  H04L2012/5626

摘要： A multinode, multicast communications network has a distributed control for the creation, administration and operational mode selection operative in each of the nodes of the network. Each node is provided with a Set Manager for controlling either creation of, administration or access to a set of users to whom a multicast is to be directed. The Set Manager maintains a record of the local membership of all users associated with the node in which the Set Manager resides. A given Set Manager for each designated set of users is assigned the task of being the Set Leader to maintain membership information about the entire set of users in the multicast group. One of the Set Managers in the communications network is designated to be the Registrar which maintains a list of all the Set Leaders in the network. The Registrar insures that there is one and only one Set Leader for each set of users, answers inquiries about the membership of the sets and directs inquiries to appropriate Set Leaders if necessary. All of the set creation, administration and control functions can therefore be carried out by any node of the system and provision is made to assume the function at a new node when failure or partition in the network occurs.

摘要翻译： 多节点组播通信网络具有分布式控制，用于在网络的每个节点中操作的创建，管理和操作模式选择。 每个节点都设有一个集管理器，用于控制要组播多路广播的一组用户的创建，管理或访问。 集管理器维护与Set Manager所在节点相关联的所有用户的本地成员资格记录。 为每个指定的用户组给定的集合管理器被分配为作为集合领导者的任务以维护关于组播组中的整个用户组的成员关系信息。 通信网络中的一个集合管理器被指定为注册服务商，该服务器维护网络中所有集团领导者的列表。 注册服务机构确保每组用户只有一个，只有一个集合领导，回答关于集合成员的查询，并在必要时向相应的集合领导者查询。 因此，所有的创建，管理和控制功能都可以由系统的任何节点执行，并且在网络中发生故障或分区时，将提供在新节点上承担功能。