Abstract:
A computer system attempts to authenticate with a server to gain authorization to access a first network. It is determined by the server that the computer system is not authorized to access the first network. The computer system is given authorization to access a second network for at least the purpose of downloading files (e.g., signup and configuration files) needed to access the first network. A user-interface for receiving user-entered signup information is automatically presented at the computer system. A first schema-based document including user-entered information is transferred to the server. If the server determines that the user-entered information is appropriate, a second-schema document, which includes an indication of authorization to access the first network (e.g., a user-identifier and password), is received. A third schema-based document is executed at the computer system to compatibly configure the computer system for accessing the first network.
Abstract:
Disclosed are methods for a client, having established one set of security keys, to establish a new set without having to communicate with an authentication server. When the client joins a group, master session security keys are derived and made known to the client and to the group's access server. From the master session security keys, the access server and client each derive transient session security keys, used for authentication and encryption. To change the transient session security keys, the access server creates “liveness” information and sends it to the client. New master session security keys are derived from the liveness information and the current set of transient session security keys. From these new master session security keys are derived new transient session security keys. This process limits the amount of data sent using one set of transient session security keys and thus limits the effectiveness of any statistical attacker.
Abstract:
Network devices access a communications network and engage in secure associations with one or more network access points upon authenticating the access points and upon verifying the discovery information that is broadcast by the access point. Once a secure association is created, management frames that are subsequently transmitted between the network devices and the access points and that are used to control the secure association are verified to further enhance the security of the communications network.
Abstract:
The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited-use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected and secure authentication is facilitated with a tunnel key that is used to encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.
Abstract:
A wireless access point may be configured to advertise, to mobile user devices, multiple wireless networks available through the wireless access point. For example, service set identifiers (SSIDs) may be specified within an information element (IE) of a communication such as, for example, an 802.11 beacon, broadcasted to mobile user devices. Such an IE may utilize the capability provided by IEEE 802.11 itself to use additional and flexible numbers of information elements within a beacon. Accordingly, networks that would otherwise remain hidden due to limitations of known wireless access points are made visible to mobile user devices. Configuring a wireless access point to advertise multiple available wireless networks, for example, by firmware upgrades, may serve as a viable and cost-effective interim solution and/or alternative to replacing a wireless access point with a wireless access point configured to implement virtual wireless access points.
Abstract:
A method and system for managing power consumption in a portable computing device having a network interface module is presented. A power management module receives inputs from other modules and determines when the network interface module is to be put in a doze state for a predetermined number of beacon intervals to conserve power consumption in the network interface module. The network interface module in a device that is associated with a network is put in the doze state after an event has occurred including when a scan has been performed, after a delayed sleep timer has expired, and after a beacon transmission has been completed and no traffic is buffered for the device. The delayed sleep time is set based on the estimated round trip time of a packet.