公开(公告)号：US08381062B1

公开(公告)日：2013-02-19

申请号：US12115145

申请日：2008-05-05

申请人： Ari Juels ,  Burton S. Kaliski, Jr. ,  Kevin D. Bowers ,  Alina M. Oprea

发明人： Ari Juels ,  Burton S. Kaliski, Jr. ,  Kevin D. Bowers ,  Alina M. Oprea

IPC分类号： G06F11/00

CPC分类号： G06F21/602 ,  G06F11/10 ,  G06F21/64 ,  H04L9/3221 ,  H04L63/123 ,  H04L63/126

摘要： A proof of retrievability (POR) mechanism is applicable to a file for providing assurances of file possession to a requesting client by transmitting only a portion of the entire file. The client compares or examines validation values returned from predetermined validation segments of the file with previously computed validation attributes for assessing the existence of the file. Since the archive server does not have access to the validation function prior to the request, or challenge, from the client, the archive server cannot anticipate the validation values expected from the validation function. Further, since the validation segments from which the validation attributes, and hence the validation values were derived, are also unknown to the server, the server cannot anticipate which portions of the file will be employed for validation.

摘要翻译： 可检索性（POR）机制的证明适用于通过传送整个文件的一部分来向请求客户端提供文件拥有保证的文件。 客户端比较或检查从文件的预定验证段返回的验证值与先前计算的验证属性，以评估文件的存在。 由于存档服务器在请求之前无法访问验证函数，或者从客户端询问，归档服务器无法预期验证函数预期的验证值。 此外，由于从其导出验证属性以及因此导出验证值的验证段对于服务器而言也是未知的，所以服务器不能预期该文件的哪些部分将用于验证。

公开(公告)号：US08813234B1

公开(公告)日：2014-08-19

申请号：US13171759

申请日：2011-06-29

申请人： Kevin D. Bowers ,  Marten E. van Dijk ,  Ari Juels ,  Alina M. Oprea ,  Ronald L. Rivest ,  Nikolaos Triandopoulos

发明人： Kevin D. Bowers ,  Marten E. van Dijk ,  Ari Juels ,  Alina M. Oprea ,  Ronald L. Rivest ,  Nikolaos Triandopoulos

IPC分类号： G06F21/00

CPC分类号： G06F21/552 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/20

摘要： A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing transitions between pairs of the nodes are assigned to respective edges in the graph. A minimum cut of the graph is computed, and a defensive strategy is determined based on the minimum cut. The system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.

摘要翻译： 处理设备包括处理器，其耦合到存储器并且实现基于图的方法以保护包括信息技术基础设施的系统免受持久的安全威胁。 持续性安全威胁的攻击升级状态被分配给图中的相应节点，并且用于防止节点对之间的转换的防御成本被分配给图中的相应边缘。 计算图的最小值，并根据最小值确定防御策略。 包含受到持续安全威胁的信息技术基础架构的系统是根据防御策略配置的，以便阻止持续的安全威胁。

公开(公告)号：US07725730B2

公开(公告)日：2010-05-25

申请号：US10216030

申请日：2002-08-09

申请人： Ari Juels ,  Burton S. Kaliski, Jr.

发明人： Ari Juels ,  Burton S. Kaliski, Jr.

IPC分类号： H04L29/06 ,  H04L9/32 ,  G06F21/00 ,  G06F7/04 ,  G06F12/14 ,  G08B29/00

CPC分类号： H04L63/083 ,  H04L9/0844 ,  H04L9/3218 ,  H04L9/3226 ,  H04L63/1441 ,  H04L63/1458 ,  H04L2209/04 ,  H04L2209/42 ,  H04L2209/80 ,  H04L2209/805 ,  H04W12/06 ,  H04W12/12

摘要： Secure authentication protocols, particularly well-suited for use in authenticating mobile communications devices having limited computational resources, are disclosed. In an illustrative embodiment, a network-based communication system includes a client device and at least two servers. First and second shares are generated from a first password associated with the client device, and stored in respective first and second servers. The client device submits additional information associated therewith to at least one of the first and second servers. Each of the first and second shares has the property that it is infeasible to determine solely therefrom correspondence of the additional information with the first password. The first and second servers then utilize the respective first and second shares to collectively determine said correspondence of the additional information with the first password.

摘要翻译： 公开了特别适合于认证具有有限计算资源的移动通信设备的安全认证协议。 在说明性实施例中，基于网络的通信系统包括客户端设备和至少两个服务器。 从与客户端设备相关联的第一密码生成第一和第二共享，并存储在相应的第一和第二服务器中。 客户端设备将与其相关联的附加信息提交给第一和第二服务器中的至少一个。 第一和第二股份中的每一个都具有不可能仅从其确定附加信息与第一密码的对应关系的属性。 然后，第一和第二服务器利用相应的第一和第二份共同确定附加信息与第一密码的所述对应关系。

公开(公告)号：US09137012B2

公开(公告)日：2015-09-15

申请号：US11671264

申请日：2007-02-05

申请人： Daniel Vernon Bailey ,  John G. Brainard ,  Ari Juels ,  Burton S. Kaliski, Jr.

发明人： Daniel Vernon Bailey ,  John G. Brainard ,  Ari Juels ,  Burton S. Kaliski, Jr.

IPC分类号： H04W24/00 ,  H04L9/08 ,  H04L29/06 ,  H04W12/06 ,  H04L9/32

CPC分类号： H04L9/0861 ,  H04L9/3228 ,  H04L9/3234 ,  H04L63/0492 ,  H04L63/08 ,  H04L63/0838 ,  H04L2209/805 ,  H04W12/06

摘要： A first processing device, which may be, for example, a wireless authentication token or an RFID tag, transmits information in a wireless network in a manner that emulates standard communications of an access point of the wireless network, although the first processing device is not configured to operate as an actual access point of the wireless network. A second processing device, which may be, for example, a computer or other station of the wireless network, receives the transmitted information and is able to determine therefrom that the information originates from an emulated access point rather than an actual access point. The second processing device responds to this condition by utilizing the transmitted information in a manner distinct from its utilization of similar information received from the actual access point of the wireless network.

摘要翻译： 可以是例如无线认证令牌或RFID标签的第一处理设备以模拟无线网络的接入点的标准通信的方式在无线网络中发送信息，尽管第一处理设备不是 被配置为作为无线网络的实际接入点进行操作。 可以是例如无线网络的计算机或其他站的第二处理设备接收所发送的信息，并且能够从其确定信息源自仿真接入点而不是实际接入点。 第二处理装置以与从无线网络的实际接入点接收到的类似信息不同的方式利用所发送的信息来响应该条件。

公开(公告)号：US07502933B2

公开(公告)日：2009-03-10

申请号：US10724034

申请日：2003-11-26

申请人： Markus Jakobsson ,  Ari Juels ,  Burton S. Kaliski, Jr.

发明人： Markus Jakobsson ,  Ari Juels ,  Burton S. Kaliski, Jr.

IPC分类号： H04L9/00

CPC分类号： G07F7/1008 ,  G06Q20/341 ,  G06Q20/40975 ,  H04L9/3226 ,  H04L2209/60 ,  H04L2209/80

摘要： A method and system for generating an authentication code that depends at least in part on a dynamic value that changes over time, an event state associated with the occurrence of an event, and a secret associated with an authentication device. By generating the authentication code responsive to an event state, an identity authentication code can be used to verify identity and to communicate event state information, and to do so in a secure manner.

摘要翻译： 一种用于生成认证码的方法和系统，所述认证码至少部分取决于随时间变化的动态值，与事件发生相关联的事件状态以及与认证设备相关联的秘密。 通过响应于事件状态生成认证码，可以使用身份认证码来验证身份并传达事件状态信息，并以安全的方式进行。

公开(公告)号：US09280871B2

公开(公告)日：2016-03-08

申请号：US11774857

申请日：2007-07-09

申请人： Daniel Vernon Bailey ,  Burton S. Kaliski, Jr. ,  Ari Juels ,  Ronald L. Rivest

发明人： Daniel Vernon Bailey ,  Burton S. Kaliski, Jr. ,  Ari Juels ,  Ronald L. Rivest

IPC分类号： G07F17/32

CPC分类号： G07F17/3251 ,  G07F17/32

摘要： Techniques for providing authentication functionality in a gaming system are disclosed. In one aspect, a gaming system is configured such that, at a given point during a current session of a game in progress that involves at least one user previously granted access by the system to participate in the current session, information available from an authentication token associated with the user is obtained prior to allowing the user to take a particular action in the game. A determination is made as to whether or not the user will be allowed to take the particular action in the game, based on the obtained information. The obtained information may comprise, for example, at least a portion of a one-time password generated by a hardware or software authentication token.

摘要翻译： 公开了一种用于在游戏系统中提供认证功能的技术。 在一个方面，游戏系统被配置为使得在正在进行的游戏的当前会话期间的给定点处涉及至少一个用户先前被系统授权参与当前会话的访问，来自认证令牌的信息 在允许用户在游戏中采取特定动作之前获得与用户相关联。 根据所获得的信息确定用户是否将被允许在游戏中采取特定动作。 获得的信息可以包括例如由硬件或软件认证令牌生成的一次性密码的至少一部分。

公开(公告)号：US08495372B2

公开(公告)日：2013-07-23

申请号：US11939232

申请日：2007-11-13

申请人： Daniel Vernon Bailey ,  John G. Brainard ,  Ari Juels ,  Burton S. Kaliski, Jr.

发明人： Daniel Vernon Bailey ,  John G. Brainard ,  Ari Juels ,  Burton S. Kaliski, Jr.

IPC分类号： H04L9/32 ,  H04L9/00

CPC分类号： H04L9/0861 ,  H04L9/3228 ,  H04L9/3234 ,  H04L63/0492 ,  H04L63/08 ,  H04L63/0838 ,  H04L2209/805 ,  H04W12/06

摘要： In one aspect, a first processing device, which may be an authentication token, establishes a shared key through a pairing protocol carried out between the first processing device and a second processing device. The pairing protocol also involves communication between the second processing device and an authentication server. As part of the pairing protocol, the first processing device sends identifying information to the second processing device, and the second processing device utilizes the identifying information to obtain the shared key from the authentication server. The first processing device encrypts authentication information utilizing the shared key, and transmits the encrypted authentication information from the first processing device to the second processing device. The second processing device utilizes the shared key to decrypt the encrypted authentication information.

摘要翻译： 一方面，可以是认证令牌的第一处理设备通过在第一处理设备和第二处理设备之间执行的配对协议来建立共享密钥。 配对协议还涉及第二处理设备和认证服务器之间的通信。 作为配对协议的一部分，第一处理设备向第二处理设备发送识别信息，并且第二处理设备利用识别信息从认证服务器获得共享密钥。 第一处理装置利用共享密钥加密认证信息，并将加密的认证信息从第一处理装置发送到第二处理装置。 第二处理装置利用共享密钥对加密的认证信息进行解密。

公开(公告)号：US08689282B1

公开(公告)日：2014-04-01

申请号：US13336692

申请日：2011-12-23

申请人： Alina M. Oprea ,  Yinqian Zhang ,  Vijay Ganti ,  John P. Field ,  Ari Juels ,  Michael Kendrick Reiter

发明人： Alina M. Oprea ,  Yinqian Zhang ,  Vijay Ganti ,  John P. Field ,  Ari Juels ,  Michael Kendrick Reiter

IPC分类号： H04L29/06

CPC分类号： H04L63/20

摘要： Cloud infrastructure of a cloud service provider comprises a processing platform implementing a security policy enforcement framework. The security policy enforcement framework comprises a policy analyzer that is configured to identify at least one security policy associated with at least one tenant of the cloud service provider, to analyze the security policy against configuration information characterizing the cloud infrastructure of the cloud service provider, and to control execution of one or more applications of said at least one tenant within the cloud infrastructure in accordance with the security policy, based at least in part on one or more results of the analysis of the security policy. The security policy enforcement framework may be implemented in a platform-as-a-service (PaaS) layer of the cloud infrastructure, and may comprise a runtime controller, an operating system controller, a hypervisor controller and a PaaS controller.

摘要翻译： 云服务提供商的云基础设施包括实施安全策略实施框架的处理平台。 安全策略实施框架包括策略分析器，其被配置为识别与云服务提供商的至少一个租户相关联的至少一个安全策略，以针对表征云服务提供商的云基础设施的配置信息来分析安全策略;以及 至少部分地基于对安全策略的分析的一个或多个结果来根据安全策略来控制云基础设施内的所述至少一个租户的一个或多个应用的​​执行。 安全策略实施框架可以在云基础架构的平台即服务（PaaS）层中实现，并且可以包括运行时控制器，操作系统控制器，管理程序控制器和PaaS控制器。

公开(公告)号：US09471777B1

公开(公告)日：2016-10-18

申请号：US13404839

申请日：2012-02-24

申请人： Ari Juels ,  Marten Erik van Dijk ,  Alina M. Oprea ,  Ronald L. Rivest

发明人： Ari Juels ,  Marten Erik van Dijk ,  Alina M. Oprea ,  Ronald L. Rivest

IPC分类号： H04L29/06 ,  G06F21/55

CPC分类号： G06F21/55 ,  G06F21/45 ,  H04L9/002 ,  H04L63/1441

摘要： A processing device is configured to identify a plurality of defensive security actions to be taken to address a persistent security threat to a system comprising information technology infrastructure, and to determine a schedule for performance of the defensive security actions based at least in part on a selected distribution derived from a game-theoretic model, such as a delayed exponential distribution or other type of modified exponential distribution. The system subject to the persistent security threat is configured to perform the defensive security actions in accordance with the schedule in order to deter the persistent security threat. The distribution may be selected so as to optimize defender benefit in the context of the game-theoretic model, where the game-theoretic model may comprise a stealthy takeover game in which attacker and defender entities can take actions at any time but cannot determine current game state without taking an action.

摘要翻译： 处理设备被配置为识别要采取的多个防御性安全措施以解决对包括信息技术基础设施的系统的持续安全威胁，并且至少部分地基于所选择的确定用于执行防御性安全动作的调度 衍生自游戏理论模型的分布，例如延迟指数分布或其他类型的修改指数分布。 受到持续安全威胁的系统被配置为根据时间表执行防御性安全措施，以便阻止持续的安全威胁。 可以选择分配，以便在游戏理论模型的上下文中优化后卫利益，其中游戏理论模型可以包括隐形收购游戏，其中攻击者和后卫实体可以随时采取行动但不能确定当前游戏 状态而不采取行动。

公开(公告)号：US08635465B1

公开(公告)日：2014-01-21

申请号：US13432577

申请日：2012-03-28

申请人： Ari Juels ,  Alina M. Oprea

发明人： Ari Juels ,  Alina M. Oprea

IPC分类号： G06F12/14

CPC分类号： H04L63/0428 ,  G06F21/602 ,  H04L67/10

摘要： A processing device is configured to maintain counters for respective stored data blocks, and to encrypt a given one of the data blocks utilizing a value of the data block in combination with a value of its associated counter. The encryption may comprise a homomorphic encryption operation performed on the given data block as a function of the value of that data block and the value of its associated counter, with the homomorphic encryption operation comprising an operation such as addition or multiplication performed over a designated field. A given one of the counters is incremented each time the corresponding data block is subject to an update operation. The data block can be encrypted, for example, by combining a value of that data block with an additional value determined using the associated counter value, such as a one-time pad value determined as a function of the counter value.

摘要翻译： 处理设备被配置为维护相应存储的数据块的计数器，并且利用与其相关联的计数器的值相结合的数据块的值来加密给定的一个数据块。 加密可以包括对给定数据块执行的同态加密操作，作为该数据块的值和其相关联的计数器的值的函数，同形加密操作包括在指定字段上执行的加法或乘法 。 每当对应的数据块进行更新操作时，给定的一个计数器递增。 数据块可以被加密，例如通过将该数据块的值与使用相关联的计数器值确定的附加值组合，例如作为计数器值的函数确定的一次性填充值。