Refresh-and-rotation process for minimizing resource vulnerability to persistent security threats
    1.
    Granted invention patent (status: in force)

    Publication number: US08505097B1

    Publication date: 2013-08-06

    Application number: US13173877

    Application date: 2011-06-30

    IPC classification: G06F7/04 G06F11/00

    CPC classification: G06F21/552

    Abstract: A processing device comprises a processor coupled to a memory and implements a refresh-and-rotation process to protect a system comprising information technology infrastructure from a persistent security threat. The processing device is configured to replace one or more identified resources of a resource pool of the information technology infrastructure with one or more corresponding refreshed resources so as to provide a refreshed resource pool, and to remap elements of a set of workloads running on the information technology infrastructure to elements of the refreshed resource pool in order to deter the persistent security threat. The processing device may maintain within the resource pool a set of reserve resource pool elements that have no workload elements mapped to them, and can add resource pool elements to and remove resource pool elements from the set of reserve resource pool elements in conjunction with the remapping of workload elements to resource pool elements.

    Scheduling of defensive security actions in information processing systems
    2.
    Granted invention patent (status: in force)

    Publication number: US09471777B1

    Publication date: 2016-10-18

    Application number: US13404839

    Application date: 2012-02-24

    IPC classification: H04L29/06 G06F21/55

    Abstract: A processing device is configured to identify a plurality of defensive security actions to be taken to address a persistent security threat to a system comprising information technology infrastructure, and to determine a schedule for performance of the defensive security actions based at least in part on a selected distribution derived from a game-theoretic model, such as a delayed exponential distribution or other type of modified exponential distribution. The system subject to the persistent security threat is configured to perform the defensive security actions in accordance with the schedule in order to deter the persistent security threat. The distribution may be selected so as to optimize defender benefit in the context of the game-theoretic model, where the game-theoretic model may comprise a stealthy takeover game in which attacker and defender entities can take actions at any time but cannot determine current game state without taking an action.

    Generating authentication codes associated with devices
    3.
    Granted invention patent (status: in force)

    Publication number: US09467293B1

    Publication date: 2016-10-11

    Application number: US12975474

    Application date: 2010-12-22

    IPC classification: G06F17/30 H04L9/32 G06Q20/38

    Abstract: A method and system for use in generating authentication codes associated with devices is disclosed. In at least one embodiment, the method and system may generate a secret value that depends on event state data that specifies an operating condition of a device, and may generate a series of authentication codes that depends on the secret value and a series of dynamic values.

    Methods and apparatus for knowledge-based authentication using historically-aware questionnaires
    4.
    Granted invention patent (status: in force)

    Publication number: US09009844B1

    Publication date: 2015-04-14

    Application number: US13436080

    Application date: 2012-03-30

    IPC classification: H04L29/06

    CPC classification: H04L9/0675 H04L9/3271

    Abstract: Knowledge-based authentication (KBA) is provided using historically-aware questionnaires. The KBA can obtain a plurality of historically different answers from the user to at least one question; challenge the user with the question for a given period of time; receive a response from the user to the question; and grant access to the restricted resource if the response is accurate for the given period of time based on the historically different answers. Alternatively, the KBA can be based on historically aware answers to a set of inter-related questions. The user is challenged with the inter-related questions for a given period of time. Historically different answers can comprise answers with applicable dates, or correct answers to the question over time. Historically aware answers can comprise an answer that is accurate for an indicated date or period of time. An accurate response demonstrates knowledge of multiple related personal events.

    Counter-based encryption of stored data blocks
    5.
    Granted invention patent (status: in force)

    Publication number: US08635465B1

    Publication date: 2014-01-21

    Application number: US13432577

    Application date: 2012-03-28

    IPC classification: G06F12/14

    Abstract: A processing device is configured to maintain counters for respective stored data blocks, and to encrypt a given one of the data blocks utilizing a value of the data block in combination with a value of its associated counter. The encryption may comprise a homomorphic encryption operation performed on the given data block as a function of the value of that data block and the value of its associated counter, with the homomorphic encryption operation comprising an operation such as addition or multiplication performed over a designated field. A given one of the counters is incremented each time the corresponding data block is subject to an update operation. The data block can be encrypted, for example, by combining a value of that data block with an additional value determined using the associated counter value, such as a one-time pad value determined as a function of the counter value.

    Targeted delivery of informational content with privacy protection
    6.
    Granted invention patent (status: in force)

    Publication number: US07472093B2

    Publication date: 2008-12-30

    Application number: US09802278

    Application date: 2001-03-08

    Applicant: Ari Juels

    Inventor: Ari Juels

    IPC classification: G06F17/60

    Abstract: A system and method for enabling use of detailed consumer profiles for the purposes of targeted information delivery while protecting these profiles from disclosure to information providers or hostile third parties are disclosed herein. Rather than gathering data about a consumer in order to decide which information to send her, an information provider makes use of a client-side executable software module called a negotiant function. The negotiant function acts as a client-side proxy to protect consumer data, and it also directs the targeting of information, requesting items of information from the information provider that are tailored to the profile provided by the consumer.

    Proofs of work and bread pudding protocols
    7.
    Granted invention patent (status: in force)

    Publication number: US07356696B1

    Publication date: 2008-04-08

    Application number: US09630711

    Application date: 2000-08-01

    IPC classification: H04L9/00 H04L9/32 G06F7/04

    CPC classification: H04L9/3218

    Abstract: The bread pudding protocol of the present invention represents a novel use of proofs of work and is based upon the same principle as the dish from which it takes its name, namely, that of reuse to minimize waste. Whereas the traditional bread pudding recipe recycles stale bread, our bread pudding protocol recycles the “stale” computations in a POW to perform a separate and useful task, while also maintaining privacy in the task. In one advantageous embodiment of our bread pudding protocol, we consider the computationally intensive operation of minting coins in the MicroMint scheme of Rivest and Shamir and demonstrate how the minting operation can be partitioned into a collection of POWs, which are then used to shift the burden of the minting operation onto a large group of untrusted computational devices. Thus, the computational effort invested in the POWs is recycled to accomplish the minting operation.

    Radio frequency identification system with privacy policy implementation based on device classification
    8.
    Granted invention patent (status: in force)

    Publication number: US07298243B2

    Publication date: 2007-11-20

    Application number: US10915189

    Application date: 2004-08-10

    IPC classification: H04Q5/22

    CPC classification: G06K7/10019 G06K7/0008

    Abstract: Methods and apparatus are disclosed for use in an RFID system comprising a plurality of RFID devices and at least one reader which communicates with one or more of the devices. In accordance with an aspect of the invention, identifiers transmitted by the RFID devices are received by the reader. The system determines a classification of at least one of the received identifiers, and implements a privacy policy for data associated with one or more of the received identifiers based at least in part on the determined classification. For example, the given RFID device may be configurable into at least a first state indicative of a first classification, such as a private classification, and a second state indicative of a second classification, such as a public classification. The reader may alter a type of query that it issues based at least in part on the determined classification. Alternatively or additionally, response by the given RFID device to a query received from the reader may be conditioned on the state of the RFID device. The reader may be configured, dynamically or otherwise, so as to issue queries causing such selective responses by the RFID devices.

    Methods and apparatus for RFID device authentication
    9.
    Invention patent application (status: in force)

    Publication number: US20060022799A1

    Publication date: 2006-02-02

    Application number: US11191633

    Application date: 2005-07-28

    Applicant: Ari Juels

    Inventor: Ari Juels

    IPC classification: H04Q5/22

    CPC classification: G06K7/10019 G06K7/0008

    Abstract: Methods and apparatus are disclosed for use in an RFID system comprising a plurality of RFID devices and at least one reader which communicates with one or more of the devices. In one aspect of the invention, an identifier transmitted by a given one of the RFID devices is received by a reader or by an associated verifier via the reader. At least first and second codes are determined, by the reader or verifier, with the first code being a valid code for the identifier, and the second code being an invalid code for the identifier. The reader, or verifier via the reader, communicates with the given device to determine if the device is able to confirm that the first code is a valid code and the second code is an invalid code.

    Mix and match: a new approach to secure multiparty computation
    10.
    Granted invention patent (status: in force)

    Publication number: US06772339B1

    Publication date: 2004-08-03

    Application number: US09524337

    Application date: 2000-03-13

    IPC classification: H04L900

    CPC classification: H04L9/0841

    Abstract: A method for secure multiparty computation is disclosed. In one embodiment, participants to a secure computation agree upon a function to be computed and a representation of the function as a circuit with at least one gate. Logical tables are then generated for each gate. A logical table includes all possible input and output values for the gate based on the function. These input and output values are then encoded and the encoded tables are passed through a mix network, which generates a blinded table for each encoded logical table. A blinded table corresponds to the encoded logical table except that its rows are randomly permuted and entries are encrypted. After this initial blinding round, participants provide encryptions of their encoded secret inputs. The participants then jointly compute the function of interest using the encrypted secret inputs and the representative circuit. To simulate a gate therein, the participants compare the encrypted inputs to the gate with each encrypted input entry in the blinded table until a match is detected. When a match is detected, the corresponding output entry in the matched row is taken to be the output of the gate. This method of mixing and matching is performed in an identical manner for every gate in the circuit, irrespective of the layer in which it resides or the function being computed, until the output of the last gate is identified.
