公开(公告)号：US20120047361A1

公开(公告)日：2012-02-23

申请号：US13318690

申请日：2010-04-26

申请人： Bozena Erdmann ,  Philip Andrew Rudland ,  Klaus Kursawe ,  Oscar Garcia Morchon

发明人： Bozena Erdmann ,  Philip Andrew Rudland ,  Klaus Kursawe ,  Oscar Garcia Morchon

IPC分类号： H04L9/00 ,  H04L29/06 ,  H04W12/02

CPC分类号： H04W12/02 ,  H04L63/0428

摘要： The present invention relates to a method for securing communications between a resource-restricted device (1) and a receiving device (2) according to a wireless protocol, the method comprising the following steps: -storing, in a first part (11) of a non-volatile memory of the resource-restricted device (1), at least one encrypted payload, -storing, in a second part (12) of the non-volatile memory of the resource-restricted device (1), a pointer pointing towards an encrypted payload stored in the memory, -when a transmission is to be performed by the resource-restricted device (1), sending the encrypted payload indicated by the pointer, and storing, in the second part (12) of the non-volatile memory an updated pointer indicating a next-to-be-used encrypted payload stored in the memory.

摘要翻译： 本发明涉及一种根据无线协议来确保资源受限设备（1）和接收设备（2）之间的通信的方法，所述方法包括以下步骤： - 在第一部分（11）中， 资源受限设备（1）的非易失性存储器的非易失性存储器，在资源受限设备（1）的非易失性存储器的第二部分（12）中的至少一个加密有效载荷，指向指向 朝向存储在存储器中的加密有效载荷， - 当由资源受限设备（1）执行传输时，发送由指针指示的加密有效载荷，并存储在非易失性存储器的第二部分（12）中， 易失性存储器，指示存储在存储器中的下一个要使用的加密有效载荷的更新指针。

公开(公告)号：US20110317838A1

公开(公告)日：2011-12-29

申请号：US13254462

申请日：2010-03-16

申请人： Oscar Garcia Morchon ,  Bozena Erdmann ,  Klaus Kursawe

发明人： Oscar Garcia Morchon ,  Bozena Erdmann ,  Klaus Kursawe

IPC分类号： H04L9/00

CPC分类号： H04L9/083 ,  H04L9/085 ,  H04L2209/80 ,  H04W12/04

摘要： A method for securing communications between a first node (N1) and a second node (N2) in a network (1) further comprising a management device (2) provided with root keying materials, the method comprising the following steps: the management device generating, based on root keying materials, a first node keying material shares comprising a number of sub-elements and the first node keying material shares being arranged for generating a first complete key, the management device selecting a subset of sub-elements of the first keying material shares, the number of sub-elements selected being less or equal than the total number of sub-elements of the first keying material shares, and the selected sub-elements forming a first node partial keying material shares or symmetric-key generation engine, the first node generating, based on the first node symmetric-key generation engine and on an identifier of the second node, a first key, used for securing communications with the second node.

摘要翻译： 一种用于保护网络（1）中的第一节点（N1）和第二节点（N2）之间的通信的方法，还包括具有根密钥材料的管理设备（2），所述管理设备（2）包括以下步骤：所述管理设备生成 基于根密钥材料，第一节点密钥材料共享包括多个子元素，并且所述第一节点密钥资源共享被布置用于生成第一完整密钥，所述管理设备选择所述第一密钥的子元素的子集 选择的子元素的数量小于或等于第一密钥材料共享的子元素的总数的数量，以及形成第一节点部分密钥材料共享或对称密钥生成引擎的所选择的子元素， 所述第一节点基于所述第一节点对称密钥生成引擎和所述第二节点的标识符生成用于保护与所述第二节点的通信的第一密钥。

公开(公告)号：US09077520B2

公开(公告)日：2015-07-07

申请号：US13254462

申请日：2010-03-16

申请人： Oscar Garcia Morchon ,  Bozena Erdmann ,  Klaus Kursawe

发明人： Oscar Garcia Morchon ,  Bozena Erdmann ,  Klaus Kursawe

IPC分类号： H04L9/00 ,  H04L9/08 ,  H04W12/04

CPC分类号： H04L9/083 ,  H04L9/085 ,  H04L2209/80 ,  H04W12/04

摘要： A method for securing communications between a first node (N1) and a second node (N2) in a network (1) further comprising a management device (2) provided with root keying materials, the method comprising the following steps: the management device generating, based on root keying materials, a first node keying material shares comprising a number of sub-elements and the first node keying material shares being arranged for generating a first complete key, the management device selecting a subset of sub-elements of the first keying material shares, the number of sub-elements selected being less or equal than the total number of sub-elements of the first keying material shares, and the selected sub-elements forming a first node partial keying material shares or symmetric-key generation engine, the first node generating, based on the first node symmetric-key generation engine and on an identifier of the second node, a first key, used for securing communications with the second node.

摘要翻译： 一种用于保护网络（1）中的第一节点（N1）和第二节点（N2）之间的通信的方法，还包括具有根密钥材料的管理设备（2），所述管理设备（2）包括以下步骤：所述管理设备生成 基于根密钥材料，第一节点密钥材料共享包括多个子元素，并且所述第一节点密钥资源共享被布置用于生成第一完整密钥，所述管理设备选择所述第一密钥的子元素的子集 选择的子元素的数量小于或等于第一密钥材料共享的子元素的总数的数量，以及形成第一节点部分密钥材料共享或对称密钥生成引擎的所选择的子元素， 所述第一节点基于所述第一节点对称密钥生成引擎和所述第二节点的标识符生成用于保护与所述第二节点的通信的第一密钥。

公开(公告)号：US20110206201A1

公开(公告)日：2011-08-25

申请号：US13124721

申请日：2009-10-08

申请人： Oscar Garcia Morchon ,  Bozena Erdmann

发明人： Oscar Garcia Morchon ,  Bozena Erdmann

IPC分类号： H04L9/00

CPC分类号： H04L9/0838 ,  H04L9/3026 ,  H04L9/3066 ,  H04L2209/805

摘要： The present invention relates to security systems for communication networks. More precisely, the invention relates to a method for generating a shared key between a first node (D1) and a second node (D2) for secure communication in a network (1), the first node storing a first node keying material share based on a root keying material and the method comprising the following steps: a) the first node receiving an identifier of the second node, b) the first node evaluating the first node keying material share at a second node's identifier, to generate the shared key, wherein the first node keying material share is a polynomial-based keying material over a finite field Fq and step b) comprises: b1) the first node applying a Horner's rule to factorize the first node keying material under the form of a combination of monomials, b2) the first node computing the result of each monomial operation by evaluating at a predetermined point a polynomial of degree r−1 with coefficients in a sub-field of Fq. The invention also relates to a network and a computer program thereof.

摘要翻译： 本发明涉及通信网络的安全系统。 更准确地说，本发明涉及一种用于在第一节点（D1）和第二节点（D2）之间生成用于网络（1）中的安全通信的共享密钥的方法，所述第一节点存储基于 根密钥材料和方法，包括以下步骤：a）第一节点接收第二节点的标识符，b）第一节点在第二节点的标识符处评估第一节点密钥资源共享，以生成共享密钥，其中 第一节点密钥资源共享是在有限域Fq上的基于多项式的密钥材料，并且步骤b）包括：b1）第一节点应用霍纳规则以单项式组合b2的形式对第一节点密钥资源进行因子分解 ）第一节点通过在预定点处评估具有在Fq的子场中的系数的度r-1的多项式来计算每个单项式运算的结果。 本发明还涉及一种网络及其计算机程序。

公开(公告)号：US09185133B2

公开(公告)日：2015-11-10

申请号：US14234451

申请日：2012-07-24

申请人： Sye Loong Keoh ,  Oscar Garcia Morchon ,  Sandeep Shankaran Kumar ,  Martina Brachmann ,  Bozena Erdmann

发明人： Sye Loong Keoh ,  Oscar Garcia Morchon ,  Sandeep Shankaran Kumar ,  Martina Brachmann ,  Bozena Erdmann

IPC分类号： G06F12/00 ,  H04L29/06

CPC分类号： H04L63/166 ,  H04L63/123

摘要： The invention provides methods, devices (102, 110, 124, 136) and communication systems (100) for establishing end-to-end secure connections and for securely communicating data packets. Such a communication system (100) comprises a first device (124, 136), an intermediate device (110) and a second device (102). The first device (124, 136) communications via a first network (120), which is based on a first transport protocol and a first transport security protocol with the intermediate device (110). The second device (102) communications via a second network, which is based on a second transport protocol and a second transport security protocol with the intermediate device (110). The intermediate device (110) modifies packets received via first network to packets suitable for communication via the second network, and vice versa. The first device (124, 136) is able to reconstruct a header of a received packet as if the packet was sent via the second network (108) and its transport and security protocols. Further, the first device (124) is able to verify, on basis of the reconstructed header, verification fields which are generated on basis of the second transport security protocol.

摘要翻译： 本发明提供了用于建立端到端安全连接和用于安全地传送数据分组的方法，设备（102,110,124,136）和通信系统（100）。 这种通信系统（100）包括第一设备（124,136），中间设备（110）和第二设备（102）。 第一设备（124,136）经由第一网络（120）进行通信，第一网络（120）基于第一传输协议和与中间设备（110）的第一传输安全协议。 第二设备（102）经由第二网络进行通信，第二网络基于第二传输协议和与中间设备（110）的第二传输安全协议。 中间设备（110）将经由第一网络接收的分组修改为适合于经由第二网络进行通信的分组，反之亦然。 第一设备（124,136）能够重建接收到的分组的报头，好像分组是经由第二网络（108）及其传输和安全协议发送的。 此外，第一设备（124）能够基于重构的报头来验证基于第二传输安全协议生成的验证字段。

公开(公告)号：US20110197064A1

公开(公告)日：2011-08-11

申请号：US13122767

申请日：2009-09-28

申请人： Oscar Garcia Morchon ,  Bozena Erdmann

发明人： Oscar Garcia Morchon ,  Bozena Erdmann

IPC分类号： H04L9/32

CPC分类号： H04W12/04 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/3093 ,  H04L63/061 ,  H04L63/0823 ,  H04L2209/56 ,  H04L2209/805 ,  H04L2463/061 ,  H04W84/10

摘要： The present invention relates to a method for operating a network comprising communicating devices representing nodes of the network. More precisely, the invention relates to a method for operating a network (1), comprising a node (D1) and a system management device (3), the system management device comprising a root keying material being a set of alpha-secure functions having a degree of complexity of, and the node being provided with a node keying material share of degree of complexity α derived from the root keying material. The method comprises the following steps, upon receipt at the system management device of a request for an external user (4) to gain access to the node (D1): the system management device generates an external user keying material share of degree of complexity α from the root keying material and an access identifier, the system management device generates an access keying material of degree of complexity less than α, from the external user keying material share and an identifier of the node, the system management device provides the external user with the access keying material share and the access identifier, the external user derives a key from the access keying material share, and transmitting this key and the access certificate to the node, the node computes a key from the access identifier and the node keying material share, and the node compares the key transmitted by the external user and the key computed by the node, so as to authenticate the external user.

摘要翻译： 本发明涉及一种用于操作网络的方法，包括：传送代表网络节点的设备。 更准确地说，本发明涉及一种用于操作网络（1）的方法，所述网络（1）包括节点（D1）和系统管理设备（3），所述系统管理设备包括根密钥材料，所述根密钥材料是一组α安全功能， 复杂程度，并且节点被提供有从根密钥材料导出的复杂度α的节点密钥材料份额。 该方法包括以下步骤：在系统管理装置接收到对外部用户（4）进行访问节点（D1）的请求时：系统管理装置产生复杂程度α的外部用户密钥材料份额 从根密钥材料和访问标识符，系统管理设备从外部用户密钥材料共享和节点的标识符生成小于α的复杂度的访问密钥材料，系统管理设备向外部用户提供 访问密钥材料共享和访问标识符，外部用户从访问密钥材料共享中导出密钥，并将该密钥和访问证书发送给节点，节点从访问标识符和节点密钥资料共享中计算密钥 ，并且节点将外部用户发送的密钥与节点计算的密钥进行比较，以便对外部用户进行认证。

公开(公告)号：US20140143855A1

公开(公告)日：2014-05-22

申请号：US14234451

申请日：2012-07-24

申请人： Sye Loong Keoh ,  Oscar Garcia Morchon ,  Sandeep Shankaran Kumar ,  Martina Brachmann ,  Bozena Erdmann

发明人： Sye Loong Keoh ,  Oscar Garcia Morchon ,  Sandeep Shankaran Kumar ,  Martina Brachmann ,  Bozena Erdmann

IPC分类号： H04L29/06

CPC分类号： H04L63/166 ,  H04L63/123

摘要： The invention provides methods, devices (102, 110, 124, 136) and communication systems (100) for establishing end-to-end secure connections and for securely communicating data packets. Such a communication system (100) comprises a first device (124, 136), an intermediate device (110) and a second device (102). The first device (124, 136) communications via a first network (120), which is based on a first transport protocol and a first transport security protocol with the intermediate device (110). The second device (102) communications via a second network, which is based on a second transport protocol and a second transport security protocol with the intermediate device (110). The intermediate device (110) modifies packets received via first network to packets suitable for communication via the second network, and vice versa. The first device (124, 136) is able to reconstruct a header of a received packet as if the packet was sent via the second network (108) and its transport and security protocols. Further, the first device (124) is able to verify, on basis of the reconstructed header, verification fields which are generated on basis of the second transport security protocol.

摘要翻译： 本发明提供了用于建立端到端安全连接和用于安全地传送数据分组的方法，设备（102,110,124,136）和通信系统（100）。 这种通信系统（100）包括第一设备（124,136），中间设备（110）和第二设备（102）。 第一设备（124,136）经由第一网络（120）进行通信，第一网络（120）基于第一传输协议和与中间设备（110）的第一传输安全协议。 第二设备（102）经由第二网络进行通信，第二网络基于第二传输协议和与中间设备（110）的第二传输安全协议。 中间设备（110）将经由第一网络接收的分组修改为适合于经由第二网络进行通信的分组，反之亦然。 第一设备（124,136）能够重建接收到的分组的报头，好像分组是经由第二网络（108）及其传输和安全协议发送的。 此外，第一设备（124）能够基于重构的报头来验证基于第二传输安全协议生成的验证字段。

公开(公告)号：US08539235B2

公开(公告)日：2013-09-17

申请号：US13122767

申请日：2009-09-28

申请人： Oscar Garcia Morchon ,  Bozena Erdmann

发明人： Oscar Garcia Morchon ,  Bozena Erdmann

IPC分类号： H04L9/32

CPC分类号： H04W12/04 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/3093 ,  H04L63/061 ,  H04L63/0823 ,  H04L2209/56 ,  H04L2209/805 ,  H04L2463/061 ,  H04W84/10

摘要： The present invention relates to a method for operating a network comprising communicating devices representing nodes of the network. More precisely, the invention relates to a method for operating a network (1), comprising a node (D1) and a system management device (3), the system management device comprising a root keying material being a set of alpha-secure functions having a degree of complexity of, and the node being provided with a node keying material share of degree of complexity α derived from the root keying material. The method comprises the following steps, upon receipt at the system management device of a request for an external user (4) to gain access to the node (D1): the system management device generates an external user keying material share of degree of complexity α from the root keying material and an access identifier, the system management device generates an access keying material of degree of complexity less than α, from the external user keying material share and an identifier of the node, the system management device provides the external user with the access keying material share and the access identifier, the external user derives a key from the access keying material share, and transmitting this key and the access certificate to the node, the node computes a key from the access identifier and the node keying material share, and the node compares the key transmitted by the external user and the key computed by the node, so as to authenticate the external user.

摘要翻译： 本发明涉及一种用于操作网络的方法，包括：传送代表网络节点的设备。 更准确地说，本发明涉及一种用于操作网络（1）的方法，所述网络（1）包括节点（D1）和系统管理设备（3），所述系统管理设备包括根密钥材料，所述根密钥材料是一组α安全功能， 复杂程度，并且节点被提供有从根密钥材料导出的复杂度α的节点密钥材料份额。 该方法包括以下步骤：在系统管理装置接收对外部用户（4）的请求以获得对节点（D1）的访问时：系统管理装置产生复杂度α的外部用户密钥材料份额 从根密钥材料和访问标识符，系统管理设备从外部用户密钥材料共享和节点的标识符生成小于α的复杂度的访问密钥材料，系统管理设备向外部用户提供 访问密钥材料共享和访问标识符，外部用户从访问密钥材料共享中导出密钥，并将该密钥和访问证书发送给节点，节点根据访问标识符和节点密钥资源共享来计算密钥 ，并且节点将外部用户发送的密钥与节点计算的密钥进行比较，以便对外部用户进行认证。

公开(公告)号：US08495373B2

公开(公告)日：2013-07-23

申请号：US13124721

申请日：2009-10-08

申请人： Oscar Garcia Morchon ,  Bozena Erdmann

发明人： Oscar Garcia Morchon ,  Bozena Erdmann

IPC分类号： H04L9/30

CPC分类号： H04L9/0838 ,  H04L9/3026 ,  H04L9/3066 ,  H04L2209/805

摘要： The present invention relates to security systems for communication networks. More precisely, the invention relates to a method for generating a shared key between a first node (D1) and a second node (D2) for secure communication in a network (1), the first node storing a first node keying material share based on a root keying material and the method comprising the following steps: a) the first node receiving an identifier of the second node, b) the first node evaluating the first node keying material share at a second node's identifier, to generate the shared key, wherein the first node keying material share is a polynomial-based keying material over a finite field Fq and step b) comprises: b1) the first node applying a Horner's rule to factorize the first node keying material under the form of a combination of monomials, b2) the first node computing the result of each monomial operation by evaluating at a predetermined point a polynomial of degree r−1 with coefficients in a sub-field of Fq. The invention also relates to a network and a computer program thereof.

摘要翻译： 本发明涉及通信网络的安全系统。 更准确地说，本发明涉及一种用于在第一节点（D1）和第二节点（D2）之间生成用于网络（1）中的安全通信的共享密钥的方法，所述第一节点存储基于 根密钥材料和方法，包括以下步骤：a）第一节点接收第二节点的标识符，b）第一节点在第二节点的标识符处评估第一节点密钥资源共享，以生成共享密钥，其中 第一节点密钥资源共享是在有限域Fq上的基于多项式的密钥材料，并且步骤b）包括：b1）第一节点应用霍纳规则以单项式组合b2的形式对第一节点密钥资源进行因子分解 ）第一节点通过在预定点处评估具有在Fq的子场中的系数的度r-1的多项式来计算每个单项式运算的结果。 本发明还涉及一种网络及其计算机程序。

公开(公告)号：US20110113475A1

公开(公告)日：2011-05-12

申请号：US12674950

申请日：2008-09-04

申请人： Oscar Garcia Morchon ,  Bozena Erdmann ,  Axel Guenther Huebner ,  Heribert Baldus

发明人： Oscar Garcia Morchon ,  Bozena Erdmann ,  Axel Guenther Huebner ,  Heribert Baldus

IPC分类号： G06F17/30

CPC分类号： H04W12/08 ,  H04L12/282 ,  H04L63/083 ,  H04L63/10 ,  H04W12/06 ,  H05B37/0272

摘要： The invention relates to a node (100) for a network such as a wireless control network or the like. In this network, each node (100) comprises a identifier (104) and keying material (102), means for authenticating (112) the node's identifier based on the node's keying material and means for checking (114) the access control rights of the node in a distributed manner based on the node's multidimensional identity and access rights corresponding to the node's identity. Additionally, the invention allows the node to generate a common key with any other node in the first keying first network that can be used to enable further material identifier secure communications.

摘要翻译： 本发明涉及一种诸如无线控制网络等网络的节点（100）。 在该网络中，每个节点（100）包括标识符（104）和密钥材料（102），用于基于节点的密钥材料认证（112）节点的标识符的装置和用于检查（114）所述节点的标识符的访问控制权限的装置 节点以分布式方式基于节点的多维身份和与节点身份相对应的访问权限。 此外，本发明允许节点与第一密钥第一网络中的任何其他节点一起生成公共密钥，其可以用于实现进一步的材料标识符安全通信。