1. Key generation for networks
    Granted invention patent (in force)

    Publication number: US08867747B2

    Publication date: 2014-10-21

    Application number: US12414772

    Filing date: 2009-03-31

    IPC classification: H04L9/08

    CPC classification: H04L9/0869 H04L9/083

    Abstract: Systems, methods, and other embodiments associated with key generation for networks are described. One example method includes configuring a key server with a pseudo-random function (PRF). The key server may provide keying material to gateways. The method may also include controlling the key server to generate a cryptography data structure (e.g., a D-matrix) based, at least in part, on the PRF and a seed value. The method may also include controlling the key server to selectively distribute a portion of the cryptography data structure and/or data derived from the cryptography data structure to a gateway. The gateway may then encrypt communications based, at least in part, on the portion of the cryptography data structure. The method may also include selectively distributing an epoch value to members of the set of gateways, which may then decrypt an encrypted communication based, at least in part, on the epoch value.

2. Method for self-synchronizing time between communicating networked systems using timestamps
    Granted invention patent (in force)

    Publication number: US07676679B2

    Publication date: 2010-03-09

    Application number: US11059178

    Filing date: 2005-02-15

    IPC classification: H04L9/00 H04L9/32

    Abstract: Nodes in a network include a pseudo-timestamp in messages or packets, derived from local pseudo-time clocks. When a packet is received, a first time is determined representing when the packet was sent and a second time is determined representing when the packet was received. If the difference between the second time and the first time is greater than a predetermined amount, the packet is considered to be stale and is rejected, thereby deterring replay. Because each node maintains its own clock and time, to keep the clocks relatively synchronized, if the time associated with the timestamp of a received packet is later than the receiver's time by more than a certain amount, the receiver's clock is set ahead by an amount that is expected to synchronize the receiver's and the sender's clocks. However, a receiver never sets its clock back, to deter attacks.

3. KEY TRANSPORT IN AUTHENTICATION OR CRYPTOGRAPHY
    Invention patent application (in force)

    Publication number: US20100169645A1

    Publication date: 2010-07-01

    Application number: US12604221

    Filing date: 2009-10-22

    IPC classification: H04L9/32 H04L9/06 H04L9/28

    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.

4. Key transport in authentication or cryptography
    Granted invention patent (in force)

    Publication number: US08356177B2

    Publication date: 2013-01-15

    Application number: US12604221

    Filing date: 2009-10-22

    IPC classification: H04L9/00

    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.

5. Networking device provisioning
    Granted invention patent (in force)

    Publication number: US08341250B2

    Publication date: 2012-12-25

    Application number: US12475487

    Filing date: 2009-05-30

    IPC classification: G06F15/177

    CPC classification: H04L41/0806 H04L63/0823

    Abstract: Systems, methods, and other embodiments associated with network device provisioning are described. One example method includes storing a set of device-specific identification data in a network device. The example method may also include storing an association between the network device and a set of device-specific provisioning data. The example method may also include providing the set of device-specific provisioning data to the network device. The set of device-specific provisioning data may be provided in response to receiving a provisioning data request from the network device.

6. System and method for dynamic secured group communication
    Granted invention patent (in force)

    Publication number: US07509491B1

    Publication date: 2009-03-24

    Application number: US10867266

    Filing date: 2004-06-14

    IPC classification: H04L9/00

    Abstract: Conventional mechanisms exist for denoting a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system that enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishes a group key corresponding to the group applies the group key to communications from the group members in the subnet. The group key is associated with the group ID by enumerating the address prefixes corresponding to each of the subnets in the group, and examining outgoing transmissions for destination addresses matching one of the address prefixes corresponding to the group.

7. Internal routing protocol support for distributing encryption information
    Granted invention patent (in force)

    Publication number: US07620975B2

    Publication date: 2009-11-17

    Application number: US11059736

    Filing date: 2005-02-17

    Abstract: A method and apparatus for providing routing protocol support for distributing encryption information is presented. Subnet prefixes reachable on a first customer site in an encrypted manner are identified, as are the security groups the subnet prefixes belong to. An advertisement is received at a first Customer Edge (CE) device in the first customer site, the advertisement originating from a Customer (C) device in the first customer site. The advertisement indicates links, subnets to be encrypted, and security group identifiers. The prefixes and the security group identifiers are then propagated across a service provider network to a second CE device located in a second customer site. In such a manner, encryption and authentication are extended further into a customer site, as customer devices are able to indicate to the service provider network infrastructure and to other customer devices in other customer sites which local destinations require encryption/authentication.

8. Clock-based replay protection
    Granted invention patent (in force)

    Publication number: US07468981B2

    Publication date: 2008-12-23

    Application number: US11059295

    Filing date: 2005-02-15

    IPC classification: H04L12/28

    Abstract: Nodes in a network include a pseudo-timestamp in messages or packets, derived from local pseudo-time clocks. When a packet is received, a first time is determined representing when the packet was sent and a second time is determined representing when the packet was received. If the difference between the second time and the first time is greater than a predetermined amount, the packet is considered to be stale and is rejected, thereby deterring replay. Because each node maintains its own clock and time, to keep the clocks relatively synchronized, if the time associated with the timestamp of a received packet is later than the receiver's time by more than a certain amount, the receiver's clock is set ahead by an amount that is expected to synchronize the receiver's and the sender's clocks. However, a receiver never sets its clock back, to deter attacks.

9. Protecting digital data such as images on a device with image acquisition capabilities
    Granted invention patent (in force)

    Publication number: US08473757B2

    Publication date: 2013-06-25

    Application number: US12388387

    Filing date: 2009-02-18

    IPC classification: G06F21/00

    CPC classification: H04L9/0891 H04L9/0894

    Abstract: Digital data, such as images on a digital camera, is typically protected (e.g., encrypted and/or authenticated) based on a master key stored off the device. The original master key can be acquired in a number of different ways, including being generated by the device or by another device. A one-way, progressive series of keys is derived from the master key such that only images or data of the same session can be authenticated or decrypted for viewing, export, or manipulation of the decrypted image/data. In order to decrypt images or data of a previous session on the device, the master key must be imported to the device, such as by, but not limited to, taking a picture of a representation of the key and interpreting the image to reacquire the master key.

10. Virtual machine memory compartmentalization in multi-core architectures
    Granted invention patent (in force)

    Publication number: US08990582B2

    Publication date: 2015-03-24

    Application number: US12789207

    Filing date: 2010-05-27

    Abstract: Techniques for memory compartmentalization for trusted execution of a virtual machine (VM) on a multi-core processing architecture are described. Memory compartmentalization may be achieved by encrypting layer 3 (L3) cache lines using a key under the control of a given VM within the trust boundaries of the processing core on which that VM is executed. Further, embodiments described herein provide an efficient method for storing and processing encryption-related metadata associated with each encrypt/decrypt operation performed on the L3 cache lines.