SECURE TRANSMISSION OF A SESSION IDENTIFIER DURING SERVICE AUTHENTICATION
    1.
    Patent application
    SECURE TRANSMISSION OF A SESSION IDENTIFIER DURING SERVICE AUTHENTICATION (status: in force)

    Publication number: US20160294797A1

    Publication date: 2016-10-06

    Application number: US14674938

    Filing date: 2015-03-31

    Abstract: In an embodiment a method is performed by a network access device (NAD). The NAD transfers a first HTTPS request from a client computer (UE) to an identity provider computer (IdP). The NAD transfers, from the IdP, a preceding redirected URL in response to the first HTTPS request, to the UE and configured to cause the UE to redirect to said preceding redirected URL. Over a secure network link, the NAD receives a particular request specifying said preceding redirected URL, from the UE. Responsive to receiving the particular request, the NAD generates a response, comprising a subsequent redirected URL and a session identifier, and configured to cause the UE to redirect to the IdP over an HTTPS connection. The NAD transfers said subsequent redirected URL over the secure network link to the UE. The NAD transfers a second HTTPS request, comprising the session identifier, from the UE to the IdP.

    Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication
    2.
    Patent application
    Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication (status: under examination, published)

    Publication number: US20150106617A1

    Publication date: 2015-04-16

    Application number: US14572075

    Filing date: 2014-12-16

    CPC classification number: H04L63/0823 H04L63/08

    Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.

    SYSTEM AND METHOD FOR PROVISIONING AND AUTHENTICATING VIA A NETWORK
    3.
    Patent application
    SYSTEM AND METHOD FOR PROVISIONING AND AUTHENTICATING VIA A NETWORK (status: under examination, published)

    Publication number: US20140237247A1

    Publication date: 2014-08-21

    Application number: US14263148

    Filing date: 2014-04-28

    Abstract: System architecture and corresponding method for securing communication via a network (e.g. IEEE 802.11) is provided. In accordance with one embodiment, the present system and method protocol, may be suitably configured to achieve mutual authentication by using a shared secret to establish a tunnel used to protect weaker authentication methods (e.g. user names and passwords). The shared secret, referred to in this embodiment as the protected access credential may be advantageously used to mutually authenticate a server and a peer upon securing a tunnel for communication via a network. The present system and method disclosed and claimed herein, in one aspect thereof, comprises the steps of 1) providing a communication implementation between a first and a second party; 2) provisioning a secure credential between the first and the second party; and 3) establishing a secure tunnel between the first and the second party using the secure credential.

    Secure transmission of a session identifier during service authentication
    4.
    Granted patent
    Secure transmission of a session identifier during service authentication (status: in force)

    Publication number: US09578007B2

    Publication date: 2017-02-21

    Application number: US14674938

    Filing date: 2015-03-31

    Abstract: In an embodiment a method is performed by a network access device (NAD). The NAD transfers a first HTTPS request from a client computer (UE) to an identity provider computer (IdP). The NAD transfers, from the IdP, a preceding redirected URL in response to the first HTTPS request, to the UE and configured to cause the UE to redirect to said preceding redirected URL. Over a secure network link, the NAD receives a particular request specifying said preceding redirected URL, from the UE. Responsive to receiving the particular request, the NAD generates a response, comprising a subsequent redirected URL and a session identifier, and configured to cause the UE to redirect to the IdP over an HTTPS connection. The NAD transfers said subsequent redirected URL over the secure network link to the UE. The NAD transfers a second HTTPS request, comprising the session identifier, from the UE to the IdP.

    PRE-ASSOCIATION MECHANISM TO PROVIDE DETAILED DESCRIPTION OF WIRELESS SERVICES
    5.
    Patent application
    PRE-ASSOCIATION MECHANISM TO PROVIDE DETAILED DESCRIPTION OF WIRELESS SERVICES (status: under examination, published)

    Publication number: US20140122242A1

    Publication date: 2014-05-01

    Application number: US14034819

    Filing date: 2013-09-24

    Abstract: In an example embodiment, an apparatus comprising a transceiver configured to send and receive data and logic coupled to the transceiver. The logic is configured to determine from a signal received by the transceiver whether an associated device sending the signal supports a protocol for advertising available services. The logic is configured to send a request for available services from the associated device via the transceiver responsive to determining the associated device supports the protocol. The logic is configured to receive a response to the request via the transceiver, the response comprising at least one service advertisement and a signature. The logic is configured to validate the response by confirming the signature.

    Mechanisms to use network session identifiers for software-as-a-service authentication
    7.
    Granted patent
    Mechanisms to use network session identifiers for software-as-a-service authentication (status: in force)

    Publication number: US09356928B2

    Publication date: 2016-05-31

    Application number: US14572075

    Filing date: 2014-12-16

    CPC classification number: H04L63/0823 H04L63/08

    Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.

    Software revocation infrastructure
    8.
    Granted patent
    Software revocation infrastructure (status: in force)

    Publication number: US09298923B2

    Publication date: 2016-03-29

    Application number: US14017896

    Filing date: 2013-09-04

    CPC classification number: G06F21/57 G06F21/12 H04L9/3268

    Abstract: In one implementation, software components include an identity of a revocation authority. Prior to loading of the software in a given platform, the revocation authority is checked for any revocation messages. The revocation authority creates software component specific messages for any software components to be revoked, rather than using certificate revocation or individual licenses. The messages include mitigation information, such as instructions for automatically configuring already installed software without requiring an update or change in code.
