1. KEY MANAGEMENT IN SECURE NETWORK ENCLAVES
    Invention patent application, in force

    Publication number: US20100318800A1

    Publication date: 2010-12-16

    Application number: US12483095

    Filing date: 2009-06-11

    IPC classification: H04L9/00

    Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate the minimum privileges needed by each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.

2. DISCOVERY OF SECURE NETWORK ENCLAVES
    Invention patent application, in force

    Publication number: US20100318799A1

    Publication date: 2010-12-16

    Application number: US12483052

    Filing date: 2009-06-11

    IPC classification: H04L9/32

    Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate the minimum privileges needed by each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.

3. OFFLOADING CRYPTOGRAPHIC PROTECTION PROCESSING
    Invention patent application, pending (published)

    Publication number: US20100228962A1

    Publication date: 2010-09-09

    Application number: US12400281

    Filing date: 2009-03-09

    IPC classification: H04L9/06

    Abstract: Some embodiments are directed to processing packet data sent according to a security protocol between a first computer and a second computer via a forwarding device. The forwarding device performs a portion of the processing and forwards the packet data to a third computer, connected to the forwarding device, for the remaining processing. The third computer may support non-standard extensions to the security protocol, such as extensions used in authorizing and establishing a connection over the security protocol. The packet data may be subject to policies, such as firewall policies or security policies, that may be detected by the third computer. The third computer sends the results of its processing, such as a cryptographic key or a detected access control policy, to the forwarding device.

5. Discovery of secure network enclaves
    Granted invention patent, in force

    Publication number: US08352741B2

    Publication date: 2013-01-08

    Application number: US12483052

    Filing date: 2009-06-11

    IPC classification: H04L9/32

    Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate the minimum privileges needed by each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.

6. Method of negotiating security parameters and authenticating users interconnected to a network
    Granted invention patent, in force

    Publication number: US08275989B2

    Publication date: 2012-09-25

    Application number: US12500381

    Filing date: 2009-07-09

    IPC classification: H04L29/06

    Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes, each comprising a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode, thereby minimizing the number of messages that need to be exchanged between the initiator and the responder.

7. IPSec encapsulation mode
    Granted invention patent, in force

    Publication number: US08289970B2

    Publication date: 2012-10-16

    Application number: US12505074

    Filing date: 2009-07-17

    Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries at the responder, such as a firewall, to inspect the packets easily and implement additional features such as security filtering.

8. IPsec Encapsulation Mode
    Invention patent application, in force

    Publication number: US20110013634A1

    Publication date: 2011-01-20

    Application number: US12505074

    Filing date: 2009-07-17

    IPC classification: H04L12/56 G06F3/00 G06F17/00

    Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries at the responder, such as a firewall, to inspect the packets easily and implement additional features such as security filtering.

9. METHOD OF NEGOTIATING SECURITY PARAMETERS AND AUTHENTICATING USERS INTERCONNECTED TO A NETWORK
    Invention patent application, in force

    Publication number: US20090276828A1

    Publication date: 2009-11-05

    Application number: US12500381

    Filing date: 2009-07-09

    IPC classification: G06F21/00

    Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes, each comprising a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode, thereby minimizing the number of messages that need to be exchanged between the initiator and the responder.

10. Method of negotiating security parameters and authenticating users interconnected to a network
    Granted invention patent, in force

    Publication number: US07574603B2

    Publication date: 2009-08-11

    Application number: US10713980

    Filing date: 2003-11-14

    IPC classification: H04L9/00

    Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes, each comprising a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode, thereby minimizing the number of messages that need to be exchanged between the initiator and the responder.