KEY TRANSPORT IN AUTHENTICATION OR CRYPTOGRAPHY
    1.
    Published patent application
    Status: In force

    Publication number: US20100169645A1

    Publication date: 2010-07-01

    Application number: US12604221

    Filing date: 2009-10-22

    IPC classification: H04L9/32 H04L9/06 H04L9/28

    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.


    Key transport in authentication or cryptography
    2.
    Granted patent
    Status: In force

    Publication number: US08356177B2

    Publication date: 2013-01-15

    Application number: US12604221

    Filing date: 2009-10-22

    IPC classification: H04L9/00

    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.


    Key generation for networks
    3.
    Granted patent
    Status: In force

    Publication number: US08867747B2

    Publication date: 2014-10-21

    Application number: US12414772

    Filing date: 2009-03-31

    IPC classification: H04L9/08

    CPC classification: H04L9/0869 H04L9/083

    Abstract: Systems, methods, and other embodiments associated with key generation for networks are described. One example method includes configuring a key server with a pseudo-random function (PRF). The key server may provide keying material to gateways. The method may also include controlling the key server to generate a cryptography data structure (e.g., D-matrix) based, at least in part, on the PRF and a seed value. The method may also include controlling the key server to selectively distribute a portion of the cryptography data structure and/or data derived from the cryptography data structure to a gateway. The gateway may then encrypt communications based, at least in part, on the portion of the cryptography data structure. The method may also include selectively distributing an epoch value to members of the set of gateways, which may then decrypt an encrypted communication based, at least in part, on the epoch value.


    Method for self-synchronizing time between communicating networked systems using timestamps
    4.
    Granted patent
    Status: In force

    Publication number: US07676679B2

    Publication date: 2010-03-09

    Application number: US11059178

    Filing date: 2005-02-15

    IPC classification: H04L9/00 H04L9/32

    Abstract: Nodes in a network include a pseudo-timestamp in messages or packets, derived from local pseudo-time clocks. When a packet is received, a first time is determined representing when the packet was sent and a second time is determined representing when the packet was received. If the difference between the second time and the first time is greater than a predetermined amount, the packet is considered to be stale and is rejected, thereby deterring replay. Because each node maintains its own clock and time, to keep the clocks relatively synchronized, if the time associated with the timestamp of a received packet is later than the receiver's time by more than a certain amount, the receiver's clock is set ahead by an amount that is expected to synchronize the receiver's and the sender's clocks. However, a receiver never sets its clock back, to deter attacks.


    Networking device provisioning
    5.
    Granted patent
    Status: In force

    Publication number: US08341250B2

    Publication date: 2012-12-25

    Application number: US12475487

    Filing date: 2009-05-30

    IPC classification: G06F15/177

    CPC classification: H04L41/0806 H04L63/0823

    Abstract: Systems, methods and other embodiments associated with network device provisioning are described. One example method includes storing a set of device-specific identification data in a network device. The example method may also include storing an association between the network device and a set of device-specific provisioning data. The example method may also include providing the set of device-specific provisioning data to the network device. The set of device-specific provisioning data may be provided in response to receiving a provisioning data request from the network device.


    System and method for dynamic secured group communication
    6.
    Granted patent
    Status: In force

    Publication number: US07509491B1

    Publication date: 2009-03-24

    Application number: US10867266

    Filing date: 2004-06-14

    IPC classification: H04L9/00

    Abstract: Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishes a group key corresponding to the group, applies the group key to communications from the group members in the subnet. The group key is associated with the group ID by enumerating the address prefixes corresponding to each of the subnets in the group, and examining outgoing transmissions for destination addresses matching one of the address prefixes corresponding to the group.


    Internal routing protocol support for distributing encryption information
    7.
    Granted patent
    Status: In force

    Publication number: US07620975B2

    Publication date: 2009-11-17

    Application number: US11059736

    Filing date: 2005-02-17

    Abstract: A method and apparatus for providing routing protocol support for distributing encryption information is presented. Subnet prefixes reachable on a first customer site in an encrypted manner are identified, as are the security groups the subnet prefixes belong to. An advertisement is received at a first Customer Edge (CE) device in the first customer site, the advertisement originating from a Customer (C) device in the first customer site. The advertisement indicates links, subnets to be encrypted, and security group identifiers. The prefixes and the security group identifiers are then propagated across a service provider network to a second CE device located in a second customer site. In such a manner, encryption and authentication are expanded further into a customer site, as customer devices are able to indicate to a service provider network infrastructure and to other customer devices in other customer sites which local destinations require encryption/authentication.


    Clock-based replay protection
    8.
    Granted patent
    Status: In force

    Publication number: US07468981B2

    Publication date: 2008-12-23

    Application number: US11059295

    Filing date: 2005-02-15

    IPC classification: H04L12/28

    Abstract: Nodes in a network include a pseudo-timestamp in messages or packets, derived from local pseudo-time clocks. When a packet is received, a first time is determined representing when the packet was sent and a second time is determined representing when the packet was received. If the difference between the second time and the first time is greater than a predetermined amount, the packet is considered to be stale and is rejected, thereby deterring replay. Because each node maintains its own clock and time, to keep the clocks relatively synchronized, if the time associated with the timestamp of a received packet is later than the receiver's time by more than a certain amount, the receiver's clock is set ahead by an amount that is expected to synchronize the receiver's and the sender's clocks. However, a receiver never sets its clock back, to deter attacks.


    SYSTEM AND METHOD FOR PROVIDING PREFIXES INDICATIVE OF MOBILITY PROPERTIES IN A NETWORK ENVIRONMENT
    9.
    Published patent application
    Status: In force

    Publication number: US20110258431A1

    Publication date: 2011-10-20

    Application number: US12762204

    Filing date: 2010-04-16

    IPC classification: H04L12/56 H04L29/06

    Abstract: An example method includes receiving an Internet protocol (IP) address request in a network and selecting an IP address associated with a prefix that represents an IP subnet. The prefix includes a color attribute to be provided as part of a communication session that includes a plurality of packets. The prefix defines one or more properties associated with an application for the session. The prefix is communicated to a network element in a signaling plane; the prefix is configured to be used to make a routing decision for at least some of the plurality of packets. In more specific embodiments, the method can include applying one or more network policies based on the prefix associated with the IP address. The method could also include decrypting an encryption protocol in order to identify the prefix of a subsequent communication flow, and executing a routing decision based on the prefix.
