Cryptographic peer discovery, authentication, and authorization for on-path signaling
    1.
    发明授权
    Cryptographic peer discovery, authentication, and authorization for on-path signaling 有权
    路由信令的密码对等体发现,认证和授权

    公开(公告)号:US08122482B2

    公开(公告)日:2012-02-21

    申请号:US12019541

    申请日:2008-01-24

    IPC分类号: G06F17/00 H04L29/06

    摘要: A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

    摘要翻译: 公开了一种用于加密对等体发现,认证和授权的方法。 根据一个实施例,寻址到中继网络设备之外的目的地设备的数据分组在中间网络设备处被截取。 数据包包含请求和组标识符。 选择映射到组标识符的共享密钥加密密钥。 从数据包来自何时向上游设备发送一个挑战。 收到回复。 基于加密密钥和挑战生成验证值。 确定响应是否匹配验证值。 如果响应匹配验证值,则确定该映射到组标识符的授权集是否允许该请求。 如果允许请求,则根据请求配置中间网络设备的策略。

    CRYPTOGRAPHIC PEER DISCOVERY, AUTHENTICATION, AND AUTHORIZATION FOR ON-PATH SIGNALING
    2.
    发明申请
    CRYPTOGRAPHIC PEER DISCOVERY, AUTHENTICATION, AND AUTHORIZATION FOR ON-PATH SIGNALING 有权
    CRIPAPHIC PEER发现,认证和授权用于路上信号

    公开(公告)号:US20090193506A1

    公开(公告)日:2009-07-30

    申请号:US12019541

    申请日:2008-01-24

    IPC分类号: G06F7/04

    摘要: A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

    摘要翻译: 公开了一种用于加密对等体发现,认证和授权的方法。 根据一个实施例,寻址到中继网络设备之外的目的地设备的数据分组在中间网络设备处被截取。 数据包包含请求和组标识符。 选择映射到组标识符的共享密钥加密密钥。 从数据包来自何时向上游设备发送一个挑战。 收到回复。 基于加密密钥和挑战生成验证值。 确定响应是否匹配验证值。 如果响应匹配验证值,则确定该映射到组标识符的授权集是否允许该请求。 如果允许请求,则根据请求配置中间网络设备的策略。

    Cryptographic peer discovery, authentication, and authorization for on-path signaling
    3.
    发明授权
    Cryptographic peer discovery, authentication, and authorization for on-path signaling 有权
    路由信令的密码对等体发现,认证和授权

    公开(公告)号:US07350227B2

    公开(公告)日:2008-03-25

    申请号:US11115542

    申请日:2005-04-26

    摘要: A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

    摘要翻译: 公开了一种用于加密对等体发现,认证和授权的方法。 根据一个实施例,寻址到中继网络设备之外的目的地设备的数据分组在中间网络设备处被截取。 数据包包含请求和组标识符。 选择映射到组标识符的共享密钥加密密钥。 从数据包来自何时向上游设备发送一个挑战。 收到回复。 基于加密密钥和挑战生成验证值。 确定响应是否匹配验证值。 如果响应匹配验证值,则确定该映射到组标识符的授权集是否允许该请求。 如果允许请求,则根据请求配置中间网络设备的策略。

    Key generation for networks
    4.
    发明授权
    Key generation for networks 有权
    网络的关键一代

    公开(公告)号:US08867747B2

    公开(公告)日:2014-10-21

    申请号:US12414772

    申请日:2009-03-31

    IPC分类号: H04L9/08

    CPC分类号: H04L9/0869 H04L9/083

    摘要: Systems, methods, and other embodiments associated with key generation for networks are described. One example method includes configuring a key server with a pseudo-random function (PRF). The key server may provide keying material to gateways. The method may also include controlling the key server to generate a cryptography data structure (e.g., D-matrix) based, at least in part, on the PRF and a seed value. The method may also include controlling the key server to selectively distribute a portion of the cryptography data structure and/or data derived from the cryptography data structure to a gateway. The gateway may then encrypt communications based, at least in part, on the portion of the cryptography data structure. The method may also include selectively distributing an epoch value to members of the set of gateways that may then decrypt an encrypted communication based, at least in part, on the epoch value.

    摘要翻译: 描述了与网络的密钥生成相关联的系统,方法和其他实施例。 一个示例性方法包括配置具有伪随机函数(PRF)的密钥服务器。 密钥服务器可以向网关提供密钥材料。 该方法还可以包括:至少部分地基于PRF和种子值来控制密钥服务器以生成加密数据结构(例如,D矩阵)。 该方法还可以包括控制密钥服务器以选择性地将加密数据结构的一部分和/或从加密数据结构导出的数据分发到网关。 网关可以至少部分地基于加密数据结构的一部分加密通信。 该方法还可以包括选择性地将时代值分配到该组网关的成员,该网关组可以至少部分地基于时期值来解密加密的通信。

    Protecting digital data such as images on a device with image acquisition capabilities
    5.
    发明授权
    Protecting digital data such as images on a device with image acquisition capabilities 有权
    保护具有图像采集功能的设备上的数字数据(如图像)

    公开(公告)号:US08473757B2

    公开(公告)日:2013-06-25

    申请号:US12388387

    申请日:2009-02-18

    IPC分类号: G06F21/00

    CPC分类号: H04L9/0891 H04L9/0894

    摘要: Digital data, such as images on a digital camera, is typically protected (e.g., encrypted and/or authenticated) based on a master key stored off the device. The original master key can be acquired in a number of different ways, including being generated by the device or by another device. A one-way, progressive series of keys are derived from the master key such that only images or data of a same session can be authenticated or decrypted for viewing, export or manipulation of the decrypted image/data. In order to decrypt images or data of a previous session on the device, the master key must be imported to the device, such as by, but not limited to, taking a picture of a representation of the key and interpreting the image to reacquire the master key.

    摘要翻译: 数字数据,例如数字照相机上的图像,通常基于存储在设备上的主密钥进行保护(例如,加密和/或认证)。 原始主密钥可以以多种不同的方式获取,包括由设备或另一设备生成。 从主密钥导出单向,渐进的一系列密钥,使得仅能够认证或解密相同会话的图像或数据以查看,导出或操纵解密的图像/数据。 为了对设备上的先前会话的图像或数据进行解密,主密钥必须被导入到设备中,例如通过但不限于获取密钥的表示的图片并解释图像来重新获取 主密钥。

    Method for self-synchronizing time between communicating networked systems using timestamps
    6.
    发明授权
    Method for self-synchronizing time between communicating networked systems using timestamps 有权
    使用时间戳通信网络系统之间的自同步时间的方法

    公开(公告)号:US07676679B2

    公开(公告)日:2010-03-09

    申请号:US11059178

    申请日:2005-02-15

    IPC分类号: H04L9/00 H04L9/32

    摘要: Nodes in a network include a pseudo-timestamp in messages or packets, derived from local pseudo-time clocks. When a packet is received, a first time is determined representing when the packet was sent and a second time is determined representing when the packet was received. If the difference between the second time and the first time is greater than a predetermined amount, the packet is considered to be stale and is rejected, thereby deterring replay. Because each node maintains its own clock and time, to keep the clocks relatively synchronized, if a time associated with a timestamp of a received packet is later than a certain amount with respect to the time at the receiver, the receiver's clock is set ahead by an amount that expected to synchronize the receiver's and the sender's clocks. However, a receiver never sets its clock back, to deter attacks.

    摘要翻译: 网络中的节点包括从本地伪时间时钟导出的消息或分组中的伪时间戳。 当接收到分组时,确定第一次表示何时发送分组,并且确定表示何时接收分组的第二时间。 如果第二时间和第一时间之间的差异大于预定量,则该分组被认为是陈旧的并且被拒绝,从而阻止重放。 由于每个节点保持其自身的时钟和时间,为了保持时钟相对同步,如果与接收到的分组的时间戳相关联的时间相对于接收机的时间晚于一定量,则将接收机的时钟设置在 预计会使接收器和发送器的时钟同步的量。 然而,接收机从未将其时钟重新设置为阻止攻击。

    Virtual machine memory compartmentalization in multi-core architectures
    7.
    发明授权
    Virtual machine memory compartmentalization in multi-core architectures 有权
    多核架构虚拟机内存分区

    公开(公告)号:US08990582B2

    公开(公告)日:2015-03-24

    申请号:US12789207

    申请日:2010-05-27

    摘要: Techniques for memory compartmentalization for trusted execution of a virtual machine (VM) on a multi-core processing architecture are described. Memory compartmentalization may be achieved by encrypting layer 3 (L3) cache lines using a key under the control of a given VM within the trust boundaries of the processing core on which that VMs is executed. Further, embodiments described herein provide an efficient method for storing and processing encryption related metadata associated with each encrypt/decrypt operation performed for the L3 cache lines.

    摘要翻译: 描述了用于多核处理架构上的虚拟机(VM)的可信执行的用于存储器区分的技术。 可以通过使用在执行VM的处理核心的信任边界内的给定VM的控制下的密钥来加密层3(L3)高速缓存线来实现内存区分。 此外,本文描述的实施例提供了一种用于存储和处理与针对L3高速缓存行执行的每个加密/解密操作相关联的加密相关元数据的有效方法。

    Protecting Digital Data such as Images on a Device with Image Acquisition Capabilities
    9.
    发明申请
    Protecting Digital Data such as Images on a Device with Image Acquisition Capabilities 有权
    保护具有图像采集功能的设备上的数字数据(如图像)

    公开(公告)号:US20100211799A1

    公开(公告)日:2010-08-19

    申请号:US12388387

    申请日:2009-02-18

    IPC分类号: H04L9/16 G06F12/14

    CPC分类号: H04L9/0891 H04L9/0894

    摘要: Digital data, such as images on a digital camera, is typically protected (e.g., encrypted and/or authenticated) based on a master key stored off the device. The original master key can be acquired in a number of different ways, including being generated by the device or by another device. A one-way, progressive series of keys are derived from the master key such that only images or data of a same session can be authenticated or decrypted for viewing, export or manipulation of the decrypted image/data. In order to decrypt images or data of a previous session on the device, the master key must be imported to the device, such as by, but not limited to, taking a picture of a representation of the key and interpreting the image to reacquire the master key.

    摘要翻译: 数字数据,例如数字照相机上的图像,通常基于存储在设备上的主密钥进行保护(例如,加密和/或认证)。 原始主密钥可以以多种不同的方式获取,包括由设备或另一设备生成。 从主密钥导出单向,渐进的一系列密钥,使得仅能够认证或解密相同会话的图像或数据以查看,导出或操纵解密的图像/数据。 为了对设备上的先前会话的图像或数据进行解密,主密钥必须被导入到设备中,例如通过但不限于获取密钥的表示的图片并解释图像来重新获取 主密钥。

    KEY TRANSPORT IN AUTHENTICATION OR CRYPTOGRAPHY
    10.
    发明申请
    KEY TRANSPORT IN AUTHENTICATION OR CRYPTOGRAPHY 有权
    关键运输在认证或CRYPTOGRAPHY

    公开(公告)号:US20100169645A1

    公开(公告)日:2010-07-01

    申请号:US12604221

    申请日:2009-10-22

    IPC分类号: H04L9/32 H04L9/06 H04L9/28

    摘要: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.

    摘要翻译: 公开了一种用于认证,加密和发送秘密通信的计算机系统,其中加密密钥与加密消息一起发送。 在一个实施例中,第一发送处理器使用数据密钥将明文消息加密为密文消息,使用密钥加密密钥加密数据密钥,并发送包括加密数据密钥和密文消息的通信。 第二接收处理器接收通信,然后使用密钥加密密钥解密加密的数据密钥,并使用数据密钥解密密文消息以恢复明文消息。