Abstract:
Methods and apparatus are provided for authenticating a remote service to another service on behalf of a user. A user client authorizes a remote application client to perform one or more actions with a server on behalf of the user client. The user client provides one or more keys to a remote authentication service; receives an identifier of the remote application client, where the remote authentication service is remote from the server; and notifies the remote authentication service that the remote application client is authorized to obtain a response from the remote authentication service regarding a challenge from the server, where the response is based on at least one of the one or more keys stored by the remote authentication service on behalf of the user client. The remote application client provides, to the remote authentication service, a challenge received from a server that the remote application client is attempting to access for the user client together with an identifier of the user client, and receives a response to the challenge from the remote authentication service, wherein the response is based on one or more keys stored by the remote authentication service on behalf of the user client.
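The exchange described above, as an added example that is not part of the patent text: a toy model of the delegated challenge-response flow. The class names, the use of HMAC-SHA256 as the response function, and the per-user shared key between server and authentication service are all assumptions; the abstract names no particular primitive or message format.

```python
"""Added example (not the patent's own design): delegated challenge-response.
Assumptions: the user and server share a symmetric key out of band, the user
deposits the same key with the authentication service, and the response to a
server challenge is HMAC-SHA256(key, challenge)."""
import hashlib
import hmac
import secrets


class AuthService:
    """Remote authentication service: holds user keys and the list of
    application clients each user has authorized."""

    def __init__(self):
        self._keys = {}          # user_id -> key bytes
        self._authorized = {}    # user_id -> set of app_client_id

    def store_key(self, user_id, key):
        self._keys[user_id] = key

    def authorize(self, user_id, app_client_id):
        self._authorized.setdefault(user_id, set()).add(app_client_id)

    def revoke(self, user_id, app_client_id):
        self._authorized.get(user_id, set()).discard(app_client_id)

    def respond(self, app_client_id, user_id, challenge):
        """Answer a server challenge with the user's key, but only for an
        application client the user has authorized; None otherwise."""
        if app_client_id not in self._authorized.get(user_id, set()):
            return None
        key = self._keys.get(user_id)
        if key is None:
            return None
        return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Resource server: challenges whoever presents a user identifier and
    verifies the response against that user's key."""

    def __init__(self):
        self._user_keys = {}
        self._pending = {}       # user_id -> outstanding nonce

    def register_user(self, user_id, key):
        self._user_keys[user_id] = key

    def challenge(self, user_id):
        nonce = secrets.token_bytes(32)
        self._pending[user_id] = nonce
        return nonce

    def verify(self, user_id, response):
        nonce = self._pending.pop(user_id, None)
        key = self._user_keys.get(user_id)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def app_client_access(server, auth, app_client_id, user_id):
    """Remote application client: obtains the server's challenge, forwards it
    with the user identifier to the authentication service, and relays the
    response back. It never sees the user's key."""
    challenge = server.challenge(user_id)
    response = auth.respond(app_client_id, user_id, challenge)
    return server.verify(user_id, response)


def run_flow(authorized=True):
    """Constructed scenario: one user, one server, one application client."""
    user_id, app_id = "alice", "calendar-app"
    key = secrets.token_bytes(32)
    server, auth = Server(), AuthService()
    server.register_user(user_id, key)
    auth.store_key(user_id, key)
    if authorized:
        auth.authorize(user_id, app_id)
    return app_client_access(server, auth, app_id, user_id)
```

The point to notice is that the key is held only by the server and the authentication service; the application client relays an opaque challenge and response, and revoking its authorization at the authentication service stops it immediately. A production design would also bind the server identity and the application client identifier into the MAC input so that a response cannot be redirected to a different server; the abstract does not specify this and the toy above omits it.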
Abstract:
A system for managing security keys in a wireless network includes a manufacturer certification authority (MCA) for providing a signed digital MCA certificate for installation into a new network element (NE) at the manufacturer's facility prior to the new NE being installed and initialized in the network. The MCA also provides a source of trusted authority for authenticating legacy NEs in the network. The system includes a service provider certification authority for managing certificates and files used by the NEs to communicate securely within the network, a signing server for providing signing services to NEs for authentication, an element manager (EM) for providing security key and digital certificate management, and a management agent (MA) for providing proxy functionality of the EM security key services to NEs not directly connected to the EM.
Abstract:
A method and apparatus for defending against a Denial of Service attack wherein a target victim of an attack has recognized the existence of an attack and identified its source. The carrier network which provides service to the victim automatically receives one or more IP (Internet Protocol) source/destination address pairs from the victim, and then limits (e.g., blocks) the transmission of packets from the identified source address to the identified destination address. The carrier may implement this filtering capability as a stand-alone box included in the network, or as a line card incorporated into otherwise conventional network elements already present in the network. The source/destination address pairs to be blocked may be advantageously communicated from the victim with use of security signatures and with use of redundant connections from the victim to the carrier network to ensure receipt even under congested network conditions.
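The victim-to-carrier signalling described above, as an added example that is not the patent's own design: the victim signs a list of source/destination pairs with a key it shares with the carrier, and the carrier verifies the signature, tolerates the same request arriving twice over redundant links, and refuses to block traffic to addresses the victim does not own. HMAC-SHA256, the JSON message layout, the sequence number and the prefix ownership check are assumptions added here.

```python
"""Added example (not from the patent): signed filter requests from a DoS
victim to its carrier. Assumptions: a pre-provisioned HMAC-SHA256 key per
victim, a monotonically increasing sequence number per victim, and a list of
the victim's own prefixes registered at the carrier."""
import hashlib
import hmac
import ipaddress
import json


def _mac(key, body):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_request(victim_id, key, seq, pairs):
    """Victim side: build a signed request listing (src, dst) pairs to block."""
    body = {"victim": victim_id, "seq": seq, "pairs": [list(p) for p in pairs]}
    return {"body": body, "sig": _mac(key, body)}


class CarrierFilter:
    """Carrier side: control plane (accept_request) and data plane (forward)."""

    def __init__(self):
        self._victims = {}     # victim_id -> (key, [ip_network, ...])
        self._last_seq = {}    # victim_id -> highest sequence number applied
        self._blocked = set()  # (src, dst) string pairs being dropped

    def register_victim(self, victim_id, key, prefixes):
        nets = [ipaddress.ip_network(p) for p in prefixes]
        self._victims[victim_id] = (key, nets)

    def accept_request(self, msg):
        """True if the request was authenticated and applied (or is a duplicate
        of one already applied, e.g. via the redundant link); False otherwise."""
        body = msg.get("body", {})
        victim = self._victims.get(body.get("victim"))
        if victim is None:
            return False
        key, prefixes = victim
        if not hmac.compare_digest(_mac(key, body), msg.get("sig", "")):
            return False                       # forged or tampered request
        seq = body.get("seq", -1)
        last = self._last_seq.get(body["victim"], -1)
        if seq < last:
            return False                       # stale or replayed request
        if seq == last:
            return True                        # duplicate delivery, already applied
        try:
            pairs = [(ipaddress.ip_address(s), ipaddress.ip_address(d))
                     for s, d in body["pairs"]]
        except (ValueError, TypeError):
            return False
        # A victim may only ask the carrier to drop traffic aimed at itself.
        if not all(any(dst in net for net in prefixes) for _, dst in pairs):
            return False
        for src, dst in pairs:
            self._blocked.add((str(src), str(dst)))
        self._last_seq[body["victim"]] = seq
        return True

    def forward(self, src, dst):
        """Data plane: True if the packet passes, False if it is dropped."""
        return (src, dst) not in self._blocked
```

Two checks matter here beyond the signature itself: without the sequence number the redundant paths would re-apply old requests (including ones the victim has since withdrawn), and without the prefix check a compromised victim could ask the carrier to black-hole someone else's traffic.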
Abstract:
Disclosed is a method and apparatus for filtering received data packets. A hierarchical tree is maintained. The tree includes nodes organized in a plurality of levels. Each level above a root node of the tree has one or more of the nodes, with each of the one or more of the nodes corresponding to a particular value of a segment of an Internet Protocol (IP) address. The segment is the same for each node of a particular level of the tree. Each node at a particular level of the tree stores a number representative of the number of received packets having the same value for the segment of the IP address associated with the particular level. Some of the received data packets are filtered out based on the hierarchical tree.
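The tree described above, as an added example that is not the patent's own code: each level of the tree corresponds to one octet of the IPv4 source address, so a node at level k holds the count of received packets sharing a /8k prefix. The drop rule used here (drop once any prefix on the address's path exceeds a per-level threshold) and the threshold values are assumptions; the abstract only says packets are filtered "based on the hierarchical tree".

```python
"""Added example (not from the patent): an octet-level hierarchical tree that
counts received IPv4 packets per prefix and drops packets whose prefix at any
level has exceeded a per-level threshold. Thresholds are assumptions."""
import ipaddress


class Node:
    __slots__ = ("count", "children")

    def __init__(self):
        self.count = 0       # packets seen whose address shares this prefix
        self.children = {}   # next octet value -> Node


class OctetTree:
    """Level 1 nodes are keyed by the first octet (/8 prefixes), level 2 by
    the second octet (/16), level 3 by the third (/24), level 4 by the host."""

    def __init__(self):
        self.root = Node()

    def record(self, ip):
        """Count one received packet from `ip`; return the per-level counts
        [/8, /16, /24, /32] along its path after the update."""
        octets = ipaddress.IPv4Address(ip).packed
        node = self.root
        node.count += 1
        counts = []
        for octet in octets:
            node = node.children.setdefault(octet, Node())
            node.count += 1
            counts.append(node.count)
        return counts


class PrefixRateFilter:
    """Drop a packet if the count at any level of its path exceeds that
    level's threshold (assumed values: /8 200, /16 100, /24 60, host 30)."""

    def __init__(self, thresholds=(200, 100, 60, 30)):
        self.thresholds = thresholds
        self.tree = OctetTree()

    def should_drop(self, src_ip):
        counts = self.tree.record(src_ip)
        return any(c > t for c, t in zip(counts, self.thresholds))


def filter_stream(src_ips, thresholds=(200, 100, 60, 30)):
    """Run a stream of source addresses through the filter; return the
    forwarded and dropped addresses in order."""
    flt = PrefixRateFilter(thresholds)
    forwarded, dropped = [], []
    for ip in src_ips:
        (dropped if flt.should_drop(ip) else forwarded).append(ip)
    return forwarded, dropped


def sample_stream():
    """Constructed traffic: 50 hosts in 10.0.0.0/24 sending one packet each,
    then a single host 10.0.1.7 sending 40 packets."""
    return [f"10.0.0.{i}" for i in range(1, 51)] + ["10.0.1.7"] * 40
```

Because counts are kept at every level, the same structure catches both a single flooding host (the /32 threshold) and a spoofed flood spread across many addresses in one network (the /24 or /16 threshold), which a per-host counter alone would miss. In a real deployment the counts would be decayed or windowed so that a prefix is not blocked forever after one burst.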
Abstract:
A method and apparatus for enhanced data storage in peer-to-peer (P2P) networks. Users subscribe to a P2P storage network that allows each user to store files on the storage network by swapping blocks of the user's files with blocks from the storage of a peer, or peers, on the network. A user desiring to utilize the storage network for a certain data block must take back an equal, or substantially equal, storage block from another peer on the network, thereby ensuring no net change, or minimal net change, in total storage across the P2P storage network. In addition, diffusion of data blocks throughout the storage network is employed, whereby individual peers swap data blocks on a random basis, thereby further enhancing the security of the swapped blocks from direct attacks.
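The swap-and-diffuse scheme described above, as an added example that is not the patent's own code: a small simulation in which offloading a block always takes an equal-sized block back, so no peer's storage usage changes, and random pairwise swaps then keep block placement drifting. The fixed block size, the in-memory location table standing in for a real lookup service, and the random partner selection are assumptions made for illustration.

```python
"""Added example (not from the patent): simulation of swap-based P2P storage.
Assumptions: fixed 64-byte blocks so every swap is byte-for-byte equal, and a
central `location` dict standing in for whatever lookup service peers use."""
import random

BLOCK_SIZE = 64  # assumed fixed block size


def pad(data):
    if len(data) > BLOCK_SIZE:
        raise ValueError("block too large")
    return data.ljust(BLOCK_SIZE, b"\0")


class Peer:
    def __init__(self, name, own_blocks):
        self.name = name
        # block_id -> bytes resident here (own blocks or blocks held for others)
        self.blocks = {bid: pad(d) for bid, d in own_blocks.items()}

    def used(self):
        return sum(len(b) for b in self.blocks.values())


class StorageNetwork:
    def __init__(self, peers, seed=0):
        self.peers = {p.name: p for p in peers}
        self.rng = random.Random(seed)
        self.location = {bid: p.name for p in peers for bid in p.blocks}

    def swap(self, a, b, bid_a, bid_b):
        """Exchange one block each way; neither peer's usage changes."""
        pa, pb = self.peers[a], self.peers[b]
        da, db = pa.blocks.pop(bid_a), pb.blocks.pop(bid_b)
        pa.blocks[bid_b], pb.blocks[bid_a] = db, da
        self.location[bid_a], self.location[bid_b] = b, a

    def offload(self, owner, bid):
        """A peer wanting remote storage for `bid` hands it to a random peer
        and must take back one of that peer's blocks in return."""
        if self.location[bid] != owner:
            raise ValueError("block is not resident on its owner")
        candidates = [n for n, p in self.peers.items() if n != owner and p.blocks]
        partner = self.rng.choice(candidates)
        foreign = self.rng.choice(sorted(self.peers[partner].blocks))
        self.swap(owner, partner, bid, foreign)
        return partner

    def diffuse(self, rounds):
        """Random pairwise swaps so that block placement keeps changing."""
        names = sorted(self.peers)
        for _ in range(rounds):
            a, b = self.rng.sample(names, 2)
            if not self.peers[a].blocks or not self.peers[b].blocks:
                continue
            self.swap(a, b,
                      self.rng.choice(sorted(self.peers[a].blocks)),
                      self.rng.choice(sorted(self.peers[b].blocks)))

    def fetch(self, bid):
        return self.peers[self.location[bid]].blocks[bid]

    def usage(self):
        return {n: p.used() for n, p in self.peers.items()}


def demo(seed=0):
    """Constructed scenario: three peers with four blocks each. Returns usage
    before and after, whether every block is still retrievable intact, and how
    many blocks ended up away from their original peer."""
    originals = {f"{p}-{i}": f"{p} block {i}".encode() for p in "abc" for i in range(4)}
    peers = [Peer(p, {k: v for k, v in originals.items() if k.startswith(p)}) for p in "abc"]
    net = StorageNetwork(peers, seed=seed)
    before = net.usage()
    net.offload("a", "a-0")
    net.diffuse(50)
    intact = all(net.fetch(k) == pad(v) for k, v in originals.items())
    moved = sum(1 for k in originals if net.location[k] != k[0])
    return before, net.usage(), intact, moved
```

The invariant the abstract relies on is visible in `swap`: bytes only ever trade places, so the total and per-peer storage are constant. Note that diffusion moves blocks but does not hide their contents from whichever peer currently holds them; the owner should encrypt a block before it is ever offloaded, which the abstract does not address and the simulation leaves out.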