1. Cookie-based mechanism providing lightweight authentication of layer-2 frames
    Type: Granted patent
    Status: Expired

    Publication number: US07685420B2

    Publication date: 2010-03-23

    Application number: US10939378

    Filing date: 2004-09-14

    IPC classification: H04L9/32

    Abstract: Methods and apparatus for improving the resilience of wireless packet-switched networks to Layer-2 attacks are provided via a lightweight mechanism for detecting spoofed frames. The mechanism enables a receiving node to detect spoofed frames from information contained in cookies sent with frames. A first cookie, containing initial information, is sent to the receiving station from the transmitting node along with the first frame of a frame set. For each received frame, spoofing detection includes applying a function to information received via the corresponding cookie received with the subject frame; the result of that function is compared with information received via a previous cookie. The validity of the subject frame is asserted if the result of applying the function to the information in the subject cookie correlates with the previous or initial information received in a previous or the first cookie, respectively. An exemplary implementation uses a one-way hashing function. Advantages are derived from the low computational overhead of spoofed-frame detection and from the ability of the proposed solution to co-exist with other standardized security mechanisms.


2. Cookie-based mechanism providing lightweight authentication of layer-2 frames
    Type: Patent application
    Status: Expired

    Publication number: US20060056402A1

    Publication date: 2006-03-16

    Application number: US10939378

    Filing date: 2004-09-14

    IPC classification: H04L12/56

    Abstract: Methods and apparatus for improving the resilience of wireless packet-switched networks to Layer-2 attacks are provided via a lightweight mechanism for detecting spoofed frames. The mechanism enables a receiving node to detect spoofed frames from information contained in cookies sent with frames. A first cookie, containing initial information, is sent to the receiving station from the transmitting node along with the first frame of a frame set. For each received frame, spoofing detection includes applying a function to information received via the corresponding cookie received with the subject frame; the result of that function is compared with information received via a previous cookie. The validity of the subject frame is asserted if the result of applying the function to the information in the subject cookie correlates with the previous or initial information received in a previous or the first cookie, respectively. An exemplary implementation uses a one-way hashing function. Advantages are derived from the low computational overhead of spoofed-frame detection and from the ability of the proposed solution to co-exist with other standardized security mechanisms.

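The one-way-hash variant described in the abstracts of entries 1 and 2 is a reversed hash chain: the sender computes the chain from a secret seed and discloses it from the anchor outward, so each new cookie hashes to the one before it. The following is an added worked example written for this page, not the patent's implementation; the frame fields, the 16-byte cookie length, the loss-tolerance window and the test addresses are assumptions.

```python
"""Hash-chain frame cookies, as a worked example of the one-way-hash variant
described in entries 1 and 2. Illustrative code written for this page, not the
patent's implementation; the frame fields, cookie length and loss window are
assumptions."""
import hashlib
import os
from dataclasses import dataclass

COOKIE_LEN = 16  # bytes of SHA-256 output kept per cookie (assumption)


def h(x: bytes) -> bytes:
    """The one-way function the receiver applies to each cookie."""
    return hashlib.sha256(x).digest()[:COOKIE_LEN]


@dataclass(frozen=True)
class Frame:
    src: str        # claimed layer-2 source address
    seq: int        # position within the frame set
    payload: bytes
    cookie: bytes   # cookie carried with the frame


class Sender:
    """Builds the chain c[n] (random seed) -> c[n-1] = h(c[n]) -> ... -> c[0]
    and discloses it in the opposite order, c[0] first, so that each new
    cookie hashes to the previous one."""

    def __init__(self, src: str, n_frames: int):
        self.src = src
        chain = [os.urandom(COOKIE_LEN)]
        for _ in range(n_frames - 1):
            chain.append(h(chain[-1]))
        chain.reverse()                 # chain[0] is the anchor sent with frame 0
        self._chain = chain
        self._next = 0

    def send(self, payload: bytes) -> Frame:
        if self._next >= len(self._chain):
            raise RuntimeError("frame set exhausted; start a new chain")
        i, self._next = self._next, self._next + 1
        return Frame(self.src, i, payload, self._chain[i])


class Receiver:
    """Keeps the last accepted cookie per source. A frame is accepted if
    hashing its cookie up to loss_window+1 times reaches that cookie, so a few
    dropped frames do not desynchronise the chain."""

    def __init__(self, loss_window: int = 3):
        self.loss_window = loss_window
        self._last: dict[str, bytes] = {}

    def accept(self, frame: Frame) -> bool:
        last = self._last.get(frame.src)
        if last is None:
            # First frame of a set: nothing to compare against yet. The anchor
            # is only as trustworthy as the path it arrived on (e.g. a
            # protected association exchange); a chain cannot authenticate
            # its own anchor.
            if frame.seq != 0:
                return False
            self._last[frame.src] = frame.cookie
            return True
        x = frame.cookie
        for _ in range(self.loss_window + 1):
            x = h(x)
            if x == last:
                self._last[frame.src] = frame.cookie
                return True
        return False   # replay, stale cookie, random forgery, or too many losses


def demo() -> dict:
    """Runs a constructed frame set through the receiver and returns each verdict."""
    src = "02:00:00:00:00:01"           # locally administered test address (assumption)
    tx, rx = Sender(src, n_frames=13), Receiver(loss_window=3)
    frames = [tx.send(f"data-{i}".encode()) for i in range(13)]
    out = {}
    out["in_order"] = [rx.accept(f) for f in frames[:3]]             # [True, True, True]
    out["after_loss"] = rx.accept(frames[5])                          # frames 3,4 lost: True
    out["replay"] = rx.accept(frames[5])                              # same cookie again: False
    out["forged"] = rx.accept(Frame(src, 6, b"evil", os.urandom(COOKIE_LEN)))  # False
    out["out_of_window"] = rx.accept(frames[10])                      # 4 lost > window: False
    out["resync"] = [rx.accept(frames[9]), rx.accept(frames[10])]     # [True, True]
    return out
```

Two caveats the example makes visible. The cookie authenticates continuity of the chain, not the frame content: an attacker who jams a frame and retransmits its captured cookie with a different payload is not detected, which is why the abstract positions the mechanism as co-existing with other standardized protections rather than replacing them. And the anchor is accepted on trust; if the first cookie can be injected by the attacker, the whole chain is theirs.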

3. Mechanism for detection of attacks based on impersonation in a wireless network
    Type: Patent application
    Status: In force

    Publication number: US20050144544A1

    Publication date: 2005-06-30

    Application number: US10731029

    Filing date: 2003-12-10

    Abstract: An impersonation detection system for a wireless node of a wireless communication network is described. The system comprises an intrusion detection module for correlating the original data frames transmitted by the wireless node with incoming data frames received over the air interface. The wireless node is connected to the intrusion detection module over a secure link, for receiving a copy of the original data frames. A method for detecting impersonation-based attacks at a wireless node is also disclosed.


4. Protection for wireless devices against false access-point attacks
    Type: Patent application
    Status: In force

    Publication number: US20060274643A1

    Publication date: 2006-12-07

    Application number: US11143620

    Filing date: 2005-06-03

    IPC classification: H04J1/16 H04L12/26

    Abstract: Mechanisms and methods for providing a mobile/wireless device with protection against false access-point/base-station attacks using MAC address protection are presented. The mobile/wireless device, known as the mobile client (MC), gains access to a wireless network by discovering and selectively associating with an access point (AP). The MAC addresses of both the AP and the MC are protected during all communications between the AP and the MC in the discovery phase. This protection mitigates MAC address spoofing attacks on both the AP and the MC.


5. Identity verification for secure e-commerce transactions
    Type: Granted patent
    Status: In force

    Publication number: US08315951B2

    Publication date: 2012-11-20

    Application number: US11979304

    Filing date: 2007-11-01

    IPC classification: G06Q20/00

    Abstract: A method and apparatus are provided for authenticating an e-commerce server to a user engaging in e-commerce transactions. When the user begins an e-commerce session, the e-commerce server requests an authentication token from an authentication proxy with which it has registered. If the authentication proxy recognizes the e-commerce server, the authentication proxy generates an authentication token in the form of a simple image and sends it to the e-commerce server over a trusted path. The e-commerce server sends the authentication token to the user. The authentication proxy also sends a copy of the authentication token to the user over a second trusted path, to a second device or application accessible by the user. The user can then see that the authentication token presented by the e-commerce server matches the authentication token presented by the authentication proxy. Since the user has received the two authentication tokens over separate channels, one of which is typically secure, the user can be assured that the e-commerce server has been authenticated by the authentication proxy, and that the e-commerce server is therefore legitimate.


6. Method of authenticating a mobile network node in establishing a peer-to-peer secure context between a pair of communicating mobile network nodes
    Type: Granted patent
    Status: In force

    Publication number: US07974234B2

    Publication date: 2011-07-05

    Application number: US10970137

    Filing date: 2004-10-22

    IPC classification: H04W4/00 H04B5/00 H04M3/16

    Abstract: Methods for authenticating peer mobile network nodes in order to establish a secure peer-to-peer communications context in an ad-hoc network are presented. The methods include accessing wireless infrastructure network entities at low bandwidth and for a short duration to obtain cryptographic information regarding a peer mobile network node, for the purpose of establishing secure peer-to-peer communications with it in the ad-hoc network. Having received cryptographic information regarding a peer mobile network node, the method further includes challenging the peer node with a challenge phrase derived from the cryptographic information received, receiving a response, and establishing a secure communications context with the peer mobile network node based on the validity of the received response. Advantages are derived from addressing security threats encountered in provisioning ad-hoc networking by leveraging the wireless infrastructure network's security architecture, as deployed for example in UMTS/GSM infrastructure networks, enabling seamless mobile network node authentication through the existing UMTS and/or GSM authentication infrastructure while communicating pervasively with peer mobile network nodes in an ad-hoc network.


7. Mechanism for detection of attacks based on impersonation in a wireless network
    Type: Granted patent
    Status: In force

    Publication number: US07409715B2

    Publication date: 2008-08-05

    Application number: US10731029

    Filing date: 2003-12-10

    Abstract: An impersonation detection system for a wireless node of a wireless communication network is described. The system comprises an intrusion detection module for correlating the original data frames transmitted by the wireless node with incoming data frames received over the air interface. The wireless node is connected to the intrusion detection module over a secure link, for receiving a copy of the original data frames. A method for detecting impersonation-based attacks at a wireless node is also disclosed.

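The correlation described in the abstracts of entries 3 and 7 reduces to a set-membership check with timing: every frame the node actually transmits reaches the intrusion detection module over the secure link, so any frame heard on the air that carries the node's source address but has no secure-link twin must have come from someone else. The following is an added example written for this page, not the patent's implementation; the frame fields, the digest used for matching, the retention and grace windows and the constructed traffic are assumptions.

```python
"""Impersonation detection by correlating a node's own transmitted frames
(delivered over a secure link) with frames heard on the air interface, as a
worked example of entries 3 and 7. Illustrative code for this page, not the
patent's implementation; frame fields, digests and timing windows are
assumptions."""
import hashlib
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    kind: str      # "data", "deauth", ... (labels assumed for the example)
    seq: int
    body: bytes
    t: float       # capture timestamp in seconds

    def digest(self) -> bytes:
        # Timestamp deliberately excluded: the air copy and the secure-link
        # copy of the same frame are captured at different times.
        head = f"{self.src}|{self.dst}|{self.kind}|{self.seq}|".encode()
        return hashlib.sha256(head + self.body).digest()


class ImpersonationDetector:
    """Frames carrying the protected node's source address that were never
    handed over on the secure link are attributed to an impersonator.

    Air frames are held for grace_s before a verdict so that a secure-link copy
    arriving slightly late is not mistaken for a spoof; originals are retained
    for window_s (> grace_s) so they are still present when the verdict is made."""

    def __init__(self, node_mac: str, window_s: float = 5.0, grace_s: float = 1.0):
        if window_s <= grace_s:
            raise ValueError("originals must outlive the grace period")
        self.node_mac = node_mac
        self.window_s, self.grace_s = window_s, grace_s
        self._originals: "OrderedDict[bytes, float]" = OrderedDict()
        self._pending: list[Frame] = []

    def on_original(self, frame: Frame) -> None:
        """Copy of a frame the node really transmitted, from the secure link."""
        if frame.src != self.node_mac:
            raise ValueError("secure link should only carry the node's own frames")
        self._originals[frame.digest()] = frame.t

    def on_air(self, frame: Frame) -> None:
        """Frame sniffed on the air interface; only the node's address matters."""
        if frame.src == self.node_mac:
            self._pending.append(frame)

    def flush(self, now: float) -> list:
        """Decide pending frames older than grace_s; return those flagged."""
        while self._originals:                      # drop originals past window_s
            _, t = next(iter(self._originals.items()))
            if now - t <= self.window_s:
                break
            self._originals.popitem(last=False)
        flagged, keep = [], []
        for f in self._pending:
            if now - f.t < self.grace_s:
                keep.append(f)                      # too recent to judge
            elif f.digest() not in self._originals:
                flagged.append(f)                   # our address, never sent by us
        self._pending = keep
        return flagged


def run_demo() -> list:
    """Constructed traffic: a normal data burst, a legitimate retransmission,
    an air copy overheard before its secure-link copy arrives, a frame from an
    unrelated station, and one spoofed deauthentication frame."""
    node, ap, other = "02:00:00:00:00:01", "02:00:00:00:00:ff", "02:00:00:00:00:77"
    det = ImpersonationDetector(node)

    def sent(seq: int, t: float, body: bytes) -> Frame:
        return Frame(node, ap, "data", seq, body, t)

    det.on_original(sent(1, 0.00, b"a"))
    det.on_air(sent(1, 0.05, b"a"))
    det.on_original(sent(2, 0.10, b"b"))
    det.on_air(sent(2, 0.15, b"b"))
    det.on_air(sent(2, 0.30, b"b"))                        # retransmission: still matches
    det.on_air(sent(3, 0.50, b"c"))                        # heard before the secure-link copy...
    det.on_original(sent(3, 0.55, b"c"))                   # ...which arrives 50 ms later
    det.on_air(Frame(other, ap, "data", 9, b"x", 0.60))    # another station: not our concern
    det.on_air(Frame(node, ap, "deauth", 4, b"", 0.70))    # never sent by the node
    return [(f.kind, f.seq) for f in det.flush(now=2.0)]   # [("deauth", 4)]
```

The grace period is the practical detail: without it, ordinary jitter on the secure link turns legitimate frames into alerts. Conversely, the retention window bounds memory but must exceed the grace period, or the original can expire before the air copy is judged. The detector is also blind to what it cannot hear; an impersonator on a channel the monitor is not sniffing goes unnoticed.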

8. Method of authenticating a mobile network node in establishing a peer-to-peer secure context between a pair of communicating mobile network nodes
    Type: Patent application
    Status: In force

    Publication number: US20060087999A1

    Publication date: 2006-04-27

    Application number: US10970137

    Filing date: 2004-10-22

    IPC classification: H04Q7/00

    Abstract: Methods for authenticating peer mobile network nodes in order to establish a secure peer-to-peer communications context in an ad-hoc network are presented. The methods include accessing wireless infrastructure network entities at low bandwidth and for a short duration to obtain cryptographic information regarding a peer mobile network node, for the purpose of establishing secure peer-to-peer communications with it in the ad-hoc network. Having received cryptographic information regarding a peer mobile network node, the method further includes challenging the peer node with a challenge phrase derived from the cryptographic information received, receiving a response, and establishing a secure communications context with the peer mobile network node based on the validity of the received response. Advantages are derived from addressing security threats encountered in provisioning ad-hoc networking by leveraging the wireless infrastructure network's security architecture, as deployed for example in UMTS/GSM infrastructure networks, enabling seamless mobile network node authentication through the existing UMTS and/or GSM authentication infrastructure while communicating pervasively with peer mobile network nodes in an ad-hoc network.

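The exchange described in the abstracts of entries 6 and 8 has the shape of an infrastructure-assisted challenge-response: the initiator makes one short request to the infrastructure for cryptographic material about the claimed peer, derives a challenge from it, and accepts the peer only if the response checks out. The following added example, written for this page and not the patent's implementation, models that flow after UMTS AKA authentication vectors (RAND, XRES, CK) but substitutes HMAC-SHA256 for the operator's real keyed functions; that substitution, the vector layout, the class and identifier names, and the omission of the network-authentication token (AUTN) are all assumptions.

```python
"""Peer authentication in an ad-hoc network bootstrapped from the infrastructure
network's authentication centre, as a worked example of entries 6 and 8.
Illustrative code for this page, not the patent's implementation. It follows
the shape of UMTS AKA (RAND/XRES/CK vectors) but replaces the real
key-derivation functions with HMAC-SHA256; that substitution, the vector
layout and the identifiers are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def keyed_fn(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the operator's keyed functions (assumption)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthVector:
    peer_id: str
    rand: bytes   # challenge to send to the peer
    xres: bytes   # expected response; lets the requester verify without K
    ck: bytes     # session key the peer will derive from the same RAND


class Infrastructure:
    """Operator authentication centre: holds long-term keys, never exports
    them, and answers one short request per peer with an authentication
    vector. This is the only infrastructure contact the initiator needs."""

    def __init__(self) -> None:
        self._keys: dict = {}
        self.requests = 0

    def provision(self, node_id: str, key: bytes) -> None:
        self._keys[node_id] = key

    def auth_vector(self, peer_id: str) -> AuthVector:
        self.requests += 1
        k = self._keys[peer_id]       # KeyError for an unknown subscriber
        rand = os.urandom(16)
        return AuthVector(peer_id, rand,
                          keyed_fn(k, b"RES", rand), keyed_fn(k, b"CK", rand))


class MobileNode:
    def __init__(self, node_id: str, key: bytes, infra: Infrastructure):
        self.node_id, self._key, self._infra = node_id, key, infra
        self.contexts: dict = {}   # peer_id -> session key CK

    # Responder side: message received over the ad-hoc link.
    def respond(self, initiator_id: str, rand: bytes) -> bytes:
        """RES = f_K(RAND); only a node holding K can produce it. The
        responder installs CK now but has not yet authenticated the initiator;
        the reverse run of the protocol does that."""
        self.contexts[initiator_id] = keyed_fn(self._key, b"CK", rand)
        return keyed_fn(self._key, b"RES", rand)

    # Initiator side.
    def authenticate(self, peer: "MobileNode", claimed_id: str) -> bool:
        """1. fetch a vector for claimed_id from the infrastructure (short access);
        2. challenge the peer with RAND over the ad-hoc link;
        3. accept and install CK only if RES matches XRES."""
        vec = self._infra.auth_vector(claimed_id)
        res = peer.respond(self.node_id, vec.rand)          # ad-hoc exchange
        if not hmac.compare_digest(res, vec.xres):
            return False
        self.contexts[claimed_id] = vec.ck
        return True


def demo() -> dict:
    """Two provisioned nodes authenticate each other; an impostor without B's
    key is rejected. Keys are constructed at random for the example."""
    infra = Infrastructure()
    k_a, k_b = os.urandom(32), os.urandom(32)
    infra.provision("A", k_a)
    infra.provision("B", k_b)
    a, b = MobileNode("A", k_a, infra), MobileNode("B", k_b, infra)
    mallory = MobileNode("M", os.urandom(32), infra)   # holds no key for "B"
    return {
        "a_accepts_b": a.authenticate(b, "B"),
        "b_accepts_a": b.authenticate(a, "A"),         # second run gives mutual auth
        "shared_ck": a.contexts.get("B") == b.contexts.get("A"),
        "impostor_as_b": a.authenticate(mallory, "B"), # wrong RES: rejected
        "infra_requests": infra.requests,              # one vector fetch per run
    }
```

One run authenticates one direction only; each node must initiate once for mutual authentication, as the demo does. Note what the responder cannot tell: it computes CK from any RAND it is handed, so in this stripped-down form a replayed or attacker-chosen challenge is not detected on the responder side. Real AKA closes that gap with the AUTN token (sequence number plus MAC over RAND), which is exactly the piece omitted here.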

9. Secure communication methods and systems
    Type: Patent application
    Status: In force

    Publication number: US20060020787A1

    Publication date: 2006-01-26

    Application number: US10899251

    Filing date: 2004-07-26

    IPC classification: H04L9/00

    Abstract: Methods and systems for secure communications are provided. Secure end-to-end connections are established as multiple separate secure connections, illustratively between a first system and an intermediate system and between a second system and the intermediate system. The multiple secure connections may be bound, for example by binding the Internet Protocol Security (IPsec) Security Associations (SAs) of the multiple connections, to establish the end-to-end connection. In the event of a change in operating conditions which would normally require the entire secure connection to be re-established, only one of the multiple secure connections which form the end-to-end connection is re-established. Separating end-to-end connections in this manner may reduce the processing resource requirements and latency normally associated with re-establishing secure connections.


10. Protection for wireless devices against false access-point attacks
    Type: Granted patent
    Status: In force

    Publication number: US07783756B2

    Publication date: 2010-08-24

    Application number: US11143620

    Filing date: 2005-06-03

    IPC classification: G06F15/173

    Abstract: Mechanisms and methods for providing a mobile/wireless device with protection against false access-point/base-station attacks using MAC address protection are presented. The mobile/wireless device, known as the mobile client (MC), gains access to a wireless network by discovering and selectively associating with an access point (AP). The MAC addresses of both the AP and the MC are protected during all communications between the AP and the MC in the discovery phase. This protection mitigates MAC address spoofing attacks on both the AP and the MC.
