    1. Enhanced Secure Virtual Machine Provisioning
    Invention patent application; status: pending (published)

    Publication number: US20150134965A1

    Publication date: 2015-05-14

    Application number: US14399393

    Filing date: 2012-05-24

    IPC classes: H04L29/06 G06F9/455

    Abstract: In a method of provisioning a virtual machine (VM) to a computing network (401), a VM manager or provisioner (403, 408) encrypts a virtual machine using a key bound to at least one security profile indicative of one or more security requirements that a computing resource (402) of the computing network (401) must satisfy in order to be able to decrypt the VM. A key for use in decrypting the VM has previously been sealed into multiple (and preferably into all) computing resources (402) in the network into which the VM is to be provisioned, and has been sealed such that a computing resource can obtain the key only if it is in a state that satisfies the security profile, or at least one security profile, to which the key is bound. The VM manager or provisioner (403, 408) creates a VM launch package that includes the encrypted VM and that also includes a key that may be used in decrypting the encrypted VM. When the VM launch package is received at a computing resource (402), the computing resource will not be able to recover the key for use in decrypting the VM—and hence will be unable to decrypt the VM—unless the computing resource satisfies the security requirements indicated by the security profile. The VM manager or provisioner can thus be sure that the VM will not be launched on a computing resource that does not meet the desired security profile. Alternatively, the VM manager or provisioner (403, 408) may send a token corresponding to a desired security profile with an encrypted VM. A computing resource uses the token to obtain a key to decrypt the VM, but the computing resource will not be able to recover the key unless the computing resource satisfies the security requirements indicated by the token.

    2. Secure Virtual Machine Provisioning
    Invention patent application; status: granted, in force

    Publication number: US20140032920A1

    Publication date: 2014-01-30

    Application number: US14111212

    Filing date: 2011-04-26

    IPC classes: H04L9/00 H04L9/32 H04L9/08

    Abstract: A device and method in a provisioning unit for secure provisioning of a virtual machine on a target platform having a specific configuration are provided. The method comprises: receiving (404) a public binding key from the target platform (107), the public binding key being bound to the specific configuration; encrypting (410) a virtual machine provisioning command using the public binding key; and sending (412) the encrypted virtual machine provisioning command to the target platform (107). The provided device and method enable secure provisioning of a virtual machine on a target platform.

    4. RADIO ACCESS SYSTEM ATTACHMENT
    Invention patent application; status: pending (published)

    Publication number: US20090299836A1

    Publication date: 2009-12-03

    Application number: US12295892

    Filing date: 2006-04-04

    IPC classes: G06Q30/00

    Abstract: The present invention aims at an effective approach to radio access system attachment in a heterogeneous communication network environment. According to the present invention, cooperation between different radio access systems is executed to advertise one radio access system in another. After receipt of a secure advertisement from a control unit of the advertising radio access system, a broadcasting unit of the receiving radio access system broadcasts advertisement information in relation to the secure advertisement in the communication network. Therefore, according to the present invention, a user terminal may at any time receive broadcast advertisement information while establishing a trusted relationship with the advertiser.

    5. Virtual Machine Management Using a Downloadable Subscriber Identity Module
    Invention patent application; status: granted, in force

    Publication number: US20140373012A1

    Publication date: 2014-12-18

    Application number: US14369455

    Filing date: 2011-12-29

    IPC classes: G06F9/455 H04W4/00

    Abstract: A method is presented of establishing communications with a Virtual Machine, VM, in a virtualised computing environment using a 3GPP communications network. The method includes establishing a Machine-to-Machine Equipment Platform, M2MEP, which comprises a Communications Module, CM, providing an end-point of a communication channel between the 3GPP network and the VM. A virtual Machine-to-Machine Equipment is established that comprises a VM running on the M2MEP and a downloadable Subscriber Identity Module associated with the CM. The Subscriber Identity Module includes security data and functions for enabling access via the 3GPP network. The CM utilises data in the Subscriber Identity Module for controlling communication over the communication channel between the VM and the 3GPP network.

    6. Method for Detection of Persistent Malware on a Network Node
    Invention patent application; status: granted, in force

    Publication number: US20150180898A1

    Publication date: 2015-06-25

    Application number: US14363484

    Filing date: 2012-04-02

    IPC classes: H04L29/06 H04L12/26

    Abstract: The present invention relates to methods and devices for detecting persistency of a first network node (12). In a first aspect of the invention, a method is provided comprising the steps of monitoring (S101), during a specified observation period, whether the first network node has established a connection to a second network node (13), and determining (S102) a total number of sessions of connectivity occurring during said specified observation period in which the first network node connects to the second network node. Further, the method comprises the steps of determining (S103), from the total number of sessions, a number of sessions comprising at least one communication flow between the first network node and the second network node, and determining (S104) inter-session persistence of the first network node on the basis of the total number of sessions and the number of sessions comprising at least one communication flow.

    7. Method for detection of persistent malware on a network node
    Granted invention patent; status: in force

    Publication number: US09380071B2

    Publication date: 2016-06-28

    Application number: US14363484

    Filing date: 2012-04-02

    Abstract: The present invention relates to methods and devices for detecting persistency of a first network node (12). In a first aspect of the invention, a method is provided comprising the steps of monitoring (S101), during a specified observation period, whether the first network node has established a connection to a second network node (13), and determining (S102) a total number of sessions of connectivity occurring during said specified observation period in which the first network node connects to the second network node. Further, the method comprises the steps of determining (S103), from the total number of sessions, a number of sessions comprising at least one communication flow between the first network node and the second network node, and determining (S104) inter-session persistence of the first network node on the basis of the total number of sessions and the number of sessions comprising at least one communication flow.

    8. SYSTEMS AND METHOD FOR PROVIDING TRUSTED SYSTEM FUNCTIONALITIES IN A CLUSTER BASED SYSTEM
    Invention patent application; status: pending (published)

    Publication number: US20110138475A1

    Publication date: 2011-06-09

    Application number: US13056750

    Filing date: 2008-07-30

    IPC classes: G06F21/00

    Abstract: A framework for providing cluster-wide cryptographic operations, including signing, sealing, binding, unsealing, and unbinding. The framework includes an interface module (a.k.a. HAT agent) on each of a plurality of nodes in the cluster. Each HAT agent is configured to respond to an application's request for a cluster crypto operation by communicating with other HAT agents in the cluster and utilizing a trusted platform module local to the node where the HAT agent resides.

    9. Virtual machine management using a downloadable subscriber identity module
    Granted invention patent; status: in force

    Publication number: US09569237B2

    Publication date: 2017-02-14

    Application number: US14369455

    Filing date: 2011-12-29

    Abstract: A method is presented of establishing communications with a Virtual Machine, VM, in a virtualized computing environment using a 3GPP communications network. The method includes establishing a Machine-to-Machine Equipment Platform, M2MEP, which comprises a Communications Module, CM, providing an end-point of a communication channel between the 3GPP network and the VM. A virtual Machine-to-Machine Equipment is established that comprises a VM running on the M2MEP and a downloadable Subscriber Identity Module associated with the CM. The Subscriber Identity Module includes security data and functions for enabling access via the 3GPP network. The CM utilizes data in the Subscriber Identity Module for controlling communication over the communication channel between the VM and the 3GPP network.

    10. System and method of providing denial of service protection in a telecommunication system
    Granted invention patent; status: in force

    Publication number: US08934419B2

    Publication date: 2015-01-13

    Application number: US12668935

    Filing date: 2007-07-13

    Abstract: A system, method, and node for protecting a telecommunication system against a mobile and multi-homed attacker, MMA (10). The telecommunication system includes one or more correspondent nodes, CN, (102, 104) for transferring data packets. A mobile and multi-homed network node, MMN, (108) associated with the MMA sends data packets to and receives data packets from the CN. An access router, AR, (106) transferring data between the MMN and the CN performs a reachability test with the MMN to determine if the MMN is still reachable. If the MMN is not reachable by the AR, the AR sends a message to the CN to flush cached information associated with the MMN. The CN, upon receiving the message to flush cached information, flushes binding cache entries associated with the MMN from the CN.