公开(公告)号：US20090164783A1

公开(公告)日：2009-06-25

申请号：US11961542

申请日：2007-12-20

申请人： John Solis ,  Kari Timo Juhani Kostiainen ,  Philip Ginzboorg ,  Nadarajah Asokan ,  Joerg Ott ,  Cheng Luo

发明人： John Solis ,  Kari Timo Juhani Kostiainen ,  Philip Ginzboorg ,  Nadarajah Asokan ,  Joerg Ott ,  Cheng Luo

IPC分类号： H04L9/00

CPC分类号： H04L9/3236 ,  H04L2209/80

摘要： An apparatus for authentication of fragments using hash trees may include a processor. The processor may be configured to provide one or more data fragments and a hash tree representing the one or more fragments, send at least one first fragment accompanied by any nodes of the hash tree necessary to authenticate the one or more first sent fragments, and send one or more subsequent fragments accompanied by only some, but not all, of the nodes of the hash tree necessary to authenticate the one or more subsequent fragments with the other nodes that are not sent but are necessary for authentication having been previously sent in conjunction with a prior fragment.

摘要翻译： 用于使用散列树验证片段的装置可以包括处理器。 处理器可以被配置为提供表示一个或多个片段的一个或多个数据片段和散列树，发送伴随着认证一个或多个第一发送片段所需的散列树的任何节点的至少一个第一片段，并发送 一个或多个随后的片段仅伴随着一些但不是全部的散列树节点，用于认证一个或多个后续片段与其他节点不被发送，但是先前已经与 先前的片段。

公开(公告)号：US08352737B2

公开(公告)日：2013-01-08

申请号：US11961542

申请日：2007-12-20

申请人： John Solis ,  Kari Timo Juhani Kostiainen ,  Philip Ginzboorg ,  Nadarajah Asokan ,  Joerg Ott ,  Cheng Luo

发明人： John Solis ,  Kari Timo Juhani Kostiainen ,  Philip Ginzboorg ,  Nadarajah Asokan ,  Joerg Ott ,  Cheng Luo

IPC分类号： H04L29/06

CPC分类号： H04L9/3236 ,  H04L2209/80

摘要： An apparatus for authentication of fragments using hash trees may include a processor. The processor may be configured to provide one or more data fragments and a hash tree representing the one or more fragments, send at least one first fragment accompanied by any nodes of the hash tree necessary to authenticate the one or more first sent fragments, and send one or more subsequent fragments accompanied by only some, but not all, of the nodes of the hash tree necessary to authenticate the one or more subsequent fragments with the other nodes that are not sent but are necessary for authentication having been previously sent in conjunction with a prior fragment.

摘要翻译： 用于使用散列树验证片段的装置可以包括处理器。 处理器可以被配置为提供表示一个或多个片段的一个或多个数据片段和散列树，发送伴随着认证一个或多个第一发送片段所需的散列树的任何节点的至少一个第一片段，并发送 一个或多个随后的片段仅伴随着一些但不是全部的散列树节点，用于认证一个或多个后续片段与其他节点不被发送，但是先前已经与 先前的片段。

公开(公告)号：US07913086B2

公开(公告)日：2011-03-22

申请号：US11812635

申请日：2007-06-20

申请人： Kari Timo Juhani Kostiainen ,  Nadarajah Asokan

发明人： Kari Timo Juhani Kostiainen ,  Nadarajah Asokan

IPC分类号： H04L29/06

CPC分类号： H04L63/123 ,  G06F21/57 ,  H04L9/0877 ,  H04L9/3234

摘要： The invention relates to a method for remote attestation. In the method is created a first asymmetric key pair in a trusted platform module in an electronic device. A first public key and software platform state information are certified with an attestation identity key associated with the trusted platform module to produce a first certificate. A second asymmetric key pair is produced in an application within the electronic device. The second public key is certified with said first secret key to produce a second certificate. A message is signed with the second secret key to provide a message signature in the first electronic device. The message and the message signature, software platform state information, the first certificate and the second certificate are sent to a second electronic device.

摘要翻译： 本发明涉及一种用于远程认证的方法。 在该方法中，在电子设备中的可信平台模块中创建第一非对称密钥对。 第一个公钥和软件平台状态信息通过与可信平台模块相关联的认证身份密钥进行认证，以生成第一个证书。 在电子设备内的应用中产生第二非对称密钥对。 第二个公钥通过第一个密钥进行认证，产生第二个证书。 用第二密钥签名消息以在第一电子设备中提供消息签名。 将消息和消息签名，软件平台状态信息，第一证书和第二证书发送到第二电子设备。

公开(公告)号：US20120239936A1

公开(公告)日：2012-09-20

申请号：US13513662

申请日：2009-12-18

申请人： Silke Holtmanns ,  Nadarajah Asokan ,  Kari Timo Juhani Kostiainen

发明人： Silke Holtmanns ,  Nadarajah Asokan ,  Kari Timo Juhani Kostiainen

IPC分类号： G06F21/00 ,  H04L9/32 ,  H04L9/30

CPC分类号： H04L9/3242 ,  H04L9/3213 ,  H04L9/3226 ,  H04L9/3263 ,  H04L2209/76 ,  H04W12/0023 ,  H04W12/00403 ,  H04W12/04

摘要： Methods and apparatus, including computer program products, are provided for credential transfer. In one aspect there is provided a method. The method may include receiving, at a first device, an authorization token; determining, at the first device, a delegation token, one or more credentials, and metadata; and providing, by the first device to a second device, the delegation token, the one or more credentials, and the metadata. Related apparatus, systems, methods, and articles are also described.

摘要翻译： 提供方法和设备，包括计算机程序产品，用于凭证转移。 在一个方面，提供了一种方法。 该方法可以包括在第一设备处接收授权令牌; 在第一设备处确定委托令牌，一个或多个凭证和元数据; 以及由第一设备向第二设备提供委托令牌，一个或多个凭证和元数据。 还描述了相关装置，系统，方法和制品。

公开(公告)号：US20120324214A1

公开(公告)日：2012-12-20

申请号：US13579013

申请日：2011-02-16

申请人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Kari Timo Juhani Kostiainen

发明人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Kari Timo Juhani Kostiainen

IPC分类号： G06F21/00

CPC分类号： G06F21/57 ,  H04L9/3234 ,  H04L9/3247 ,  H04L9/3271

摘要： The exemplary embodiments or the invention provide at least a method, apparatus, and program of computer instructions to perform operations including receiving a challenge from a prover device, reading and saving an old value of a selected platform configuration register, obtaining at least one measurement or property and forming a new platform configuration register value, where the forming includes calculating a cryptographic hash over the old value of the platform configuration register and the obtained at least one measurement or property, triggering, with the trusted software, an attestation by sending a challenge to a trusted platform module/mobile platform module, and sending by the prover device a device certificate, attestation, at least one measurement or property, and old platform configuration register value to the verifier. Further, the exemplary embodiments or the invention teach sending a challenge to a trusted software of a prover device, and receiving by the verifier device a device certificate, attestation, at least one measurement or property, and an old platform configuration register value from the prover device, checking by the verifier device that extending the old platform configuration register value with the at least one measurement or property results in a new platform configuration register value that has been attested, and using the new platform configuration register value in attestation of the prover device.

摘要翻译： 示例性实施例或本发明提供至少一种计算机指令的方法，装置和程序，以执行操作，包括从证明者设备接收挑战，读取和保存所选择的平台配置寄存器的旧值，获得至少一个测量或 属性并形成新的平台配置寄存器值，其中形成包括计算平台配置寄存器的旧值和所获得的至少一个测量或属性的加密散列，通过发送挑战触发与可信软件的认证 到可信任的平台模块/移动平台模块，并且由验证者设备向验证者发送设备证书，认证，至少一个测量或属性以及旧平台配置寄存器值。 此外，示例性实施例或本发明教导了向验证器设备的可信软件发送挑战，并且由验证器设备从验证器接收设备证书，认证，至少一个测量或属性以及旧平台配置寄存器值 设备，由验证者设备检查扩展旧的平台配置寄存器值与至少一个测量或属性导致已经被证明的新的平台配置寄存器值，并且使用新的平台配置寄存器值来证明证明器设备 。

公开(公告)号：US20080320308A1

公开(公告)日：2008-12-25

申请号：US11812635

申请日：2007-06-20

申请人： Kari Timo Juhani Kostiainen ,  Nadarajah Asokan

发明人： Kari Timo Juhani Kostiainen ,  Nadarajah Asokan

IPC分类号： H04L9/32 ,  H04L9/30

CPC分类号： H04L63/123 ,  G06F21/57 ,  H04L9/0877 ,  H04L9/3234

摘要： The invention relates to a method for remote attestation. In the method is created a first asymmetric key pair in a trusted platform module in an electronic device. A first public key and software platform state information are certified with an attestation identity key associated with the trusted platform module to produce a first certificate. A second asymmetric key pair is produced in an application within the electronic device. The second public key is certified with said first secret key to produce a second certificate. A message is signed with the second secret key to provide a message signature in the first electronic device. The message and the message signature, software platform state information, the first certificate and the second certificate are sent to a second electronic device.

摘要翻译： 本发明涉及一种用于远程认证的方法。 在该方法中，在电子设备中的可信平台模块中创建第一非对称密钥对。 第一个公钥和软件平台状态信息通过与可信平台模块相关联的认证身份密钥进行认证，以生成第一个证书。 在电子设备内的应用中产生第二非对称密钥对。 第二个公钥通过第一个密钥进行认证，产生第二个证书。 用第二密钥签名消息以在第一电子设备中提供消息签名。 将消息和消息签名，软件平台状态信息，第一证书和第二证书发送到第二电子设备。

公开(公告)号：US09300641B2

公开(公告)日：2016-03-29

申请号：US11352058

申请日：2006-02-10

申请人： Pekka Laitinen ,  Philip Ginzboorg ,  Nadarajah Asokan ,  Gabor Bajko

发明人： Pekka Laitinen ,  Philip Ginzboorg ,  Nadarajah Asokan ,  Gabor Bajko

IPC分类号： H04L29/06 ,  H04W12/04 ,  H04W12/06

CPC分类号： H04L63/0892 ,  G06F9/4416 ,  H04L9/0844 ,  H04L63/06 ,  H04L63/061 ,  H04L63/0807 ,  H04L63/083 ,  H04L63/0876 ,  H04L63/12 ,  H04L63/123 ,  H04L63/166 ,  H04L2209/80 ,  H04W12/04 ,  H04W12/06

摘要： An approach is provided for performing authentication in a communication system. In one embodiment, a key is established with a terminal in a communication network according to a key agreement protocol. The agreed key is tied to an authentication procedure to provide a security association that supports reuse of the key. A master key is generated based on the agreed key. In another embodiment, digest authentication is combined with key exchange parameters (e.g., Diffie-Hellman parameters) in the payload of the digest message, in which a key (e.g., SMEKEY or MN-AAA) is utilized as a password. In yet another embodiment, an authentication algorithm (e.g., Cellular Authentication and Voice Encryption (CAVE)) is employed with a key agreement protocol with conversion functions to support bootstrapping.

公开(公告)号：US08484466B2

公开(公告)日：2013-07-09

申请号：US11575967

申请日：2006-11-16

申请人： Janne Marin ,  Kari Kostiainen ,  Nadarajah Asokan ,  Seamus Moloney ,  Philip Ginzboorg ,  Javier Lafuente

发明人： Janne Marin ,  Kari Kostiainen ,  Nadarajah Asokan ,  Seamus Moloney ,  Philip Ginzboorg ,  Javier Lafuente

IPC分类号： H04L29/06

CPC分类号： H04L9/0841 ,  H04L63/061 ,  H04L2209/80 ,  H04W12/04 ,  H04W84/12 ,  H04W84/18

摘要： A system and method for efficiently enabling local security connectivity between electronic devices over multiple bearers. Electronic devices are configured to advertise, over each bearer, their respective configuration parameters for each bearer. After a connection has been established between the electronic devices over a first bearer, the two electronic devices use the first bearer to establish connections over the other bearers using the configuration parameters contained in the advertisements and advertised over the first bearer. Shared keys are established for the other bearers either using keys derived from the first shared key or by using the first secure connection as an out-of-band channel. The present invention also provides for the creation of an ad hoc WLAN connection once a Bluetooth connection has been established.

摘要翻译： 一种用于在多个承载上有效地实现电子设备之间的本地安全连接的系统和方法。 电子设备被配置为在每个承载上通告每个承载的各自的配置参数。 在通过第一承载在电子设备之间建立连接之后，两个电子设备使用第一承载通过使用包含在广告中并通过第一承载通告的配置参数在其他承载上建立连接。 使用从第一共享密钥导出的密钥或通过使用第一安全连接作为带外信道为其他承载建立共享密钥。 一旦建立蓝牙连接，本发明还提供了创建自组织WLAN连接。

公开(公告)号：US08532304B2

公开(公告)日：2013-09-10

申请号：US11169328

申请日：2005-06-29

申请人： Nadarajah Asokan ,  Philip Ginzboorg ,  Seamus Moloney ,  Kari Ti. Kostiainen ,  Sampo Sovio ,  Jan-Erik Ekberg ,  Jari Takala

发明人： Nadarajah Asokan ,  Philip Ginzboorg ,  Seamus Moloney ,  Kari Ti. Kostiainen ,  Sampo Sovio ,  Jan-Erik Ekberg ,  Jari Takala

IPC分类号： H04L29/06

CPC分类号： H04W12/04 ,  H04L9/0838 ,  H04L9/3215 ,  H04L63/065 ,  H04L63/18 ,  H04L2209/80 ,  H04W12/06 ,  H04W48/20 ,  H04W84/12 ,  H04W88/08

摘要： Methods and systems for managing access to a wireless local area network are provided. A wireless access point (AP) may use a unified approach that utilizes an out-of-band channel to communicate authentication key and network address information to a guest device, and utilizes an in-band channel to establish communications with the guest device, and also provides support for in-band setup on all devices. The ability to use out-of-band where possible provides for an increase to security and usability, and the possibility of delegating access from one device to another. The unified approach thereby also provides easy management of guest access to the WLAN.

摘要翻译： 提供了用于管理对无线局域网的访问的方法和系统。 无线接入点（AP）可以使用利用带外信道将认证密钥和网络地址信息传送到来宾设备的统一方法，并且利用带内信道来建立与来宾设备的通信，以及 还支持所有设备上的带内设置。 在可能的情况下使用带外的能力提高了安全性和可用性，以及将访问权限从一个设备委派给另一个设备的可能性。 因此，统一的方法也可以方便地管理访客访问WLAN。

公开(公告)号：US20060251256A1

公开(公告)日：2006-11-09

申请号：US11169328

申请日：2005-06-29

申请人： Nadarajah Asokan ,  Philip Ginzboorg ,  Seamus Moloney ,  Kari Kostiainen ,  Sampo Sovio ,  Jan-Erik Ekberg ,  Jari Takala

发明人： Nadarajah Asokan ,  Philip Ginzboorg ,  Seamus Moloney ,  Kari Kostiainen ,  Sampo Sovio ,  Jan-Erik Ekberg ,  Jari Takala

IPC分类号： H04K1/00

CPC分类号： H04W12/04 ,  H04L9/0838 ,  H04L9/3215 ,  H04L63/065 ,  H04L63/18 ,  H04L2209/80 ,  H04W12/06 ,  H04W48/20 ,  H04W84/12 ,  H04W88/08

摘要： Methods and systems for managing access to a wireless local area network are provided. A wireless access point (AP) may use a unified approach that utilizes an out-of-band channel to communicate authentication key and network address information to a guest device, and utilizes an in-band channel to establish communications with the guest device, and also provides support for in-band setup on all devices. The ability to use out-of-band where possible provides for an increase to security and usability, and the possibility of delegating access from one device to another. The unified approach thereby also provides easy management of guest access to the WLAN.