EFFICIENT KEY DERIVATION FOR END-TO-END NETWORK SECURITY WITH TRAFFIC VISIBILITY
    1.
    Patent application (status: in force)

    Publication number: US20140032905A1

    Publication date: 2014-01-30

    Application number: US13916027

    Filing date: 2013-06-12

    IPC classification: H04L29/06

    Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows:
        client_key_MSB = AES128(base_key_1, client_ID),        (1)
        client_key_LSB = AES128(base_key_2, client_ID + pad),  (2)
        client_key = client_key_MSB ∥ client_key_LSB,
    where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.
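    The derivation formula above, carried through as an added example in Go (this is not the patent's code; the abstract fixes only formulas (1) and (2)). Assumptions made here: client_ID is 8 bytes, it is zero-padded to one AES block for (1), "client_ID + pad" in (2) is client_ID followed by 8 bytes of 0xFF, and the resulting 32-byte client_key is used with AES-256-GCM. The client seals packets with only its client_key; a monitoring device holding the two base keys re-derives the key from the client_ID in the packet header and decrypts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Assumed sizes (the abstract specifies neither): 8-byte client_ID, 12-byte GCM nonce.
const (
	clientIDLen = 8
	nonceLen    = 12
)

// pad for formula (2): fills the AES block after client_ID (assumption: 0xFF bytes).
var lsbPad = bytes.Repeat([]byte{0xFF}, aes.BlockSize-clientIDLen)

// aes128Block encrypts exactly one 16-byte block under a 16-byte key (raw AES, no mode).
func aes128Block(key, block []byte) ([]byte, error) {
	if len(key) != 16 || len(block) != aes.BlockSize {
		return nil, errors.New("aes128Block: need a 16-byte key and a 16-byte block")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// DeriveClientKey computes
//   client_key_MSB = AES128(base_key_1, client_ID)        (1)
//   client_key_LSB = AES128(base_key_2, client_ID + pad)  (2)
//   client_key     = client_key_MSB || client_key_LSB
// (1) and (2) use independent keys and inputs, so (2) runs in a goroutine while (1) runs here.
func DeriveClientKey(baseKey1, baseKey2, clientID []byte) ([]byte, error) {
	if len(clientID) != clientIDLen {
		return nil, fmt.Errorf("client_ID must be %d bytes", clientIDLen)
	}
	blockMSB := make([]byte, aes.BlockSize) // client_ID, zero-padded
	copy(blockMSB, clientID)
	blockLSB := append(append([]byte{}, clientID...), lsbPad...) // client_ID || pad

	type half struct {
		out []byte
		err error
	}
	lsbCh := make(chan half, 1)
	go func() {
		out, err := aes128Block(baseKey2, blockLSB)
		lsbCh <- half{out, err}
	}()
	msb, err := aes128Block(baseKey1, blockMSB)
	if err != nil {
		return nil, err
	}
	lsb := <-lsbCh
	if lsb.err != nil {
		return nil, lsb.err
	}
	return append(msb, lsb.out...), nil // 32 bytes: AES-256 key for the packet payload
}

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// SealPacket is the client side: it holds only its own client_key. The header
// (client_ID || nonce) travels in the clear so monitors can find the client_ID,
// and is authenticated as AAD so it cannot be swapped without breaking the tag.
func SealPacket(clientID, clientKey, nonce, payload []byte) ([]byte, error) {
	if len(clientID) != clientIDLen || len(nonce) != nonceLen {
		return nil, errors.New("bad header field length")
	}
	aead, err := newGCM(clientKey)
	if err != nil {
		return nil, err
	}
	hdr := append(append([]byte{}, clientID...), nonce...)
	pkt := make([]byte, 0, len(hdr)+len(payload)+aead.Overhead())
	pkt = append(pkt, hdr...)
	return aead.Seal(pkt, nonce, payload, hdr), nil
}

// OpenPacket is the monitoring-device (or server) side: with the base keys from
// the controller it re-derives the key for the client_ID in the header and decrypts.
func OpenPacket(baseKey1, baseKey2, pkt []byte) ([]byte, error) {
	const hdrLen = clientIDLen + nonceLen
	if len(pkt) < hdrLen+16 {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	key, err := DeriveClientKey(baseKey1, baseKey2, hdr[:clientIDLen])
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, hdr[clientIDLen:], pkt[hdrLen:], hdr)
}

func main() {
	// Constructed sample material; in deployment the controller generates the base
	// keys and every nonce must be unique under a given client_key.
	baseKey1, baseKey2 := []byte("base-key-1-16byt"), []byte("base-key-2-16byt")
	clientID := []byte("client-A")
	clientKey, _ := DeriveClientKey(baseKey1, baseKey2, clientID)
	pkt, _ := SealPacket(clientID, clientKey, []byte("unique-nonce"), []byte("hello from client A"))
	seen, err := OpenPacket(baseKey1, baseKey2, pkt)
	fmt.Printf("monitor sees %q (err=%v)\n", seen, err)
}
```

    Two practical checks follow from the construction: a monitor that re-derives keys from the header must reject any packet whose tag fails (an attacker can rewrite client_ID but not make the tag verify under the re-derived key), and because AES with a fixed key is a permutation, distinct client_IDs always yield distinct MSB halves, so the scheme never hands two clients the same key.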

    PRESERVING IMAGE PRIVACY WHEN MANIPULATED BY CLOUD SERVICES
    3.
    Patent application (status: in force)

    Publication number: US20130279690A1

    Publication date: 2013-10-24

    Application number: US13976298

    Filing date: 2011-12-15

    IPC classification: H04L9/28

    Abstract: An apparatus and method for preserving image privacy when manipulated by cloud services includes middleware for receiving an original image, splitting the original image into two sub-images, where the RGB pixel values of the sub-images have a bit value that is less than the RGB pixel values of the original image. The sub-images are encrypted by adding a keystream to the RGB pixel values of the sub-images. The sub-image data is transmitted to a cloud service such as a social network or photo-sharing site, which manipulates the images by resizing, cropping, filtering, or the like. The sub-image data is received by the middleware and is successfully decrypted irrespective of the manipulations performed by the cloud services. In an alternative embodiment, the blocks of the original image are permutated when encrypted, and then reverse-permutated when decrypted.

    Generation and/or reception, at least in part, of packet including encrypted payload
    4.
    Granted patent (status: in force)

    Publication number: US08281122B2

    Publication date: 2012-10-02

    Application number: US12396125

    Filing date: 2009-03-02

    IPC classification: H04L29/06

    CPC classification: H04L63/0428 H04L9/0827

    Abstract: An embodiment may include circuitry to generate, at least in part, and/or receive, at least in part, a packet. The packet may include at least one field and an encrypted payload. The at least one field may include, at least in part, a first key and/or at least one value. The first key and at least one value, as included in the at least one field, may be encrypted by a second key. The encrypted payload may be capable of being decrypted, at least in part, based, at least in part, upon the first key and/or the at least one value to yield an unencrypted payload. The unencrypted payload may include at least a portion of application layer data that is to be communicated in a secure session.

    ESTABLISHING, AT LEAST IN PART, SECURE COMMUNICATION CHANNEL BETWEEN NODES SO AS TO PERMIT INSPECTION, AT LEAST IN PART, OF ENCRYPTED COMMUNICATION CARRIED OUT, AT LEAST IN PART, BETWEEN THE NODES
    5.
    Patent application (status: in force)

    Publication number: US20110182427A1

    Publication date: 2011-07-28

    Application number: US12695853

    Filing date: 2010-01-28

    IPC classification: H04L9/14

    Abstract: An embodiment may include circuitry to establish, at least in part, a secure communication channel between, at least in part, a client in a first domain and a server in a second domain. The channel may include first and second domain sessions in the first and second domains. The circuitry may generate first and second domain session keys that may encrypt, at least in part, respectively, the first and second domain sessions. The first domain session key may be generated based upon a first domain key assigned to the first domain and a first data set associated with the first domain session. The second domain session key may be generated based upon a second domain key assigned to the second domain and a second data set associated with the second domain session.

    MEDIA ENCRYPTION BASED ON BIOMETRIC DATA
    7.
    Patent application (status: under examination, published)

    Publication number: US20140032924A1

    Publication date: 2014-01-30

    Application number: US13562046

    Filing date: 2012-07-30

    IPC classification: G06F21/00

    Abstract: Embodiments of techniques and systems for biometric-data-based media encryption are described. In embodiments, an encryption key may be created for a recipient user based at least in part on biometric data of the recipient user. This encryption key may be maintained on a key maintenance component and used by a sharing user to encrypt a media file for access by the recipient user. One or more access policies associated with the recipient user may be encrypted in the encrypted media file as well. In embodiments, the media file may be encrypted for use by multiple recipient users. When a recipient user desires to access the encrypted media file, a decryption key may be generated in real time based on contemporaneously captured biometric data and used to provide access to the encrypted media file. Other embodiments may be described and claimed.

    GENERATION AND/OR RECEPTION, AT LEAST IN PART, OF PACKET INCLUDING ENCRYPTED PAYLOAD
    8.
    Patent application (status: in force)

    Publication number: US20100223457A1

    Publication date: 2010-09-02

    Application number: US12396125

    Filing date: 2009-03-02

    IPC classification: H04L29/06 H04L9/08 H04L9/14

    CPC classification: H04L63/0428 H04L9/0827

    Abstract: An embodiment may include circuitry to generate, at least in part, and/or receive, at least in part, a packet. The packet may include at least one field and an encrypted payload. The at least one field may include, at least in part, a first key and/or at least one value. The first key and at least one value, as included in the at least one field, may be encrypted by a second key. The encrypted payload may be capable of being decrypted, at least in part, based, at least in part, upon the first key and/or the at least one value to yield an unencrypted payload. The unencrypted payload may include at least a portion of application layer data that is to be communicated in a secure session.
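    The packet structure described in entries 4 and 8 (the same application, published and then granted), built out as an added example in Go; this is not the patent's code, and the layout below is this example's assumption, since the abstract fixes only that the field carries a first key and a value encrypted under a second key, and that the payload decrypts under the first key and value. Here the "value" is the 12-byte GCM nonce for the payload, the field is AES-GCM under the second key, and the field is bound to the payload as associated data. Whoever holds the second key (the peer, or an inspection device it was shared with) recovers the per-packet first key from the field and reads the payload.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Packet layout assumed by this example:
//   field   = wrap_nonce || AES-GCM(second_key, wrap_nonce, first_key || value)
//   payload = AES-GCM(first_key, value, app_data, aad = field)
const (
	firstKeyLen  = 16 // AES-128 key carried inside the field
	valueLen     = 12 // the "value": GCM nonce for the payload
	wrapNonceLen = 12 // GCM nonce for the field itself
	gcmTagLen    = 16
	fieldLen     = wrapNonceLen + firstKeyLen + valueLen + gcmTagLen // 56 bytes
)

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// BuildPacket is the generating side: it wraps (first_key, value) under
// second_key into the field, then encrypts the application data under first_key.
func BuildPacket(secondKey, firstKey, value, wrapNonce, appData []byte) ([]byte, error) {
	if len(firstKey) != firstKeyLen || len(value) != valueLen || len(wrapNonce) != wrapNonceLen {
		return nil, errors.New("bad field component length")
	}
	outer, err := newGCM(secondKey)
	if err != nil {
		return nil, err
	}
	field := append([]byte{}, wrapNonce...)
	field = outer.Seal(field, wrapNonce, append(append([]byte{}, firstKey...), value...), nil)

	inner, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	pkt := make([]byte, 0, len(field)+len(appData)+gcmTagLen)
	pkt = append(pkt, field...)
	return inner.Seal(pkt, value, appData, field), nil // field bound as AAD
}

// ParsePacket is the receiving side: unwrap first_key and value from the field
// with second_key, then decrypt the payload with them. Any change to the field,
// the payload, or a wrong second_key fails authentication.
func ParsePacket(secondKey, pkt []byte) ([]byte, error) {
	if len(pkt) < fieldLen+gcmTagLen {
		return nil, errors.New("packet too short")
	}
	field, encPayload := pkt[:fieldLen], pkt[fieldLen:]
	outer, err := newGCM(secondKey)
	if err != nil {
		return nil, err
	}
	keyAndValue, err := outer.Open(nil, field[:wrapNonceLen], field[wrapNonceLen:], nil)
	if err != nil {
		return nil, fmt.Errorf("field: %w", err)
	}
	firstKey, value := keyAndValue[:firstKeyLen], keyAndValue[firstKeyLen:]
	inner, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	return inner.Open(nil, value, encPayload, field)
}

// randomBytes draws fresh key and nonce material; a GCM nonce must never repeat under a key.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	secondKey := []byte("shared-second-16") // constructed; in practice provisioned out of band
	pkt, err := BuildPacket(secondKey, randomBytes(firstKeyLen), randomBytes(valueLen),
		randomBytes(wrapNonceLen), []byte("GET /account HTTP/1.1"))
	if err != nil {
		panic(err)
	}
	data, err := ParsePacket(secondKey, pkt)
	fmt.Printf("%d-byte packet, %d-byte field, payload %q (err=%v)\n", len(pkt), fieldLen, data, err)
}
```

    The design point worth noting is that the second key is a long-lived secret shared with every party that is allowed to read the field, so its compromise exposes every packet's first key; the per-packet first key limits what one nonce mishap under that key can leak, but does not protect against loss of the second key.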

    Methods and systems for cryptographic access control of video
    9.
    Granted patent (status: in force)

    Publication number: US09094733B2

    Publication date: 2015-07-28

    Application number: US13977529

    Filing date: 2012-03-31

    Abstract: Cryptographic access control of multimedia video is presented. A method includes generating as metadata an access control policy (ACP) associated with video, the ACP including authorization rules and cryptographic information associated with an encryption policy; encrypting the video according to the encryption policy; and encoding the encrypted video with the authorization rules and the cryptographic information, which may be used to decrypt and render the encoded video. As an example, an authorized receiver device having credentials and/or capabilities matched to the authorization rules may extract the ACP information from the encrypted video and use it to decrypt and properly render the video. The method may further include visually encoding the encrypted video with at least portions of the authorization rules and the cryptographic information, such that the visually encoded video is renderable as the video by an authorized device, but is renderable as visually unintelligible video by an unauthorized device.

    Establishing, at least in part, secure communication channel between nodes so as to permit inspection, at least in part, of encrypted communication carried out, at least in part, between the nodes
    10.
    Granted patent (status: in force)

    Publication number: US08873746B2

    Publication date: 2014-10-28

    Application number: US12695853

    Filing date: 2010-01-28

    IPC classification: H04L29/06 H04L9/08

    Abstract: An embodiment may include circuitry to establish, at least in part, a secure communication channel between, at least in part, a client in a first domain and a server in a second domain. The channel may include first and second domain sessions in the first and second domains. The circuitry may generate first and second domain session keys that may encrypt, at least in part, respectively, the first and second domain sessions. The first domain session key may be generated based upon a first domain key assigned to the first domain and a first data set associated with the first domain session. The second domain session key may be generated based upon a second domain key assigned to the second domain and a second data set associated with the second domain session.
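    The two-domain channel of entries 5 and 10 (the same application, published and then granted), worked through as an added example in Go; this is not the patent's code. The abstract says only that each domain's session key is generated from that domain's key and a data set associated with the session, so the choices here are this example's assumptions: HMAC-SHA256 over a label and the data set as the derivation function, AES-128-GCM with the data set as associated data for the session records, and a gateway at the domain boundary that holds both domain keys and re-encrypts between the two legs. The point the example makes is the inspection boundary: a device holding the first domain key and the first session's data set reads the first leg, and nothing else.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	sessionKeyLen = 16 // AES-128 session keys (assumption)
	nonceLen      = 12 // GCM nonce prefixed to each record
)

// DeriveDomainSessionKey: session_key = HMAC-SHA256(domain_key, label || data_set)[:16].
// The data set is whatever identifies the session in that domain (endpoints,
// session number); the abstract does not fix its contents.
func DeriveDomainSessionKey(domainKey, dataSet []byte) []byte {
	mac := hmac.New(sha256.New, domainKey)
	mac.Write([]byte("domain-session-key\x00"))
	mac.Write(dataSet)
	return mac.Sum(nil)[:sessionKeyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// SealMessage encrypts one record on a domain session:
// record = nonce || AES-GCM(session_key, nonce, msg, aad = data_set).
func SealMessage(sessionKey, nonce, dataSet, msg []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, errors.New("nonce must be 12 bytes")
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, nonceLen+len(msg)+aead.Overhead())
	out = append(out, nonce...)
	return aead.Seal(out, nonce, msg, dataSet), nil
}

// OpenWithDomainKey is what a node, or an inspection device, in one domain does:
// holding that domain's key and the session's data set, it re-derives the session
// key and decrypts. A record from the other domain's session fails authentication.
func OpenWithDomainKey(domainKey, dataSet, record []byte) ([]byte, error) {
	if len(record) < nonceLen+16 {
		return nil, errors.New("record too short")
	}
	aead, err := newGCM(DeriveDomainSessionKey(domainKey, dataSet))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, record[:nonceLen], record[nonceLen:], dataSet)
}

// GatewayRelay sits at the domain boundary with both domain keys: it opens the
// first-domain record and re-seals the plaintext for the second-domain session.
func GatewayRelay(domainKey1, domainKey2, dataSet1, dataSet2, nonce2, record1 []byte) ([]byte, error) {
	pt, err := OpenWithDomainKey(domainKey1, dataSet1, record1)
	if err != nil {
		return nil, fmt.Errorf("first-domain leg: %w", err)
	}
	return SealMessage(DeriveDomainSessionKey(domainKey2, dataSet2), nonce2, dataSet2, pt)
}

func main() {
	// Constructed sample material; nonces must be unique per session key in practice.
	domainKey1, domainKey2 := []byte("domain-1-key"), []byte("domain-2-key")
	dataSet1 := []byte("client=alice;gw=gw1;session=42")
	dataSet2 := []byte("gw=gw1;server=db;session=42")

	leg1, _ := SealMessage(DeriveDomainSessionKey(domainKey1, dataSet1), []byte("leg1-nonce01"), dataSet1, []byte("SELECT 1"))
	leg2, _ := GatewayRelay(domainKey1, domainKey2, dataSet1, dataSet2, []byte("leg2-nonce01"), leg1)
	atServer, err := OpenWithDomainKey(domainKey2, dataSet2, leg2)
	fmt.Printf("server reads %q (err=%v)\n", atServer, err)
	_, err = OpenWithDomainKey(domainKey1, dataSet1, leg2)
	fmt.Printf("domain-1 inspector on the domain-2 leg: err=%v\n", err)
}
```

    The gateway is the trust anchor of this construction: it sees plaintext, so the channel is end-to-end only up to the domain boundary, and an inspector's reach is bounded by which domain key it holds rather than by which network segment it sits on.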