Strategies for investigating and mitigating vulnerabilities caused by the acquisition of credentials
    3.
    Invention patent grant
    Status: in force

    Publication (announcement) number: US08380841B2

    Publication (announcement) date: 2013-02-19

    Application number: US11608126

    Application date: 2006-12-07

    IPC classification: G06F15/173 G06F11/00

    Abstract: A strategy is described for assessing and mitigating vulnerabilities within a data processing environment. The strategy collects access data that reflects actual log-in behavior exhibited by users in the environment. The strategy also collects rights data that reflects the rights possessed by one or more administrators within the environment. Based on the access data and rights data, the strategy identifies how a user or other entity that gains access to one part of the environment can potentially compromise additional parts of the environment. The strategy can recommend and implement steps aimed at reducing any identified vulnerabilities.

    Network accountability among autonomous systems
    4.
    Invention patent grant
    Status: in force

    Publication (announcement) number: US08205252B2

    Publication (announcement) date: 2012-06-19

    Application number: US11460929

    Application date: 2006-07-28

    IPC classification: H04L29/06

    Abstract: Accountability among Autonomous Systems (ASs) in a network ensures reliable identification of various customers within the ASs and provides defensibility against malicious customers within the ASs. In one implementation, reliable identification is achieved by implementing ingress filtering on data packets originating within individual ASs and defensibility is provided by filtering data packets on request. To facilitate on-request filtering, individual ASs are equipped with a Filter Request Server (FRS) to filter data packets from certain customers identified in a filter request. Thus, when a requesting customer makes a filter request against an offending customer, the FRS within the AS to which the offending customer belongs conducts on-request filtering and installs an on-request filter on a first-hop network infrastructure device for the offending customer. Consequently, the first-hop network infrastructure device filters any data packet sent from the offending customer to the requesting customer.

    Use of hashing in a secure boot loader
    5.
    Invention patent grant
    Status: lapsed

    Publication (announcement) number: US07676840B2

    Publication (announcement) date: 2010-03-09

    Application number: US11030825

    Application date: 2005-01-07

    IPC classification: G06F11/00

    CPC classification: G06F21/575

    Abstract: Machine instructions comprising a bootstrap code are buried within a critical component of an electronic game console where they cannot readily be accessed or modified. A preloader portion in a read only memory (ROM) is hashed by the bootstrap code and the result is compared to an expected hash value maintained in the bootstrap code. Further verification of the boot-up process is carried out by the preloader, which hashes the code in ROM to obtain a hash value for the code. The result is verified against a digital signature value that defines an expected value for this hash. Failure to obtain any expected result terminates the boot-up process. Since the bootstrap code confirms the preloader, and the preloader confirms the remainder of the code in ROM, this technique is useful for ensuring that the code used for booting up the device has not been modified or replaced.

    Manifest-based trusted agent management in a trusted operating system environment
    6.
    Invention patent grant
    Status: in force

    Publication (announcement) number: US07634661B2

    Publication (announcement) date: 2009-12-15

    Application number: US11206585

    Application date: 2005-08-18

    IPC classification: G06F12/14 H04L9/32 H04L29/06

    CPC classification: G06F21/54 G06F21/53 G06F21/57

    Abstract: Manifest-based trusted agent management in a trusted operating system environment includes receiving a request to execute a process and setting up a virtual memory space for the process. Additionally, a manifest corresponding to the process is accessed, and which of a plurality of binaries can be executed in the virtual memory space is limited based on indicators, of the binaries, that are included in the manifest.

    Transferring application secrets in a trusted operating system environment

    Publication (announcement) number: US07577840B2

    Publication (announcement) date: 2009-08-18

    Application number: US11068007

    Application date: 2005-02-28

    IPC classification: H04L9/00

    CPC classification: G06F21/57 G06F21/606

    Abstract: Transferring application secrets in a trusted operating system environment involves receiving a request to transfer application data from a source computing device to a destination computing device. A check is made as to whether the application data can be transferred to the destination computing device, and if so, whether the application data can be transferred under control of the user or a third party. If these checks succeed, a check is also made as to whether the destination computing device is a trustworthy device running known trustworthy software. Input is also received from the appropriate one of the user or third party to control transferring of the application data to the destination computing device. Furthermore, application data is stored on the source computing device in a manner that facilitates determining whether the application data can be transferred, and that facilitates transferring the application data if it can be transferred.

    System and method of inkblot authentication
    8.
    Invention patent grant
    Status: in force

    Publication (announcement) number: US07549170B2

    Publication (announcement) date: 2009-06-16

    Application number: US10427452

    Application date: 2003-04-30

    IPC classification: H04L9/32 G06F7/04

    CPC classification: G06F21/36

    Abstract: A system and method that uses authentication inkblots to help computer system users first select and later recall authentication information from high entropy information spaces. An inkblot authentication module generates authentication inkblots from authentication inkblot seeds. On request, a security authority generates, stores and supplies an authentication inkblot seed set for a user. In response to an authentication inkblot, a user inputs one or more alphanumeric characters. The responses to one or more authentication inkblots serve as authentication information. A user-computable hash of the natural language description of the authentication inkblot is utilized to speed authentication information entry and provide for compatibility with conventional password-based authentication. Authentication with an authentication information match ratio of less than 100% is possible. Authentication inkblot generation methods are disclosed, as well as a detailed inkblot authentication protocol which makes it difficult for users to opt-out of high entropy authentication information generation.

    TLS tunneling
    9.
    Invention patent grant
    Status: in force

    Publication (announcement) number: US07529933B2

    Publication (announcement) date: 2009-05-05

    Application number: US10157806

    Application date: 2002-05-30

    IPC classification: H04L9/00 H04K1/00

    Abstract: An authentication protocol can be used to establish a secure method of communication between two devices on a network. Once established, the secure communication can be used to authenticate a client through various authentication methods, providing security in environments where intermediate devices cannot be trusted, such as wireless networks, or foreign network access points. Additionally, the caching of session keys and other relevant information can enable the two securely communicating endpoints to quickly resume their communication despite interruptions, such as when one endpoint changes the access point through which it is connected to the network. Also, the secure communication between the two devices can enable users to roam off of their home network, providing a mechanism by which access through foreign networks can be granted, while allowing the foreign network to monitor and control the use of its bandwidth.

    Methods for iteratively deriving security keys for communications sessions
    10.
    Invention patent grant
    Status: in force

    Publication (announcement) number: US07464265B2

    Publication (announcement) date: 2008-12-09

    Application number: US10138868

    Application date: 2002-05-03

    IPC classification: H04L9/00

    Abstract: Disclosed are methods for a client, having established one set of security keys, to establish a new set without having to communicate with an authentication server. When the client joins a group, master session security keys are derived and made known to the client and to the group's access server. From the master session security keys, the access server and client each derive transient session security keys, used for authentication and encryption. To change the transient session security keys, the access server creates “liveness” information and sends it to the client. New master session security keys are derived from the liveness information and the current set of transient session security keys. From these new master session security keys are derived new transient session security keys. This process limits the amount of data sent using one set of transient session security keys and thus limits the effectiveness of any statistical attacker.
