1. System and method of providing denial of service protection in a telecommunication system
    Granted patent (in force)

    Publication number: US08934419B2

    Publication date: 2015-01-13

    Application number: US12668935

    Filing date: 2007-07-13

    Abstract: A system, method, and node for protecting a telecommunication system against a mobile and multi-homed attacker, MMA (10). The telecommunication system includes one or more correspondent nodes, CN (102, 104), for transferring data packets. A mobile and multi-homed network node, MMN (108), associated with the MMA exchanges data packets with the CN. An access router, AR (106), transferring data between the MMN and the CN performs a reachability test with the MMN to determine whether the MMN is still reachable. If the MMN is not reachable by the AR, the AR sends a message to the CN to flush cached information associated with the MMN. The CN, upon receiving the flush message, flushes the binding cache entries associated with the MMN.

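Worked example, added to this listing (not code from the patent or its assignee): a Python simulation of the reachability test and binding-cache flush described in the abstract of record 1. The addresses, the nonce probe, and the keyed MAC plus sequence number that let the CN reject forged and replayed flush messages are assumptions of the example; the abstract does not say how the flush message is protected, but an unauthenticated flush would itself be a denial-of-service lever against any mobile node whose binding can be named.

```python
import hashlib
import hmac
import secrets


class MobileNode:
    """Mobile, multi-homed node (MMN). `on_link` models whether it is still
    attached to the access router's link; an attacker that has moved on, or
    gone dark, stops answering probes. Constructed for this example."""

    def __init__(self, home_addr, care_of_addr):
        self.home_addr = home_addr
        self.care_of_addr = care_of_addr
        self.on_link = True

    def answer_probe(self, nonce):
        return nonce if self.on_link else None


def flush_mac(key, home_addr, seq):
    # Assumed protection of the flush message: HMAC over (home address, sequence number).
    return hmac.new(key, home_addr.encode() + seq.to_bytes(8, "big"), hashlib.sha256).digest()


class CorrespondentNode:
    """CN with a binding cache (home address -> care-of address). It accepts
    flush messages only from an access router it shares a key with."""

    def __init__(self, ar_key):
        self.ar_key = ar_key
        self.binding_cache = {}
        self.last_seq = 0          # highest flush sequence number accepted so far

    def register_binding(self, home_addr, care_of_addr):
        self.binding_cache[home_addr] = care_of_addr

    def handle_flush(self, msg):
        """Return 1 if an entry was flushed, 0 if the message was rejected
        (bad MAC, replayed sequence number) or nothing was cached."""
        mac = flush_mac(self.ar_key, msg["home_addr"], msg["seq"])
        if not hmac.compare_digest(mac, msg["mac"]) or msg["seq"] <= self.last_seq:
            return 0
        self.last_seq = msg["seq"]
        return 1 if self.binding_cache.pop(msg["home_addr"], None) is not None else 0


class AccessRouter:
    def __init__(self, ar_key):
        self.ar_key = ar_key
        self.attached = {}         # care-of address -> MobileNode
        self.seq = 0

    def attach(self, node):
        self.attached[node.care_of_addr] = node

    def reachability_test(self, care_of_addr):
        """Probe the MMN with a fresh nonce; only a node still on the link can echo it."""
        node = self.attached.get(care_of_addr)
        if node is None:
            return False
        nonce = secrets.token_bytes(8)
        return node.answer_probe(nonce) == nonce

    def build_flush(self, home_addr):
        self.seq += 1
        return {"home_addr": home_addr, "seq": self.seq,
                "mac": flush_mac(self.ar_key, home_addr, self.seq)}

    def check_and_flush(self, node, cns):
        """Reachability test first; if the MMN is gone, tell every CN to flush.
        Returns the number of binding-cache entries flushed."""
        if self.reachability_test(node.care_of_addr):
            return 0
        msg = self.build_flush(node.home_addr)
        return sum(cn.handle_flush(msg) for cn in cns)


def scenario():
    key = secrets.token_bytes(32)                     # AR/CN shared key (assumption)
    ar = AccessRouter(key)
    cns = [CorrespondentNode(key), CorrespondentNode(key)]
    mmn = MobileNode("2001:db8:home::1", "2001:db8:ar::1")   # constructed addresses
    ar.attach(mmn)
    for cn in cns:
        cn.register_binding(mmn.home_addr, mmn.care_of_addr)

    while_reachable = ar.check_and_flush(mmn, cns)    # MMN echoes the probe: nothing flushed
    forged = cns[0].handle_flush({"home_addr": mmn.home_addr, "seq": 99,
                                  "mac": bytes(32)})  # no key: rejected, cache untouched
    mmn.on_link = False                               # the MMA moves away / goes dark
    reachable = ar.reachability_test(mmn.care_of_addr)
    msg = ar.build_flush(mmn.home_addr)
    after_departure = sum(cn.handle_flush(msg) for cn in cns)   # both CNs drop the binding
    replay = cns[0].handle_flush(msg)                 # same sequence number again: rejected
    remaining = sum(len(cn.binding_cache) for cn in cns)
    return while_reachable, forged, reachable, after_departure, replay, remaining


if __name__ == "__main__":
    print(scenario())
```

Running the file prints `(0, 0, False, 2, 0, 0)`: nothing is flushed while the MMN still answers probes, the forged flush is ignored, and once the node stops answering one authenticated message clears the stale binding at both correspondent nodes while its replay is dropped.
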
2. PREFIX REACHABILITY DETECTION IN A COMMUNICATION
    Patent application (in force)

    Publication number: US20100031044A1

    Publication date: 2010-02-04

    Application number: US12531659

    Filing date: 2008-02-26

    IPC classification: H04L9/32 G06F21/20 G06F15/16

    Abstract: Disclosed are a method, and a communication system and a communication node for implementing the claimed method, for enhancing legitimacy assessment and thwarting a man-in-the-middle or similar false-location attack by evaluating the topology of a communication-session requesting node relative to the proposed communication path through a network between the requesting node and the requested node. Upon receiving the request, a PRD (Prefix Reachability Detection) protocol is initiated, either after or during a secure key exchange, if any, which, if performed, preferably includes an ART (address reachability test). The PRD is executed by sending a message to the communication node challenging the location-authenticity of the requesting device. The communication node, which may be for example an access router through which the requesting node accesses the network, determines whether the requesting node is positioned topologically behind the communication node, and reports the result to the requested node. The requested node may then decide whether to permit the communication. If it does, the PRD may be repeated one or more times while the communication session is in progress.

3. Prefix reachability detection in a communication
    Granted patent (in force)

    Publication number: US08863236B2

    Publication date: 2014-10-14

    Application number: US12531659

    Filing date: 2008-02-26

    IPC classification: H04L29/06

    Abstract: Disclosed are a method, and a communication system and a communication node for implementing the claimed method, for enhancing legitimacy assessment and thwarting a man-in-the-middle or similar false-location attack by evaluating the topology of a communication-session requesting node relative to the proposed communication path through a network between the requesting node and the requested node. Upon receiving the request, a PRD (Prefix Reachability Detection) protocol is initiated, either after or during a secure key exchange, if any, which, if performed, preferably includes an ART (address reachability test). The PRD is executed by sending a message to the communication node challenging the location-authenticity of the requesting device. The communication node, which may be for example an access router through which the requesting node accesses the network, determines whether the requesting node is positioned topologically behind the communication node, and reports the result to the requested node. The requested node may then decide whether to permit the communication. If it does, the PRD may be repeated one or more times while the communication session is in progress.

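Worked example, added to this listing (not code from the patent or its assignee), covering the PRD abstract shared by records 2 and 3: a Python model in which the requested node first runs an address reachability test (ART) and then challenges the access router on the path with a PRD query, and repeats the PRD while the session is up. The prefixes, node names, the `via` router handle passed with each request, and the `Network.deliver` routing stub are constructed for the example. The spoofed case shows why the ART alone is not enough: the nonce is answered by the real holder of the claimed address, so only the topological check exposes the requester.

```python
import ipaddress
import secrets


class Node:
    def __init__(self, addr):
        self.addr = ipaddress.ip_address(addr)

    def echo(self, nonce):
        return nonce


class AccessRouter:
    """The communication node of the abstract: it serves on-link prefixes and
    knows which nodes are attached behind it."""

    def __init__(self, name, prefixes):
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.attached = {}

    def attach(self, node):
        if not any(node.addr in p for p in self.prefixes):
            raise ValueError("address is not on-link for this router")
        self.attached[node.addr] = node

    def detach(self, node):
        self.attached.pop(node.addr, None)

    def prd_check(self, claimed_addr):
        """Answer a PRD challenge: is claimed_addr topologically behind me?
        Both the prefix and the neighbour-table entry must match."""
        addr = ipaddress.ip_address(claimed_addr)
        return any(addr in p for p in self.prefixes) and addr in self.attached


class Network:
    """Constructed routing stub: a packet for addr reaches the node attached
    behind the router whose prefix covers it, if there is one."""

    def __init__(self, routers):
        self.routers = routers

    def deliver(self, addr):
        addr = ipaddress.ip_address(addr)
        for r in self.routers:
            if any(addr in p for p in r.prefixes):
                return r.attached.get(addr)
        return None


class RequestedNode:
    def __init__(self, network):
        self.network = network
        self.sessions = {}   # claimed address -> access router to re-challenge

    def art(self, claimed_addr):
        """Address reachability test: send a nonce to the claimed address and
        expect it echoed. Passes whenever *someone* holds that address."""
        nonce = secrets.token_bytes(16)
        holder = self.network.deliver(claimed_addr)
        return holder is not None and holder.echo(nonce) == nonce

    def evaluate(self, claimed_addr, via):
        art_ok = self.art(claimed_addr)
        prd_ok = via.prd_check(claimed_addr)      # challenge the access router on the path
        admit = art_ok and prd_ok
        if admit:
            self.sessions[claimed_addr] = via
        return {"art": art_ok, "prd": prd_ok, "admit": admit}

    def recheck_sessions(self):
        """Repeat the PRD during the session and drop peers no longer behind the
        router that vouched for them. Returns the dropped addresses."""
        dropped = [a for a, r in self.sessions.items() if not r.prd_check(a)]
        for a in dropped:
            del self.sessions[a]
        return dropped


def scenario():
    ar1 = AccessRouter("AR1", ["2001:db8:1::/64"])
    ar2 = AccessRouter("AR2", ["2001:db8:2::/64"])
    alice = Node("2001:db8:1::10")
    mallory = Node("2001:db8:2::99")
    ar1.attach(alice)
    ar2.attach(mallory)
    bob = RequestedNode(Network([ar1, ar2]))

    legit = bob.evaluate("2001:db8:1::10", via=ar1)
    # Mallory claims Alice's address; the request still enters through AR2.
    spoofed = bob.evaluate("2001:db8:1::10", via=ar2)
    # Mallory claims an unused address in AR1's prefix and forges the path.
    ghost = bob.evaluate("2001:db8:1::77", via=ar1)
    # Alice moves away mid-session; the repeated PRD notices.
    ar1.detach(alice)
    dropped = bob.recheck_sessions()
    return legit, spoofed, ghost, dropped


if __name__ == "__main__":
    print(scenario())
```

Only the legitimate request is admitted: the spoofed one passes the ART but fails the PRD at AR2, the ghost address fails both, and the re-check drops Alice's session once she is no longer behind AR1.
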
4. Service access authentication method and system
    Granted patent (in force)

    Publication number: US09432349B2

    Publication date: 2016-08-30

    Application number: US14125859

    Filing date: 2012-06-13

    IPC classification: H04L29/06

    Abstract: An access authentication system for authenticating a subscriber of a service comprises an operator access authentication system and one or more private access authentication systems, each private access authentication system being communicatively connectable with the operator access authentication system. The operator access authentication system is adapted to provide one or more authentication functions for facilitating authentication of subscribers of the service based on respective subscriber authentication data items associated with credentials of the subscriber. Each private access authentication system is adapted to communicate one or more subscriber authentication data items to the operator access authentication system, and is further adapted to communicate one or more verification data items indicating that the private access authentication system is operating in at least one predetermined state.

5. Method and apparatus for ensuring privacy in communications between parties
    Granted patent (in force)

    Publication number: US08837729B2

    Publication date: 2014-09-16

    Application number: US11883879

    Filing date: 2006-02-10

    Abstract: A method of improving privacy by hiding, in an ordered sequence of messages M[x(1), D(1)], M[x(2), D(2)], etc., communicated between a first party and at least one second party sharing a key k, metadata x(i) descriptive of message processing, where D(i) denotes payload data. The method comprises the first and the second party agreeing on a pseudo-random mapping F_k, depending on the shared key k, that maps at least x(i) to y(i), and the first party modifying the messages by replacing x(i) with y(i) in each message M[x(i), D(i)]. The first party then transmits the modified messages maintaining their original order, and on reception of a message M[y(m), D], the second party uses a mapping G_k to retrieve the position m of the received value and the original value x(m).

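Worked example, added to this listing (not code from the patent or its assignee): a Python instance of the mapping in record 5, with F_k realised as an HMAC over (position i, metadata x(i)) truncated to a 4-byte wire value, and G_k as a lookup table over the next few positions and every admissible x, rebuilt as the window slides. The key, the 16-code metadata alphabet, the window size and the truncation length are assumptions of the example. Because y(i) depends on the position as well as on x(i), two messages carrying the same metadata look unrelated on the wire, a lost message merely skips a position, and a replayed message falls outside the window.

```python
import hashlib
import hmac

TAG_LEN = 4   # bytes of y(i) carried on the wire (assumption)


def f_k(k, i, x):
    """F_k: keyed pseudo-random mapping of (position i, metadata x(i)) to y(i)."""
    msg = i.to_bytes(8, "big") + bytes([x])
    return hmac.new(k, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, k):
        self.k = k
        self.i = 0

    def send(self, x, payload):
        """Emit M[y(i), D(i)] in place of M[x(i), D(i)], keeping the order."""
        self.i += 1
        return (f_k(self.k, self.i, x), payload)


class Receiver:
    """Holds G_k as a lookup table over the next `window` positions and every
    possible metadata value, so a lost message only skips positions."""

    def __init__(self, k, x_domain, window=8):
        self.k = k
        self.x_domain = list(x_domain)
        self.window = window
        self.next_i = 1
        self._rebuild()

    def _rebuild(self):
        self.table = {f_k(self.k, i, x): (i, x)
                      for i in range(self.next_i, self.next_i + self.window)
                      for x in self.x_domain}

    def receive(self, msg):
        """Return (position m, original x(m), payload), or None if y matches
        nothing in the window (forged, replayed, or too far out of order)."""
        y, payload = msg
        hit = self.table.get(y)
        if hit is None:
            return None
        m, x = hit
        self.next_i = m + 1
        self._rebuild()
        return m, x, payload


def scenario():
    k = hashlib.sha256(b"constructed example key").digest()   # shared key k (constructed)
    metadata_codes = range(16)       # x(i) drawn from 16 processing codes (assumption)
    alice, bob = Sender(k), Receiver(k, metadata_codes)
    eve = Receiver(hashlib.sha256(b"wrong key").digest(), metadata_codes)

    wire = [alice.send(3, b"hello"), alice.send(7, b"world"),
            alice.send(3, b"again"), alice.send(1, b"last")]
    del wire[1]                      # second message lost in transit
    recovered = [bob.receive(m) for m in wire]
    replayed = bob.receive(wire[0])  # position 1 is behind the window now
    eve_sees = [eve.receive(m) for m in wire]
    same_x_differ = wire[0][0] != wire[1][0]   # both carry x=3, yet y differs
    return recovered, replayed, eve_sees, same_x_differ


if __name__ == "__main__":
    print(scenario())
```

Bob recovers positions 1, 3 and 4 with their original metadata, rejects the replay, and Eve, holding the wrong key, recovers nothing. The window size trades tolerance for loss against table size and, for a short tag, collision risk; with a 4-byte y and a 128-entry table that risk is negligible, but a production design should size the tag to the window.
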
6. Method and Apparatus for Authenticating a Communication Device
    Patent application (in force)

    Publication number: US20130291071A1

    Publication date: 2013-10-31

    Application number: US13979476

    Filing date: 2011-07-19

    IPC classification: H04L29/06

    Abstract: According to an aspect of the present invention there is provided a method of operating a communication device that is part of a group of two or more communication devices sharing a subscription to a communication network. The method comprises receiving a group authentication challenge from the network, at least part of which has been generated using group authentication information associated with the shared subscription. The device then generates a device-specific response to the group authentication challenge using the group authentication information and device-specific authentication information, and sends the device-specific response to the network. The device is, for example, a member of a machine-type communication device group.

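Worked example, added to this listing (not code from the patent or its assignee): a Python sketch of the group authentication exchange in record 6, with the group authentication information modelled as a group key, the device-specific information as a per-device key, and HMAC-SHA256 as the pseudo-random function. Key sizes, the domain-separation labels and the device identifiers are constructed for the example. It shows the property a practitioner cares about: one challenge serves the whole group, yet a device holding only the group key cannot answer for another device, and a fake network that lacks the group key gets no response at all.

```python
import hashlib
import hmac
import secrets


def prf(key, *parts):
    # Fixed-length fields (16-byte rand, 32-byte MAC) precede the variable-length id,
    # so plain concatenation is unambiguous here.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Network:
    """Holds the group authentication information (group_key) tied to the
    shared subscription, and device-specific information per device."""

    def __init__(self, group_key, device_keys):
        self.group_key = group_key
        self.device_keys = device_keys      # device id -> device key

    def group_challenge(self):
        rand = secrets.token_bytes(16)
        return {"rand": rand, "group_mac": prf(self.group_key, b"challenge", rand)}

    def expected_response(self, device_id, challenge):
        return prf(self.device_keys[device_id], b"response",
                   challenge["rand"], challenge["group_mac"], device_id.encode())

    def verify(self, device_id, challenge, response):
        if device_id not in self.device_keys or response is None:
            return False
        return hmac.compare_digest(self.expected_response(device_id, challenge), response)


class Device:
    def __init__(self, device_id, group_key, device_key):
        self.device_id = device_id
        self.group_key = group_key
        self.device_key = device_key

    def respond(self, challenge):
        """Check that the challenge really came from a network holding the
        group information, then bind the response to this device."""
        expected_mac = prf(self.group_key, b"challenge", challenge["rand"])
        if not hmac.compare_digest(expected_mac, challenge["group_mac"]):
            return None
        return prf(self.device_key, b"response",
                   challenge["rand"], challenge["group_mac"], self.device_id.encode())


def scenario():
    group_key = secrets.token_bytes(32)
    device_keys = {"mtc-001": secrets.token_bytes(32), "mtc-002": secrets.token_bytes(32)}
    network = Network(group_key, device_keys)
    meters = [Device(d, k_d, ) if False else Device(d, group_key, k_d)
              for d, k_d in device_keys.items()]

    challenge = network.group_challenge()          # one challenge for the whole group
    verdicts = {m.device_id: network.verify(m.device_id, challenge, m.respond(challenge))
                for m in meters}

    # Rogue device: knows the group key but not mtc-002's key.
    rogue = Device("mtc-002", group_key, secrets.token_bytes(32))
    impersonation = network.verify("mtc-002", challenge, rogue.respond(challenge))

    # Fake network: cannot produce a valid group MAC, so devices stay silent.
    fake = {"rand": secrets.token_bytes(16), "group_mac": bytes(32)}
    answered_fake = meters[0].respond(fake)
    return verdicts, impersonation, answered_fake


if __name__ == "__main__":
    print(scenario())
```

Both genuine devices verify, the rogue device's response for `mtc-002` is rejected, and the fake challenge draws no response. Binding the group MAC into the device response also stops a response captured under one challenge from being replayed under another.
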
7. IP multimedia security
    Granted patent (in force)

    Publication number: US08539564B2

    Publication date: 2013-09-17

    Application number: US13254013

    Filing date: 2009-03-04

    IPC classification: G06F7/04

    Abstract: A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from the first end point towards the second end point, the session set-up signalling including a session key generated by the first end point. The set-up signalling is intercepted at a first signalling plane network node, and a determination is made as to whether a signalling plane key has already been established for securing the signalling plane between the first end point and the first signalling plane network node. If a signalling plane key has already been established, a media plane key is derived from that signalling plane key and sent to the first media plane network node for securing the media plane between the first end user and the first media plane network node. If a signalling plane key has not already been established, an alternative media plane key is derived from the session key and sent to the first media plane network node for the same purpose.

8. METHOD AND ARRANGEMENT FOR RESOURCE ALLOCATION IN RADIO COMMUNICATION
    Patent application (in force)

    Publication number: US20130203454A1

    Publication date: 2013-08-08

    Application number: US13700600

    Filing date: 2010-06-07

    IPC classification: H04W72/04

    Abstract: A method and arrangement in a first mobile terminal (600) for determining the allocation of radio resources for DMO communication among a group of mobile terminals. In the first mobile terminal, a first determining module (600a) determines a communication (Sout, Sin) with a second mobile terminal (602) of the group. A second determining module (600b) determines a resource element (RE) for the communication by applying a predefined cryptographic function P based on a terminal identification (K). The cryptographic function has been configured in the mobile terminals of the group to provide terminal-specific resource elements for different mobile terminals within respective radio frames. A communication module (600c) then communicates with the second mobile terminal (602), either by transmission or reception of the data, on the determined resource element (RE).

9. Packet Routing in a Network by Modifying In-Packet Bloom Filter
    Patent application (under examination, published)

    Publication number: US20120287934A1

    Publication date: 2012-11-15

    Application number: US13521629

    Filing date: 2010-10-22

    IPC classification: H04L12/56

    Abstract: A network node (NB1) located within a domain is adapted to receive, from another node, a packet having an in-packet Bloom filter or Bloom filter equivalent encoding information about a route within the domain. The node reversibly modifies the in-packet Bloom filter or Bloom filter equivalent in a manner which is linear with respect to the operation used to add links to the Bloom filter or Bloom filter equivalent. The node then forwards the packet, with its header containing the modified Bloom filter or Bloom filter equivalent, to another node (NA1). The invention allows secure Bloom filter-based routing in a domain (Domain B) while requiring that only routers (NB1) at the domain boundary are secure routers. Other routers (NB2, NB3, NB4) in the domain may operate conventionally, and may be secure or insecure routers. The modification may be a bit permutation.

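Worked example, added to this listing (not code from the patent or its assignee): a Python in-packet Bloom-filter routing header with a keyed bit permutation at the boundary router, checking the two properties the abstract of record 9 relies on: the modification is reversible, and it is linear with respect to the OR used to add links, so a filter can be permuted whether links are added before or after the boundary. `domain_scenario` goes one step further on an assumed reading of the abstract: the domain's internal links are encoded under the inverse permutation, so the filter matches the conventional routers inside only after NB1 has permuted it, and a filter that bypasses NB1 does not. Filter width, hash count and the boundary secret are assumptions of the example.

```python
import hashlib
import random

M = 256   # filter width in bits (assumption; chosen small for the example)
K = 3     # bit positions per link identifier


def link_mask(link_id):
    """Conventional Bloom-filter encoding of one link: K bits of an M-bit word."""
    h = hashlib.sha256(link_id.encode()).digest()
    mask = 0
    for j in range(K):
        mask |= 1 << (int.from_bytes(h[2 * j:2 * j + 2], "big") % M)
    return mask


def encode_route(link_ids):
    f = 0
    for link_id in link_ids:
        f |= link_mask(link_id)      # links are added with OR
    return f


def contains(f, link_id):
    """The conventional forwarding test a router applies to an in-packet filter."""
    mask = link_mask(link_id)
    return f & mask == mask


def boundary_permutation(secret):
    """Bit permutation kept by the boundary router; derived from a secret so it
    can be regenerated but not guessed from outside the domain."""
    perm = list(range(M))
    random.Random(secret).shuffle(perm)
    return perm


def invert(perm):
    inv = [0] * M
    for src, dst in enumerate(perm):
        inv[dst] = src
    return inv


def permute(f, perm):
    out = 0
    for src in range(M):
        if f >> src & 1:
            out |= 1 << perm[src]
    return out


def properties():
    """Reversibility and linearity with respect to OR, on two arbitrary links."""
    perm = boundary_permutation("constructed boundary secret")
    inv = invert(perm)
    a, b = link_mask("NB1-NB2"), link_mask("NB2-NB3")
    reversible = permute(permute(a | b, perm), inv) == a | b
    linear = permute(a | b, perm) == permute(a, perm) | permute(b, perm)
    return reversible, linear


def domain_scenario():
    """Assumed deployment: Domain B's links are handed out pre-encoded under the
    inverse permutation, so only a filter that has passed through NB1 matches
    the conventional routers NB2..NB4."""
    perm = boundary_permutation("constructed boundary secret")
    inv = invert(perm)
    internal_links = ["NB1-NB2", "NB2-NB3", "NB3-NB4"]
    f_outside = permute(encode_route(internal_links), inv)   # what the sender gets
    f_inside = permute(f_outside, perm)                       # what NB1 forwards
    matches_inside = sum(contains(f_inside, l) for l in internal_links)
    matches_bypassing = sum(contains(f_outside, l) for l in internal_links)
    return matches_inside, matches_bypassing


if __name__ == "__main__":
    print(properties(), domain_scenario())
```

`properties()` returns `(True, True)`; in `domain_scenario()` all three internal links match after NB1's permutation, while the un-permuted filter matches them only by Bloom-filter false positives, which for a 256-bit filter with 9 bits set is a sub-percent event per link. Note that this alone does not authenticate the sender: anyone who captures a filter that has already been permuted can reuse it, so the boundary router still needs the usual replay and rate controls.
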
10. Access to services in a telecommunications network
    Granted patent (in force)

    Publication number: US08261078B2

    Publication date: 2012-09-04

    Application number: US12303342

    Filing date: 2006-06-09

    IPC classification: H04L9/32

    Abstract: A method and arrangement are disclosed for providing a user who does not previously have an individual subscription with a network operator with credentials for secure access to network services. The arrangement includes a gateway, associated with a subscription for network services, having means for generating and exporting to a user entity personalized user security data derived from security data related to the subscription. In particular, the derivation of credentials is based on a function that is shared between the network and the gateway, and further conveniently makes use of bootstrapping on keying material from the subscription authentication. Pre-registered user identities are assigned to trusted users, who can thereafter download credentials and authenticate for service access. The invention may be implemented at a public place to provide temporary visitors with network access, whereby trust may, for example, be established by presenting a credit card.
