System and Method of Providing Denial Service protection in a Telecommunication System
    1.
    Patent application
    System and Method of Providing Denial Service protection in a Telecommunication System (in force)

    Publication No.: US20100238874A1

    Publication date: 2010-09-23

    Application No.: US12668935

    Filing date: 2007-07-13

    IPC classification: H04W4/00

    Abstract: A system, method, and node for protecting a telecommunication system against a mobile and multi-homed attacker, MMA (10). The telecommunication system includes one or more correspondent nodes, CN, (102, 104) for transferring data packets. A mobile and multi-homed network node, MMN, (108) associated with the MMA communicates and receives data packets with the CN. An access router, AR, (106) transferring data between the MMN and the CN performs a reachability test with the MMN to determine if the MMN is still reachable. The AR sends a message to the CN to flush cached information associated with the MMN if the MMN is not reachable by the AR. The CN, upon receiving the message to flush cached information, flushes binding cache entries associated with the MMN from the CN.

    Key Distribution to a Set of Routers
    2.
    Patent application
    Key Distribution to a Set of Routers (in force)

    Publication No.: US20110179277A1

    Publication date: 2011-07-21

    Application No.: US13120679

    Filing date: 2008-09-24

    IPC classification: H04L9/08 H04L9/32 H04L12/56

    Abstract: Before actually communicating information/data between two endpoints (C, S) connected to a network, a secure and confidential distribution of a special key (K_h) is performed to nodes (R_j) along a path in the network. This is allowed by performing a path handshaking procedure in which first a hint token is forwarded along the path in a first direction and then a disclosure token is forwarded in the opposite direction. In forwarding the disclosure token it is verified in the nodes against the already received hint token. This assures that only nodes on the particular path will receive the special key or possibly some other information related thereto.

    Trust discovery in a communications network
    3.
    Granted patent
    Trust discovery in a communications network (in force)

    Publication No.: US08942377B2

    Publication date: 2015-01-27

    Application No.: US13578356

    Filing date: 2010-02-12

    IPC classification: H04L12/06 H04W12/06 H04L29/06

    Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

    Key distribution to a set of routers
    4.
    Granted patent
    Key distribution to a set of routers (in force)

    Publication No.: US08650397B2

    Publication date: 2014-02-11

    Application No.: US13120679

    Filing date: 2008-09-24

    IPC classification: H04L9/32

    Abstract: Before actually communicating information/data between two endpoints (C, S) connected to a network, a secure and confidential distribution of a special key (K_h) is performed to nodes (R_j) along a path in the network. This is allowed by performing a path handshaking procedure in which first a hint token is forwarded along the path in a first direction and then a disclosure token is forwarded in the opposite direction. In forwarding the disclosure token it is verified in the nodes against the already received hint token. This assures that only nodes on the particular path will receive the special key or possibly some other information related thereto.

    Trust Discovery in a Communications Network
    5.
    Patent application
    Trust Discovery in a Communications Network (in force)

    Publication No.: US20120322413A1

    Publication date: 2012-12-20

    Application No.: US13578356

    Filing date: 2010-02-12

    IPC classification: H04W12/06

    Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

    Method and apparatus for establishing a cryptographic relationship in a mobile communications network
    6.
    Granted patent
    Method and apparatus for establishing a cryptographic relationship in a mobile communications network (in force)

    Publication No.: US08295487B2

    Publication date: 2012-10-23

    Application No.: US12744198

    Filing date: 2008-11-21

    IPC classification: G06F21/22

    Abstract: A method and apparatus for establishing a cryptographic relationship between a first node and a second node in a communications network. The first node receives at least part of a cryptographic attribute of the second node, and uses the received at least part of the cryptographic attribute to generate an identifier for the first node. The cryptographic attribute may be a public key belonging to the second node, and the identifier may be a Cryptographically Generated IP address. The cryptographic relationship allows the second node to establish with a third node that it is entitled to act on behalf of the first node.

    METHOD AND APPARATUS FOR ESTABLISHING A CRYPTOGRAPHIC RELATIONSHIP IN A MOBILE COMMUNICATIONS NETWORK
    7.
    Patent application
    METHOD AND APPARATUS FOR ESTABLISHING A CRYPTOGRAPHIC RELATIONSHIP IN A MOBILE COMMUNICATIONS NETWORK (in force)

    Publication No.: US20100260338A1

    Publication date: 2010-10-14

    Application No.: US12744198

    Filing date: 2008-11-21

    IPC classification: G06F21/22 H04L9/00 H04L9/08

    Abstract: A method and apparatus for establishing a cryptographic relationship between a first node and a second node in a communications network. The first node receives at least part of a cryptographic attribute of the second node, and uses the received at least part of the cryptographic attribute to generate an identifier for the first node. The cryptographic attribute may be a public key belonging to the second node, and the identifier may be a Cryptographically Generated IP address. The cryptographic relationship allows the second node to establish with a third node that it is entitled to act on behalf of the first node.

    Controlling IP flows to bypass a packet data network gateway using multi-path transmission control protocol connections
    8.
    Granted patent
    Controlling IP flows to bypass a packet data network gateway using multi-path transmission control protocol connections (in force)

    Publication No.: US08547835B2

    Publication date: 2013-10-01

    Application No.: US12909041

    Filing date: 2010-10-21

    Abstract: A network element can include a proxy element that is configured to receive a request from a source node to establish a Transmission Control Protocol (TCP) connection from a first network address of the source node through a Packet Data Network Gateway (PDN GW) to a destination node for an IP flow. The proxy element applies an IP flow offloading policy function to determine that the requested TCP connection for the IP flow should bypass the PDN GW. The proxy element responds to the determination by communicating to the destination node a request for TCP connection with a second network address substituted for the first network address of the source node to establish the TCP connection for the IP flow from the source node to the destination node through a broadband network without passing through the PDN GW.

    Enabling IPV6 mobility with NAT64
    10.
    Granted patent
    Enabling IPV6 mobility with NAT64 (in force)

    Publication No.: US08509185B2

    Publication date: 2013-08-13

    Application No.: US12819074

    Filing date: 2010-06-18

    Applicant: Wassim Haddad

    Inventor: Wassim Haddad

    IPC classification: H04J3/22

    Abstract: A method for maintaining connectivity between a mobile node and a corresponding node when the mobile node connects to a foreign network, where the foreign network and the home network are Internet protocol version 6 (IPv6) networks but the corresponding node is an Internet protocol version 4 (IPv4) node. The method includes receiving at the home agent node an IPv6 care-of address, determining that the IPv6 care-of address belongs to the foreign network and that the foreign NAT64 node has a prefix to generate virtual IPv6 addresses, and sending a prefix binding request message to a home NAT64 node to bind the prefix to the home address of the mobile node for translation between IPv6 and IPv4.
