    1. METHOD FOR AUTHENTICATING A TRUSTED PLATFORM BASED ON THE TRI-ELEMENT PEER AUTHENTICATION(TEPA)
    Type: invention application (published); status: in force

    Publication No.: US20110202992A1

    Publication date: 2011-08-18

    Application No.: US13119909

    Filing date: 2009-11-03

    IPC classification: H04L9/32 G06F21/00

    Abstract: A method for authenticating a trusted platform based on Tri-element Peer Authentication (TePA). The method includes the following steps: A) a second attesting system sends a first message to a first attesting system; B) after receiving the first message, the first attesting system sends a second message to the second attesting system; C) after receiving the second message, the second attesting system sends a third message to a Trusted Third Party (TTP); D) after receiving the third message, the TTP sends a fourth message to the second attesting system; E) after receiving the fourth message, the second attesting system sends a fifth message to the first attesting system; and F) after receiving the fifth message, the first attesting system performs access control. The method adopts the TePA security architecture, improves the security of the trusted-platform evaluation protocol, realizes mutual evaluation of the trusted platforms of the two attesting systems, and extends the range of application.


    2. Method for authenticating a trusted platform based on the tri-element peer authentication(TEPA)
    Type: granted invention patent; status: in force

    Publication No.: US08533806B2

    Publication date: 2013-09-10

    Application No.: US13119909

    Filing date: 2009-11-03

    Abstract: identical to the abstract of entry 1 (the corresponding published application, US20110202992A1).

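    The six-step exchange in entries 1 and 2 fixes only the order of the messages and who sends them. The following is an added worked example, not code from the patents or from their applicant, that simulates one plausible instantiation in Python. The message fields (nonces and platform digests), the TTP's reference database, and the use of per-peer HMAC keys as a stand-in for the TTP's signature are all assumptions made here for illustration. What it demonstrates is the tri-element property: each attesting system bases its access-control decision on a verdict it can verify as coming from the TTP, so the peer that forwards the fifth message cannot alter the verdict about itself.

```python
"""Simulated TePA-style trusted-platform authentication between two attesting
systems (A and B) and a Trusted Third Party (TTP). Illustrative only: the message
fields, the reference database and the HMAC-based verdict tags are assumptions."""
import hashlib
import hmac
import json
import os

# Constructed reference database held by the TTP: identity -> accepted platform digest.
REFERENCE = {
    "A": hashlib.sha256(b"A: firmware 1.2 + os 5.4").hexdigest(),
    "B": hashlib.sha256(b"B: firmware 3.0 + os 6.1").hexdigest(),
}
# Constructed digest of a B whose platform no longer matches the reference.
TAMPERED_B_DIGEST = hashlib.sha256(b"B: rootkit").hexdigest()


def _tag(key: bytes, body: dict) -> str:
    """HMAC over a canonical JSON encoding; stands in for the TTP's signature."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class TrustedThirdParty:
    def __init__(self, reference: dict, keys: dict):
        self.reference = reference   # identity -> expected platform digest
        self.keys = keys             # identity -> key shared with that peer (assumption)

    def handle_msg3(self, msg3: dict) -> dict:
        """Step D: evaluate both platform reports, bind the verdicts to both nonces,
        and tag the result once per peer so each can verify it independently."""
        verdicts = {pid: hmac.compare_digest(msg3["reports"][pid], self.reference.get(pid, ""))
                    for pid in ("A", "B")}
        body = {"nonce_A": msg3["nonce_A"], "nonce_B": msg3["nonce_B"], "verdicts": verdicts}
        return {"body": body, "tags": {pid: _tag(self.keys[pid], body) for pid in ("A", "B")}}


class AttestingSystem:
    def __init__(self, ident: str, platform_digest: str, ttp_key: bytes):
        self.id = ident
        self.digest = platform_digest
        self.key = ttp_key
        self.nonce = None

    def access_control(self, body: dict, tag: str) -> bool:
        """Accept the TTP verdict only if its tag verifies and our nonce is fresh,
        then allow or deny the peer according to the TTP's verdict on the peer."""
        if not hmac.compare_digest(_tag(self.key, body), tag):
            raise ValueError(f"{self.id}: TTP verdict tag does not verify")
        if body[f"nonce_{self.id}"] != self.nonce:
            raise ValueError(f"{self.id}: verdict is not fresh (nonce mismatch)")
        peer = "B" if self.id == "A" else "A"
        return body["verdicts"][peer]


def make_parties(b_platform_digest: str):
    """Build A, B and the TTP. B's platform digest is a parameter so a tampered B can be tried."""
    keys = {"A": os.urandom(32), "B": os.urandom(32)}
    ttp = TrustedThirdParty(REFERENCE, keys)
    a = AttestingSystem("A", REFERENCE["A"], keys["A"])
    b = AttestingSystem("B", b_platform_digest, keys["B"])
    return a, b, ttp


def forge_b_verdict(msg5: dict) -> dict:
    """Attacker model: B rewrites the verdict about itself before forwarding to A."""
    forged = json.loads(json.dumps(msg5))
    forged["body"]["verdicts"]["B"] = True
    return forged


def run_tepa(a, b, ttp, tamper_msg5=None):
    """Run steps A-F; returns (A allows B, B allows A)."""
    b.nonce = os.urandom(16).hex()
    msg1 = {"nonce_B": b.nonce}                                          # A) B -> A
    a.nonce = os.urandom(16).hex()
    msg2 = {"nonce_A": a.nonce, "nonce_B": msg1["nonce_B"],
            "report_A": a.digest}                                        # B) A -> B
    msg3 = {"nonce_A": msg2["nonce_A"], "nonce_B": b.nonce,
            "reports": {"A": msg2["report_A"], "B": b.digest}}           # C) B -> TTP
    msg4 = ttp.handle_msg3(msg3)                                         # D) TTP -> B
    b_allows_a = b.access_control(msg4["body"], msg4["tags"]["B"])
    msg5 = {"body": msg4["body"], "tag_A": msg4["tags"]["A"]}            # E) B -> A
    if tamper_msg5 is not None:
        msg5 = tamper_msg5(msg5)
    a_allows_b = a.access_control(msg5["body"], msg5["tag_A"])           # F) A decides
    return a_allows_b, b_allows_a


if __name__ == "__main__":
    print(run_tepa(*make_parties(REFERENCE["B"])))        # both platforms accepted
    print(run_tepa(*make_parties(TAMPERED_B_DIGEST)))     # A denies B, B still allows A
    try:
        run_tepa(*make_parties(TAMPERED_B_DIGEST), tamper_msg5=forge_b_verdict)
    except ValueError as e:
        print("forged fifth message rejected:", e)
```

    The tag the TTP computes for A is bound to A's own nonce, so B can neither replay an old verdict nor edit the one about itself; B learns its own verdict from the tag meant for B. A real deployment would replace the shared HMAC keys with TTP signatures over the same body.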

    3. Trusted network management method of trusted network connections based on tri-element peer authentication
    Type: granted invention patent; status: in force

    Publication No.: US08756654B2

    Publication date: 2014-06-17

    Application No.: US13059798

    Filing date: 2009-08-20

    Abstract: A trusted network management method for trusted network connections based on tri-element peer authentication. A trusted management proxy and a trusted management system are installed and configured on the host to be managed and on the management host respectively, and each is verified as locally trusted. If the host to be managed and the management host are not yet connected to the trusted network, each connects to it using the trusted network connection method based on tri-element peer authentication, and the trusted management proxy and the trusted management system then perform authentication and cipher-key negotiation. If the host to be managed and the management host have not completed user authentication and cipher-key negotiation, they complete them using the tri-element peer authentication protocol, then use the same protocol to establish remote trust between the trusted management proxy and the trusted management system, and finally perform network management. The method can actively defend against attacks, reinforces the security of the trusted network management architecture, and realizes trusted network management with distributed control and centralized management.


    4. Authentication access method and authentication access system for wireless multi-hop network
    Type: granted invention patent; status: in force

    Publication No.: US08656153B2

    Publication date: 2014-02-18

    Application No.: US12810374

    Filing date: 2008-12-26

    IPC classification: H04L29/06

    Abstract: An authentication access method and authentication access system for a wireless multi-hop network. The terminal equipment and the coordinator both have port-control capability. The coordinator broadcasts a beacon frame; the terminal equipment selects an authentication and key management suite and transmits a connect request command to the coordinator. The coordinator authenticates the terminal equipment according to the authentication and key management suite the terminal selected and, once authentication completes, transmits a connect response command to the terminal equipment. The terminal equipment and the coordinator then control their ports according to the authentication result, so that authenticated access to the wireless multi-hop network is realized. The invention solves the security problem of existing wireless multi-hop network authentication methods.


    5. Method for realizing trusted network management
    Type: granted invention patent; status: in force

    Publication No.: US08230220B2

    Publication date: 2012-07-24

    Application No.: US12631491

    Filing date: 2009-12-04

    IPC classification: H04L29/06

    CPC classification: H04L63/20

    Abstract: A method for realizing trusted network management is provided. A trusted management agent resides on a managed host, and a trusted management system resides on a management host. Both are software modules based on a trusted computing platform, and both are signed by a trusted third party after that third party has authenticated them. The trusted platform modules of the managed host and of the management host perform integrity measurement, storage and reporting for the trusted management agent and the trusted management system, so each host can ensure that the agent and the management system are trustworthy. The trusted management agent and the trusted management system then execute network management functions, realizing trusted network management. This solves the problem in the prior art that network management security cannot be ensured because of mutual attacks between an agent, the host where the agent resides, and the manager system.

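    The "integrity measurement, storage and report" in entry 5 is the standard trusted-platform-module pattern: hash each module before it loads, fold the hash into a platform configuration register with the one-way extend operation, and let a verifier replay the event log against the reference values published for the signed modules. The Python below is an added example, not code from the patent or its applicant; the module names and contents are constructed, the reference values stand in for what the trusted third party would publish after authenticating the modules, and a real TPM performs the extend inside hardware rather than in software.

```python
"""Software model of TPM-style integrity measurement, storage (PCR extend) and
reporting for a managed host's software modules. Added example; module names,
contents and reference values are constructed for illustration."""
import hashlib

PCR_INITIAL = b"\x00" * 32

# Constructed sample input: the modules a managed host loads, in load order.
GOOD_MODULES = [
    ("trusted-management-agent", b"agent build 1.0"),
    ("snmp-plugin", b"plugin build 2.3"),
]
TAMPERED_MODULES = [
    ("trusted-management-agent", b"agent build 1.0 + backdoor"),
    ("snmp-plugin", b"plugin build 2.3"),
]


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || measurement digest). Cannot be rewound."""
    return hashlib.sha256(pcr + digest).digest()


def measure(modules):
    """Managed-host side: hash each module before load, extend the PCR (storage),
    and keep the event log that is reported together with the PCR value."""
    pcr, log = PCR_INITIAL, []
    for name, content in modules:
        d = hashlib.sha256(content).digest()
        log.append((name, d))
        pcr = pcr_extend(pcr, d)
    return pcr, log


def reference_values(modules):
    """What the trusted third party publishes after authenticating and signing the
    modules: the expected digest for each module name."""
    return {name: hashlib.sha256(content).digest() for name, content in modules}


def verify_report(pcr: bytes, log, reference: dict):
    """Verifier side: every logged digest must match the reference, and replaying
    the log must reproduce the reported PCR; otherwise the log has been edited."""
    replayed = PCR_INITIAL
    for name, d in log:
        if reference.get(name) != d:
            return False, f"unexpected digest for {name}"
        replayed = pcr_extend(replayed, d)
    if replayed != pcr:
        return False, "event log does not reproduce the reported PCR"
    return True, "ok"


if __name__ == "__main__":
    ref = reference_values(GOOD_MODULES)
    pcr, log = measure(GOOD_MODULES)
    print(verify_report(pcr, log, ref))          # genuine agent: accepted
    bad_pcr, bad_log = measure(TAMPERED_MODULES)
    print(verify_report(bad_pcr, bad_log, ref))  # backdoored agent: digest mismatch
    print(verify_report(bad_pcr, log, ref))      # honest-looking log, real PCR: replay fails
```

    The third case is why the PCR lives in hardware: a compromised host can present a clean event log, but it cannot make the PCR value the TPM actually holds agree with that log.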

    6. AUTHENTICATION ASSOCIATED SUITE DISCOVERY AND NEGOTIATION METHOD
    Type: invention application (published); status: in force

    Publication No.: US20110243330A1

    Publication date: 2011-10-06

    Application No.: US13133890

    Filing date: 2009-12-08

    IPC classification: H04W12/06 H04W12/04

    CPC classification: H04W12/04 H04W12/06

    Abstract: An authentication associated suite discovery and negotiation method for an ultra-wideband network. The method includes the following steps: 1) adding a pairwise temporal key (PTK) establishment IE and a group temporal key (GTK) distribution IE to the information element (IE) list of the initiator and the responder, and assigning each a corresponding information element identifier (ID); and 2) an authentication association process based on the authentication associated suite discovery and negotiation method. The method provides the network with discovery and negotiation of a security solution, so that application requirements are better satisfied when multiple PTK establishment schemes or multiple GTK distribution schemes coexist.


    7. METHOD FOR MANAGING WIRELESS MULTI-HOP NETWORK KEY
    Type: invention application (published); status: in force

    Publication No.: US20100299519A1

    Publication date: 2010-11-25

    Application No.: US12864317

    Filing date: 2009-01-21

    IPC classification: H04L9/00

    Abstract: A method for managing wireless multi-hop network keys, applicable to a security application protocol when the WAPI framework method (TePA, tri-element peer authentication, an access-control method based on three-party peer authentication) is applied to a concrete network comprising a Wireless Local Area Network, a Wireless Metropolitan Area Network and a Wireless Personal Area Network. The key management method includes the steps of key generation, key distribution, key storage, key modification and key revocation. The invention solves the technical problems that the prior pre-shared-key based key management method is not suitable for larger networks and that the PKI-based key management method is not suitable for wireless multi-hop networks; a public-key system and the tri-element structure are adopted, improving the security and performance of wireless multi-hop networks.


    9. Trusted network access control system based ternary equal identification
    Type: granted invention patent; status: in force

    Publication No.: US08336083B2

    Publication date: 2012-12-18

    Application No.: US12743170

    Filing date: 2008-11-14

    IPC classification: G06F21/00

    Abstract: A trusted network access control system based on ternary equal identification (tri-element peer authentication) is provided. The system includes an access requestor (AR), an access controller (AC) and a policy manager (PM), together with the protocol interfaces among them. The protocol interface between the AR and the AC includes a trusted network transmission interface (IF-TNT) and the IF-TNACCS interface between the TNAC client and the TNAC server. The protocol interface between the AC and the PM includes an identification policy service interface (IF-APS), an evaluation policy service interface (IF-EPS) and a trust measurement interface (IF-TM). The protocol interface between the AR and the PM includes a trust measurement interface (IF-TM).


    10. Trusted network connect system based on tri-element peer authentication
    Type: granted invention patent; status: in force

    Publication No.: US08191113B2

    Publication date: 2012-05-29

    Application No.: US12628903

    Filing date: 2009-12-01

    Abstract: A trusted network connect (TNC) system based on tri-element peer authentication (TePA) is provided. A network access requestor (NAR) of an access requestor (AR) is connected to a TNC client (TNCC), and the TNCC is connected to an integrity measurement collector (IMC1) through an integrity measurement collector interface (IF-IMC). A network access controller (NAC) of an access controller (AC) is connected to a TNC server (TNCS) in a data-bearer manner. The TNCS is connected to an IMC2 through the IF-IMC. A user authentication service unit (UASU) of a policy manager (PM) is connected to a platform evaluation service unit (PESU) through an integrity measurement verifier interface (IF-IMV). The technical problems of the prior art, namely poor extensibility, a complex key agreement process and low security, are thus solved. TePA is adopted in both the network access layer and the integrity evaluation layer to implement mutual user authentication and platform integrity evaluation, so that the security of the entire TNC architecture is improved.
