Abstract:
The present invention relates to a method, system, client device, gateway device and computer program product for maintaining state information in an intermediate network function (20), wherein the state information expires after a predetermined idle period. Detecting means (16; 36) are provided for detecting an idle state of a connection. In response to the detecting means, a transport protocol used for encapsulating data is changed from a first protocol with a first predetermined idle period to a second protocol with a second predetermined idle period, said second predetermined idle period being longer than said first predetermined idle period. Alternatively, a connection parameter is provided to a device (10) for a parallel second connection in a set-up negotiation via said first connection. This connection parameter is then used for setting up a parallel second connection to the device (10) based on the second transport protocol used for encapsulating data with the second predetermined idle period. Then, information linking the first and second connections is transmitted from the device (10) to the data network, wherein the second connection is used for transmitting a wake-up notification to the device (10) in response to a detected idle state. Both alternatives provide the advantage of reduced keep-alive signaling and thus enhanced battery efficiency.
Abstract:
A communication network manages key material. A method generates and provides session keys from a security node to an access node for further propagation during handoff procedures, without requiring the security node to take part in the handoff procedures.
Abstract:
An improved system and method for efficiently implementing a remotely manageable secure boot on a Trusted Computing Group defined Trusted Platform Module. Various embodiments of the present invention enable a boot process which does not require a dependency on prior RIM certificates, while still requiring a dependency on the sequencing of the boot process.
Abstract:
A key generation system is disclosed that provides for the generation of privileged group keys based on the input of a privileged group. The system performing the key generation has stored component keys corresponding to every possible subset X of the unitary set, where subsets X have k or fewer members. The privileged group key is generated for the privileged set by passing ordered component keys of subsets X that do not contain members of the privileged set to a pseudo random function.
Abstract:
A method, apparatus, system and computer program product are provided for booting up a system using a secure boot framework. In particular, a secure boot mechanism (i.e., a mechanism that enforces that only authenticated programs and/or events are executed on a particular platform) is provided that has an unlimited number of authorized boot configurations, while requiring only a minimal amount of secure/confidential storage. The secure boot mechanism further provides for the separation of run-time and management functionality, which allows other authorization mechanisms to be plugged in later on. In addition, the authorized secure boot configurations (i.e., the definition of the secure boot state) can be kept in insecure storage, such as a system disk (e.g., flash memory). Finally, the disclosed secure boot mechanism is further beneficial because it builds upon existing TCG techniques, so that it requires only minimal additional implementation where TCG techniques are already in place.
Abstract:
A content encryption/decryption system is disclosed that provides for the use of multiple DRM rights objects. The disclosed system also provides for use in non-connected, connected and mixed mode transmission models.
Abstract:
An approach is provided for providing separation of authentication protocols and/or authentication contexts for client-server and server-server communication in network communication. A proxy server receives a request to initiate a service session. The request includes a first authentication context. The proxy server requests verification of the first authentication context from an authentication server and validates the first authentication context based, at least in part, on the verification. The proxy server implements a second authentication context based, at least in part, on the verification of the first authentication context to initiate the service session.
Abstract:
Access control is provided for a data processing terminal having various resources and capable of executing arbitrary computer executable applications using the resources. A set of conditional access control constraints is maintained for defining permissible combinations of the resources usable in conjunction by the applications. The applications are allowed to run only within the constraints of permissible combinations of resources used by the applications that are run in conjunction. The constraints are defined using access logs assigned to different access objects and using service identifiers stored in the access logs corresponding to the services used. Propositional logic is applied to determine allowable combinations of resources and/or services usable in conjunction.