专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明申请

US20090119510A1 END-TO-END NETWORK SECURITY WITH TRAFFIC VISIBILITY 审中-公开
标题翻译：具有交通可见性的端到端网络安全
公开(公告)号：US20090119510A1
公开(公告)日：2009-05-07
申请号：US11935783
申请日：2007-11-06
申请人： Men Long , Jesse Walker , David Durham , Marc Millier , Karanvir Grewal , Prashant Dewan , Uday Savagaonkar , Steven D. Williams
发明人： Men Long , Jesse Walker , David Durham , Marc Millier , Karanvir Grewal , Prashant Dewan , Uday Savagaonkar , Steven D. Williams
IPC分类号： H04L9/32
CPC分类号： H04L63/0428 , H04L9/0631 , H04L9/3242 , H04L63/08 , H04L63/1466 , H04L63/168 , H04L2209/12 , H04L2209/38
摘要： End-to-end security between clients and a server, and traffic visibility to intermediate network devices, achieved through combined mode, single pass encryption and authentication using two keys is disclosed. In various embodiments, a combined encryption-authentication unit includes a cipher unit and an authentication unit coupled in parallel to the cipher unit, and generates an authentication tag using an authentication key in parallel with the generation of the cipher text using an encryption key, where the authentication and encryption key have different key values. In various embodiments, the cipher unit operates in AES counter mode, and the authentication unit operates in parallel, in AES-GMAC mode Using a two key, single pass combined mode algorithm preserves network performance using a limited number of HW gates, while allowing an intermediate device access to the encryption key for deciphering the data, without providing that device the ability to compromise data integrity, which is preserved between the end to end devices.
摘要翻译：公开了客户机与服务器之间的端到端安全性，以及通过组合模式，单程加密和使用两个密钥的认证实现的对中间网络设备的流量可见性。在各种实施例中，组合加密认证单元包括与密码单元并行耦合的密码单元和认证单元，并且使用加密密钥与密文生成并行地使用认证密钥生成认证标签，其中认证和加密密钥具有不同的密钥值。在各种实施例中，密码单元以AES计数器模式运行，并且认证单元以AES-GMAC模式并行操作。使用双键单通组合模式算法使用有限数量的HW门保留网络性能，同时允许中间设备访问用于解密数据的加密密钥，而不提供该设备损害数据完整性的能力，这在端到端设备之间保留。

2. 发明授权

US08467527B2 Efficient key derivation for end-to-end network security with traffic visibility 有权
标题翻译：针对具有流量可见性的端到端网络安全性的高效密钥导出
公开(公告)号：US08467527B2
公开(公告)日：2013-06-18
申请号：US12327137
申请日：2008-12-03
申请人： Men Long , Jesse Walker , Karanvir Grewal
发明人： Men Long , Jesse Walker , Karanvir Grewal
IPC分类号： H04L9/00 , G06F7/04 , G06F21/00
CPC分类号： H04L9/0866 , H04L9/0631 , H04L63/0428 , H04L63/06 , H04L2209/125
摘要： Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key—MSB=AES128(base_key_1, client_ID), (1) client_key—LSB=AES128(base_key_2, client_ID+pad), and (2) client_key=client_key_MSB∥client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.
摘要翻译：端到端安全性和流量可见性可以由使用控制器的系统来实现，所述控制器基于在每个数据分组中传送的导出密钥和客户端标识符来导出每个客户端不同的密码密钥。控制器将派生密钥分发到信息技术监控设备和服务器，以提供流量可视性。对于较大的密钥大小，密钥可以使用以下推导公式导出：client_key-MSB = AES128（base_key_1，client_ID），（1）client_key-LSB = AES128（base_key_2，client_ID + pad）和（2）client_key = client_key_MSB‖client_key_LSB，其中（1）和（2）并行执行。可以使用客户端密钥和客户端标识符，以便可以实现端到端的安全性。

3. 发明申请

US20100135498A1 Efficient Key Derivation for End-To-End Network Security with Traffic Visibility 有权
标题翻译：针对具有流量可见性的端到端网络安全性的高效关键推导
公开(公告)号：US20100135498A1
公开(公告)日：2010-06-03
申请号：US12327137
申请日：2008-12-03
申请人： Men Long , Jesse Walker , Karanvir Grewal
发明人： Men Long , Jesse Walker , Karanvir Grewal
IPC分类号： H04L9/08 , H04L9/00
CPC分类号： H04L9/0866 , H04L9/0631 , H04L63/0428 , H04L63/06 , H04L2209/125
摘要： Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key—MSB=AES128(base_key_1, client_ID), (1) client_key—LSB=AES128(base_key_2, client_ID+pad), and (2) client_key=client_key_MSB∥client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.
摘要翻译：端到端安全性和流量可见性可以由使用控制器的系统来实现，所述控制器基于在每个数据分组中传送的导出密钥和客户端标识符来导出每个客户端不同的密码密钥。控制器将派生密钥分发到信息技术监控设备和服务器，以提供流量可视性。对于较大的密钥大小，密钥可以使用以下推导公式导出：client_key-MSB = AES128（base_key_1，client_ID），（1）client_key-LSB = AES128（base_key_2，client_ID + pad）和（2）client_key = client_key_MSB‖client_key_LSB，其中（1）和（2）并行执行。可以使用客户端密钥和客户端标识符，以便可以实现端到端的安全性。

4. 发明申请

US20090210699A1 METHOD AND APPARATUS FOR SECURE NETWORK ENCLAVES 有权
标题翻译：用于安全网络包装的方法和装置
公开(公告)号：US20090210699A1
公开(公告)日：2009-08-20
申请号：US12032618
申请日：2008-02-15
申请人： Karanvir Grewal , Men Long , Prashant Dewan
发明人： Karanvir Grewal , Men Long , Prashant Dewan
IPC分类号： H04L9/32
CPC分类号： H04L63/061 , H04L9/083 , H04L9/321 , H04L9/3247
摘要： Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key.
摘要翻译：公开了提供网络飞地内的安全性的方法和装置。在一个实施例中，认证逻辑启动与中央网络授权机构的认证。分组处理逻辑从中央网络机构接收密钥和标识符。然后，安全协议逻辑通过包括客户端标识符和加密部分和/或授权签名的通信来建立客户机 - 服务器安全关联，其中由中央网络机构分配的客户机授权密钥可以由服务器再现，除了所述中央网络机构根据客户端标识符和由中央网络机构提供给服务器的导出密钥来解密加密部分和/或使用授权签名验证通信。如果需要，服务器还可以使用服务器生成的导出密钥向客户端提供新的会话密钥和/或新的客户端会话标识符，并用客户端授权密钥来保护它们。

5. 发明申请

US20080022388A1 Method and apparatus for multiple inclusion offsets for security protocols 审中-公开
标题翻译：用于安全协议的多重包含偏移的方法和装置
公开(公告)号：US20080022388A1
公开(公告)日：2008-01-24
申请号：US11478986
申请日：2006-06-30
申请人： Karanvir Grewal , David Durham , Hormuzd Khosravi , Men Long , Prashant Dewan
发明人： Karanvir Grewal , David Durham , Hormuzd Khosravi , Men Long , Prashant Dewan
IPC分类号： G06F15/16
CPC分类号： H04L63/105
摘要： A method and apparatus to define multiple zones in a data packet for inclusion in processing by security operations of a security protocol. In one embodiment, each defined zone has an associated list of security operations to which the zone is subjected. In another embodiment, the list of security operations for a zone includes parameters to be passed when performing the security operations on the zone.
摘要翻译：一种在数据分组中定义多个区域以包括在安全协议的安全操作的处理中的方法和装置。在一个实施例中，每个定义的区域具有该区域经受的安全操作的关联列表。在另一个实施例中，区域的安全操作的列表包括在区域上执行安全操作时要传递的参数。

6. 发明授权

US09319220B2 Method and apparatus for secure network enclaves 有权
标题翻译：安全网络飞地的方法和装置
公开(公告)号：US09319220B2
公开(公告)日：2016-04-19
申请号：US12032618
申请日：2008-02-15
申请人： Karanvir Grewal , Men Long , Prashant Dewan
发明人： Karanvir Grewal , Men Long , Prashant Dewan
IPC分类号： H04L29/06 , H04L9/08 , H04L9/32
CPC分类号： H04L63/061 , H04L9/083 , H04L9/321 , H04L9/3247
摘要： Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key.
摘要翻译：公开了提供网络飞地内的安全性的方法和装置。在一个实施例中，认证逻辑启动与中央网络授权机构的认证。分组处理逻辑从中央网络机构接收密钥和标识符。然后，安全协议逻辑通过包括客户端标识符和加密部分和/或授权签名的通信来建立客户机 - 服务器安全关联，其中由中央网络机构分配的客户机授权密钥可以由服务器再现，除了所述中央网络机构根据客户端标识符和由中央网络机构提供给服务器的导出密钥来解密加密部分和/或使用授权签名验证通信。如果需要，服务器还可以使用服务器生成的导出密钥向客户端提供新的会话密钥和/或新的客户端会话标识符，并用客户端授权密钥来保护它们。

7. 发明申请

US20080002724A1 Method and apparatus for multiple generic exclusion offsets for security protocols 审中-公开
标题翻译：用于安全协议的多个通用排除偏移的方法和装置
公开(公告)号：US20080002724A1
公开(公告)日：2008-01-03
申请号：US11479157
申请日：2006-06-30
申请人： Karanvir Grewal , David Durham , Hormuzd Khosravi , Men Long , Prashant Dewan
发明人： Karanvir Grewal , David Durham , Hormuzd Khosravi , Men Long , Prashant Dewan
IPC分类号： H04L12/56
CPC分类号： H04L63/0428 , H04L63/104 , H04L63/164 , H04L69/22
摘要： A method and apparatus to define multiple zones in a data packet for exclusion from processing by security operations of a security protocol. In one embodiment, each defined zone has an associated list of security operations from which the zone is protected.
摘要翻译：一种在数据分组中定义多个区域以便通过安全协议的安全操作排除在处理之外的方法和装置。在一个实施例中，每个定义的区域具有相关的安全操作列表，从该区域被保护。

8. 发明申请

US20080244268A1 End-to-end network security with traffic visibility 审中-公开
标题翻译：具有流量可见性的端到端网络安全
公开(公告)号：US20080244268A1
公开(公告)日：2008-10-02
申请号：US11731562
申请日：2007-03-30
申请人： David Durham , Men Long , Prashant Dewan , Karanvir Grewal
发明人： David Durham , Men Long , Prashant Dewan , Karanvir Grewal
IPC分类号： H04L9/00
CPC分类号： H04L9/0866 , H04L63/062 , H04L2463/061
摘要： Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. The key may be derived using a cryptographic one way function and a client identifier so that end-to-end security may be achieved.
摘要翻译：端到端安全性和流量可见性可以由使用控制器的系统来实现，所述控制器基于在每个数据分组中传送的导出密钥和客户端标识符来导出每个客户端不同的密码密钥。控制器将派生密钥分发到信息技术监控设备和服务器，以提供流量可视性。可以使用密码单向函数和客户端标识来导出密钥，使得可以实现端到端的安全性。

9. 发明申请

US20070239875A1 Method and apparatus for maintaining local area network("LAN") and wireless LAN ("WLAN") security associations 有权
标题翻译：用于维护局域网（“LAN”）和无线局域网（“WLAN”）安全关联的方法和装置
公开(公告)号：US20070239875A1
公开(公告)日：2007-10-11
申请号：US11393018
申请日：2006-03-29
申请人： Kapil Sood , Jesse Walker , Karanvir Grewal
发明人： Kapil Sood , Jesse Walker , Karanvir Grewal
IPC分类号： G06F15/16
CPC分类号： H04L63/20 , H04W52/0254 , H04W52/0258 , H04W84/12 , Y02D70/00 , Y02D70/142 , Y02D70/146
摘要： Cooperating entities share a signaling interface. Each entity establishes a security association between itself and an endpoint, and one of the entities transmits keepalive messages over a channel associated with the security association. Chipsets and systems to implement related methods are also described and claimed.
摘要翻译：合作实体共享信令接口。每个实体在其自身和端点之间建立安全关联，并且其中一个实体通过与安全关联相关联的信道发送保持活动消息。还描述和要求保护用于实现相关方法的芯片组和系统。

10. 发明申请

US20080005791A1 Method and apparatus for supporting a virtual private network architecture on a partitioned platform 有权
标题翻译：用于在分区平台上支持虚拟专用网络架构的方法和装置
公开(公告)号：US20080005791A1
公开(公告)日：2008-01-03
申请号：US11479609
申请日：2006-06-30
申请人： Ajay Gupta , Jeong Yoon , Jesse Walker , Kapil Sood , Karanvir Grewal , Hormuzd M. Khosravi
发明人： Ajay Gupta , Jeong Yoon , Jesse Walker , Kapil Sood , Karanvir Grewal , Hormuzd M. Khosravi
IPC分类号： G06F15/16
CPC分类号： H04L63/0272 , G06F21/562
摘要： A computer system includes a service partition, not directly accessible to a user, having a security agent to inspect data entering and exiting the computer system on a virtual private network (VPN) tunnel, and a service partition VPN unit to communicate with a VPN gateway. The computer system also includes a user partition, accessible to a user, having a user partition VPN unit to initiate construction of the VPN tunnel with the VPN gateway. Other embodiments are described and claimed.
摘要翻译：计算机系统包括不能直接访问用户的服务分区，具有用于检查在虚拟专用网（VPN）隧道上进入和退出计算机系统的数据的安全代理以及与VPN网关通信的服务分区VPN单元。计算机系统还包括用户可访问的用户分区，具有用户分区VPN单元以启动与VPN网关的VPN隧道的构建。描述和要求保护其他实施例。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式