    • 1. Granted invention patent
    • System and method for trusted inspection of a data stream
    • Publication number: US07055027B1
    • Publication date: 2006-05-30
    • Application number: US09274294
    • Filing date: 1999-03-22
    • Inventors: David Gunter; Leeon Moshe Shachaf
    • Applicants: David Gunter; Leeon Moshe Shachaf
    • IPC: G06F13/36
    • CPC: H04L63/0428; H04L63/30
    • Abstract: A network architecture allows an intermediary to inspect an encrypted data stream on a virtual private network (VPN) in a secure and trusted manner. The endpoints establish a virtual private network by negotiating a session key used to encrypt data being exchanged between them. The endpoints know the session key, but the intermediary does not. To grant the intermediary trusted access to the data stream on the VPN, one endpoint securely transfers the session key to the firewall by encrypting the session key using the intermediary's public key and then signing the encrypted session key. The intermediary authenticates the signature and decrypts the session key using its own private key. If the process yields a valid key, the intermediary is assured that the session key was sent by the endpoint and was not subsequently tampered with en route. Once the session key is transferred, the firewall can decrypt and inspect the data stream on the VPN in a manner that is transparent to the endpoints.
    • 2. Granted invention patent
    • System and method of transmitting encrypted packets through a network access point
    • Publication number: US06751728B1
    • Publication date: 2004-06-15
    • Application number: US09334349
    • Filing date: 1999-06-16
    • Inventors: David V. Gunter; Leeon Moshe Shachaf
    • Applicants: David V. Gunter; Leeon Moshe Shachaf
    • IPC: H04L9/00
    • CPC: H04L61/2514; H04L29/12009; H04L29/12367; H04L29/125; H04L61/2564; H04L63/0428; H04L63/123
    • Abstract: A method and system for network communication efficiently transmits encrypted packets from a sending host on an external network to a receiving host on an intranet through a network access point (NAP) of the intranet. A packet to be sent by the sending host on the external network is constructed with the external network address of the NAP as the destination address of the packet. The intranet address of the receiving host is also included in the packet in non-encrypted form and is used in the calculation of the cryptographic hash or the like that is included in the packet for authentication purposes. The encrypted packet is then routed to the NAP through the external network. When the NAP receives the packet, it strips the intranet address of the receiving host from the packet and uses that address to replace the original destination address in the packet. The NAP then forwards the modified packet to the receiving host. Because the NAP does not have to decrypt the packet, encrypted packets can quickly pass through the NAP. When the receiving host receives the modified packet, it decrypts the packet and authenticates it. Because the destination address in the modified packet is the same address used in calculating the cryptographic hash of the packet, the packet should be deemed valid by the receiving host.