    • 1. Granted patent
    • Method and apparatus for defending against denial of service attacks
    • Publication number: US08635284B1
    • Publication date: 2014-01-21
    • Application number: US11255366
    • Filing date: 2005-10-21
    • Inventors: Sunay Tripathi; Radia J. Perlman; Nicolas G. Droux
    • Applicants: Sunay Tripathi; Radia J. Perlman; Nicolas G. Droux
    • IPC: G06F15/16; H04L29/06; G06F11/30
    • CPC: H04L69/22; H04L49/9047; H04L63/1458; H04L69/161
    • Abstract: A method for processing packets that includes receiving a packet from a network and analyzing the packet to obtain packet information used to determine to which temporary data structure to forward the packet. If a first list includes the packet information, the packet is forwarded to a first temporary data structure and processed from there. If the first list does not include the packet information, the packet is forwarded to a second temporary data structure and processed, wherein processing the packet comprises: sending a first test to the source of the packet using the packet information; placing the packet information on the first list if a successful response to the first test is received; and placing the packet information on a second list if an unsuccessful response to the first test is received.
    • 2. Granted patent
    • Fast computation of one-way hash sequences
    • Publication number: US08538014B2
    • Publication date: 2013-09-17
    • Application number: US12118893
    • Filing date: 2008-05-12
    • Inventors: Radia J. Perlman
    • Applicants: Radia J. Perlman
    • IPC: H04L9/28
    • CPC: H04L9/0643; H04L9/0869; H04L2209/38
    • Abstract: Some embodiments of the present invention provide a system that computes a target secret S_t in a sequence of secrets S_0, ..., S_n. During operation, the system obtains k hash functions h_1, ..., h_k, where h_1 is known as the "lowest order hash function" and h_k is known as the "highest order hash function." Associated with each hash function h_i is a seed value seed_i comprising a pair (seedindex_i, seedvalue_i). Hash function h_i operates on a pair (index_i, value_i) to produce a pair (newindex_i, newvalue_i), where newindex_i > index_i. To compute target secret S_t, the hash functions are applied successively, starting with the highest order hash function whose associated seed's index value is largest without being greater than t, applying that hash function as many times as possible without having that hash function's output's index value become greater than t, and then applying each successive hash function in turn as many times as possible, until S_t has been computed. To delete the earliest computable secret in the chain, S_1, the new seed for each of the hash functions is computed as follows. Let x = 1 + index_1 (the index of the seed associated with the lowest order hash function). For each hash function h_i, if x > index_i, then h_i is applied to seed_i. If the resulting index_i is greater than index_{i+1}, then (index_{i+1}, value_{i+1}) associated with h_{i+1} is copied into the (index, value) associated with h_i. Otherwise, seed_i is replaced by h_i(seed_i).
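The abstract above describes the idea (a few hash functions of increasing stride, one seed per hash function, fast lookup of S_t and cheap deletion of the earliest secret) but leaves the exact seed bookkeeping to the full text. The following is an added worked example in Python, not the patent's own procedure: it defines S_t by greedy descent from a root value (highest stride first), keeps one seed per level, answers a lookup with a handful of hash steps instead of t, and on deletion advances the seeds so that the deleted secret can no longer be recomputed from what the holder still stores. The strides [1, 4, 16], the domain-separated SHA-256 step and the rule that a seed stepping onto a higher-order node inherits that node are my assumptions.

```python
"""Hierarchical one-way hash sequence with fast access and deletion (added illustration)."""
import hashlib
from typing import List, Tuple


def h(level: int, value: bytes) -> bytes:
    """One-way step of hash function h_level (domain-separated SHA-256; assumed)."""
    return hashlib.sha256(b"hashseq|h%d|" % level + value).digest()


def reference_secret(root: bytes, strides: List[int], t: int) -> bytes:
    """Definition of S_t: from the root apply the highest-stride function as often
    as possible without passing t, then the next lower one, down to stride 1."""
    idx, val = 0, root
    for lvl in range(len(strides) - 1, -1, -1):
        while idx + strides[lvl] <= t:
            idx, val = idx + strides[lvl], h(lvl, val)
    return val


class HashSequence:
    """Holder of the seeds for S_c, S_c+1, ...; every S_t with t < c is gone.

    strides[0] == 1 and each stride divides the next, e.g. [1, 4, 16].
    seeds[i] is the first level-i node at or after index c, so a lookup costs
    at most a few steps per level instead of t, and deleting S_c costs at most
    one step per level.
    """

    def __init__(self, root: bytes, strides: List[int]):
        assert strides[0] == 1
        assert all(b > a and b % a == 0 for a, b in zip(strides, strides[1:]))
        self.strides = strides
        self.c = 0                                   # earliest still-computable index
        self.seeds: List[Tuple[int, bytes]] = [(0, root)] * len(strides)
        self.steps = 0                               # hash evaluations, for cost comparison

    def _step(self, lvl: int, node: Tuple[int, bytes]) -> Tuple[int, bytes]:
        self.steps += 1
        return node[0] + self.strides[lvl], h(lvl, node[1])

    def compute(self, t: int) -> bytes:
        if t < self.c:
            raise ValueError(f"S_{t} was deleted; earliest available is S_{self.c}")
        # start from the highest-order seed that does not lie beyond t
        start = max(i for i, (idx, _) in enumerate(self.seeds) if idx <= t)
        node = self.seeds[start]
        for lvl in range(start, -1, -1):
            while node[0] + self.strides[lvl] <= t:
                node = self._step(lvl, node)
        return node[1]

    def delete_earliest(self) -> None:
        """Forget S_c: every seed still sitting at index c is advanced, top level first."""
        self.c += 1
        for lvl in range(len(self.strides) - 1, -1, -1):
            idx, _ = self.seeds[lvl]
            if idx >= self.c:
                continue                             # seed already ahead of c
            if lvl + 1 < len(self.strides) and idx + self.strides[lvl] >= self.seeds[lvl + 1][0]:
                # the next level-lvl node is a higher-order node: inherit it instead of hashing
                self.seeds[lvl] = self.seeds[lvl + 1]
            else:
                self.seeds[lvl] = self._step(lvl, self.seeds[lvl])
```

With strides [1, 4, 16] a fresh holder reaches S_39 in 6 hash steps (two of h_2, one of h_1, three of h_0) where a flat chain needs 39; after 21 deletions every S_t with t >= 21 is still returned unchanged while S_20 raises, and nothing left in `seeds` is an ancestor of S_20.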
    • 3. Granted patent
    • Dynamic defense of network attacks
    • Publication number: US08006285B1
    • Publication date: 2011-08-23
    • Application number: US11150924
    • Filing date: 2005-06-13
    • Inventors: Radia J. Perlman
    • Applicants: Radia J. Perlman
    • IPC: H04L29/06
    • CPC: H04L63/1458
    • Abstract: A distributed denial of service attack can be defended against by challenging requests at a machine upstream from the target of the attack. The upstream machine limits access to the victim machine in response to an indication that the victim machine is being attacked. The upstream machine begins trapping protocol data units destined for the victim machine and challenging requests to access the victim machine with tests that require sentient responses, such as Turing tests. The upstream machine then updates a set of rules governing access to the victim machine based, at least in part, on responses to the challenges or administered tests.
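Entries 1 and 3 above share one decision flow: once the protected host is known to be under attack, packets from unverified sources are parked and the source is challenged, and the answer decides whether the source joins the admitted list (first list, fast queue) or the blocked list. The following is an added example of that flow in Python, not the patents' apparatus: the challenge is a stateless HMAC cookie over (source, time bucket), a protocol-level test standing in for the human-facing Turing test of entry 3; class and field names, the queue capacity and the flood scenario are constructed. The cookie is stateless on purpose: a gate that stored a pending challenge per source would hand the attacker a second state-exhaustion target, and the parked queue is bounded for the same reason.

```python
"""Challenge-then-classify gate upstream of an attacked host (added illustration)."""
import hashlib
import hmac
import os
from collections import deque


class ChallengeGate:
    """Admits, parks, challenges or drops packets by source address.

    verified (first list)  -> packet goes straight to the fast queue
    blocked  (second list) -> packet is dropped
    otherwise              -> packet is parked in a bounded queue, the source is
                              challenged, and only a correct answer verifies it
    Challenges are HMAC cookies over (source, time bucket), so silent sources
    cost the gate no memory.  `defending` is the "victim under attack" indication.
    """

    def __init__(self, clock, secret=None, cookie_ttl=30, park_capacity=256):
        self.clock = clock                           # callable returning seconds
        self.secret = secret or os.urandom(32)
        self.cookie_ttl = cookie_ttl
        self.verified = set()
        self.blocked = set()
        self.fast_queue = deque()
        self.parked = deque(maxlen=park_capacity)    # oldest parked packets are evicted
        self.defending = False

    def set_under_attack(self, flag: bool) -> None:
        self.defending = flag

    def _bucket(self) -> int:
        return int(self.clock()) // self.cookie_ttl

    def _cookie(self, src: str, bucket: int) -> str:
        return hmac.new(self.secret, f"{src}|{bucket}".encode(), hashlib.sha256).hexdigest()

    def handle_packet(self, src: str, payload: bytes):
        """Returns ('fast' | 'dropped' | 'challenged', challenge string or None)."""
        if src in self.blocked:
            return "dropped", None
        if not self.defending or src in self.verified:
            self.fast_queue.append((src, payload))
            return "fast", None
        self.parked.append((src, payload))
        return "challenged", self._cookie(src, self._bucket())

    def handle_response(self, src: str, answer: str) -> bool:
        """Check a challenge answer (current or previous bucket); update the lists."""
        b = self._bucket()
        ok = any(hmac.compare_digest(answer, self._cookie(src, bb)) for bb in (b, b - 1))
        if ok:
            self.verified.add(src)
            self.blocked.discard(src)
            kept = deque(maxlen=self.parked.maxlen)  # release this source's parked packets
            for s, p in self.parked:
                (self.fast_queue if s == src else kept).append((s, p))
            self.parked = kept
        else:
            self.blocked.add(src)
        return ok


def simulate_flood(n_attackers: int, legit: str = "10.0.0.5"):
    """Constructed scenario: many silent sources plus one client that answers.
    Returns (packets in the fast queue, parked packets, blocked sources)."""
    now = [1_000_000.0]
    gate = ChallengeGate(clock=lambda: now[0], cookie_ttl=30, park_capacity=64)
    gate.set_under_attack(True)
    for i in range(n_attackers):                     # attackers never answer
        gate.handle_packet(f"198.51.100.{i}", b"GET / flood")
    kind, challenge = gate.handle_packet(legit, b"GET /index.html")
    assert kind == "challenged"
    gate.handle_response(legit, challenge)           # legit client echoes the cookie
    gate.handle_packet(legit, b"GET /next")          # now takes the fast path
    return len(gate.fast_queue), len(gate.parked), len(gate.blocked)
```

In the constructed flood of 500 silent sources, the victim-facing fast queue receives only the two packets of the client that answered, the bounded parked queue holds 63 stale attacker packets, and the blocked list stays empty because unanswered challenges leave no state; a wrong answer or a cookie older than two buckets puts the source on the blocked list.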
    • 4. Published patent application
    • PARAMETERIZABLE CRYPTOGRAPHY
    • Publication number: US20110093721A1
    • Publication date: 2011-04-21
    • Application number: US12582276
    • Filing date: 2009-10-20
    • Inventors: Radia J. Perlman
    • Applicants: Radia J. Perlman
    • IPC: G06F21/24
    • CPC: G06F21/602
    • Abstract: Some embodiments provide systems and techniques for performing parameterizable cryptography. An encryption key can be determined based at least on a string associated with an authorization policy. The encryption key can then be used to encrypt information. The decryption key can also be determined based at least on the string associated with the authorization policy. Note that the authorization policy must be satisfied to decrypt information. In some embodiments, the systems and techniques for performing parameterizable cryptography are blindable. These blindable embodiments can be used to preserve privacy.
    • 5. Granted patent
    • Method and apparatus for facilitating use of a pre-shared secret key with identity hiding
    • Publication number: US06975729B1
    • Publication date: 2005-12-13
    • Application number: US09640465
    • Filing date: 2000-08-15
    • Inventors: Radia J. Perlman
    • Applicants: Radia J. Perlman
    • IPC: H04L9/08; H04L29/06
    • CPC: H04L9/0841; H04L63/0407; H04L63/061; H04L2209/16
    • Abstract: One embodiment of the present invention provides a system that facilitates a key exchange that operates with a pre-shared secret key and that hides the identities of the parties involved in the key exchange. The method operates by establishing a negotiated secret key between a first party and a second party by performing communications between the first party and the second party across a network in a manner that does not allow an eavesdropper to determine the negotiated secret key. Next, the system encrypts an identifier for the first party using the negotiated secret key and a group secret key to form an encrypted identifier. This group secret key is known to members of a group, including the first party and the second party, but is kept secret from parties outside of the group. Next, the system sends the encrypted identifier from the first party across the network to the second party. This allows the second party to decrypt the encrypted identifier by using the negotiated secret key and the group secret key, so that the second party can use the identifier to look up the pre-shared secret key that was previously established between the first party and the second party. This pre-shared secret key is subsequently used in forming at least one subsequent communication between the first party and the second party.
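The exchange described above, as an added example with both sides in Python (not the patent's code). The unspecified "negotiated secret key" step is instantiated as Diffie-Hellman over the RFC 2409 group 2 parameters, chosen only because they can be written down (a 1024-bit MODP group is below current minimums; use a 2048-bit group or ECDH in practice). The identifier is sealed under a key that mixes the DH result with the group secret, using a small HMAC-based encrypt-then-MAC construction as a stand-in for a real AEAD, and the final session key binds the looked-up pre-shared key to the DH result. The identities, keys and lookup table are constructed. Note the two layers: the group key keeps the identifier from outsiders, including an active attacker who runs his own DH with the initiator, while the DH result keeps it from other group members who merely eavesdrop.

```python
"""Identity-hiding key exchange on top of a pre-shared key (added illustration)."""
import hashlib
import hmac
import os
import secrets

# RFC 2409 "group 2" 1024-bit MODP group: assumed here only so the example is
# self-contained; far too small for new deployments.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:                       # reject degenerate public values
        raise ValueError("bad DH public value")
    return hashlib.sha256(pow(peer_pub, x, P).to_bytes(128, "big")).digest()


def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(ek: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))


def seal(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys (stand-in for an AEAD, not a standard)."""
    ek, mk = _sub(key, b"enc"), _sub(key, b"mac")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ek, mk = _sub(key, b"enc"), _sub(key, b"mac")
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


def id_key(negotiated: bytes, group_key: bytes) -> bytes:
    """Key for the identifier: needs both the DH result and the group secret."""
    return hmac.new(group_key, b"id-hiding|" + negotiated, hashlib.sha256).digest()


def session_key(psk: bytes, negotiated: bytes) -> bytes:
    """Subsequent traffic key: the pre-shared key bound to this exchange's DH result."""
    return hmac.new(psk, b"session|" + negotiated, hashlib.sha256).digest()


class Responder:
    """Second party: holds the group key and the table identifier -> pre-shared key."""

    def __init__(self, group_key: bytes, psk_table: dict):
        self.group_key, self.psk_table = group_key, psk_table
        self.negotiated = self.session = None
        self.last_id_blob = b""                        # kept only so tests can inspect the wire

    def hello(self, init_pub: int) -> int:             # messages 1 and 2: DH values, in the clear
        x, pub = dh_keypair()
        self.negotiated = dh_shared(x, init_pub)
        return pub

    def identify(self, nonce: bytes, blob: bytes) -> bool:   # message 3: encrypted identifier
        self.last_id_blob = blob
        try:
            ident = unseal(id_key(self.negotiated, self.group_key), nonce, blob)
        except ValueError:
            return False                               # wrong group key or tampering
        psk = self.psk_table.get(ident)
        if psk is None:
            return False                               # unknown identifier
        self.session = session_key(psk, self.negotiated)
        return True


def initiate(group_key: bytes, my_id: bytes, my_psk: bytes, responder: Responder):
    """First party; returns the session key, or None if the responder rejects."""
    x, pub = dh_keypair()
    negotiated = dh_shared(x, responder.hello(pub))
    nonce = os.urandom(16)
    blob = seal(id_key(negotiated, group_key), nonce, my_id)
    return session_key(my_psk, negotiated) if responder.identify(nonce, blob) else None
```

A responder holding a different group key cannot open the identifier and never reaches the table lookup, an unknown identifier is rejected after decryption, and the identifier bytes never appear on the wire.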
    • 6. Granted patent
    • Dynamic LAN boundaries
    • Publication number: US06901076B2
    • Publication date: 2005-05-31
    • Application number: US09726800
    • Filing date: 2000-11-30
    • Inventors: Radia J. Perlman; Eric A. Guttman
    • Applicants: Radia J. Perlman; Eric A. Guttman
    • IPC: H04L12/46; H04L12/28; H04L12/56
    • CPC: H04L12/4625
    • Abstract: A network device dynamically switches between layer 2 (data link) operation and layer 3 (network) operation. When enabled, bridging logic functions as a data link bridge, receiving data link messages from communications links forming part of a single network-layer segment and forwarding the messages to another communications link using the layer-2 addresses in the messages. When enabled, routing logic functions as a network router, receiving network layer messages from different network-layer segments and forwarding the messages to other links based on a routing algorithm and the network layer addresses. Selection logic dynamically selects the desired function under different operating conditions. For a transition from router to bridge, multiple network-layer segments are merged into a single bridged network-layer segment, freeing up link numbers for use in configuring addresses for other segments. For the transition from bridge to router, a single bridged network-layer segment is divided into multiple segments having distinct routing identities.
    • 7. Granted patent
    • Use of beacon message in a network for classifying and discarding messages
    • Publication number: US06658004B1
    • Publication date: 2003-12-02
    • Application number: US09473402
    • Filing date: 1999-12-28
    • Inventors: Miriam C. Kadansky; Dah Ming Chiu; Stephen R. Hanna; Stephen A. Hurst; Radia J. Perlman; Joseph S. Wesley
    • Applicants: Miriam C. Kadansky; Dah Ming Chiu; Stephen R. Hanna; Stephen A. Hurst; Radia J. Perlman; Joseph S. Wesley
    • IPC: H04L12/28
    • CPC: H04L12/1827; H04L47/10; H04L47/31; H04L67/104; H04L67/1063; H04L67/1074; H04L69/329
    • Abstract: A method and apparatus for identifying a data message that is eligible for discard. A beacon node periodically transmits a beacon message to a plurality of client nodes communicatively coupled via a network. Each beacon message includes a beacon sequence number and, preferably, the beacon sequence numbers are authenticated by the beacon node. The client nodes, upon receipt of the beacon messages, verify the authenticity of the respective received beacon sequence numbers and generate a local sequence number derived from the received beacon sequence number. When one client in the session has data to transmit to another client in the session, the sending client assembles a data message and inserts its local sequence number in the data message prior to transmission of the data message to the other client nodes in the session. The client nodes receiving the data message discard the data message if their respective local sequence number at the time of receipt of the data message exceeds the local sequence number inserted in the data message by a predetermined value. In one embodiment, the beacon node generates sequence numbers at a periodic interval P but only transmits 1 out of every m beacon sequence numbers to the client nodes in the session. The client nodes each set a local sequence counter equal to the beacon sequence number upon receipt of the beacon message and thereafter increment the local sequence counter periodically at interval P. The local sequence counter value is employed as the local sequence number in each client node.
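Added example of the scheme above, not the patent's code: the beacon node, two client nodes and the discard rule in Python. The abstract leaves the beacon authentication mechanism open; here it is instantiated as an HMAC-SHA256 tag under a session key, and a monotonicity check that ignores replayed beacons is my addition (without it, an attacker replaying an old authenticated beacon could wind a client's counter back and make stale messages acceptable again). Interval P is modelled as one tick, m and the discard threshold are parameters, and the run with a stalled client clock is constructed to show the beacon resynchronising it.

```python
"""Beacon-driven staleness check for session messages (added illustration)."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def beacon_tag(key: bytes, seq: int) -> bytes:
    """Assumed authentication: HMAC-SHA256 over the beacon sequence number."""
    return hmac.new(key, b"beacon|" + struct.pack(">Q", seq), hashlib.sha256).digest()


class BeaconNode:
    def __init__(self, key: bytes, m: int):
        self.key, self.m, self.seq = key, m, 0

    def tick(self) -> Optional[Tuple[int, bytes]]:
        """Called once per interval P; only every m-th sequence number is transmitted."""
        self.seq += 1
        if self.seq % self.m == 0:
            return self.seq, beacon_tag(self.key, self.seq)
        return None


class ClientNode:
    def __init__(self, key: bytes, max_age: int):
        self.key, self.max_age = key, max_age          # max_age: the predetermined discard value
        self.local_seq = 0
        self.last_beacon = 0
        self.stats = {"accepted": 0, "discarded": 0, "bad_beacons": 0}

    def receive_beacon(self, seq: int, tag: bytes) -> bool:
        if not hmac.compare_digest(tag, beacon_tag(self.key, seq)) or seq <= self.last_beacon:
            self.stats["bad_beacons"] += 1             # forged or replayed beacon is ignored
            return False
        self.last_beacon = seq
        self.local_seq = seq                           # resynchronise the local counter
        return True

    def tick(self) -> None:
        self.local_seq += 1                            # free-run between beacons at interval P

    def send(self, payload: bytes) -> Tuple[int, bytes]:
        return self.local_seq, payload                 # local sequence number goes into the message

    def receive(self, msg: Tuple[int, bytes]) -> bool:
        seq, _ = msg
        if self.local_seq - seq > self.max_age:
            self.stats["discarded"] += 1
            return False
        self.stats["accepted"] += 1
        return True


def simulate(delay: int, max_age: int = 4, m: int = 3, b_stall_at: int = 0,
             key: bytes = b"session-key-constructed") -> dict:
    """Constructed run: A sends at tick 5; B receives the message `delay` ticks later.
    If b_stall_at is set, B's clock misses that tick and relies on the beacon to catch up."""
    beacon = BeaconNode(key, m)
    a, b = ClientNode(key, max_age), ClientNode(key, max_age)
    msg = None
    for t in range(1, 5 + delay + 1):
        out = beacon.tick()
        for node in (a, b):
            if not (node is b and t == b_stall_at):
                node.tick()
            if out:
                node.receive_beacon(*out)
        if t == 5:
            msg = a.send(b"data")
    return {"accepted": b.receive(msg), "a_seq": msg[0], "b_seq": b.local_seq}
```

With m = 3 and a discard threshold of 4, a message that arrives two ticks after it was sent is accepted and one that arrives six ticks later is discarded; a client whose clock stalls for a tick is pulled back onto the session clock by the next beacon, whereas with beacons effectively turned off (m larger than the run) it stays one tick behind.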
    • 8. Granted patent
    • Content screening with end-to-end encryption prior to reaching a destination
    • Publication number: US06560705B1
    • Publication date: 2003-05-06
    • Application number: US09511541
    • Filing date: 2000-02-23
    • Inventors: Radia J. Perlman; Stephen R. Hanna; Yassir K. Elley
    • Applicants: Radia J. Perlman; Stephen R. Hanna; Yassir K. Elley
    • IPC: H04L9/36
    • CPC: H04L63/0209; H04L63/0442; H04L63/1408
    • Abstract: One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having previously received the encrypted message and the encrypted message key from a source outside the firewall. The content screener decrypts the encrypted message key to restore the message key, and decrypts the encrypted message with the message key to restore the message. Next, the content screener screens the message to determine whether the message satisfies a screening criterion. If so, the system forwards the message to a destination within the firewall in a secure manner. In one embodiment of the present invention, the system decrypts the encrypted message key by sending the encrypted message key to the destination. Upon receiving the encrypted message key, the destination decrypts the encrypted message key and returns the message key to the content screener in a secure manner.
    • 10. Granted patent
    • Ephemeral decryptability
    • Publication number: US06363480B1
    • Publication date: 2002-03-26
    • Application number: US09395581
    • Filing date: 1999-09-14
    • Inventors: Radia J. Perlman
    • Applicants: Radia J. Perlman
    • IPC: G06F11/30
    • CPC: H04L9/083; H04L9/088
    • Abstract: A system and method for a user to encrypt data in a way that ensures the data cannot be decrypted after a finite period. A number of ephemeral encryption keys are established by a first party, each of which will be destroyed at an associated time in the future (the "expiration time"). A second party selects or requests one of the ephemeral encryption keys for encrypting a message. The first party provides an ephemeral encryption key to the second party. Subsequently, the first party decrypts at least a portion of the message, using an ephemeral decryption key associated with the ephemeral encryption key provided to the second party. At the expiration time, the first party destroys all copies of at least the ephemeral decryption key, thus rendering any messages encrypted using the ephemeral encryption key permanently undecipherable. In an alternative embodiment, a number of ephemeral key servers provide a respective number of ephemeral encryption keys having associated expiration times. A party wishing to transmit an ephemeral message uses the provided ephemeral encryption keys to encrypt at least a portion of the message. The receiver of the message uses at least a subset of the ephemeral key servers to decrypt at least a portion of the encrypted message. At the expiration time(s), at least one of the ephemeral key servers permanently destroys at least one of the decryption keys associated with the provided ephemeral encryption keys.