专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US07739724B2 Techniques for authenticated posture reporting and associated enforcement of network access 有权
公开(公告)号：US07739724B2
公开(公告)日：2010-06-15
申请号：US11174205
申请日：2005-06-30
申请人： David Durham , Ravi Sahita , Karanvir Grewal , Ned Smith , Kapil Sood
发明人： David Durham , Ravi Sahita , Karanvir Grewal , Ned Smith , Kapil Sood
IPC分类号： G06F21/00
CPC分类号： H04L63/10 , G06F2221/2141 , H04L9/3234 , H04L9/3247 , H04L9/3263 , H04L63/0209 , H04L63/08 , H04L63/20
摘要： Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

2. 发明申请

US20090210699A1 METHOD AND APPARATUS FOR SECURE NETWORK ENCLAVES 有权
标题翻译：用于安全网络包装的方法和装置
公开(公告)号：US20090210699A1
公开(公告)日：2009-08-20
申请号：US12032618
申请日：2008-02-15
申请人： Karanvir Grewal , Men Long , Prashant Dewan
发明人： Karanvir Grewal , Men Long , Prashant Dewan
IPC分类号： H04L9/32
CPC分类号： H04L63/061 , H04L9/083 , H04L9/321 , H04L9/3247
摘要： Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key.
摘要翻译：公开了提供网络飞地内的安全性的方法和装置。在一个实施例中，认证逻辑启动与中央网络授权机构的认证。分组处理逻辑从中央网络机构接收密钥和标识符。然后，安全协议逻辑通过包括客户端标识符和加密部分和/或授权签名的通信来建立客户机 - 服务器安全关联，其中由中央网络机构分配的客户机授权密钥可以由服务器再现，除了所述中央网络机构根据客户端标识符和由中央网络机构提供给服务器的导出密钥来解密加密部分和/或使用授权签名验证通信。如果需要，服务器还可以使用服务器生成的导出密钥向客户端提供新的会话密钥和/或新的客户端会话标识符，并用客户端授权密钥来保护它们。

3. 发明申请

US20090119510A1 END-TO-END NETWORK SECURITY WITH TRAFFIC VISIBILITY 审中-公开
标题翻译：具有交通可见性的端到端网络安全
公开(公告)号：US20090119510A1
公开(公告)日：2009-05-07
申请号：US11935783
申请日：2007-11-06
申请人： Men Long , Jesse Walker , David Durham , Marc Millier , Karanvir Grewal , Prashant Dewan , Uday Savagaonkar , Steven D. Williams
发明人： Men Long , Jesse Walker , David Durham , Marc Millier , Karanvir Grewal , Prashant Dewan , Uday Savagaonkar , Steven D. Williams
IPC分类号： H04L9/32
CPC分类号： H04L63/0428 , H04L9/0631 , H04L9/3242 , H04L63/08 , H04L63/1466 , H04L63/168 , H04L2209/12 , H04L2209/38
摘要： End-to-end security between clients and a server, and traffic visibility to intermediate network devices, achieved through combined mode, single pass encryption and authentication using two keys is disclosed. In various embodiments, a combined encryption-authentication unit includes a cipher unit and an authentication unit coupled in parallel to the cipher unit, and generates an authentication tag using an authentication key in parallel with the generation of the cipher text using an encryption key, where the authentication and encryption key have different key values. In various embodiments, the cipher unit operates in AES counter mode, and the authentication unit operates in parallel, in AES-GMAC mode Using a two key, single pass combined mode algorithm preserves network performance using a limited number of HW gates, while allowing an intermediate device access to the encryption key for deciphering the data, without providing that device the ability to compromise data integrity, which is preserved between the end to end devices.
摘要翻译：公开了客户机与服务器之间的端到端安全性，以及通过组合模式，单程加密和使用两个密钥的认证实现的对中间网络设备的流量可见性。在各种实施例中，组合加密认证单元包括与密码单元并行耦合的密码单元和认证单元，并且使用加密密钥与密文生成并行地使用认证密钥生成认证标签，其中认证和加密密钥具有不同的密钥值。在各种实施例中，密码单元以AES计数器模式运行，并且认证单元以AES-GMAC模式并行操作。使用双键单通组合模式算法使用有限数量的HW门保留网络性能，同时允许中间设备访问用于解密数据的加密密钥，而不提供该设备损害数据完整性的能力，这在端到端设备之间保留。

4. 发明申请

US20080082680A1 Method for provisioning of credentials and software images in secure network environments 审中-公开
标题翻译：在安全网络环境中提供凭据和软件映像的方法
公开(公告)号：US20080082680A1
公开(公告)日：2008-04-03
申请号：US11540352
申请日：2006-09-29
申请人： Karanvir Grewal , Vincent Zimmer , Hormuzd Khosravi , Alan D. Ross
发明人： Karanvir Grewal , Vincent Zimmer , Hormuzd Khosravi , Alan D. Ross
IPC分类号： G06F15/16
CPC分类号： G06F9/4416 , G06F21/575 , H04L63/0428 , H04L63/12 , H04L67/34
摘要： A method of providing a secure download of a boot image to a remote boot environment of a computer system. In one embodiment of the invention, the remote boot environment and a boot image source engage in a boot image exchange through an authentication channel. In another embodiment, data related to the boot image exchange is tunneled in the authentication channel to protect the boot image exchange from security attacks.
摘要翻译：提供引导映像到计算机系统的远程引导环境的安全下载的方法。在本发明的一个实施例中，远程引导环境和引导映像源通过认证通道参与引导映像交换。在另一个实施例中，与引导映像交换有关的数据在认证通道中被隧道传送，以保护启动映像交换免受安全攻击。

5. 发明申请

US20070239875A1 Method and apparatus for maintaining local area network("LAN") and wireless LAN ("WLAN") security associations 有权
标题翻译：用于维护局域网（“LAN”）和无线局域网（“WLAN”）安全关联的方法和装置
公开(公告)号：US20070239875A1
公开(公告)日：2007-10-11
申请号：US11393018
申请日：2006-03-29
申请人： Kapil Sood , Jesse Walker , Karanvir Grewal
发明人： Kapil Sood , Jesse Walker , Karanvir Grewal
IPC分类号： G06F15/16
CPC分类号： H04L63/20 , H04W52/0254 , H04W52/0258 , H04W84/12 , Y02D70/00 , Y02D70/142 , Y02D70/146
摘要： Cooperating entities share a signaling interface. Each entity establishes a security association between itself and an endpoint, and one of the entities transmits keepalive messages over a channel associated with the security association. Chipsets and systems to implement related methods are also described and claimed.
摘要翻译：合作实体共享信令接口。每个实体在其自身和端点之间建立安全关联，并且其中一个实体通过与安全关联相关联的信道发送保持活动消息。还描述和要求保护用于实现相关方法的芯片组和系统。

6. 发明申请

US20070005572A1 Architecture and system for host management 有权
标题翻译：主机管理架构和系统
公开(公告)号：US20070005572A1
公开(公告)日：2007-01-04
申请号：US11170491
申请日：2005-06-29
申请人： Travis Schluessler , Priya Rajagopal , Ray Steinberger , Tisson Mathew , Arun Preetham , Ravi Sahita , David Durham , Karanvir Grewal
发明人： Travis Schluessler , Priya Rajagopal , Ray Steinberger , Tisson Mathew , Arun Preetham , Ravi Sahita , David Durham , Karanvir Grewal
IPC分类号： G06F17/30
CPC分类号： G06F9/546 , G06F9/541 , G06F2209/548 , Y10S707/99931 , Y10S707/99933
摘要： According to some embodiments, a system provides a resource service module, a resource data record repository, and a provider module. The resource service module exposes an interface, receives an invocation of the interface from a system management module, and requests managed resource data associated with a manageable resource based on the invocation. The resource data record repository includes a resource data record indicating a memory location of a managed host in which the managed resource data is stored, and the provider module receives the request and to retrieve the managed resource data from the memory location of the managed host.
摘要翻译：根据一些实施例，系统提供资源服务模块，资源数据记录库和提供者模块。资源服务模块公开接口，从系统管理模块接收对接口的调用，并且基于该调用请求与可管理资源相关联的被管理的资源数据。资源数据记录存储库包括指示被管理的主机的存储器位置的资源数据记录，其中管理的资源数据被存储在其中，并且提供者模块接收该请求并从被管理的主机的存储器位置检索被管理的资源数据。

7. 发明授权

US07814531B2 Detection of network environment for network access control 有权
标题翻译：网络访问控制网络环境检测
公开(公告)号：US07814531B2
公开(公告)日：2010-10-12
申请号：US11478987
申请日：2006-06-30
申请人： Hormuzd Khosravi , Karanvir Grewal , Ahuva Kroiser , Avigdor Eldar
发明人： Hormuzd Khosravi , Karanvir Grewal , Ahuva Kroiser , Avigdor Eldar
IPC分类号： H04L9/00 , H04L12/22
CPC分类号： H04L63/102 , H04L61/2015 , H04L63/0227 , H04L63/101 , H04L63/12
摘要： A method and apparatus for detection of network environment to aid policy selection for network access control. An embodiment of a method includes receiving a request to connect a device to a network and, if a security policy is received for the connection of the device, applying the policy for the device. If a security policy for the connection of the device is not received, the domain of the device is determined by determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain, which allows selection of an appropriate domain/environment specific policy.
摘要翻译：一种检测网络环境以帮助网络访问控制的策略选择的方法和装置。一种方法的实施例包括接收将设备连接到网络的请求，并且如果接收到用于设备的连接的安全策略，则应用所述设备的策略。如果没有接收到用于连接设备的安全策略，则通过确定设备是否在企业域中并确定设备是否在网络访问控制域中来确定设备的域，这允许选择适当的域/环境特定策略。

8. 发明申请

US20100162356A1 Hierarchical Trust Based Posture Reporting and Policy Enforcement 有权
标题翻译：基于层次信任的姿势报告和策略执行
公开(公告)号：US20100162356A1
公开(公告)日：2010-06-24
申请号：US12714979
申请日：2010-03-01
申请人： Hormuzd Khosravi , David Durham , Karanvir Grewal
发明人： Hormuzd Khosravi , David Durham , Karanvir Grewal
IPC分类号： G06F17/30
CPC分类号： H04L63/0227
摘要： A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.
摘要翻译：一种方法，其包括从耦合到网络的平台上的访问请求者发起网络访问请求，所述网络访问请求发送到网络的策略决策点。该方法还包括在策略决策点和平台上的策略执行点之间的通信链路上建立安全通信信道。通过另一个通信链路建立另一个安全通信信道。另一个通信链路至少在平台上驻留的策略执行点和可管理引擎之间。可管理性引擎经由另一个安全通信信道转发与访问请求者相关联的姿势信息。然后，姿势信息经由策略执行点和策略决策点之间的安全通信信道被转发到策略决策点。策略决策点基于姿势信息与一个或多个网络管理策略的比较来指示访问请求者可以获得哪些访问到网络。

9. 发明申请

US20100107224A1 Techniques for authenticated posture reporting and associated enforcement of network access 有权
标题翻译：用于认证状态报告和网络访问相关实施的技术
公开(公告)号：US20100107224A1
公开(公告)日：2010-04-29
申请号：US12655024
申请日：2009-12-22
申请人： David Durham , Ravi Sahita , Karanvir Grewal , Ned Smith , Kapil Sood
发明人： David Durham , Ravi Sahita , Karanvir Grewal , Ned Smith , Kapil Sood
IPC分类号： G06F17/00
CPC分类号： H04L63/10 , G06F2221/2141 , H04L9/3234 , H04L9/3247 , H04L9/3263 , H04L63/0209 , H04L63/08 , H04L63/20
摘要： Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.
摘要翻译：允许固件代理在主机平台上作为防篡改代理操作的体系结构和技术，可在主机平台上用作受信任的策略执行点（PEP），即使主机操作系统受到威胁也可执行策略。 PEP可用于在主机平台上打开访问控制和/或修复通道。固件代理还可以根据授权的企业PDP实体在主机平台上作为本地策略决策点（PDP），通过在主机信任代理不响应时提供策略，并且当主机信任时可以用作被动代理代理功能。

10. 发明授权

US07483423B2 Authenticity of communications traffic 有权
标题翻译：通信流量的真实性
公开(公告)号：US07483423B2
公开(公告)日：2009-01-27
申请号：US11096843
申请日：2005-03-30
申请人： Karanvir Grewal , David M. Durham
发明人： Karanvir Grewal , David M. Durham
IPC分类号： H04L12/56
CPC分类号： H04L63/123
摘要： Provided are a techniques for storing information in a packet. A data integrity operation is performed over one portion of the packet to calculate an integrity check value using a secret key. The data transformation operation is performed over another selectable portion of the packet to store the integrity check value in the other portion of the packet, without increasing a size of the packet.Other embodiments are described and claimed.
摘要翻译：提供了用于在信息包中存储信息的技术。在分组的一部分上执行数据完整性操作，以使用密钥来计算完整性校验值。在分组的另一可选部分上执行数据变换操作，以将完整性校验值存储在分组的其他部分中，而不增加分组的大小。描述和要求保护其他实施例。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式