    • 2. Granted invention patent
    • Efficiently managing keys to make data permanently unreadable
    • US07596696B1
    • 2009-09-29
    • US11214958
    • 2005-08-29
    • Radia J. Perlman
    • Radia J. Perlman
    • H04L9/00
    • H04L9/083; H04L9/0897
    • One embodiment of the present invention provides a system that facilitates making the files permanently unreadable. During operation, the system encrypts a file with a key K at a file manager and then stores the encrypted file in non-volatile storage. Next, the system stores the key K in a key database located in volatile storage at the file manager. The system then encrypts the key database, and stores the encrypted key database in non-volatile storage. Additionally, a key that can be used to decrypt the encrypted key database is maintained by a key manager, and is not maintained in non-volatile form by the file manager. In this way, if the file manager crashes, losing the contents of its volatile storage, the file manager must interact with the key manager to decrypt the encrypted key database.
    • 3. Granted invention patent
    • Ephemeral decryption utilizing binding functions
    • US07409545B2
    • 2008-08-05
    • US10665386
    • 2003-09-18
    • Radia J. Perlman
    • Radia J. Perlman
    • H04L9/00
    • H04L63/0428; H04L9/002; H04L9/088; H04L9/3013; H04L9/302; H04L63/068; H04L2209/04; H04L2209/42
    • A method and system is disclosed for utilizing an ephemeral encryption or decryption agent so as to preclude access by the ephemeral encryption agent or decryption agent, respectively, to the information being ephemerally encrypted or decrypted. To preclude access by the ephemeral encryption agent, a blinding function is applied to the information prior to forwarding such information to the encryption agent for encryption. To preclude access to the information by the ephemeral decryption agent, a blinding function is applied to the encrypted information prior to forwarding the encrypted information to the decryption agent for decryption. Once the information has been returned, the information is unblinded, leaving an encrypted or decrypted message respectively.
    • 4. Granted invention patent
    • Method and apparatus for using non-secure file servers for secure information storage
    • US07178021B1
    • 2007-02-13
    • US09517410
    • 2000-03-02
    • Stephen R. Hanna; Radia J. Perlman
    • Stephen R. Hanna; Radia J. Perlman
    • G06F17/30
    • G06F21/6209; G06F2221/2107; H04L9/0822; H04L9/0825; H04L9/0833; H04L9/0894; H04L9/321
    • A method and apparatus for utilizing a non-secure file server for storing and sharing data securely only among clients and groups authorized to read and modify the data. A first client that desires to store data on the file server encrypts the data with a first encryption key having an associated first decryption key. The client encrypts the first decryption key with a second encryption key having an associated second decryption key known to the first client. Additionally, the first decryption key is encrypted with respective encryption keys of other clients or groups intended to have access to the data stored on the file server and the clients and groups retain their respective decryption keys. All of the encrypted first decryption keys are stored within an access control list in association with the encrypted data on the non-secure file server. In response to an indication that the data should be transmitted to one of the clients, the file server returns to the client the encrypted data along with at least the applicable encrypted first decryption key for the respective client. The client is able to decrypt the first decryption key and decrypt the data using the unencrypted first decryption key. The data may then be modified and securely stored on the file server as described above. The first decryption key may also be encrypted with a second encryption key having a second decryption key known to members of a group or a group server. The first encryption key encrypted with the group second encryption key is stored in the access control list so that group members can obtain access to the encrypted data stored on the file server.
    • 5. Granted invention patent
    • Data authentication system employing encrypted integrity blocks
    • US06996712B1
    • 2006-02-07
    • US09632557
    • 2000-08-04
    • Radia J. Perlman; Stephen R. Hanna
    • Radia J. Perlman; Stephen R. Hanna
    • H04L9/18
    • H04L9/3247
    • A data authentication system that at the sender produces for a plurality of data packets a plurality of “integrity checks” by selecting an integrity function from a family or set of integrity functions, selecting a number of bytes from a given packet and manipulating the bytes in accordance with the selected integrity function to produce the integrity check. The system then selects corresponding bytes or bytes that are offset from the corresponding bytes from a next packet and produces a next associated integrity check using the same or another selected integrity check function, and so forth. The system encrypts the integrity checks associated with the plurality of data packets using, for example, a shared secret key, and produces an integrity block. The system then sends the encrypted integrity block and the data packets to the intended recipients. A recipient decrypts the integrity block using the shared secret key and reproduces the integrity checks. It then uses the integrity checks to authenticate the associated data packets by manipulating selected data bytes in accordance with selected integrity check functions. The recipient thus authenticates a plurality of data packets by performing a single decryption operation and a plurality of relatively fast integrity check operations using a selection of integrity check functions that are unknown to an interloper. The sender may also include in a transmission one or more extraneous, or “chaff,” data packets, which are data packets that intentionally fail the associated integrity checks. The sender may, for example, include in a transmission multiple sets of packets with the same sequence numbers. The recipient readily determines which of the packets with the same sequence numbers are valid using the appropriate integrity check. However, an interloper who cannot decipher the encrypted integrity block cannot as easily determine which of the packets are valid, and thus, cannot determine which packets to alter and/or how to alter these packets without detection by the integrity checks.
    • 6. Granted invention patent
    • Automatic selection of unique node identifiers in a distributed routing environment
    • US06898187B2
    • 2005-05-24
    • US09726378
    • 2000-11-30
    • Radia J. Perlman; Eric A. Guttman
    • Radia J. Perlman; Eric A. Guttman
    • H04L12/56; H04J1/16
    • H04L45/02; H04L29/12264; H04L45/44; H04L61/2046
    • To ensure uniqueness of a router identifier in routing protocol messages (RPMs), a router determines whether an identifier IDR in received RPMs is the same as an identifier IDS in RPMs originated by the router. For RPMs having the same identifier, sequence information such as a sequence number is compared with sequence information in the RPM most recently originated by the router, the comparison indicating whether the received RPM appears to have been originated more recently. The rate at which such RPMs are being received is monitored. If the rate is above a predetermined threshold rate, the router infers that another router is using the same identifier, and selects a different identifier for subsequent use. The sequence information preferably includes a checksum calculated over contents of the message including a random number, to ensure proper flooding of each message to other routers that may be using a duplicate identifier.
    • 10. Granted invention patent
    • Router using multiple hop redirect messages to enable bridge like data forwarding
    • US5500860A
    • 1996-03-19
    • US716027
    • 1991-06-14
    • Radia J. Perlman; Alan J. Kirby; Floyd J. Backes; Charles W. Kaufman
    • Radia J. Perlman; Alan J. Kirby; Floyd J. Backes; Charles W. Kaufman
    • G06F13/00; H04L12/46; H04L12/56; H04J3/02; H04J3/24
    • H04L45/04; H04L12/4625
    • An apparatus for forwarding a data packet from a first link to a second link is disclosed. The apparatus is coupled with a plurality of computer networks through ports on the apparatus. The apparatus maintains a spanning tree list indicating which of the apparatus ports are active. The apparatus receives a packet, and determines if the packet was received from a port that is active. If the packet was received from a port that is not active, the packet is discarded. If the packet is not discarded, the data link source address of the packet is stored in a database within the apparatus for the computer network coupled with the port from which the packet was received. The apparatus then decides, responsive to a contents of a data link destination address field in the packet, whether to forward the packet as a bridge or to forward the packet as a router. If the apparatus forwards the packet as a router, the apparatus sends a redirect message to update the data link layer destination address used by the originating station to contain the data link layer address of the destination station where the destination station is on a link remote from the link of the originating station. For the subsequent packets the apparatus then behaves as a bridge by forwarding the subsequent packets based upon parsing of only the Data Link Header. For forwarding of subsequent packets, the apparatus is advantageously fast, in accordance with bridge operation.