公开(公告)号：US11941146B2

公开(公告)日：2024-03-26

申请号：US17462501

申请日：2021-08-31

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Eric Levy- Abegnoli ,  Jonas Zaddach

IPC: G06F21/62 ,  G06F9/455 ,  H04L9/32

CPC classification number: G06F21/6245 ,  G06F9/45558 ,  H04L9/3247 ,  H04L9/3268 ,  G06F2009/4557 ,  G06F2009/45595 ,  G06F2221/2111

Abstract: A container includes a user program and data generated by the user program within a regulatory jurisdiction. Before the container leaves the regulatory jurisdiction, the data is validated by the jurisdiction to ensure the data complies with privacy laws of the jurisdiction. Upon ingress to a second regulatory jurisdiction, the data is signed locally to provide for confirmation that the data can leave the second regulatory jurisdiction, since it was not generated within the second jurisdiction. By allowing the user program to move from the first regulatory jurisdiction to a second regulatory jurisdiction, the disclosed embodiments overcome limitations in current solutions that restrict access to local data based on what a public application programming interface (API) can provide. By operating within the regulatory jurisdiction, albeit subject to access controls imposed by that jurisdiction, flexibility in the processing of sensitive data is improved.

公开(公告)号：US11784970B2

公开(公告)日：2023-10-10

申请号：US17362485

申请日：2021-06-29

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric M. Levy-Abegnoli ,  Patrick M. P. Wetterwald ,  Jonas Zaddach

IPC: H04L9/40

CPC classification number: H04L63/0209 ,  H04L63/12

Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.

公开(公告)号：US12250215B2

公开(公告)日：2025-03-11

申请号：US16986923

申请日：2020-08-06

Applicant: Cisco Technology, Inc.

Inventor： Patrick Wetterwald ,  Jonas Zaddach ,  Pascal Thubert ,  Eric Levy-Abegnoli

IPC: H04L9/40

Abstract: This disclosure describes techniques for device to device authentication. For instance, a first device may detect a second device, such as when a user physically attaches the second device to the first device or when the second device wireless communicates with the first device. A component of the first device and/or an authentication entity may then determine to authenticate the second device. In some instances, the component determines to authenticate the second device using information associated with an environment of the second device. To authenticate the second device, the authentication entity may send a request to a user, receive a response from the user, and then verify the response. After the authentication, the first device may determine that the second device includes a trusted device and establish a connection with the second device.

公开(公告)号：US11757827B2

公开(公告)日：2023-09-12

申请号：US17819783

申请日：2022-08-15

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: G06F15/16 ,  H04L61/3015 ,  H04L61/30 ,  H04L45/02 ,  H04L9/40 ,  H04L101/622

CPC classification number: H04L61/302 ,  H04L45/02 ,  H04L61/3005 ,  H04L63/062 ,  H04L2101/622

Abstract: Systems and methods may include sending, to a network registrar, an extended duplicate address request (EDAR) message including a first nonce generated by a host computing device, and receiving, from the network registrar, an extended duplicate address confirmation (EDAC) message including a second nonce and a first signature, a first nonce pair including the first nonce and the second nonce being signed by the network registrar via a first key pair of the network registrar via the first signature. The systems and methods may further include sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and a public key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that a router through which the host computing device connects to a network is not impersonating the network.

公开(公告)号：US20230216847A1

公开(公告)日：2023-07-06

申请号：US18120889

申请日：2023-03-13

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Jonas Zaddach ,  Eric Levy-Abegnoli

IPC: H04L9/40

CPC classification number: H04L63/0876 ,  H04L63/108

Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.

公开(公告)号：US20220417213A1

公开(公告)日：2022-12-29

申请号：US17362485

申请日：2021-06-29

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric M. Levy-Abegnoli ,  Patrick M. P. Wetterwald ,  Jonas Zaddach

IPC: H04L29/06

Abstract: The present disclosure is directed to systems and methods for first hop security in a multi-site and multi-vendor cloud. The method may include receiving, at a first hop security (FHS) device located within a defined security perimeter, a message from a first host; validating a security of the message; signing the message with a signature to prove validation of the message, the signature comprising at least a Crypto-ID Parameters Option (CIPO) and a Neighbor Discovery Protocol Signature Option (NDPSO); and transmitting the signed message to one or more network FHS devices within the security perimeter.

公开(公告)号：US11418481B2

公开(公告)日：2022-08-16

申请号：US17492214

申请日：2021-10-01

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: G06F15/16 ,  H04L61/3015 ,  H04L45/02 ,  H04L61/30 ,  H04L9/40 ,  H04L101/622

Abstract: Systems and methods may include sending, to a network registrar, a first message including a first nonce generated by a host computing device, and receiving, from the network registrar, a second message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PKI) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

公开(公告)号：US20220116354A1

公开(公告)日：2022-04-14

申请号：US17492214

申请日：2021-10-01

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Levy-Abegnoli ,  Jonas Zaddach ,  Patrick Wetterwald

IPC: H04L29/12 ,  H04L12/751 ,  H04L29/06

Abstract: Systems and methods may include sending, to a network registrar, a first message including a first nonce generated by a host computing device, and receiving, from the network registrar, a second message including a second nonce, the second nonce being signed by the network registrar via a private key of a first public key infrastructure (PKI) key pair of the network registrar via a first signature. The method further includes sending a first neighbor advertisement (NA) message to the host computing device including the second nonce. The second nonce and the private key of the network registrar verifies the first signature from the network registrar, the verification of the first signature indicating that the router is not impersonating the network.

公开(公告)号：US20220070156A1

公开(公告)日：2022-03-03

申请号：US17004368

申请日：2020-08-27

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Patrick Wetterwald ,  Jonas Zaddach ,  Eric Levy-Abegnoli

IPC: H04L29/06 ,  H04L29/08

Abstract: This disclosure describes techniques for authenticating a user device for a session. For instance, an authentication entity may authenticate a user device using single sign-on authentication and/or multi-factor authentication. The authentication entity may then determine a duration for which the user device is authenticated for the session. For example, the authentication entity may receive information representing a state of an environment of the user device. The authentication entity may then use the information to identify one or more transitions associated with the environment between the session and a previous session. Using the one or more transitions, the authentication entity may determine the duration for the session by increasing or decreasing a previous duration associated with the previous session.

公开(公告)号：US20250071089A1

公开(公告)日：2025-02-27

申请号：US18885330

申请日：2024-09-13

Applicant: Cisco Technology, Inc.

Inventor： Pascal Thubert ,  Eric Voit ,  Eric Levy-Abegnoli ,  Patrick Wetterwald ,  Jonas Zaddach

IPC: H04L61/5007 ,  H04L9/40 ,  H04L61/2503 ,  H04L61/4511

Abstract: Techniques for varying locations of virtual networks associated with endpoints using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS). Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. The VIP address may be selected based on a number of factors (e.g., power usage, privacy requirements, virtual distances, etc.). In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses that can be periodically rotated and/or load balanced. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.