METHOD AND SYSTEM FOR PRE-SHARED-KEY-BASED NETWORK SECURITY ACCESS CONTROL
    41.
    Invention application (in force)

    Publication number: US20120159587A1

    Publication date: 2012-06-21

    Application number: US13391526

    Filing date: 2009-12-24

    CPC classification number: H04L63/061 H04L63/0869 H04L63/20

    Abstract: A method and system for pre-shared-key-based network access control are disclosed. The method includes the following steps: 1) security policy negotiation is implemented between a REQuester (REQ) and Authentication Access Controller (AAC); 2) identity authentication and uni-cast key negotiation are implemented between REQ and AAC; 3) a group-cast key is notified between REQ and AAC. Applying the method and system, rapid bidirectional authentication can be implemented between a user and network.

    Switch route exploring method, system and device
    42.
    Granted invention patent (in force)

    Publication number: US09137259B2

    Publication date: 2015-09-15

    Application number: US13702785

    Filing date: 2011-01-14

    CPC classification number: H04L63/1475 H04L45/26

    Abstract: A switch route exploring method, system and device are provided in the present invention. The method comprises that: a transmitting source node NSource constructs a switch route exploring request packet and transmits it to a destination node NDestination; the switch route exploring request packet comprises information of switch route from the transmitting source node NSource to the destination node NDestination, wherein the information is known by the transmitting source node NSource; and the destination node NDestination constructs a switch route exploring response packet and transmits it to the transmitting source node NSource.

    METHOD FOR ESTABLISHING SECURE NETWORK ARCHITECTURE, METHOD AND SYSTEM FOR SECURE COMMUNICATION
    43.
    Invention application (in force)

    Publication number: US20130080783A1

    Publication date: 2013-03-28

    Application number: US13702217

    Filing date: 2011-01-10

    CPC classification number: H04L9/0844 H04L12/18 H04L63/061

    Abstract: A method for establishing a secure network architecture, a method and system for secure communication are provided. Said method for establishing a secure network architecture includes: 1) constructing the network architecture where the identities of nodes are legal, including: neighboring node discovery; performing identities certification and shared key negotiation between a node and the neighbor node; 2) constructing a secure switching device architecture, including: establishing a shared key between every two of the switch devices.

    Method for enhancing the security of the multicast or broadcast system
    44.
    Granted invention patent (in force)

    Publication number: US08752126B2

    Publication date: 2014-06-10

    Application number: US13059547

    Filing date: 2009-08-20

    Abstract: A method for enhancing the security of the multicast or broadcast system comprises the following steps: after having established the system parameter, the base station receives the register request message transmitted by the terminal, and the register request message carries the device identity information of the terminal; the base station registers the terminal according to the register request message and transmits the authorization key to the terminal after successful registration. By the base station establishing the specific system parameter, generating and awarding the corresponding terminal's key based on the parameter, the embodiment of the present invention can construct a secure network system of multicast or broadcast effectively and solve the security problem of the multicast or broadcast from the base station to the terminal in the network system.

    Entity bidirectional authentication method and system
    45.
    Granted invention patent (in force)

    Publication number: US08417955B2

    Publication date: 2013-04-09

    Application number: US12808049

    Filing date: 2008-12-09

    CPC classification number: H04L9/321 H04L9/3247

    Abstract: An entity bidirectional authentication method and system, the method involves: the first entity sends the first message; the second entity sends the second message to the credible third party after receiving the said first message; the said credible third party returns the third message after receiving the second message; the said second entity sends the fourth message after receiving the third message and verifying it; the said first entity receives the said fourth message and verifies it, completes the authentication. Compared with the conventional authentication mechanism, the invention defines an on-line retrieval and authentication mechanism of a public key, realizes the centralized management for it, simplifies the operating condition of the protocol, and facilitates the application and implement.

    Two-way access authentication method
    46.
    Granted invention patent (in force)

    Publication number: US08412943B2

    Publication date: 2013-04-02

    Application number: US12741982

    Filing date: 2008-11-07

    Abstract: A two-way access authentication method comprises: According to the system parameters pre-established by the third entity, the first entity sends the access authentication request packet to the second entity, then the second entity validates whether the signature of first entity is correct, and if yes, the share master key of second entity is calculated; the second entity generates the access authentication response packet and sends it to the first entity, then the first entity validates whether the signature of access authentication response packet and the message integrity check code are correct; if yes, the share master key of first entity is calculated; the first entity sends the access authentication acknowledge packet to the second entity, then the second entity validates the integrity of the access authentication acknowledge packet, if passing the validation, the share master key of first entity is consistent with that of the second entity, and the access authentication is achieved. For improving the security, after received the access authentication request packet sent by the first entity, the second entity may perform the identity validity validation and generates the access authentication response packet after passing the validation.

    ACCESS AUTHENTICATION METHOD APPLYING TO IBSS NETWORK
    47.
    Invention application (in force)

    Publication number: US20110314286A1

    Publication date: 2011-12-22

    Application number: US12740082

    Filing date: 2008-10-30

    CPC classification number: H04W12/06 H04L63/1466 H04L63/162 H04W12/04 H04W84/12

    Abstract: An access authentication method applying to IBSS network involves the following steps of: 1) performing authentication role configuration for network entities; 2) authenticating an authentication entity and a request entity that have been performed the authentication role configuration via an authentication protocol; and 3) after finishing the authentication, the authentication entity and the request entity perform the key negotiation, wherein, the message integrity check field and protocol synchronization lock-in field are added in a key negotiation message. The access authentication method applying to IBSS network provided by the invention has the advantages of the better safeness and the higher execution efficiency.

    METHOD FOR ENHANCING THE SECURITY OF THE MULTICAST OR BROADCAST SYSTEM
    48.
    Invention application (in force)

    Publication number: US20110289562A1

    Publication date: 2011-11-24

    Application number: US13059547

    Filing date: 2009-08-20

    Abstract: A method for enhancing the security of the multicast or broadcast system comprises the following steps: after having established the system parameter, the base station receives the register request message transmitted by the terminal, and the register request message carries the device identity information of the terminal; the base station registers the terminal according to the register request message and transmits the authorization key to the terminal after successful registration. By the base station establishing the specific system parameter, generating and awarding the corresponding terminal's key based on the parameter, the embodiment of the present invention can construct a secure network system of multicast or broadcast effectively and solve the security problem of the multicast or broadcast from the base station to the terminal in the network system.

    METHOD FOR PROTECTING THE FIRST MESSAGE OF SECURITY PROTOCOL
    49.
    Invention application (in force)

    Publication number: US20110252239A1

    Publication date: 2011-10-13

    Application number: US13140632

    Filing date: 2009-12-07

    Abstract: The present invention provides a method for protecting the first message of a security protocol and the method includes the following steps: 1) initialization step; 2) the initiating side sends the first message; 3) the responding side receives the first message. The method for protecting the first message of the security protocol provided by the present invention can implement that: 1) Pre-Shared Master Key (PSMK), which is shared by the initiating side and responding side, and the security parameter in the first message are bound by using computation function of Message Integrality Code (MIC) or Message Authentication Code (MAC), and thus the fabrication attack of the first message in the security protocol is avoided effectively; 2) during computing the MIC or MAC of the first message, only PSMK and the security parameter of the first message are selected to be computed, and thus the computation load of the initiating side and the responding side is effectively reduced and the computation resource is saved.

    TWO-WAY ACCESS AUTHENTICATION METHOD
    50.
    Invention application (in force)

    Publication number: US20100250952A1

    Publication date: 2010-09-30

    Application number: US12741982

    Filing date: 2008-11-07

    Abstract: A two-way access authentication method comprises: According to the system parameters pre-established by the third entity, the first entity sends the access authentication request packet to the second entity, then the second entity validates whether the signature of first entity is correct, and if yes, the share master key of second entity is calculated; the second entity generates the access authentication response packet and sends it to the first entity, then the first entity validates whether the signature of access authentication response packet and the message integrity check code are correct; if yes, the share master key of first entity is calculated; the first entity sends the access authentication acknowledge packet to the second entity, then the second entity validates the integrity of the access authentication acknowledge packet, if passing the validation, the share master key of first entity is consistent with that of the second entity, and the access authentication is achieved. For improving the security, after received the access authentication request packet sent by the first entity, the second entity may perform the identity validity validation and generates the access authentication response packet after passing the validation.
