    51. MONITORING OF DIGITAL CONTENT
    Patent application (pending, published)

    Publication No.: US20120240240A1

    Publication date: 2012-09-20

    Application No.: US13484731

    Filing date: 2012-05-31

    IPC class: G06F21/00

    Abstract: The invention refers to monitoring usage of digital content provided from a content provider over a network to a client system. In the client system, a logging agent generates and stores information concerning usage of the digital content individually for each usage to be monitored. The generated information is entered in a usage log, stored either in the client system or at a trusted party. The logged usage information is also authenticated, allowing identification of the client using the associated digital content. The entries of the log may include a representation of the content, information about usage quality and/or usage time. The logging agent is preferably implemented in a portable tamper-resistant module, e.g. a network subscriber identity module. The module may be pre-manufactured with the logging agent, or the agent can be downloaded to it.

    52. Method and apparatus for protecting the routing of data packets
    Granted patent (in force)

    Publication No.: US08181014B2

    Publication date: 2012-05-15

    Application No.: US12599472

    Filing date: 2008-05-09

    IPC class: H04L29/06

    Abstract: A method and apparatus for protecting the routing of data packets in a packet data network. When a first end-host sends an address query to a DNS server system regarding a second end-host, the DNS server system responds by providing a destination parameter containing an encrypted destination address associated with the second end-host. The first end-host can then deliver data packets to the second end-host by attaching the destination parameter to each transmitted data packet. A router in the packet data network admits a received packet if a destination parameter is attached to the packet that includes a valid destination address encrypted by a key dependent on a distributed master encryption key. Otherwise, the router discards the packet if no such valid destination address can be derived from the packet by applying decryption to the destination parameter.

    53. METHOD AND APPARATUS FOR AVOIDING UNWANTED DATA PACKETS
    Patent application (in force)

    Publication No.: US20110142044A1

    Publication date: 2011-06-16

    Application No.: US13059515

    Filing date: 2008-08-22

    IPC class: H04L12/56

    Abstract: Method and apparatus for controlling transmission of data packets in a packet-switched network. When a first end-host (A) sends an address query to a DNS system (300) for a second end-host, the DNS system responds by providing a sender key created from a destination key registered for the second end-host, if the first end-host is authorised to send packets to the second end-host. The first end-host, if authorised, can then deliver data packets to the second end-host by attaching a sender tag (TAG) generated from the sender key as an ingress tag to each transmitted data packet. A router (302) in the network matches the ingress tag in a received packet against entries in a forwarding table and sends out the packet on an output port (X) according to the matching entry. Otherwise, the router discards the packet if no matching entry is found in the table.

    54. SENDING MEDIA DATA VIA AN INTERMEDIATE NODE
    Patent application (in force)

    Publication No.: US20110093698A1

    Publication date: 2011-04-21

    Application No.: US12997913

    Filing date: 2009-05-06

    IPC class: H04L9/12

    Abstract: A method and apparatus for sending protected media data from a data source node to a client node via an intermediate node. The data source node establishes a first hop-by-hop key to be shared with the intermediate node and an end-to-end key to be shared with the client node. A single security protocol instance is configured and used to transform data from a media stream into transformed data using the keys. The transformed data is then sent to the intermediate node. The intermediate node uses the first hop-by-hop key to apply security processing to the transformed data, and establishes a second hop-by-hop key with the client node. A second transformation is performed on the transformed data using the second hop-by-hop key to produce further transformed media data, which is then sent to the client node. At the client node a single security protocol instance is configured with the second hop-by-hop key and the end-to-end key, which are used to apply further security processing to the transformed media data.

    55. Cryptographic Key Generation
    Patent application (in force)

    Publication No.: US20110091036A1

    Publication date: 2011-04-21

    Application No.: US12996214

    Filing date: 2008-07-21

    IPC class: H04L9/00

    Abstract: A technique for generating a cryptographic key (120) is provided. The technique is particularly useful for protecting the communication between two entities (202, 302; 204, 304) cooperatively running a distributed security operation. The technique comprises providing at least two parameters (106, 108): the first parameter (106) comprising or deriving from cryptographic keys (110, 112) which have been computed by the first entity (202, 302) by running the security operation, and the second parameter (108) comprising or deriving from a token (116) having a different value each time the security operation (114) is initiated by the second entity (204, 304) for the first entity (202, 302). A key derivation function is applied to the provided parameters (106, 108) to generate the desired cryptographic key (120).

    56. Method and Apparatuses for End-to-Edge Media Protection in an IMS System
    Patent application (in force)

    Publication No.: US20110010768A1

    Publication date: 2011-01-13

    Application No.: US12744720

    Filing date: 2008-12-01

    IPC class: G06F21/00

    Abstract: An IMS system includes an IMS initiator user entity and an IMS responder user entity that is called by the initiator user entity. The system includes a calling-side S-CSCF in communication with the caller entity, which receives from the caller entity an INVITE having a first protection offer and parameters for key establishment, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving-end S-CSCF in communication with the responder user entity and the calling-side S-CSCF, which receives the INVITE without the first protection offer, checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node is also described.

    57. Security Policy Distribution to Communication Terminals
    Patent application (in force)

    Publication No.: US20100293595A1

    Publication date: 2010-11-18

    Application No.: US12863746

    Filing date: 2008-01-22

    IPC class: H04L29/06

    Abstract: A method and arrangement for distributing a security policy to a communication terminal that has an association with a home communication network but is present in a visited communication network. The home communication network (106) generates its own preferred security policy Ph and the visited communication network (102) generates its own preferred security policy Pv. A communication network entity (104) in the visited communication network combines the security policies and selects the security algorithms/functions to apply from the combined security policy. Generating security policy vectors for both networks and combining them before the security algorithms are selected enables both networks to influence the selection without affecting the use of existing signalling messages.

    58. Secure communications within and between personal area networks by using private and public identifiers
    Granted patent (in force)

    Publication No.: US07746851B2

    Publication date: 2010-06-29

    Application No.: US10579697

    Filing date: 2004-11-05

    IPC class: H04L12/28

    Abstract: A Personal Area Network Security Domain (PSD) (50) is formed between a PDA (52), a mobile terminal (54), a PC (56) and a printer (58). The PSD (50) allows the sharing of resources between the devices within the PSD. If the devices within the PSD (50) are located remotely from one another, communication between those devices is performed via a mobile or cellular telephone network (66) and the Internet (68). For each set or association of similarly located devices within the PSD (50), one of those devices acts as a gateway device. The gateway device is configured to communicate with an external communications medium (the mobile network (66) or the Internet (68)). Data transmissions to other devices within the PSD are channelled through the relevant gateway. In another embodiment, resources are shared between two separate PSDs (which may or may not be remotely located with respect to one another) by means of data exchanges between the respective gateway devices of the two PSDs.

    60. CRYPTOGRAPHIC KEY MANAGEMENT IN COMMUNICATION NETWORKS
    Patent application (in force)

    Publication No.: US20080095362A1

    Publication date: 2008-04-24

    Application No.: US11857621

    Filing date: 2007-09-19

    IPC class: H04L9/14

    Abstract: An authentication server and a system and method for managing cryptographic keys across different combinations of user terminals, access networks, and core networks. A Transformation Coder Entity (TCE) creates a master key (Mk), which is used to derive keys during the authentication procedure. During handover between the different access types, the Mk or a transformed Mk is passed between the two nodes that hold the key in the respective access networks when a User Equipment (UE) terminal changes access. The transformation of the Mk is performed via a one-way function, so that if the Mk is somehow compromised, it is not possible to automatically obtain access to previously used master keys. The transformation is performed based on the type of authenticator node and the type of UE/identity module with which the transformed key is to be used. The Mk is never used directly; it is only used to derive the keys that directly protect the access link.