Dynamic group creation for managed key servers
    1.
    Granted invention patent (status: in force)

    Publication number: US08750507B2

    Publication date: 2014-06-10

    Application number: US12692812

    Filing date: 2010-01-25

    IPC classification: H04K1/00 H04L29/00

    Abstract: A technique for dynamically creating and deleting groups to support secure group communication sessions is provided herein. A request for creation of a dynamic group that enables group members to participate in a secure group communication session is received by a network authentication device such as a key server. Creation of the dynamic group includes generating a lifetime attribute indicating when the dynamic group is to exist based on timing information provided in the request, along with security policies required for generating the keys, and generating a unique group ID associated with the dynamic group for distribution to the group members. The keys for the secure group communication session are supplied, along with security policies, in response to a request containing the unique group ID identifying the dynamic group. The dynamic group is deleted in response to determining from the lifetime attribute that the secure group communication session has expired.


Protection of control plane traffic against replayed and delayed packet attack
    2.
    Granted invention patent (status: in force)

    Publication number: US08656170B2

    Publication date: 2014-02-18

    Application number: US12789595

    Filing date: 2010-05-28

    IPC classification: H04L29/06

    CPC classification: H04L63/1441

    Abstract: Techniques are provided for determining freshness of control messages in a network. At a first device that is to enter into a secure communication session with a second device, timestamp information and time window size information are sent to the second device in a control message during a first exchange between the first device and the second device. At the first device, timestamp information and time window size information are obtained from a control message received from the second device by the first device during the first exchange. At the first device, the freshness of a control message received during a second exchange is tested based on the timestamp information of that control message and the time window size information received from the second device during the first exchange.


Sender-Specific Counter-Based Anti-Replay for Multicast Traffic
    3.
    Published invention patent application (status: in force)

    Publication number: US20110153862A1

    Publication date: 2011-06-23

    Application number: US12641405

    Filing date: 2009-12-18

    IPC classification: G06F15/16

    Abstract: Techniques are provided for more robust counter-based anti-replay protection with respect to packets sent between network devices. A network device receives packets sent over a network from another network device. Each packet contains a source identifier that identifies a device that is the source of the packet, a destination identifier that identifies a device that is the intended destination of the packet, a sender identifier that identifies a network device that encrypted and sent the packet, and a sequence number associated with the packet. The network device stores data indicating source identifier, destination identifier, sender identifier and sequence number for packets received over time. The network device rejects a newly received packet when it is determined that the sequence number of the newly received packet is less than the last sequence number stored for a matching packet flow (same source identifier, destination identifier and sender identifier) and falls outside of the counter-based window with respect to the last sequence number stored for the matching packet flow.


Sender-specific counter-based anti-replay for multicast traffic
    4.
    Granted invention patent (status: in force)

    Publication number: US09137139B2

    Publication date: 2015-09-15

    Application number: US12641405

    Filing date: 2009-12-18

    Abstract: A network device receives packets sent over a network from another network device. Each packet contains a source identifier that identifies a device that is the source of the packet, a destination identifier that identifies a device that is the intended destination of the packet, a sender identifier that identifies a network device that encrypted and sent the packet, and a sequence number associated with the packet. The network device stores data indicating source identifier, destination identifier, sender identifier and sequence number for packets received over time. The network device rejects a newly received packet when it is determined that the sequence number of the newly received packet is less than the last sequence number stored for a matching packet flow (same source identifier, destination identifier and sender identifier) and falls outside of the counter-based window with respect to the last sequence number stored for the matching packet flow.


Protection of Control Plane Traffic Against Replayed and Delayed Packet Attack
    5.
    Published invention patent application (status: in force)

    Publication number: US20110296185A1

    Publication date: 2011-12-01

    Application number: US12789595

    Filing date: 2010-05-28

    IPC classification: H04L9/32 G06F1/04 H04L9/00

    CPC classification: H04L63/1441

    Abstract: Techniques are provided for determining freshness of control messages in a network. At a first device that is to enter into a secure communication session with a second device, timestamp information and time window size information are sent to the second device in a control message during a first exchange between the first device and the second device. At the first device, timestamp information and time window size information are obtained from a control message received from the second device by the first device during the first exchange. At the first device, the freshness of a control message received during a second exchange is tested based on the timestamp information of that control message and the time window size information received from the second device during the first exchange.


Dynamic Group Creation for Managed Key Servers
    6.
    Published invention patent application (status: in force)

    Publication number: US20110182426A1

    Publication date: 2011-07-28

    Application number: US12692812

    Filing date: 2010-01-25

    IPC classification: H04K1/00 H04L9/08

    Abstract: A technique for dynamically creating and deleting groups to support secure group communication sessions is provided herein. A request for creation of a dynamic group that enables group members to participate in a secure group communication session is received by a network authentication device such as a key server. Creation of the dynamic group includes generating a lifetime attribute indicating when the dynamic group is to exist based on timing information provided in the request, along with security policies required for generating the keys, and generating a unique group ID associated with the dynamic group for distribution to the group members. The keys for the secure group communication session are supplied, along with security policies, in response to a request containing the unique group ID identifying the dynamic group. The dynamic group is deleted in response to determining from the lifetime attribute that the secure group communication session has expired.
