1. Certifying the identity of a network device
    Granted invention patent (in force)

    Publication (announcement) number: US08650394B2

    Publication (announcement) date: 2014-02-11

    Application number: US13296069

    Filing date: 2011-11-14

    IPC classification: H04L29/06 G06F21/00

    Abstract: According to one aspect, a method for certifying the identity of a network device is provided. The method includes an initial step of coupling the network device to a provisioning device via a physically secure communications link. The provisioning device then certifies the identity of the network device, including generating a cryptographic private key for the network device and sending the generated private key to the network device over the physically secure communications link.

2. Method and apparatus for passing security configuration information between a client and a security policy server
    Granted invention patent (in force)

    Publication (announcement) number: US07849495B1

    Publication (announcement) date: 2010-12-07

    Application number: US10226887

    Filing date: 2002-08-22

    IPC classification: H04L9/00

    Abstract: Techniques for passing security configuration information between a security policy server and a client include the client forming a request for security configuration information that configures the client for secure communications. The client is separated by an untrusted network from a trusted network that includes the security policy server. A tag is generated that indicates a generic security configuration attribute. An Internet Security Association and Key Management Protocol (ISAKMP) configuration mode request message is sent to a security gateway on an edge of the trusted network connected to the untrusted network. The message includes the request in association with the tag. The gateway sends the request associated with the tag to the security policy server on the trusted network and does not interpret the request. The techniques allow client configuration extensions to be added by modifying the policy server or security client, or both, without modifying the gateway.

3. Techniques for validating public keys using AAA services
    Invention patent application (in force)

    Publication (announcement) number: US20070220589A1

    Publication (announcement) date: 2007-09-20

    Application number: US11378577

    Filing date: 2006-03-17

    IPC classification: H04L9/32

    Abstract: Techniques for validating a first device are provided. A second device receives a first device public key and first device identification information from the first device. Validation of the first device identification information is required for a security process using a security protocol. The second device sends the first device public key and the first device identification information to an AAA server for validation. The AAA server is separate from the second device. The second device receives a response from the AAA server, the response including an indication of whether the received first device identification information is validated against stored first device identification information for the first device public key. If the first device identification information is validated, an action for the security process is performed using the security protocol.

4. Networking device provisioning
    Granted invention patent (in force)

    Publication (announcement) number: US08341250B2

    Publication (announcement) date: 2012-12-25

    Application number: US12475487

    Filing date: 2009-05-30

    IPC classification: G06F15/177

    CPC classification: H04L41/0806 H04L63/0823

    Abstract: Systems, methods and other embodiments associated with network device provisioning are described. One example method includes storing a set of device-specific identification data in a network device. The example method may also include storing an association between the network device and a set of device-specific provisioning data. The example method may also include providing the set of device-specific provisioning data to the network device. The set of device-specific provisioning data may be provided in response to receiving a provisioning data request from the network device.

5. Method and apparatus for distributing group data in a tunneled encrypted virtual private network
    Granted invention patent (in force)

    Publication (announcement) number: US08250359B2

    Publication (announcement) date: 2012-08-21

    Application number: US12760507

    Filing date: 2010-04-14

    IPC classification: H04L9/00

    Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an "encrypt, then replicate" method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.

6. Techniques for validating public keys using AAA services
    Granted invention patent (in force)

    Publication (announcement) number: US08015594B2

    Publication (announcement) date: 2011-09-06

    Application number: US11378577

    Filing date: 2006-03-17

    IPC classification: H04L29/06

    Abstract: Techniques for validating a first device are provided. A second device receives a first device public key and first device identification information from the first device. Validation of the first device identification information is required for a security process using a security protocol. The second device sends the first device public key and the first device identification information to an AAA server for validation. The AAA server is separate from the second device. The second device receives a response from the AAA server, the response including an indication of whether the received first device identification information is validated against stored first device identification information for the first device public key. If the first device identification information is validated, an action for the security process is performed using the security protocol.

7. Method and Apparatus for Distributing Group Data In A Tunneled Encrypted Virtual Private Network
    Invention patent application (in force)

    Publication (announcement) number: US20100205428A1

    Publication (announcement) date: 2010-08-12

    Application number: US12760507

    Filing date: 2010-04-14

    IPC classification: H04L9/00

    Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an "encrypt, then replicate" method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.

8. METHOD AND APPARATUS FOR INTEGRATED PROVISIONING OF A NETWORK DEVICE WITH CONFIGURATION INFORMATION AND IDENTITY CERTIFICATION
    Invention patent application (in force)

    Publication (announcement) number: US20080222413A1

    Publication (announcement) date: 2008-09-11

    Application number: US12126219

    Filing date: 2008-05-23

    IPC classification: H04L9/00

    Abstract: According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identity certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, the configuration module configures the device for operation at the device's point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device, and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation.

9. Method and apparatus for passing security configuration information between a client and a security policy server
    Granted invention patent (in force)

    Publication (announcement) number: US08261318B2

    Publication (announcement) date: 2012-09-04

    Application number: US12888289

    Filing date: 2010-09-22

    IPC classification: H04L9/00

    Abstract: Techniques for passing security configuration information between a security policy server and a client include the client forming a request for security configuration information that configures the client for secure communications. The client is separated by an untrusted network from a trusted network that includes the security policy server. A tag is generated that indicates a generic security configuration attribute. An Internet Security Association and Key Management Protocol (ISAKMP) configuration mode request message is sent to a security gateway on an edge of the trusted network connected to the untrusted network. The message includes the request in association with the tag. The gateway sends the request associated with the tag to the security policy server on the trusted network and does not interpret the request. The techniques allow client configuration extensions to be added by modifying the policy server or security client, or both, without modifying the gateway.

10. Method and apparatus for integrated provisioning of a network device with configuration information and identity certification
    Granted invention patent (in force)

    Publication (announcement) number: US08095788B2

    Publication (announcement) date: 2012-01-10

    Application number: US12126219

    Filing date: 2008-05-23

    IPC classification: H04L29/06

    Abstract: According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identity certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, the configuration module configures the device for operation at the device's point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device, and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation.
