Enhanced key management for SRNS relocation
    1.
    Granted patent
    In force

    Publication (announcement) number: US08929543B2

    Publication (announcement) date: 2015-01-06

    Application number: US13634920

    Filing date: 2011-03-16

    IPC classification: H04L9/00 H04W36/00 H04W12/04

    Abstract: A method comprises maintaining, in a first node serving a mobile terminal over a connection protected by at least one first key, said first key and information about the key management capabilities of the mobile terminal. Upon relocation of the mobile terminal to a second node the method includes: if, and only if, said key management capabilities indicate an enhanced key management capability supported by the mobile terminal, modifying, by said first node, the first key, thereby creating a second key, sending, from the first node to the second node, the second key, and transmitting to the second node the information about the key management capabilities of the mobile terminal.


    Method and Apparatus for Forwarding Data Packets using Aggregating Router Keys
    3.
    Patent application
    In force

    Publication (announcement) number: US20110274112A1

    Publication (announcement) date: 2011-11-10

    Application number: US13128012

    Filing date: 2008-11-07

    IPC classification: H04L12/56

    CPC classification: H04L45/00 H04L63/0227

    Abstract: Method and apparatus for supporting the forwarding of received data packets in a router (402, 702) of a packet-switched network. A forwarding table (706a) is configured in the router based on aggregating router keys and associated aggregation-related instructions received from a key manager (400, 700). Each aggregating router key represents a set of destinations. When a data packet (P) is received comprising an ingress tag derived from a sender key or router key, the ingress tag is matched with entries in the forwarding table. An outgoing port is selected for the packet according to a found matching table entry that further comprises an associated aggregation-related instruction. An egress tag is then created according to the aggregation-related instruction, and the packet with the created egress tag attached is sent from the selected outgoing port to a next-hop router.


    Key Distribution to a Set of Routers
    4.
    Patent application
    In force

    Publication (announcement) number: US20110179277A1

    Publication (announcement) date: 2011-07-21

    Application number: US13120679

    Filing date: 2008-09-24

    IPC classification: H04L9/08 H04L9/32 H04L12/56

    Abstract: Before actually communicating information/data between two endpoints (C, S) connected to a network, a secure and confidential distribution of a special key (K_h) is performed to nodes (R_j) along a path in the network. This is achieved by performing a path handshaking procedure in which first a hint token is forwarded along the path in a first direction and then a disclosure token is forwarded in the opposite direction. When forwarding the disclosure token, each node verifies it against the already received hint token. This assures that only nodes on the particular path will receive the special key or possibly some other information related thereto.


    Method and Apparatus for Controlling the Routing of Data Packets
    5.
    Patent application
    In force

    Publication (announcement) number: US20110064085A1

    Publication (announcement) date: 2011-03-17

    Application number: US12993674

    Filing date: 2008-05-22

    IPC classification: H04L12/56

    Abstract: Method and apparatus for controlling the routing of data packets in an IP network (200). A DNS system (202) stores a packet admission policy configured for a first end-host (B) that dictates the conditions under which other end-hosts are allowed to get data packets across to the first end-host. A routing voucher is defined which is required for routing data packets to the first end-host. The routing voucher is distributed to routers (R) in the IP network. When an address query is received at the DNS system (202) from a second end-host, the voucher is supplied to the second end-host if the configured policy allows the second end-host to convey data packets. Otherwise, the voucher is not supplied. If allowed, the second end-host will add the routing voucher to any data packets directed to the first end-host. When a valid routing voucher is present in a packet at a router (204) in the network, the packet will be forwarded to the next router in the IP network. The router will otherwise discard the packet.


    Authentication In A Communication Network
    6.
    Patent application
    In force

    Publication (announcement) number: US20090253411A1

    Publication (announcement) date: 2009-10-08

    Application number: US12370781

    Filing date: 2009-02-13

    IPC classification: H04M1/66 H04M1/00

    Abstract: A mobile wireless terminal, the terminal comprising a generator configured to generate and store a first numerical chain comprising a series of n values using a one-way coding function such that a given value within the chain is easily obtainable from a subsequent value, but the subsequent value is not easily obtainable from that given value, and an authentication requester configured to disclose a value from the numerical chain to an access node, in order to allow the access node to authenticate the mobile wireless terminal, wherein the disclosed value succeeds any values in the chain already disclosed by the mobile wireless terminal.


    Key Management
    7.
    Patent application
    In force

    Publication (announcement) number: US20080240427A1

    Publication (announcement) date: 2008-10-02

    Application number: US12090185

    Filing date: 2005-12-01

    Applicant: Mats Naslund

    Inventor: Mats Naslund

    IPC classification: H04L9/06

    Abstract: The present invention relates to arrangements and methods for generating keys for cryptographic processing of communication between a first communication unit (200) and a second communication unit (300). The first communication unit (200) and second communication unit (300) are adapted to obtain knowledge about a secret function, wherein the first communication unit comprises: means for selecting a value z (210), means for calculating the secret function as a function of the selected value z (220), means for processing data with the calculated secret function (230), and means for transmitting the processed data in association with the selected z to the second communication unit (240), wherein the secret function is selected from a set of functions that are almost k-wise independent.


    Clone resistant mutual authentication in a radio communication network
    8.
    Patent application
    Under examination (published)

    Publication (announcement) number: US20070192602A1

    Publication (announcement) date: 2007-08-16

    Application number: US11275166

    Filing date: 2005-12-16

    IPC classification: H04L9/00

    Abstract: A system and method for preventing unauthorized duplication of an identity module, IM, and authenticating valid IMs. Different information is stored in the IM and an authentication center, AuC, so that if the information in the AuC is leaked, it is insufficient to clone the IM. The IM generates a first key, K1, and a second key, K2, while assuring that K1 cannot be derived from K2, and optionally that K2 cannot be derived from K1. The IM exports K2 and an identifier to the AuC while keeping K1 secret within the IM. During authentication, the IM provides to a third party, such as a VLR, information containing the identifier. The VLR forwards the information to the AuC, which retrieves K2 based on the identifier and generates a first value, R, and a second value, X, based on at least K2. The AuC then returns R and X to the VLR, which forwards R to the IM. The IM then generates a response, RES, based on at least K1 and R, and sends the RES to the VLR. The VLR then verifies the RES based on X.


    Security in a mobile communications system
    9.
    Patent application
    In force

    Publication (announcement) number: US20070157022A1

    Publication (announcement) date: 2007-07-05

    Application number: US11570186

    Filing date: 2005-05-17

    IPC classification: H04L9/00

    Abstract: When a mobile terminal (10), having a basic identity module (12) operative according to a first security standard, initiates a service access, the home network (30) determines whether the mobile terminal has an executable program (14) configured to interact with the basic identity module for emulating an identity module according to the second security standard. If it is concluded that the mobile terminal has such an executable program, a security algorithm is executed at the home network (30) to provide security data according to the second security standard. At least part of these security data are then transferred, transparently to a visited network (20), to the mobile terminal (10). On the mobile terminal side, the executable program (14) is executed for emulating an identity module according to the second security standard, using at least part of the transferred security data as input. Preferably, the first security standard corresponds to a 2G standard, basically the GSM standard, and the second security standard at least in part corresponds to a 3G standard such as the UMTS standard and/or the IP Multimedia Subsystem (IMS) standard.


    Robust and flexible digital rights management involving a tamper-resistant identity module
    10.
    Patent application
    In force

    Publication (announcement) number: US20050278787A1

    Publication (announcement) date: 2005-12-15

    Application number: US10524583

    Filing date: 2002-12-19

    Abstract: The invention relates to digital rights management, and proposes the implementation of a DRM agent (125) in a tamper-resistant identity module (120) adapted for engagement with a client system (100), such as a mobile phone or a computer system. The DRM agent (125) is generally implemented with functionality for enabling usage, such as rendering or execution, of protected digital content provided to the client system from a content provider. In general, the DRM agent (125) includes functionality for cryptographic processing of DRM metadata associated with the digital content to be rendered. In a particularly advantageous realization, the DRM agent is implemented as an application in the application environment of the identity module. The DRM application can be preprogrammed into the application environment, or securely downloaded from a trusted party associated with the identity module. The invention also relates to a distributed DRM module, with communication between distributed DRM agents (125, 135) based on usage-device-specific key information.
