2. Anonymous authentication method based on pre-shared cipher key, reader-writer, electronic tag and system thereof
    Type: Granted invention patent, in force

    Publication number: US08547205B2

    Publication date: 2013-10-01

    Application number: US13056856

    Filing date: 2009-07-28

    Abstract: An anonymous authentication method based on a pre-shared key, a reader-writer, an electronic tag and an anonymous bidirectional (mutual) authentication system are disclosed. The method comprises the following steps: 1) the reader-writer sends an access authentication request packet (the "accessing authentication requirement group" of the claims) to the electronic tag; 2) on receiving it, the electronic tag constructs an access authentication response packet and sends it to the reader-writer; 3) on receiving the response, the reader-writer constructs an access authentication confirmation packet and sends it to the electronic tag; 4) the electronic tag verifies the confirmation packet. Bidirectional means each side authenticates the other; anonymous means the tag is authenticated without disclosing its identity on the air interface.

3. Peer-to-peer access control method of triple unit structure
    Type: Granted invention patent, in force

    Publication number: US08495712B2

    Publication date: 2013-07-23

    Application number: US12519955

    Filing date: 2007-06-25

    CPC classification number: H04L63/0869

    Abstract: This invention relates to a peer-to-peer access control method with a triple-unit structure for securely implementing bidirectional authentication between a terminal and the network. Starting from the existing double-unit, triple-entity access control method, the authenticator function is placed in the access controller and the authentication protocol function in both the terminal and the access controller, so that the terminal, the access controller and the server all take part in authentication and a trust relationship is established directly between the terminal and the access controller. The method addresses two shortcomings of the prior art: the double-unit, double-entity structure limits access flexibility and makes adding access controllers inconvenient, while the double-unit, triple-entity structure makes establishing the trust relationship complicated and can weaken network security. The result is high security, no change to existing network structures, and relative independence from the particular authentication protocol used.

4. Entity bi-directional identificator method and system based on trustable third party
    Type: Granted invention patent, in force

    Publication number: US08356179B2

    Publication date: 2013-01-15

    Application number: US12739678

    Filing date: 2008-10-23

    Abstract: An entity bi-directional identification method and system based on a trusted third party are provided. The system comprises three entities. The first entity sends a first message to the second entity; after receiving the second message returned by the second entity, it sends a third message to the third entity; after receiving the fourth message from the third entity, it verifies that message and, if verification succeeds, sends a fifth message to the second entity. The second entity receives the first message, returns the second message, and verifies the fifth message when it arrives. The third entity (the trusted third party) receives the third message, checks whether the first and second entities are legal, performs the pretreatment dictated by the result of that check, and then returns the fourth message to the first entity. The second entity never contacts the third party directly; everything it can check arrives in the fifth message.

5. Trusted network access control system based ternary equal identification
    Type: Granted invention patent, in force

    Publication number: US08336083B2

    Publication date: 2012-12-18

    Application number: US12743170

    Filing date: 2008-11-14

    Abstract: A trusted network access control system based on ternary peer (equal) identification is provided. The system comprises an access requestor (AR), an access controller (AC) and a policy manager (PM), together with the protocol interfaces between them. Between the AR and the AC are a trusted network transmission interface (IF-TNT) and an IF-TNACCS interface between the TNAC client and the TNAC server. Between the AC and the PM are an identification policy service interface (IF-APS), an evaluation policy service interface (IF-EPS) and a trust measurement interface (IF-TM). Between the AR and the PM is a trust measurement interface (IF-TM).

6. Trusted network connect system based on tri-element peer authentication
    Type: Granted invention patent, in force

    Publication number: US08191113B2

    Publication date: 2012-05-29

    Application number: US12628903

    Filing date: 2009-12-01

    Abstract: A trusted network connect (TNC) system based on tri-element peer authentication (TePA) is provided. The network access requestor (NAR) of an access requestor (AR) is connected to a TNC client (TNCC), and the TNCC is connected to an integrity measurement collector (IMC1) through the integrity measurement collector interface (IF-IMC). The network access controller (NAC) of an access controller (AC) is connected to a TNC server (TNCS) in a data-bearer manner, and the TNCS is connected to a second integrity measurement collector (IMC2) through IF-IMC. The user authentication service unit (UASU) of a policy manager (PM) is connected to a platform evaluation service unit (PESU) through the integrity measurement verifier interface (IF-IMV). This resolves the prior art's problems of poor extensibility, a complex key agreement process and low security. TePA is used in both the network access layer and the integrity evaluation layer to implement mutual user authentication and platform integrity evaluation, improving the security of the whole TNC architecture.

7. METHOD FOR AUTHENTICATING A TRUSTED PLATFORM BASED ON THE TRI-ELEMENT PEER AUTHENTICATION(TEPA)
    Type: Invention patent application, in force

    Publication number: US20110202992A1

    Publication date: 2011-08-18

    Application number: US13119909

    Filing date: 2009-11-03

    Abstract: A method for authenticating a trusted platform based on Tri-element Peer Authentication (TePA). The method comprises the following steps: A) a second attesting system sends a first message to a first attesting system; B) after receiving the first message, the first attesting system sends a second message to the second attesting system; C) after receiving the second message, the second attesting system sends a third message to a Trusted Third Party (TTP); D) after receiving the third message, the TTP sends a fourth message to the second attesting system; E) after receiving the fourth message, the second attesting system sends a fifth message to the first attesting system; F) after receiving the fifth message, the first attesting system performs access control. The method adopts the TePA security architecture, improves the security of the trusted-platform evaluation protocol, achieves mutual evaluation of the trusted platforms of the two attesting systems, and extends the range of applications.

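Entry 4 above and steps A to E of the TePA platform authentication method in this entry share one skeleton: the peer that talks to the trusted third party collects the other peer's message, obtains a signed ver­dict about both parties from the third party, checks it, and forwards it so the other peer can check it too. The Go program below is an added illustration of that skeleton, not the patent's construction or IWNCOMM's code. It assumes Ed25519 signatures, a third party that vouches for which identities are legal and which public key each owns (the legality check of entry 4; the platform-integrity evaluation the TePA entries add is not modelled), and message fields of this example's own choosing (Msg1 to Msg5, Start, Reply, Query, Verdict, Finish, Accept are all names introduced here).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Entity is a peer with an Ed25519 key pair; the TTP also knows which identities are legal and their keys.
type Entity struct{ ID string; pub ed25519.PublicKey; priv ed25519.PrivateKey }
type TTP struct{ Entity; legal map[string]ed25519.PublicKey }

// The five messages; field contents are this example's assumption, not the patent's.
type Msg1 struct{ IDA string; NA []byte }                          // 1) A -> B
type Msg2 struct{ IDB string; NB, SigB []byte }                    // 2) B -> A
type Msg3 struct{ IDA, IDB string; NA, NB []byte }                 // 3) A -> TTP
type Msg4 struct{ Msg3; PubA, PubB ed25519.PublicKey; Sig []byte } // 4) TTP -> A; Pub nil if not legal
type Msg5 struct{ Verdict Msg4; SigA []byte }                      // 5) A -> B, verdict forwarded
func newEntity(id string) *Entity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Entity{ID: id, pub: pub, priv: priv}
}
func NewTTP(legal ...*Entity) *TTP { // deleting from t.legal afterwards revokes an entity
	t := &TTP{Entity: *newEntity("ttp"), legal: map[string]ed25519.PublicKey{}}
	for _, e := range legal { t.legal[e.ID] = e.pub }
	return t
}
func nonce() []byte { b := make([]byte, 16); rand.Read(b); return b }
// encode length-prefixes each field so the signed byte strings are unambiguous.
func encode(parts ...[]byte) []byte {
	var buf bytes.Buffer
	for _, p := range parts {
		binary.Write(&buf, binary.BigEndian, uint32(len(p)))
		buf.Write(p)
	}
	return buf.Bytes()
}
// Every signed string binds both nonces and both identities, so nothing can be spliced from one run into another.
func (v Msg4) signed() []byte {
	return encode([]byte("verdict"), []byte(v.IDA), []byte(v.IDB), v.NA, v.NB, v.PubA, v.PubB)
}
func token(who string, m1 Msg1, m2 Msg2) []byte {
	return encode([]byte("token-"+who), m1.NA, m2.NB, []byte(m1.IDA), []byte(m2.IDB))
}
func (a *Entity) Start() Msg1 { return Msg1{IDA: a.ID, NA: nonce()} }
func (b *Entity) Reply(m1 Msg1) Msg2 {
	m2 := Msg2{IDB: b.ID, NB: nonce()}
	return Msg2{IDB: m2.IDB, NB: m2.NB, SigB: ed25519.Sign(b.priv, token("B", m1, m2))}
}
func (a *Entity) Query(m1 Msg1, m2 Msg2) Msg3 { return Msg3{IDA: m1.IDA, IDB: m2.IDB, NA: m1.NA, NB: m2.NB} }
// The TTP checks whether both entities are legal and signs what it found.
func (t *TTP) Verdict(m3 Msg3) Msg4 {
	v := Msg4{Msg3: m3, PubA: t.legal[m3.IDA], PubB: t.legal[m3.IDB]}
	v.Sig = ed25519.Sign(t.priv, v.signed())
	return v
}
// Both peers check a verdict the same way: TTP signature, then that it is about this run, not a replayed one.
func checkVerdict(v Msg4, m1 Msg1, m2 Msg2, ttp ed25519.PublicKey) error {
	if !ed25519.Verify(ttp, v.signed(), v.Sig) { return errors.New("verdict not signed by the TTP") }
	if v.IDA != m1.IDA || v.IDB != m2.IDB || !bytes.Equal(v.NA, m1.NA) || !bytes.Equal(v.NB, m2.NB) {
		return errors.New("verdict is for a different run")
	}
	return nil
}
// A accepts B only if the TTP vouches for B and B's token verifies under the key the
// TTP returned; only then does A sign its own token and forward the verdict to B.
func (a *Entity) Finish(m1 Msg1, m2 Msg2, v Msg4, ttp ed25519.PublicKey) (Msg5, error) {
	if err := checkVerdict(v, m1, m2, ttp); err != nil { return Msg5{}, err }
	if len(v.PubB) != ed25519.PublicKeySize || !ed25519.Verify(v.PubB, token("B", m1, m2), m2.SigB) {
		return Msg5{}, errors.New("B is not legal or did not sign this run")
	}
	return Msg5{Verdict: v, SigA: ed25519.Sign(a.priv, token("A", m1, m2))}, nil
}
// B performs the mirror-image check on A using the forwarded verdict.
func (b *Entity) Accept(m1 Msg1, m2 Msg2, m5 Msg5, ttp ed25519.PublicKey) error {
	if err := checkVerdict(m5.Verdict, m1, m2, ttp); err != nil { return err }
	if pa := m5.Verdict.PubA; len(pa) != ed25519.PublicKeySize || !ed25519.Verify(pa, token("A", m1, m2), m5.SigA) {
		return errors.New("A is not legal or did not sign this run")
	}
	return nil
}
// Run performs one complete exchange; a nil result means both sides accepted.
func Run(a, b *Entity, t *TTP) error {
	m1 := a.Start()
	m2 := b.Reply(m1)
	m5, err := a.Finish(m1, m2, t.Verdict(a.Query(m1, m2)), t.pub)
	if err != nil { return fmt.Errorf("A rejects B: %w", err) }
	return b.Accept(m1, m2, m5, t.pub)
}
func main() {
	a, b := newEntity("alice"), newEntity("bob")
	ttp := NewTTP(a, b)
	fmt.Println("honest run:", Run(a, b, ttp))
	fmt.Println("impostor as bob:", Run(a, &Entity{ID: "bob", priv: newEntity("x").priv}, ttp))
}
```

Two details carry the security here: every signed string binds both nonces and both identities, so a verdict or token from one run cannot be spliced into another, and each peer verifies the third party's signature itself instead of trusting the peer that forwarded the verdict. The second entity (B) therefore ends up with the same assurance as A without ever contacting the third party, which is the property the abstract of entry 4 describes.
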
8. TRUSTED NETWORK CONNECT METHOD FOR ENHANCING SECURITY
    Type: Invention patent application, in force

    Publication number: US20110191579A1

    Publication date: 2011-08-04

    Application number: US12671575

    Filing date: 2008-07-21

    Abstract: A trusted network connect method for enhancing security. Platform integrity information is prepared in advance and an integrity verification requirement is set. A network access requestor initiates an access request; a network access authority starts the bi-directional user authentication process and runs the tri-element peer authentication protocol with a user authentication service unit. After bi-directional user authentication succeeds, a TNC server and a TNC client perform bi-directional platform integrity evaluation. The network access requestor and the network access authority then control their ports according to their respective recommendations, implementing mutual access control between the access requestor and the access authority. The invention addresses three problems of the background technologies: security is comparatively low, the access requestor may be unable to verify the validity of the AIK (attestation identity key) credential, and platform integrity evaluation is not performed on an equal (peer) footing. It can simplify key management and the integrity verification mechanism, and widen the application scope of trusted network connect.

9. ANONYMOUS AUTHENTICATION METHOD BASED ON PRE-SHARED CIPHER KEY, READER-WRITER, ELECTRONIC TAG AND SYSTEM THEREOF
    Type: Invention patent application, in force

    Publication number: US20110133883A1

    Publication date: 2011-06-09

    Application number: US13056856

    Filing date: 2009-07-28

    Abstract: An anonymous authentication method based on a pre-shared key, a reader-writer, an electronic tag and an anonymous bidirectional (mutual) authentication system are disclosed. The method comprises the following steps: 1) the reader-writer sends an access authentication request packet (the "accessing authentication requirement group" of the claims) to the electronic tag; 2) on receiving it, the electronic tag constructs an access authentication response packet and sends it to the reader-writer; 3) on receiving the response, the reader-writer constructs an access authentication confirmation packet and sends it to the electronic tag; 4) the electronic tag verifies the confirmation packet. Bidirectional means each side authenticates the other; anonymous means the tag is authenticated without disclosing its identity on the air interface.

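The four-step exchange in this abstract (and in entry 2, the granted version of the same application) has the classic shape of a pre-shared-key challenge-response with mutual authentication. The Go program below is an added illustration, not the patent's construction or IWNCOMM's code: it fixes the packet contents as assumptions (a reader nonce; a tag nonce plus an HMAC-SHA256 over both nonces; the reader's HMAC over the same nonces), keeps the tag identifier off the air so the reader must identify the tag by trial over its key table, and derives a session key at both ends. Names such as AuthRequest, Respond, Confirm and RunProtocol are this example's own, and the sample keys are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Tag is an electronic tag holding a key pre-shared with the reader-writer.
// Its ID exists only at the two endpoints and is never sent over the air.
type Tag struct {
	ID  string
	Key []byte
}

// Reader is a reader-writer holding the key table of every enrolled tag.
type Reader struct{ Tags []Tag }

// The three packets of the exchange (the patent's "groups"). Their contents
// are this example's assumption, not the patent's construction.
type AuthRequest struct{ NR []byte }         // 1) reader -> tag
type AuthResponse struct{ NT, Proof []byte } // 2) tag -> reader
type AuthConfirm struct{ Proof []byte }      // 3) reader -> tag

// Domain-separation labels keep the tag's MAC, the reader's MAC and the
// session key distinct although all three are computed under the same key.
var (
	labelTag     = []byte("tag-response")
	labelReader  = []byte("reader-confirm")
	labelSession = []byte("session-key")
)

func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func nonce() []byte { b := make([]byte, 16); rand.Read(b); return b }

// Step 1: the reader-writer issues a fresh challenge.
func (r *Reader) Request() AuthRequest { return AuthRequest{NR: nonce()} }

// Step 2: the tag answers with its own nonce and a MAC over both nonces.
// An eavesdropper sees two random values and a MAC that changes every run,
// so two sessions of the same tag cannot be linked: that is the anonymity.
func (t *Tag) Respond(req AuthRequest) AuthResponse {
	nt := nonce()
	return AuthResponse{NT: nt, Proof: mac(t.Key, labelTag, req.NR, nt)}
}

// Step 3: with no ID on the air, the reader identifies the tag by trying every
// enrolled key (the price of anonymity: work grows with the tag population),
// then proves it holds the same key. Returns the matched ID and a session key.
func (r *Reader) Confirm(req AuthRequest, resp AuthResponse) (AuthConfirm, string, []byte, error) {
	for _, t := range r.Tags {
		if hmac.Equal(mac(t.Key, labelTag, req.NR, resp.NT), resp.Proof) { // constant-time
			conf := AuthConfirm{Proof: mac(t.Key, labelReader, resp.NT, req.NR)}
			return conf, t.ID, mac(t.Key, labelSession, req.NR, resp.NT), nil
		}
	}
	return AuthConfirm{}, "", nil, errors.New("no enrolled tag matches the response")
}

// Step 4: the tag checks the reader's proof and derives the same session key.
func (t *Tag) Verify(req AuthRequest, resp AuthResponse, conf AuthConfirm) ([]byte, bool) {
	if !hmac.Equal(mac(t.Key, labelReader, resp.NT, req.NR), conf.Proof) {
		return nil, false
	}
	return mac(t.Key, labelSession, req.NR, resp.NT), true
}

// RunProtocol drives one complete exchange and reports the ID the reader resolved,
// whether the tag accepted the reader, and whether both sides share a session key.
func RunProtocol(r *Reader, t *Tag) (string, bool, bool, error) {
	req := r.Request()
	resp := t.Respond(req)
	conf, id, kr, err := r.Confirm(req, resp)
	if err != nil {
		return "", false, false, err
	}
	kt, ok := t.Verify(req, resp, conf)
	return id, ok, ok && hmac.Equal(kr, kt), nil
}

func main() {
	// Constructed sample keys; a deployment provisions a distinct key per tag.
	k1 := []byte("tag-0001-pre-shared-key-32-bytes")
	k2 := []byte("tag-0002-pre-shared-key-32-bytes")
	reader := &Reader{Tags: []Tag{{ID: "tag-0001", Key: k1}, {ID: "tag-0002", Key: k2}}}
	fmt.Println(RunProtocol(reader, &Tag{ID: "tag-0001", Key: k1}))
	fmt.Println(RunProtocol(reader, &Tag{ID: "rogue", Key: []byte("not-enrolled")}))
}
```

The table scan in Confirm is what anonymity costs a pre-shared-key design: the reader's work grows linearly with the tag population, which is why real deployments bound the table or let the tag disclose an unlinkable index. Replaying a captured response against a new request fails because the reader's nonce changes per run, and a reader that does not hold the key cannot produce a confirmation the tag accepts.
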
10. WIRELESS PERSONAL AREA NETWORK ACCESSING METHOD
    Type: Invention patent application, in force

    Publication number: US20110055554A1

    Publication date: 2011-03-03

    Application number: US12863272

    Filing date: 2009-01-14

    CPC classification number: H04W12/04 H04L63/205 H04W12/06

    Abstract: A wireless personal area network access method is provided. A coordinator broadcasts a beacon frame that indicates whether the coordinator requires authentication and, when it does, which authentication and key management suites the coordinator supports. A device receiving the beacon frame authenticates with the coordinator using the authentication method corresponding to one of the suites the coordinator supports. Depending on the authentication result, the association between the coordinator and the device is then made either directly or after a session key negotiation.

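The beacon-driven negotiation in this abstract, as an added example that is not the patent's frame format or IWNCOMM's code: the byte layout, the suite identifiers SuitePSK and SuiteCert, the flag bit, and which suite needs a separate session key negotiation are all constructed for this example, as is the sample beacon. The program parses the security fields of a beacon, chooses a suite common to coordinator and device, and applies a device-side policy on whether unauthenticated association is acceptable at all.

```go
package main

import (
	"errors"
	"fmt"
)

// The byte layout and suite identifiers below are constructed for this example;
// the patent abstract names neither an encoding nor specific suites.
const (
	flagAuthRequired = 0x01 // beacon flag: coordinator requires authentication
	SuitePSK         = 0x01 // pre-shared-key authentication
	SuiteCert        = 0x02 // certificate-based authentication
)

// Which suites leave the peers without a session key after authentication and
// therefore need a separate session key negotiation before association (assumed).
var negotiatesKey = map[byte]bool{SuitePSK: false, SuiteCert: true}

// Beacon is the parsed security part of a coordinator's beacon frame.
type Beacon struct {
	AuthRequired bool
	Suites       []byte // authentication and key management suites the coordinator supports
}

// ParseBeacon reads [flags:1][count:1][suite ids:count] and rejects truncated
// or self-contradictory frames instead of guessing what the coordinator meant.
func ParseBeacon(b []byte) (Beacon, error) {
	if len(b) < 2 {
		return Beacon{}, errors.New("beacon too short")
	}
	n := int(b[1])
	if len(b) < 2+n {
		return Beacon{}, fmt.Errorf("beacon advertises %d suites but carries %d", n, len(b)-2)
	}
	bc := Beacon{AuthRequired: b[0]&flagAuthRequired != 0}
	if bc.AuthRequired && n == 0 {
		return Beacon{}, errors.New("authentication required but no suite offered")
	}
	bc.Suites = append([]byte(nil), b[2:2+n]...)
	return bc, nil
}

// DevicePolicy is what the device is willing to do.
type DevicePolicy struct {
	RequireAuth bool   // refuse coordinators that would let the device associate unauthenticated
	Preferred   []byte // suites the device implements, most preferred first
}

// Plan is the device's decision for one coordinator.
type Plan struct {
	Authenticate bool // false means associate directly, as the coordinator allows
	Suite        byte
	NegotiateKey bool // run session key negotiation before association
}

// Decide picks the path: associate directly, authenticate (with or without a
// separate key negotiation), or refuse. Refusal, not silent fallback, is the
// answer when the coordinator's offer is weaker than the device's policy.
func Decide(bc Beacon, p DevicePolicy) (Plan, error) {
	if !bc.AuthRequired {
		if p.RequireAuth {
			return Plan{}, errors.New("coordinator does not require authentication; policy forbids open association")
		}
		return Plan{}, nil
	}
	for _, want := range p.Preferred { // device preference order wins
		for _, have := range bc.Suites {
			if want == have {
				return Plan{Authenticate: true, Suite: want, NegotiateKey: negotiatesKey[want]}, nil
			}
		}
	}
	return Plan{}, errors.New("no common authentication and key management suite")
}

func main() {
	// Constructed beacon: authentication required, coordinator offers cert then PSK.
	bc, err := ParseBeacon([]byte{flagAuthRequired, 2, SuiteCert, SuitePSK})
	if err != nil {
		panic(err)
	}
	plan, err := Decide(bc, DevicePolicy{RequireAuth: true, Preferred: []byte{SuitePSK, SuiteCert}})
	fmt.Printf("%+v %v\n", plan, err)
}
```

The policy check in Decide is the part worth keeping: a coordinator that does not require authentication, or one that offers only suites the device does not implement, must produce a refusal under a strict device policy rather than a quiet fallback to open association, otherwise a rogue coordinator can downgrade every device in range simply by advertising a weaker beacon.
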