CUMULATIVE SCHEMES FOR NETWORK PATH PROOF OF TRANSIT
    1.
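    Invention application
    CUMULATIVE SCHEMES FOR NETWORK PATH PROOF OF TRANSIT (under examination, published)

    Publication (announcement) number: US20160315921A1

    Publication (announcement) date: 2016-10-27

    Application number: US14992112

    Application date: 2016-01-11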

    Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. In one embodiment, each network node reads a first value and a second value from in-band metadata of a packet, and generates, using a cryptographic key that is unique to each respective network node, an encryption result based on the first value. An updated second value is generated based on the second value read from the packet and the encryption result. Each network node writes the updated second value to the in-band metadata of the packet, and forwards the packet in the network. In another embodiment, a secret sharing scheme is employed in which each network node computes a portion of verification information using a unique share of a secret and based on the packet specific information.

    NETWORK PATH PROOF OF TRANSIT USING IN-BAND METADATA
    2.
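    Invention application
    NETWORK PATH PROOF OF TRANSIT USING IN-BAND METADATA (under examination, published)

    Publication (announcement) number: US20160315850A1

    Publication (announcement) date: 2016-10-27

    Application number: US14992109

    Application date: 2016-01-11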

    Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. Information is obtained about a packet at a network node in a network. The information may include in-band metadata of the packet. Verification information is read from in-band metadata of the packet. Updated verification information is generated from the verification information read from the packet and based on configuration information associated with the network node. The updated verification information is written back to the in-band metadata in the packet. The packet is forwarded from the network node in the network.

    SECURE ACCESS FOR ENCRYPTED DATA
    3.
    Invention application
    SECURE ACCESS FOR ENCRYPTED DATA (in force)

    Publication (announcement) number: US20150149772A1

    Publication (announcement) date: 2015-05-28

    Application number: US14087045

    Application date: 2013-11-22

    Abstract: Embodiments generally provide techniques for managing data security. One embodiment includes providing, at a client system, an encrypted private key that can be decrypted using a locker key. Encrypted data is received from a remote system, and embodiments determine that the received encrypted data can be decrypted using a private key recovered by decrypting the encrypted private key. A request is transmitted to the remote system for the locker key corresponding to the encrypted private key, and the requested locker key is received from the remote system. Embodiments decrypt the encrypted private key using the received locker key to recover the private key, and decrypt the encrypted data using the private key.

    Cumulative schemes for network path proof of transit

    Publication (announcement) number: US10187209B2

    Publication (announcement) date: 2019-01-22

    Application number: US14992112

    Application date: 2016-01-11

    Abstract: A system and methods are provided for verifying proof of transit of network traffic through a plurality of network nodes in a network. In one embodiment, each network node reads a first value and a second value from in-band metadata of a packet, and generates, using a cryptographic key that is unique to each respective network node, an encryption result based on the first value. An updated second value is generated based on the second value read from the packet and the encryption result. Each network node writes the updated second value to the in-band metadata of the packet, and forwards the packet in the network. In another embodiment, a secret sharing scheme is employed in which each network node computes a portion of verification information using a unique share of a secret and based on the packet specific information.

    Secure access for encrypted data
    8.
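    Granted invention patent
    Secure access for encrypted data (in force)

    Publication (announcement) number: US09246676B2

    Publication (announcement) date: 2016-01-26

    Application number: US14087045

    Application date: 2013-11-22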

    Abstract: Embodiments generally provide techniques for managing data security. One embodiment includes providing, at a client system, an encrypted private key that can be decrypted using a locker key. Encrypted data is received from a remote system, and embodiments determine that the received encrypted data can be decrypted using a private key recovered by decrypting the encrypted private key. A request is transmitted to the remote system for the locker key corresponding to the encrypted private key, and the requested locker key is received from the remote system. Embodiments decrypt the encrypted private key using the received locker key to recover the private key, and decrypt the encrypted data using the private key.
