US20050149732A1 - Use of static Diffie-Hellman key with IPSec for authentication - Google Patents
- Publication number
- US20050149732A1, US10/806,772
- Authority
- US
- United States
- Prior art keywords
- responder
- key
- initiator
- public
- identity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L41/084—Configuration by using pre-existing information, e.g. using templates or copying from other elements
- H04L41/0843—Configuration by using pre-existing information, e.g. using templates or copying from other elements based on generic templates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L41/0806—Configuration setting for initial configuration or provisioning, e.g. plug-and-play
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
- H04L67/303—Terminal profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/065—Continuous authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W28/00—Network traffic management; Network resource management
- H04W28/16—Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
- H04W28/18—Negotiating wireless communication parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0876—Aspects of the degree of configuration automation
- H04L41/0879—Manual configuration through operator
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/322—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
- H04L69/329—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/08—Access restriction or access information delivery, e.g. discovery data delivery
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/16—Discovering, processing access restriction or access information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
Definitions
- This invention generally relates to the area of computer systems. More particularly, the present invention concerns methods for facilitating the use of a security protocol to protect network communications, and even more particularly to methods for negotiating security parameters and authenticating users interconnected to a network.
- Computer networks provide an efficient way to exchange information between two or more computers.
- Various types of computer networks are utilized including private networks, e.g., local area networks (LANs), and public networks, e.g., the Internet.
- the information exchanged between computers is of a sensitive or confidential nature. For example, to purchase goods or services via the network, a user is required to enter payment information such as a credit card number. Similarly, users routinely transmit sensitive and confidential business information over networks.
- IP Internet Protocol
- standard IP was not designed to protect information from unauthorized access. Accordingly, standard IP does not prevent an unauthorized user from receiving, viewing, and even modifying information transmitted over a network. Standard IP lacks other features such as authentication of users and network devices.
- IPSec Internet Protocol Security
- IPSec provides protocols that conform to standard IP, but that include security features lacking in standard IP.
- Specific examples of IPSec protocols include an authentication header (AH) protocol and encapsulating security protocol (ESP).
- the ESP protocol, documented mainly in IETF Request for Comments (RFC) 2406, is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide integrity, source authentication, and confidentiality of data.
- the AH protocol documented mainly in IETF RFC 2402
- RFCs 2406 and 2402 are hereby incorporated by reference in their entirety for all that they teach without exclusion of any parts thereof.
- a first computer and a second computer in communication over the network must negotiate a set of security parameters.
- the first computer begins the negotiation and is usually referred to as an initiator.
- the second computer is referred to as a responder because it is responding to a request from the initiator.
- the negotiated security parameters are stored in the initiator and the responder as one or more data structures referred to as a security association (SA).
- Parameters stored in the SA identify a security protocol (e.g. ESP or AH), a cryptographic algorithm used to secure communication (e.g. DES, 3DES), keys used with the cryptographic algorithm, a lifetime during which the keys are valid and the like.
- IKE internet key management and exchange protocol
- SA security association
- IKE is generally used to negotiate and provide authenticated cryptographic keys to be used in establishing a security association (SA) in a protected manner.
- IKE typically requires multiple messages and keys between an initiator and a responder.
- a first set of ephemeral Diffie-Hellman (DH) keys are exchanged to establish a confidential channel.
- Ephemeral keys are used a limited number of times or for a limited period of time before being discarded.
- a second set of information is then exchanged over the confidential channel to authenticate the parties and establish a symmetric cryptographic key.
- the ephemeral DH keys exchanged in existing methods are not used directly for authentication.
- the authentication in existing IKE implementations is mutual, in that each party authenticates the identity of the other.
- the IPSec protocol is also sometimes used in Virtual Private Networks (VPNs).
- VPN is a private, secured network that runs over a public, unsecured network (typically the Internet).
- a user connecting to a VPN typically uses a password that is used to gain access to the VPN.
- the password is also used to compute a symmetric cryptographic key for encrypting subsequent communications between the user and the VPN.
- a group of users share a pre-determined symmetric key and password to allow authentication in IKE.
- Embodiments of the invention authenticate devices and establish secure connections between devices using static Diffie-Hellman key pairs.
- a first device obtains in a trusted manner a static DH public key of a second device prior to negotiation.
- the second device negotiates a secure connection to the first device using the static DH public key, which serves as both a claim on the second device's identity and an encryption key.
- Because the static DH public key is static, rather than ephemeral, it can be used to establish subsequent secure, authenticated communications sessions.
- using the public DH key directly for authentication allows one-way authentication, where only one party authenticates the identity of the other.
- a method for establishing a secure communications channel and authenticating a party, for use by an initiator in an Internet Security Protocol (IPSec) negotiation, comprising initiating an Internet Key Exchange (IKE) negotiation with a responder, transmitting to the responder a public Diffie-Hellman (DH) key of the initiator, receiving from the responder a public DH key of the responder, transmitting to the responder a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder, receiving from the responder a payload encrypted with the shared secret, and decrypting the payload, wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
- IKE Internet Key Exchange
- a method for establishing a secure communications channel and authenticating a party, for use by a responder in an Internet Security Protocol (IPSec) negotiation, comprising receiving an Internet Key Exchange (IKE) negotiation request from an initiator, transmitting to the initiator a public Diffie-Hellman (DH) key of the responder, receiving from the initiator a public DH key of the initiator, transmitting to the initiator a payload encrypted with a shared secret created from the public DH key of the initiator and the private DH key corresponding to the public DH key of the responder transmitted to the initiator, receiving from the initiator a payload encrypted with the shared secret; and decrypting the payload, wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
- a method for establishing, between an initiator and a responder, a secure communications channel following the Internet Security Protocol (IPSec), comprising using the Internet Key Exchange (IKE) protocol, wherein a static Diffie-Hellman key-pair is used by at least one of the initiator or the responder to establish confidentiality and authentication.
- the private DH key of the DH key-pair is used to create a claim of identity for the initiator or the responder.
- the secure communications channel is a channel in a virtual private network.
- a system for establishing a secure communications channel between networked devices comprising a first networked device generating a Diffie-Hellman (DH) key pair, a portable media device storing the DH key pair generated by the first networked device, a second networked device reading the DH key pair from the portable media device, and the second networked device using the DH key pair to ensure confidentiality and authenticity in securing a communications channel with another networked device, following the Internet Key Exchange (IKE) and Internet Security (IPSec) protocols.
- the secure communications channel is a channel in a virtual private network.
- a computer-readable medium including computer-executable instructions for facilitating establishing a secure communications channel and authenticating a party, for execution by an initiator in an Internet Security Protocol (IPSec) negotiation, said computer-executable instructions executing the steps of initiating an Internet Key Exchange (IKE) negotiation with a responder, transmitting to the responder a public Diffie-Hellman (DH) key of the initiator, receiving from the responder a public DH key of the responder, transmitting to the responder a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder, receiving from the responder a payload encrypted with the shared secret, and decrypting the payload, wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of
- FIG. 1 is a simplified schematic illustrating an exemplary architecture of a network device for carrying out a method in accordance with an embodiment of the present invention
- FIG. 2 is an exemplary network environment including multiple network devices coupled to a network, as used in accordance with embodiments of the invention
- FIG. 3 is a simplified diagram of a packet payload format used to exchange payload data, as used in accordance with embodiments of the invention
- FIG. 4 is a diagram illustrating a method of two devices each using a single trusted DH key pair to authenticate the other device and establish a confidential channel, in accordance with an embodiment of the invention
- FIG. 5 is a flow diagram illustrating a method used by an initiator to authenticate and establish a secure communications channel with a responder using a single DH key pair, in accordance with an embodiment of the invention.
- FIG. 6 is a flow diagram illustrating a method used by a responder to authenticate and establish a secure communications channel with an initiator using a single DH key pair, in accordance with an embodiment of the invention.
- the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
- program modules may be located in both local and remote memory storage devices.
- the term computer system may be used to refer to a system of computers such as may be found in a distributed computing environment.
- FIG. 1 illustrates an example of a suitable computing system environment 100 on which the invention may be implemented.
- the computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the computing environment 100 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment 100 .
- one embodiment of the invention does include each component illustrated in the exemplary operating environment 100
- another more typical embodiment of the invention excludes non-essential components, for example, input/output devices other than those required for network communications.
- an exemplary system for implementing the invention includes a general purpose computing device in the form of a computer 110 .
- Components of the computer 110 may include, but are not limited to, a processing unit 120 , a system memory 130 , and a system bus 121 that couples various system components including the system memory to the processing unit 120 .
- the system bus 121 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures.
- such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.
- ISA Industry Standard Architecture
- MCA Micro Channel Architecture
- EISA Enhanced ISA
- VESA Video Electronics Standards Association
- PCI Peripheral Component Interconnect
- the computer 110 typically includes a variety of computer readable media.
- Computer readable media can be any available media that can be accessed by the computer 110 and includes both volatile and nonvolatile media, and removable and non-removable media.
- Computer readable media may comprise computer storage media and communication media.
- Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
- Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer 110 .
- Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
- modulated data signal means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
- communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above are also included within the scope of computer readable media.
- the system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132 .
- ROM read only memory
- RAM random access memory
- BIOS basic input/output system
- RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120 .
- FIG. 1 illustrates operating system 134 , application programs 135 , other program modules 136 and program data 137 .
- the computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media.
- FIG. 1 illustrates a hard disk drive 141 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152 , and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD ROM or other optical media.
- removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, SmartCards, SecureDigital cards, SmartMedia cards, CompactFlash cards and the like.
- the hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140
- magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 by a removable memory interface, such as interface 150 .
- hard disk drive 141 is illustrated as storing operating system 144, application programs 145, other program modules 146 and program data 147. Note that these components can either be the same as or different from operating system 134, application programs 135, other program modules 136, and program data 137. Operating system 144, application programs 145, other program modules 146, and program data 147 are given different numbers here to illustrate that, at a minimum, they are different copies.
- a user may enter commands and information into the computer 110 through input devices such as a tablet, or electronic digitizer, 164 , a microphone 163 , a keyboard 162 and pointing device 161 , commonly referred to as a mouse, trackball or touch pad.
- Other input devices may include a joystick, game pad, satellite dish, scanner, or the like.
- a monitor 191 or other type of display device is also connected to the system bus 121 via an interface, such as a video interface 190 .
- the monitor 191 may also be integrated with a touch-screen panel or the like. Note that the monitor and/or touch screen panel can be physically coupled to a housing in which the computing device 110 is incorporated, such as in a tablet-type personal computer. In addition, computers such as the computing device 110 may also include other peripheral output devices such as speakers 197 and printer 196 , which may be connected through an output peripheral interface 194 or the like.
- the computer 110 is operable in a networked environment using logical connections to one or more remote computers, such as a remote computer 180 .
- the remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110 , although only a memory storage device 181 has been illustrated in FIG. 1 .
- the logical connections depicted in FIG. 1 include a local area network (LAN) 171 and a wide area network (WAN) 173 , but may also include other networks.
- LAN local area network
- WAN wide area network
- Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
- the computer 110 may comprise the source machine from which data is being migrated
- the remote computer 180 may comprise the destination machine.
- source and destination machines need not be connected by a network or any other means, but instead, data may be migrated via any media capable of being written by the source platform and read by the destination platform or platforms.
- When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170. Alternatively, the computer 110 contains a wireless LAN network interface operating on, for example, the 802.11b protocol, allowing the computer 110 to connect to the LAN 171 without a physical connection.
- When used in a WAN networking environment, the computer 110 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet.
- The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160 or other appropriate mechanism.
- the computer 110 contains a wireless WAN network interface operating over, for example, the General Packet Radio Service (GPRS), allowing the computer 110 to connect to the WAN 173 without a physical connection.
- GPRS General Packet Radio Service
- program modules depicted relative to the computer 110 may be stored in the remote memory storage device.
- FIG. 1 illustrates remote application programs 185 as residing on memory device 181 .
- the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
- variations of the computer 110 may be incorporated into other exemplary systems for implementing the invention, such as cellular phones, personal digital assistants, and the like.
- FIG. 2 illustrates an exemplary network environment wherein the present invention is employed.
- Embodiments of the invention are directed to a method for authenticating and establishing a secure communications channel between devices through one or more networks using a static DH key pair.
- Embodiments are implemented as extensions to existing protocols, such as the Internet key exchange and management protocol (IKE). Alternatively, embodiments are implemented as separate proprietary protocols.
- IKE Internet key exchange and management protocol
- the environment includes a plurality of network devices 202 , 204 , 206 communicatively coupled to a network 208 .
- the network 208 is any suitable type such as a local area network (LAN), wide area networks (WAN), intranet, the Internet, or any combination thereof.
- the network device 202 communicates, i.e., exchanges information, with the network device 204 by sending packets of data according to a protocol such as the Internet Protocol (IP).
- the network device 202 referred to herein as the initiator, begins the exchange of information by sending a request to the network device 204 , referred to herein as the responder.
- the network device 206 is a malicious user that attempts to gain unauthorized access to the information exchanged between the initiator 202 and the responder 204 .
- the malicious user 206 also attempts to mount attacks on one or more of the initiator 202 and the responder 204 through, for example, a denial of service attack.
- the initiator 202 includes a security policy 216 stored in a security policy database.
- the security policy 216 is used by the initiator 202 to determine whether data transmitted to, or received from, another network device, such as the responder 204 , needs to conform to a security protocol such as the Encapsulating Security Protocol (ESP) or Authentication Header (AH).
- the responder 204 includes its own security policy 220 stored in a security policy database that is used by the responder 204 to determine whether data transmitted to, or received from, another device, such as the initiator 202 , needs to conform to a security protocol.
- Security protocols such as AH and ESP protect the contents of data in an IP packet from the attacker 206 .
- the negotiated security parameters include an identification of the security protocol to be used (e.g. AH or ESP), an encryption algorithm that will be used to secure the data (e.g. DES or 3DES), keys used with the encryption algorithm to protect the data, life time that the keys will be valid and the like.
- the negotiated security parameters are stored in one or more data structures called a Security Association (SA).
- Embodiments of the invention provide a method to exchange keys to authenticate identity and establish a confidential channel.
- the method is executed via a main mode 210 or an aggressive mode 212 by negotiation module 218 executing in the initiator 202 and negotiation module 222 executing in the responder 204 .
- Each mode includes one or more pairs of exchanges between the initiator 202 and the responder 204 .
- Each exchange includes a first message sent from the initiator 202 to the responder 204 and a second message sent from the responder 204 to the initiator 202 .
- a main mode 210 or aggressive mode 212 is used to perform machine authentication, negotiate security parameters, and to provide a secure channel for subsequent communication under the IPSec protocol.
- embodiments of the invention allow both one-way and mutual authentication.
- One-way machine authentication is used to prove the identity of one of, but not both, the initiator 202 and the responder 204 .
- Mutual machine authentication is used to prove the identity of both the initiator 202 and the responder 204 .
- Keys are derived and refreshed with IPSec protocols such as ESP and AH.
- the keys used with AH and ESP to encrypt and decrypt data have a limited lifetime defined by the SA, referred to as the life time of the key.
- it is necessary for the initiator 202 and responder 204 to periodically refresh keys used as part of the security protocol.
- FIG. 3 illustrates an example of a packet 228 , referred to herein as a message, used to exchange data between the initiator 202 and the responder 204 .
- the packet or message 228 includes a header portion 230 and one or more payloads 232 .
- the format illustrated in FIG. 3 generally conforms to the IKE protocol. It will be understood that the format described is by way of example, and not limitation, as any suitable format can be used to exchange data between the initiator 202 and the responder 204 .
- the header 230 includes an Initiator Cookie (I-Cookie) 236 and a Responder Cookie (R-Cookie) 238 .
- I-Cookie is a non-zero value assigned by the initiator 202
- R-Cookie is a non-zero value assigned by the responder 204 .
- the header is shown in simplified form and may include fields for additional data such as version data, flags, and a message length.
- Each of the one or more payloads 232 includes a payload length field and a corresponding payload data field.
- the payload length field stores the size, e.g. in bytes, of the corresponding payload data.
- the payload data field stores data that varies depending on a payload type.
- the payload types included in the message depend upon the mode (e.g. main mode 210 or aggressive mode 212 ), state of the negotiation process, and security options employed by the initiator 202 and the responder 204 .
- the different payload types and corresponding payload data are described in Table 1 , below.
- TABLE 1: payload types and their payload data.
- HDR: An ISAKMP header.
- HDR*: An encrypted ISAKMP header.
- SA: security association
- KE: key exchange data
- N: Main mode nonce
- SSPI: Kerberos authentication data
- AUTH: Certificate
- CERT: Includes data that establishes a user's credentials to another user such as a name, serial number, expiration date, and public key.
- Certificate Request: Request for a network device to provide a certificate.
- V-Id: Generic data field that includes data to be transmitted from a first network device to a second network device.
- Notify: Generic data field that includes data to be transmitted from a first network device to a second network device.
- Ni identifies a main mode nonce generated by the initiator 202 and Nr identifies a main mode nonce generated by the responder 204 .
- the message 228 may include a plurality of payloads and each payload has different payload data.
- the payload data is in the form of one of the payload types previously described herein. As shown, a first payload has a payload length 240 and corresponding first payload data 242 ; a second payload has a payload length 244 and corresponding second payload data 246 ; and a last payload has a last payload length 248 and corresponding last payload data 249 .
- each payload may include additional information, such as data that identifies the payload types included therein.
- FIG. 4 illustrates a method for conducting an authentication and security negotiation between the initiator 202 and the responder 204 according to an embodiment of the invention.
- the negotiation is executed by the negotiation module 218 of the initiator 202 and the negotiation module 222 of the responder 204 in accordance with the respective security policies 216 and 220 .
- the method is performed in a main mode 210 or an aggressive mode 212 .
- the main mode 210 and the aggressive mode 212 are completed through a plurality of messages exchanged between the initiator 202 and the responder 204 .
- Messages 250 , 252 and 256 are messages sent from the initiator 202 to the responder 204 .
- Messages 251 , 254 and 258 are messages sent from the responder 204 to the initiator 202 .
- the initiator and responder obtain each other's public (but not private) Diffie-Hellman (DH) keys in a trusted manner, allowing for subsequent mutual authentication.
- only one party obtains public DH keys of the other party in a trusted manner, allowing for subsequent one-way authentication.
- Trust in a set of DH keys can come from another mechanism, such as an Out of Band configuration.
- trust in a set of DH keys can come via an exchange through a trusted hardware device, such as a portable media device.
- a set of DH keys are generated by a first device and stored onto a portable media device such as a USB flash drive, Secure Digital card, SmartCard, or the like.
- the second device trusts that the DH keys originated from the first device.
- Trust in individual DH keys can come, for example, via local policy.
- devices may employ transitive trust, where a third party endorses trust in a public DH key.
- Each public DH key is generated along with a corresponding private DH key.
- a typical use of DH keys includes the initiator 202 exchanging public DH keys with the responder 204 .
- the initiator 202 creates a “shared secret” from the responder's 204 public key and its own private key.
- the responder 204 creates the shared secret using the initiator's 202 public key and its own private key.
- the mathematical properties of the Diffie-Hellman algorithm guarantee that the shared secret is identical for the initiator 202 and the responder 204 .
- while the shared secret is useful in establishing a secure connection, it is often computationally inefficient for continued use during a communications session.
- the initiator 202 therefore typically creates a symmetric key for use in a more efficient cryptographic protocol such as Triple-DES, encrypts the symmetric key using the shared secret, and sends the encrypted symmetric key to the responder 204 .
- the responder 204 decrypts the symmetric key, which is then used for efficient encrypting and decrypting during the communications session.
- the method used in the embodiment begins when the initiator 202 sends message 250 to the responder 204 .
- the message 250 is an initiation request for a key exchange negotiation following the IKE protocol.
- the message 250 contains an ISAKMP header and a proposed SA negotiation payload.
- ISAKMP is a security association management protocol, and provides a framework for SA management.
- the responder 204 receives the request 250 and responds with an acknowledgement message 251 containing an ISAKMP header and an agreed-upon SA negotiation payload.
- the agreed-upon SA includes security parameters, selected from the proposed security parameters, to which the responder 204 agrees. If the responder does not agree to a set of the parameters in the proposed SA, the negotiation fails.
- the initiator 202 sends message 252 to the responder 204 .
- the message 252 has a plurality of payload types including an ISAKMP header, a nonce (Ni), and a key exchange payload (KE).
- the KE comprises a public DH key for the initiator 202 . Because the responder 204 has previously obtained the initiator's 202 public DH key in a trusted manner, the KE acts as a claim for the initiator's 202 identity.
- the initiator 202 creates a shared secret from its private key and the responder's 204 public key.
- the responder 204 receives the message 252 and in return sends the message 254 back to the initiator 202 .
- the message 254 has a plurality of payload types including an ISAKMP header, a responder nonce (Nr) and key exchange data (KE).
- the KE comprises a public DH key for the responder 204 . Because the initiator 202 has previously obtained the responder's 204 public DH key in a trusted manner, the KE acts as a claim for the responder's 204 identity.
- the responder 204 creates the shared secret from its private key and the initiator's public key. This shared secret is, by mathematics, identical to the shared secret produced by the initiator 202 .
- the initiator 202 receives the message 254 and, in return, sends the message 256 to the responder 204 .
- the message 256 has a header (HDR*) and a plurality of payload types including an identification payload (IDii) and a hash payload (HASH_I).
- the HDR* header indicates the payload is encrypted using the shared secret.
- the responder 204 receives the message 256 and decrypts the encrypted payload using the shared secret. Because only a holder of the private DH key can encrypt a message that is decrypted with the corresponding public DH key, and the responder 204 trusts that the public DH key previously sent belongs to the initiator 202 , the responder 204 is convinced that it is in communication with the identity of initiator 202 .
- the responder 204 replies with a message 258 to the initiator 202 .
- the message 258 has a header (HDR*) and a plurality of payload types including an identification payload (IDir) and a hash payload (HASH_R).
- the HDR* header indicates the payload is encrypted using the shared secret.
- the initiator 202 receives the message 258 and decrypts the encrypted payload using the shared secret. The initiator is thereby convinced of the identity of the responder 204 .
- one-way authentication is provided.
- one device learns the public DH key of the second device in a trusted manner as described above, prior to beginning the method.
- the second device does not, however, know the public DH key of the first device.
- the initiator 202 has learned the public DH key of the responder 204 in a trusted manner.
- the method proceeds as above, with the initiator 202 sending an initiation request message 250 to the responder 204 .
- the responder 204 responds with a message 251 .
- the initiator then sends message 252 as above. However, because the responder 204 does not know the public DH key of the initiator 202 , the KE payload in message 252 does not serve as an identity claim on the initiator 202 . The initiator 202 thus remains anonymous to the responder 204 .
- the responder 204 responds to message 252 by sending message 254 .
- the KE payload in message 254 contains the public DH key for the responder 204 . Because the initiator 202 has previous knowledge of this public DH key, the key serves as an identity claim on the responder 204 .
- the initiator 202 receives the message 254 and, in return, sends the message 256 to the responder 204 .
- the message 256 includes an HDR*, which indicates the payload is encrypted using the shared secret created from the responder's 204 public DH key and the initiator's private DH key.
- the responder 204 receives the message 256 and decrypts the encrypted payload using the shared secret created from its private key and the initiator's 202 public key. Because the responder 204 does not know the identity of the owner of the DH keys used for this encryption, the responder is not convinced of the initiator's 202 identity.
- the responder 204 replies with a message 258 to the initiator 202 .
- the message 258 includes an HDR* header indicating that the payload is encrypted using the shared secret.
- the initiator 202 receives the message 258 and decrypts the encrypted payload using the shared secret. The initiator 202 is thereby convinced of the identity of the responder 204 .
- the responder 204 has learned the public DH key of the initiator 202 in a trusted manner prior to beginning the method, and the method proceeds similarly as described above, with the responder 204 being convinced of the identity of the initiator 202 .
- An embodiment of the invention performs a variation of the method in an aggressive mode.
- in the aggressive mode three exchanges take place.
- the initiator 202 passes to the responder 204 a message containing an ISAKMP header, a proposed SA negotiation payload, a KE comprising a public key for the initiator 202 , a nonce (Ni), and an identification payload IDii.
- the responder 204 replies with an ISAKMP header, an accepted SA negotiation payload, a KE comprising a public key for the responder 204 , a nonce (Nr), an identification payload IDir, and a hash payload (HASH_R).
- the initiator 202 and responder 204 create a shared secret using the exchanged public keys and their own private keys. If either of the exchanged public keys had been previously obtained in a trusted manner, it serves as a claim to the owner's identity.
- the third exchange is when the initiator 202 replies with a header (HDR*) and a hash payload (HASH_I), encrypted using the shared secret.
- the method begins by initiating an IKE negotiation at step 502 .
- the initiation preferably comprises sending an ISAKMP header and proposed SA negotiation payload.
- the initiator receives a reply at step 504 .
- the initiator checks that the SA negotiation was successful at step 506 . If the negotiation was not successful and a security association was not agreed upon, then the initiator starts another negotiation initiation at step 502 . Alternatively, the negotiation process terminates. Otherwise, the initiator continues by sending a key exchange (KE) payload at step 508 .
- the KE payload comprises the initiator's public DH key.
- the responder has previously obtained the initiator's public DH key in a trusted manner.
- the KE sent at step 508 acts as a claim to the initiator's identity.
- the initiator receives a reply at step 509 .
- the reply contains a public DH key for the responder.
- the initiator has previously obtained the responder's public DH key in a trusted manner.
- the KE sent at step 509 acts as a claim to the responder's identity.
- the initiator sends an encrypted payload at step 510 .
- the payload is encrypted using a shared secret created from the initiator's 202 private key and the public key received at step 509 .
- the initiator receives a message at step 512 comprising an encrypted payload, which the initiator decrypts using the shared secret.
- the initiator decides whether or not to trust the identity of the responder at step 514 by noting if the public key received at step 509 corresponds to a previously known, trusted identity. If so, the initiator trusts the responder's identity at step 516 . Otherwise, the initiator does not trust the identity of the responder at step 518 .
- the method begins by receiving an IKE negotiation at step 602 .
- the initiation preferably comprises receiving an ISAKMP header and proposed SA negotiation payload.
- the responder sends a reply at step 604 preferably comprising an ISAKMP header and an accepted SA negotiation payload.
- the responder receives a key exchange (KE) payload at step 608 .
- the payload contains a public DH key for the initiator.
- the responder has previously obtained the initiator's public DH key in a trusted manner.
- the KE sent at step 608 acts as a claim to the initiator's identity.
- the responder continues by sending a key exchange (KE) payload at step 609 .
- the KE payload comprises the responder's public DH key.
- the initiator has previously obtained the responder's public DH key in a trusted manner.
- the KE sent at step 609 acts as a claim to the responder's identity.
- the responder receives a message at step 610 comprising an encrypted payload, which the responder decrypts using a shared secret created from the responder's 204 private key and the public DH key received at step 608 .
- the responder sends an encrypted payload at step 612 .
- the payload is encrypted using the shared secret.
- the responder decides whether or not to trust the identity of the initiator at step 614 by noting if the public key received at step 610 corresponds to a previously known, trusted identity. If so, the responder trusts the initiator's identity at step 616 . Otherwise, the responder does not trust the identity of the initiator at step 618 .
- a device connects and is authenticated to a VPN via the IKE protocol. This is used to establish a secure channel that follows the IPSec protocol.
- the client and server use a shared key derived from a hash of the client's user-password. Because the identity of the client is encrypted, existing VPN servers are limited by a conundrum: they need to know the identity of the client in order to use the correct shared key for decryption.
- a VPN server first obtains the public DH key of a client (initiator) in a trusted manner, prior to beginning a negotiation.
- a client sends his public DH key to the server.
- the public DH key acts as a hint to the user's identity.
- the server finds the corresponding shared key for the user, and performs pre-shared key authentication with the client using the shared key.
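The main-mode exchange described above (messages 252 to 258), in its mutual and one-way forms, as an added Python example that is not part of the patent text. The pinned-key store, the HMAC-SHA256 key derivation, the HMAC proof that stands in for the encrypted HDR* payloads, the choice of RFC 2409 Oakley Group 2, and the names `Device`, `session_key`, `proof` and `main_mode` are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 2 (1024-bit MODP) prime with generator 2. The choice of
# group is an assumption of this example; the page does not name one.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def to_bytes(n):
    """Fixed-width encoding so concatenated fields cannot be re-split."""
    return n.to_bytes(128, "big")


class Device:
    """A peer with one static DH key pair and a store of pinned peer keys."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2   # static private key
        self.pub = pow(G, self._priv, P)            # static public key, sent as KE
        self.pinned = {}                            # public key -> identity

    def pin(self, peer):
        """Models the out-of-band, trusted transfer of a peer's public key."""
        self.pinned[peer.pub] = peer.name

    def session_key(self, peer_ke, ni, nr):
        """Key from our private key and the peer's KE, bound to both nonces."""
        if not 1 < peer_ke < P - 1:                 # reject 0, 1 and p-1
            raise ValueError("degenerate public DH value")
        shared = pow(peer_ke, self._priv, P)
        return hmac.new(ni + nr, to_bytes(shared), hashlib.sha256).digest()


def proof(key, role, ke_i, ke_r, ni, nr, ident):
    """Stand-in for HASH_I / HASH_R, computable only with the session key."""
    msg = role + to_bytes(ke_i) + to_bytes(ke_r) + ni + nr + ident.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def main_mode(initiator, responder, claim=None):
    """Run messages 252 to 258 and return (initiator's view, responder's view).

    Each view is the pinned identity of the peer, "anonymous" when the peer's
    KE is not pinned, or None when the proof of possession fails. `claim` lets
    the initiator present another device's public key and name.
    """
    claim = claim or initiator
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    ke_i, ke_r = claim.pub, responder.pub                          # 252, 254
    k_i = initiator.session_key(ke_r, ni, nr)
    k_r = responder.session_key(ke_i, ni, nr)
    hash_i = proof(k_i, b"I", ke_i, ke_r, ni, nr, claim.name)      # 256
    hash_r = proof(k_r, b"R", ke_i, ke_r, ni, nr, responder.name)  # 258

    def judge(verifier, key, role, tag, peer_ke, peer_id):
        expected = proof(key, role, ke_i, ke_r, ni, nr, peer_id)
        if not hmac.compare_digest(expected, tag):
            return None                     # peer does not hold the private key
        owner = verifier.pinned.get(peer_ke)
        if owner is None:
            return "anonymous"              # valid channel, unknown identity
        return owner if owner == peer_id else None

    return (judge(initiator, k_i, b"R", hash_r, ke_r, responder.name),
            judge(responder, k_r, b"I", hash_i, ke_i, claim.name))


if __name__ == "__main__":
    alice, bob, carol, dave = (Device(n) for n in ("alice", "bob", "carol", "dave"))
    alice.pin(bob)
    bob.pin(alice)
    carol.pin(bob)
    print("mutual:      ", main_mode(alice, bob))
    print("one-way:     ", main_mode(carol, bob))
    print("unowned key: ", main_mode(dave, bob, claim=alice))
```

Because both key pairs are static, the raw DH value is identical in every session between the same two devices, so only the nonces make the session keys differ. Compromise of a static private key therefore exposes recorded past sessions as well as future ones.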
Abstract
Description
- The present application claims the benefit of Abraham et al., U.S. Provisional Patent Application No. 60/534,795 entitled, “Configuring Network Settings Using Portable Media”, filed on Jan. 7, 2004, which is hereby incorporated by reference in its entirety.
- This invention generally relates to the area of computer systems. More particularly, the present invention concerns methods for facilitating the use of a security protocol to protect network communications, and even more particularly to methods for negotiating security parameters and authenticating users interconnected to a network.
- Computer networks provide an efficient way to exchange information between two or more computers. Various types of computer networks are utilized including private networks, e.g., local area networks (LANs), and public networks, e.g., the Internet. Often, the information exchanged between computers is of a sensitive or confidential nature. For example, to purchase goods or services via the network, a user is required to enter payment information such as a credit card number. Similarly, users routinely transmit sensitive and confidential business information over networks.
- Information is exchanged over networks according to a protocol, such as the Internet Protocol (IP). IP was designed to allow for an open exchange of information; however, standard IP was not designed to protect information from unauthorized access. Accordingly, standard IP does not prevent an unauthorized user from receiving, viewing, and even modifying information transmitted over a network. Standard IP lacks other features such as authentication of users and network devices.
- To address the lack of security provided by standard IP, the Internet Engineering Task Force (IETF) has developed a set of protocols, referred to as the Internet Protocol Security (IPSec) suite. IPSec provides protocols that conform to standard IP, but that include security features lacking in standard IP. Specific examples of IPSec protocols include an authentication header (AH) protocol and encapsulating security protocol (ESP). The ESP protocol, documented mainly in IETF Request for Comments (RFC) 2406, is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide integrity, source authentication, and confidentiality of data. The AH protocol, documented mainly in IETF RFC 2402, is an authentication protocol that uses a hash signature in the packet header to validate the integrity of the packet data and authenticity of the sender. RFCs 2406 and 2402 are hereby incorporated by reference in their entirety for all that they teach without exclusion of any parts thereof.
- Prior to using the ESP, AH or similar protocols, a first computer and a second computer in communication over the network must negotiate a set of security parameters. The first computer begins the negotiation and is usually referred to as an initiator. The second computer is referred to as a responder because it is responding to a request from the initiator. The negotiated security parameters are stored in the initiator and the responder as one or more data structures referred to as a security association (SA). Parameters stored in the SA identify a security protocol (e.g. ESP or AH), a cryptographic algorithm used to secure communication (e.g. DES, 3DES), keys used with the cryptographic algorithm, a lifetime during which the keys are valid and the like.
- One method of negotiating security parameters is by using a separate negotiation protocol. An example of a negotiation protocol is the internet key management and exchange protocol (IKE), also provided as part of IPSec and documented in IETF RFC 2409, hereby incorporated by reference in its entirety for all that it teaches without exclusion of any parts thereof. IKE is generally used to negotiate and provide authenticated cryptographic keys to be used in establishing a security association (SA) in a protected manner. As practiced today, IKE typically requires multiple messages and keys between an initiator and a responder. A first set of ephemeral Diffie-Hellman (DH) keys are exchanged to establish a confidential channel. Ephemeral keys are used a limited number of times or for a limited period of time before being discarded. A second set of information is then exchanged over the confidential channel to authenticate the parties and establish a symmetric cryptographic key. The ephemeral DH keys exchanged in existing methods are not used directly for authentication. The authentication in existing IKE implementations is mutual, in that each party authenticates the identity of the other.
- The IPSec protocol is also sometimes used in Virtual Private Networks (VPNs). A VPN is a private, secured network that runs over a public, unsecured network (typically the Internet). A user connecting to a VPN typically uses a password that is used to gain access to the VPN. In some existing systems, the password is also used to compute a symmetric cryptographic key for encrypting subsequent communications between the user and the VPN. In other existing VPN systems, a group of users share a pre-determined symmetric key and password to allow authentication in IKE.
- Embodiments of the invention authenticate devices and establish secure connections between devices using static Diffie-Hellman key pairs. A first device obtains in a trusted manner a static DH public key of a second device prior to negotiation. The second device negotiates a secure connection to the first device using the static DH public key, which serves as both a claim on the second device's identity and an encryption key. Because the DH key is static, rather than ephemeral, the static DH public key can be used to establish subsequent secure, authenticated communications sessions. Furthermore, using the public DH directly for authentication allows one-way authentication, where only one party authenticates the identity of the other.
- In one embodiment of the invention, a method is provided for establishing a secure communications channel and authenticating a party, for use by an initiator in an Internet Security Protocol (IPSec) negotiation, comprising initiating an Internet Key Exchange (IKE) negotiation with a responder, transmitting to the responder a public Diffie-Hellman (DH) key of the initiator, receiving from the responder a public DH key of the responder, transmitting to the responder a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder, receiving from the responder a payload encrypted with the shared secret, and decrypting the payload, wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator. In a further embodiment, the secure communications channel is a channel in a virtual private network.
- In another embodiment, a method is provided for establishing a secure communications channel and authenticating a party, for use by a responder in an Internet Security Protocol (IPSec) negotiation, comprising receiving an Internet Key Exchange (IKE) negotiation request from an initiator, transmitting to the initiator a public Diffie-Hellman (DH) key of the responder, receiving from the initiator a public DH key of the initiator, transmitting to the initiator a payload encrypted with a shared secret created from the public DH key of the initiator and the private DH key corresponding to the public DH key of the responder transmitted to the initiator, receiving from the initiator a payload encrypted with the shared secret; and decrypting the payload, wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator. In a further embodiment, the secure communications channel is a channel in a virtual private network.
- In another embodiment, a method is provided for establishing, between an initiator and a responder, a secure communications channel following the Internet Security Protocol (IPSec), comprising using the Internet Key Exchange (IKE) protocol, wherein a static Diffie-Hellman key-pair is used by at least one of the initiator or the responder to establish confidentiality and authentication. In one embodiment, the private DH key of the DH key-pair is used to create a claim of identity for the initiator or the responder. In a further embodiment, the secure communications channel is a channel in a virtual private network.
- In still another embodiment, a system is provided for establishing a secure communications channel between networked devices comprising a first networked device generating a Diffie-Hellman (DH) key pair, a portable media device storing the DH key pair generated by the first networked device, a second networked device reading the DH key pair from the portable media device, and the second networked device using the DH key pair to ensure confidentiality and authenticity in securing a communications channel with another networked device, following the Internet Key Exchange (IKE) and Internet Security (IPSec) protocols. In a further embodiment, the secure communications channel is a channel in a virtual private network.
- In yet another embodiment, a computer-readable medium including computer-executable instructions is provided for facilitating establishing a secure communications channel and authenticating a party, for execution by an initiator in an Internet Security Protocol (IPSec) negotiation, said computer-executable instructions executing the steps of initiating an Internet Key Exchange (IKE) negotiation with a responder, transmitting to the responder a public Diffie-Hellman (DH) key of the initiator, receiving from the responder a public DH key of the responder, transmitting to the responder a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder, receiving from the responder a payload encrypted with the shared secret, and decrypting the payload, wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator. In a further embodiment, the secure communications channel is a channel in a virtual private network.
- While the appended claims set forth the features of the present invention with particularity, the invention and its advantages are best understood from the following detailed description taken in conjunction with the accompanying drawings, of which:
- FIG. 1 is a simplified schematic illustrating an exemplary architecture of a network device for carrying out a method in accordance with an embodiment of the present invention;
- FIG. 2 is an exemplary network environment including multiple network devices coupled to a network, as used in accordance with embodiments of the invention;
- FIG. 3 is a simplified diagram of a packet payload format used to exchange payload data, as used in accordance with embodiments of the invention;
- FIG. 4 is a diagram illustrating a method of two devices each using a single trusted DH key pair to authenticate the other device and establish a confidential channel, in accordance with an embodiment of the invention;
- FIG. 5 is a flow diagram illustrating a method used by an initiator to authenticate and establish a secure communications channel with a responder using a single DH key pair, in accordance with an embodiment of the invention; and
- FIG. 6 is a flow diagram illustrating a method used by a responder to authenticate and establish a secure communications channel with an initiator using a single DH key pair, in accordance with an embodiment of the invention.
- The methods and systems supporting the use of a static Diffie-Hellman key pair to authenticate devices during an IPSec protocol will now be described with respect to a number of embodiments; however, the methods and systems of the invention are not limited to the illustrated embodiments. Moreover, the skilled artisan will readily appreciate that the methods and systems described herein are merely exemplary and that variations can be made without departing from the spirit and scope of the invention.
- The invention will be more completely understood through the following detailed description, which should be read in conjunction with the attached drawings. In this description, like numbers refer to similar elements within various embodiments of the present invention. The invention is illustrated as being implemented in a suitable computing environment. Although not required, the invention will be described in the general context of computer-executable instructions, such as procedures, being executed by a personal computer. Generally, procedures include program modules, routines, functions, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices. The term computer system may be used to refer to a system of computers such as may be found in a distributed computing environment.
- FIG. 1 illustrates an example of a suitable computing system environment 100 on which the invention may be implemented. The computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the computing environment 100 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment 100. Although one embodiment of the invention does include each component illustrated in the exemplary operating environment 100, another more typical embodiment of the invention excludes non-essential components, for example, input/output devices other than those required for network communications.
- With reference to FIG. 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a computer 110. Components of the computer 110 may include, but are not limited to, a processing unit 120, a system memory 130, and a system bus 121 that couples various system components including the system memory to the processing unit 120. The system bus 121 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.
- The computer 110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by the computer 110 and includes both volatile and nonvolatile media, and removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer 110. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above are also included within the scope of computer readable media.
- The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation, FIG. 1 illustrates operating system 134, application programs 135, other program modules 136 and program data 137.
- The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, FIG. 1 illustrates a hard disk drive 141 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD ROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, SmartCards, SecureDigital cards, SmartMedia cards, CompactFlash cards and the like. The hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140, and magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 by a removable memory interface, such as interface 150.
- The drives and their associated computer storage media, discussed above and illustrated in FIG. 1, provide storage of computer readable instructions, data structures, program modules and other data for the computer 110. In FIG. 1, for example, hard disk drive 141 is illustrated as storing operating system 144, application programs 145, other program modules 146 and program data 147. Note that these components can either be the same as or different from operating system 134, application programs 135, other program modules 136, and program data 137. Operating system 144, application programs 145, other program modules 146, and program data 147 are given different numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into the computer 110 through input devices such as a tablet, or electronic digitizer, 164, a microphone 163, a keyboard 162 and pointing device 161, commonly referred to as a mouse, trackball or touch pad. Other input devices (not shown) may include a joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 120 through a user input interface 160 that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or a universal serial bus (USB). A monitor 191 or other type of display device is also connected to the system bus 121 via an interface, such as a video interface 190. The monitor 191 may also be integrated with a touch-screen panel or the like. Note that the monitor and/or touch screen panel can be physically coupled to a housing in which the computing device 110 is incorporated, such as in a tablet-type personal computer. In addition, computers such as the computing device 110 may also include other peripheral output devices such as speakers 197 and printer 196, which may be connected through an output peripheral interface 194 or the like.
- The computer 110 is operable in a networked environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110, although only a memory storage device 181 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 171 and a wide area network (WAN) 173, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet. For example, in the present invention, the computer 110 may comprise the source machine from which data is being migrated, and the remote computer 180 may comprise the destination machine. Note however that source and destination machines need not be connected by a network or any other means, but instead, data may be migrated via any media capable of being written by the source platform and read by the destination platform or platforms.
- When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170. Alternatively, the computer 110 contains a wireless LAN network interface operating on, for example, the 802.11b protocol, allowing the computer 110 to connect to the LAN 171 without a physical connection. When used in a WAN networking environment, the computer 110 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160 or other appropriate mechanism. Alternatively, the computer 110 contains a wireless WAN network interface operating over, for example, the General Packet Radio Service (GPRS), allowing the computer 110 to connect to the WAN 173 without a physical connection. In a networked environment, program modules depicted relative to the computer 110, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation, FIG. 1 illustrates remote application programs 185 as residing on memory device 181. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used. Additionally, variations of the computer 110 may be incorporated into other exemplary systems for implementing the invention, such as cellular phones, personal digital assistants, and the like.
- FIG. 2 illustrates an exemplary network environment wherein the present invention is employed. Embodiments of the invention are directed to a method for authenticating and establishing a secure communications channel between devices through one or more networks using a static DH key pair. Embodiments are implemented as extensions to existing protocols, such as the Internet key exchange and management protocol (IKE). Alternatively, embodiments are implemented as separate proprietary protocols.
- The environment includes a plurality of network devices 202, 204, 206 coupled to a network 208. The network 208 is any suitable type such as a local area network (LAN), wide area networks (WAN), intranet, the Internet, or any combination thereof. For the purpose of illustrating the invention, only a limited number of network devices are shown. However, it will be understood that many network devices may, in fact, be coupled to the network. Moreover, although the network devices are illustrated as coupled directly to the network 208, the network devices are alternatively coupled to the network 208 through a combination of servers, routers, proxies, gateways, network address translation devices, or the like.
- The network device 202 communicates, i.e., exchanges information, with the network device 204 by sending packets of data according to a protocol such as the Internet Protocol (IP). The network device 202, referred to herein as the initiator, begins the exchange of information by sending a request to the network device 204, referred to herein as the responder. The network device 206 is a malicious user that attempts to gain unauthorized access to the information exchanged between the initiator 202 and the responder 204. The malicious user 206 also attempts to mount attacks on one or more of the initiator 202 and the responder 204 through, for example, a denial of service attack.
- The initiator 202 includes a security policy 216 stored in a security policy database. The security policy 216 is used by the initiator 202 to determine whether data transmitted to, or received from, another network device, such as the responder 204, needs to conform to a security protocol such as the Encapsulating Security Protocol (ESP) or Authentication Header (AH). The responder 204 includes its own security policy 220 stored in a security policy database that is used by the responder 204 to determine whether data transmitted to, or received from, another device, such as the initiator 202, needs to conform to a security protocol.
- Security protocols such as AH and ESP protect the contents of data in an IP packet from the attacker 206. Before the security protocol is used to exchange data, the initiator 202 and the responder 204 must negotiate security parameters. The negotiated security parameters include an identification of the security protocol to be used (e.g. AH or ESP), an encryption algorithm that will be used to secure the data (e.g. DES or 3DES), keys used with the encryption algorithm to protect the data, life time that the keys will be valid and the like. The negotiated security parameters are stored in one or more data structures called a Security Association (SA).
- Embodiments of the invention provide a method to exchange keys to authenticate identity and establish a confidential channel. The method is executed via a main mode 210 or an aggressive mode 212 by negotiation module 218 executing in the initiator 202 and negotiation module 222 executing in the responder 204. Each mode includes one or more pairs of exchanges between the initiator 202 and the responder 204. Each exchange includes a first message sent from the initiator 202 to the responder 204 and a second message sent from the responder 204 to the initiator 202.
- A main mode 210 or aggressive mode 212 is used to perform machine authentication, negotiate security parameters, and to provide a secure channel for subsequent communication under the IPSec protocol. Unlike existing systems, embodiments of the invention allow both one-way and mutual authentication. One-way machine authentication is used to prove the identity of one of, but not both, the initiator 202 and the responder 204. Mutual machine authentication is used to prove the identity of both the initiator 202 and the responder 204.
- Keys are derived and refreshed with IPSec protocols such as ESP and AH. Typically, the keys used with AH and ESP to encrypt and decrypt data have a limited lifetime defined by the SA, referred to as life time of the key. Thus, it is necessary for the initiator 202 and responder 204 to periodically refresh keys used as part of the security protocol.
- FIG. 3 illustrates an example of a packet 228, referred to herein as a message, used to exchange data between the initiator 202 and the responder 204. The packet or message 228 includes a header portion 230 and one or more payloads 232. The format illustrated in FIG. 3 generally conforms to the IKE protocol. It will be understood that the format described is by way of example, and not limitation, as any suitable format can be used to exchange data between the initiator 202 and the responder 204.
- The header 230 includes an Initiator Cookie (I-Cookie) 236 and a Responder Cookie (R-Cookie) 238. The I-Cookie is a non-zero value assigned by the initiator 202 and the R-Cookie is a non-zero value assigned by the responder 204. It will be understood that the header is shown in simplified form and may include fields for additional data such as version data, flags, and a message length.
- Each of the one or more payloads 232 includes a payload length field and a corresponding payload data field. The payload length field stores the size, e.g. in bytes, of the corresponding payload data. The payload data field stores data that varies depending on a payload type. The payload types included in the message depend upon the mode (e.g. main mode 210 or aggressive mode 212), state of the negotiation process, and security options employed by the initiator 202 and the responder 204. The different payload types and corresponding payload data are described in Table 1, below.

TABLE 1

| Payload Type | Payload Data |
| --- | --- |
| HDR | An ISAKMP header. |
| HDR* | An encrypted ISAKMP header. |
| security association (SA) | The security association includes either proposed or agreed upon security parameters. |
| key exchange data (KE) | Data for a key exchange according to known methods such as a Diffie-Hellman key exchange or elliptical curve. |
| Main mode nonce (N) | Pseudo random number sent for signing during a main mode exchange. |
| Kerberos authentication data (SSPI) | Kerberos authentication data also referred to as GSSAPI. |
| Authentication data (AUTH) | A calculated value that incorporates a secret key. |
| Certificate (CERT) | Includes data that establishes a user's credentials to another user such as a name, serial number, expiration date, and public key. |
| Certificate Request (CERTreq) | Request for a network device to provide a certificate. |
| Identity payload (Id) | Data that identifies a network device, such as an IP address, domain (DNS) name, or fully-qualified domain name (FQDN). |
| Traffic selector (TS) | Identifies transmitted or received messages subject to a security policy. |
| Vendor Id (V-Id) | Generic data field that includes data to be transmitted from a first network device to a second network device. |
| Notify | Generic data field that includes data to be transmitted from a first network device to a second network device. |
- The payload types described in Table 1 are identified herein with the subscript “i” to represent values associated with the initiator 202 and with the subscript “r” to represent values associated with the responder 204 where appropriate. For example, Ni identifies a main mode nonce generated by the initiator 202 and Nr identifies a main mode nonce generated by the responder 204.
- Returning to FIG. 3, the message 228 may include a plurality of payloads and each payload has different payload data. The payload data is in the form of one of the payload types previously described herein. As shown, a first payload has a payload length 240 and corresponding first payload data 242; a second payload has a payload length 244 and corresponding second payload data 246; and a last payload has a last payload length 248 and corresponding last payload data 249.
- The payloads are shown in simplified form and it will be understood that each payload may include additional information, such as data that identifies the payload types included therein.
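The message layout of FIG. 3 can be made concrete with a bounds-checked parser. This is an added example, not part of the patent text: it assumes the ISAKMP wire format of RFC 2408 (28-byte header, 4-byte generic payload header, numeric payload types), which the patent shows only in simplified form, and the sample message is constructed.

```python
import struct

# Wire layout assumed from RFC 2408 (ISAKMP); the patent's FIG. 3 is simplified.
HEADER = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version,
                                        # exchange type, flags, message ID, length
GENERIC = struct.Struct("!BBH")         # next payload, reserved, payload length
FLAG_ENCRYPTED = 0x01                   # set on messages the patent writes as HDR*
EXCHANGES = {2: "main mode", 4: "aggressive mode"}
PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CERTreq",
            8: "HASH", 10: "NONCE", 11: "NOTIFY", 13: "V-Id"}


class MalformedMessage(ValueError):
    """Raised instead of reading past the datagram or trusting a bad length."""


def build_message(i_cookie, r_cookie, exchange, flags, payloads):
    """Encode (type, data) pairs; used here only to construct sample input."""
    body = b""
    for index, (_ptype, data) in enumerate(payloads):
        following = payloads[index + 1][0] if index + 1 < len(payloads) else 0
        # RFC 2408: the length field counts the 4-byte generic header too.
        body += GENERIC.pack(following, 0, GENERIC.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HEADER.pack(i_cookie, r_cookie, first, 0x10, exchange, flags, 0,
                       HEADER.size + len(body)) + body


def parse_message(datagram):
    """Parse one message into header fields and a list of (name, data)."""
    if len(datagram) < HEADER.size:
        raise MalformedMessage("shorter than the ISAKMP header")
    (i_cookie, r_cookie, next_payload, _version, exchange, flags,
     _message_id, length) = HEADER.unpack_from(datagram)
    if i_cookie == bytes(8):
        raise MalformedMessage("I-Cookie must be non-zero")
    if length != len(datagram):
        raise MalformedMessage("declared length differs from datagram size")
    message = {"i_cookie": i_cookie, "r_cookie": r_cookie,
               "mode": EXCHANGES.get(exchange, "other"),
               "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": []}
    if message["encrypted"]:
        # Payload boundaries are only visible after decryption.
        message["ciphertext"] = datagram[HEADER.size:]
        return message
    offset = HEADER.size
    while next_payload != 0:
        if offset + GENERIC.size > len(datagram):
            raise MalformedMessage("payload header runs past end of message")
        following, _reserved, plen = GENERIC.unpack_from(datagram, offset)
        if plen < GENERIC.size or offset + plen > len(datagram):
            raise MalformedMessage("payload length out of bounds")
        name = PAYLOADS.get(next_payload, "type %d" % next_payload)
        data = datagram[offset + GENERIC.size:offset + plen]
        message["payloads"].append((name, data))
        offset += plen
        next_payload = following
    if offset != len(datagram):
        raise MalformedMessage("trailing bytes after last payload")
    return message


# Constructed sample: message 252 of main mode (HDR, KE, Ni) with dummy values.
SAMPLE_252 = build_message(b"\x11" * 8, b"\x22" * 8, 2, 0,
                           [(4, b"\xaa" * 16), (10, b"\xbb" * 8)])
```

Every length is checked against the received datagram before it is used, so a peer that lies about a payload length gets a parse error rather than an out-of-bounds read.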
- FIG. 4 illustrates a method for conducting an authentication and security negotiation between the initiator 202 and the responder 204 according to an embodiment of the invention. As previously described, the negotiation is executed by the negotiation module 218 of the initiator 202 and the negotiation module 222 of the responder 204 in accordance with the respective security policies 216, 220.
- The method is performed in a main mode 210 or an aggressive mode 212. The main mode 210 and the aggressive mode 212 are completed through a plurality of messages exchanged between the initiator 202 and the responder 204. Messages 250, 252 and 256 are sent from the initiator 202 to the responder 204. Messages 251, 254 and 258 are sent from the responder 204 to the initiator 202.
- As a precursor to performing the method, the initiator and responder obtain each other's public (but not private) Diffie-Hellman (DH) keys in a trusted manner, allowing for subsequent mutual authentication. Alternatively, only one party obtains public DH keys of the other party in a trusted manner, allowing for subsequent one-way authentication. Trust in a set of DH keys can come from another mechanism, such as an Out of Band configuration. Alternatively, trust in a set of DH keys can come via an exchange through a trusted hardware device, such as a portable media device. In this embodiment, a set of DH keys are generated by a first device and stored onto a portable media device such as a USB flash drive, Secure Digital card, SmartCard, or the like. When the portable media device is attached to a second device, the second device trusts that the DH keys originated from the first device. Trust in individual DH keys can come, for example, via local policy. Alternatively, devices may employ transitive trust, where a third party endorses trust in a public DH key. Each public DH key is generated along with a corresponding private DH key.
- A typical use of DH keys includes the initiator 202 exchanging public DH keys with the responder 204. The initiator 202 creates a “shared secret” from the responder's 204 public key and its own private key. The responder 204 creates the shared secret using the initiator's 202 public key and its own private key. The mathematical properties of the Diffie-Hellman algorithm guarantee that the shared secret is identical for the initiator 202 and the responder 204. Although the shared secret is useful in establishing a secure connection, it is often computationally inefficient for continued use during a communications session. The initiator 202 therefore typically creates a symmetric key for use in a more efficient cryptographic protocol such as Triple-DES, encrypts the symmetric key using the shared secret, and sends the encrypted symmetric key to the responder 204. The responder 204 decrypts the symmetric key, which is then used for efficient encrypting and decrypting during the communications session.
- The method used in the embodiment begins when the initiator 202 sends message 250 to the responder 204. The message 250 is an initiation request for a key exchange negotiation following the IKE protocol. The message 250 contains an ISAKMP header and a proposed SA negotiation payload. ISAKMP is a security association management protocol, and provides a framework for SA management. The responder 204 receives the request 250 and responds with an acknowledgement message 251 containing an ISAKMP header and an agreed-upon SA negotiation payload. The agreed-upon SA includes security parameters, selected from the proposed security parameters, to which the responder 204 agrees. If the responder does not agree to a set of the parameters in the proposed SA, the negotiation fails.
- The initiator 202 sends message 252 to the responder 204. The message 252 has a plurality of payload types including an ISAKMP header, a nonce (Ni), and a key exchange payload (KE). The KE comprises a public DH key for the initiator 202. Because the responder 204 has previously obtained the initiator's 202 public DH key in a trusted manner, the KE acts as a claim for the initiator's 202 identity. The initiator 202 creates a shared secret from its private key and the responder's 204 public key.
- The responder 204 receives the message 252 and in return sends the message 254 back to the initiator 202. The message 254 has a plurality of payload types including an ISAKMP header, a responder nonce (Nr) and key exchange data (KE). The KE comprises a public DH key for the responder 204. Because the initiator 202 has previously obtained the responder's 204 public DH key in a trusted manner, the KE acts as a claim for the responder's 204 identity. The responder 204 creates the shared secret from its private key and the initiator's public key. This shared secret is, by mathematics, identical to the shared secret produced by the initiator 202.
- The initiator 202 receives the message 254 and, in return, sends the message 256 to the responder 204. The message 256 has a header (HDR*) and a plurality of payload types including an identification payload (IDii) and a hash payload (HASH_I). The HDR* header indicates the payload is encrypted using the shared secret.
- The responder 204 receives the message 256 and decrypts the encrypted payload using the shared secret. Because only a holder of the private DH key can encrypt a message that is decrypted with the corresponding public DH key, and the responder 204 trusts that the public DH key previously sent belongs to the initiator 202, the responder 204 is convinced that it is in communication with the identity of initiator 202. The responder 204 replies with a message 258 to the initiator 202. The message 258 has a header (HDR*) and a plurality of payload types including an identification payload (IDir) and a hash payload (HASH_R). The HDR* header indicates the payload is encrypted using the shared secret.
- The initiator 202 receives the message 258 and decrypts the encrypted payload using the shared secret. The initiator is thereby convinced of the identity of the responder 204.
- In an alternative embodiment of the described method, one-way authentication is provided. In this embodiment, one device learns the public DH key of the second device in a trusted manner as described above, prior to beginning the method. The second device does not, however, know the public DH key of the first device. For the following example, the initiator 202 has learned the public DH key of the responder 204 in a trusted manner. The method proceeds as above, with the initiator 202 sending an initiation request message 250 to the responder 202. The responder 202 responds with a message 251.
- The initiator then sends message 252 as above. However, because the responder 204 does not know the public DH key of the initiator 202, the KE payload in message 252 does not serve as an identity claim on the initiator 202. The initiator 202 thus remains anonymous to the responder 204.
- The responder 204 responds to message 252 by sending message 254. The KE payload in message 254 contains the public DH key for the responder 204. Because the initiator 202 has previous knowledge of this public DH key, the key serves as an identity claim on the responder 204.
- The initiator 202 receives the message 254 and, in return, sends the message 256 to the responder 204. The message 256 includes an HDR*, which indicates the payload is encrypted using the shared secret created from the responder's 204 public DH key and the initiator's private DH key.
- The responder 204 receives the message 256 and decrypts the encrypted payload using the shared secret created from its private key and the initiator's 202 public key. Because the responder 204 does not know the identity of the owner of the DH keys used for this encryption, the responder is not convinced of the initiator's 202 identity. The responder 204 replies with a message 258 to the initiator 202. The message 258 includes an HDR* header indicating that the payload is encrypted using the shared secret.
- The initiator 202 receives the message 258 and decrypts the encrypted payload using the shared secret. The initiator 202 is thereby convinced of the identity of the responder 204.
- In an alternative example, the responder 204 has learned the public DH key of the initiator 202 in a trusted manner prior to beginning the method, and the method proceeds similarly as described above, with the responder 204 being convinced of the identity of the initiator 202.
- An embodiment of the invention performs a variation of the method in an aggressive mode. In the aggressive mode, three exchanges take place. First, the initiator 202 passes to the responder 204 a message containing an ISAKMP header, a proposed SA negotiation payload, a KE comprising a public key for the initiator 202, a nonce (Ni), and an identification payload IDii. Second, the responder 204 replies with an ISAKMP header, an accepted SA negotiation payload, a KE comprising a public key for the responder 204, a nonce (Nr), an identification payload IDir, and a hash payload (HASH_R). The initiator 202 and responder 204 create a shared secret using the exchanged public keys and their own private keys. If either of the exchanged public keys had been previously obtained in a trusted manner, it serves as a claim to the owner's identity. The third exchange is when the initiator 202 replies with a header (HDR*) and a hash payload (HASH_I), encrypted using the shared secret.
- Turning attention to FIG. 5, a method is described for use by an initiator to authenticate and establish a secure communications channel with a responder using a static DH key pair, in accordance with an embodiment of the invention. The method begins by initiating an IKE negotiation at step 502. The initiation preferably comprises sending an ISAKMP header and proposed SA negotiation payload. In response to the negotiation request, the initiator receives a reply at step 504. The initiator checks that the SA negotiation was successful at step 506. If the negotiation was not successful and a security association was not agreed upon, then the initiator starts another negotiation initiation at step 502. Alternatively, the negotiation process terminates. Otherwise, the initiator continues by sending a key exchange (KE) payload at step 508. The KE payload comprises the initiator's public DH key. In one embodiment, the responder has previously obtained the initiator's public DH key in a trusted manner. In such an embodiment, the KE sent at step 508 acts as a claim to the initiator's identity.
- The initiator receives a reply at step 509. The reply contains a public DH key for the responder. In one embodiment, the initiator has previously obtained the responder's public DH key in a trusted manner. In such an embodiment, the KE sent at step 509 acts as a claim to the responder's identity.
- The initiator sends an encrypted payload at step 510. The payload is encrypted using a shared secret created from the initiator's 202 private key and the public key received at step 509.
- The initiator receives a message at step 512 comprising an encrypted payload, which the initiator decrypts using the shared secret. The initiator decides whether or not to trust the identity of the responder at step 514 by noting if the public key received at step 509 corresponds to a previously known, trusted identity. If so, the initiator trusts the responder's identity at step 516. Otherwise, the initiator does not trust the identity of the responder at step 518.
- Turning attention to FIG. 6, a method is described for use by a responder to authenticate and establish a secure communications channel with an initiator using a static DH key pair, in accordance with an embodiment of the invention. The method begins by receiving an IKE negotiation at step 602. The initiation preferably comprises receiving an ISAKMP header and proposed SA negotiation payload. In response to the negotiation request, the responder sends a reply at step 604 preferably comprising an ISAKMP header and an accepted SA negotiation payload.
- The responder receives a key exchange (KE) payload at step 608. The payload contains a public DH key for the initiator. In one embodiment, the responder has previously obtained the initiator's public DH key in a trusted manner. In such an embodiment, the KE sent at step 608 acts as a claim to the initiator's identity.
- The responder continues by sending a key exchange (KE) payload at step 609. The KE payload comprises the responder's public DH key. In one embodiment, the initiator has previously obtained the responder's public DH key in a trusted manner. In such an embodiment, the KE sent at step 609 acts as a claim to the responder's identity.
- The responder receives a message at step 610 comprising an encrypted payload, which the responder decrypts using a shared secret created from the responder's 204 private key and the public DH key received at step 608.
- The responder sends an encrypted payload at step 612. The payload is encrypted using the shared secret.
- The responder decides whether or not to trust the identity of the initiator at step 614 by noting if the public key received at step 610 corresponds to a previously known, trusted identity. If so, the responder trusts the initiator's identity at step 616. Otherwise, the responder does not trust the identity of the initiator at step 618.
- The above-described methods are further applicable in a Virtual Private Network setting. Using a static DH key in the manner described above, a device connects and is authenticated to a VPN via the IKE protocol. This is used to establish a secure channel that follows the IPSec protocol. Typically, in existing VPNs, the client and server use a shared key derived from a hash of the client's user-password. Because the identity of the client is encrypted, existing VPN servers are limited by a conundrum: they need to know the identity of the client in order to use the correct shared key for decryption.
- In accordance with an embodiment of the invention, a VPN server (responder) first obtains the public DH key of a client (initiator) in a trusted manner, prior to beginning a negotiation. To begin a negotiation, a client sends his public DH key to the server. The public DH key acts as a hint to the user's identity. Using this hint, the server finds the corresponding shared key for the user, and performs pre-shared key authentication with the client using the shared key.
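The exchange of FIG. 5 and FIG. 6 and the public-key-as-hint lookup described above, as an added Python example that is not code from the patent. Assumptions: the RFC 3526 group 14 parameters, the per-session nonces, an HMAC-SHA256 proof tag standing in for the encrypted payload (the standard library has no cipher), and the hypothetical names `Peer`, `make_proof`, `verify_peer` and `run_exchange`.

```python
import hashlib
import hmac
import secrets

# Assumption: RFC 3526 group 14 (2048-bit MODP prime, generator 2); the page names no group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
ELEMENT_LEN = 256  # bytes in a serialized group element


def encode(element: int) -> bytes:
    return element.to_bytes(ELEMENT_LEN, "big")


def fingerprint(pub: int) -> str:
    return hashlib.sha256(encode(pub)).hexdigest()


class Peer:
    """One IKE endpoint holding a static (long-lived) DH key pair."""

    def __init__(self, name: str):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2      # private key in [2, p-2]
        self.pub = pow(G, self._priv, P)               # sent as the KE payload
        self.trusted = {}                              # fingerprint -> identity

    def trust(self, identity: str, pub: int) -> None:
        """Record a public key obtained out of band, 'in a trusted manner'."""
        self.trusted[fingerprint(pub)] = identity

    def session_key(self, peer_pub: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
        # Reject degenerate values before using the long-term private key on them.
        if not 2 <= peer_pub <= P - 2:
            raise ValueError("KE payload outside [2, p-2]")
        shared = encode(pow(peer_pub, self._priv, P))
        # The static-static DH value never changes, so fresh nonces are mixed in
        # to give each session a different key.
        return hmac.new(nonce_i + nonce_r, shared, hashlib.sha256).digest()


def make_proof(key: bytes, role: bytes, own_pub: int) -> bytes:
    """Stand-in for the encrypted payload: only a holder of `key` can produce it."""
    return hmac.new(key, role + encode(own_pub), hashlib.sha256).digest()


def verify_peer(me, claimed_pub, proof, role, nonce_i, nonce_r):
    """Steps 514/614: return the trusted identity, or None if not trusted."""
    identity = me.trusted.get(fingerprint(claimed_pub))   # KE payload as identity hint
    if identity is None:
        return None                                       # unknown key (518/618)
    key = me.session_key(claimed_pub, nonce_i, nonce_r)
    expected = make_proof(key, role, claimed_pub)
    # The KE payload is only a claim; the proof shows possession of the private key.
    return identity if hmac.compare_digest(expected, proof) else None


def run_exchange(initiator, responder, initiator_ke=None):
    """Return (identity the initiator accepts, identity the responder accepts)."""
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    ke_i = initiator.pub if initiator_ke is None else initiator_ke  # steps 508/608
    ke_r = responder.pub                                            # steps 509/609
    # Steps 510/610: initiator proves knowledge of the shared secret.
    proof_i = make_proof(initiator.session_key(ke_r, nonce_i, nonce_r), b"I", ke_i)
    seen_by_responder = verify_peer(responder, ke_i, proof_i, b"I", nonce_i, nonce_r)
    # Steps 612/512: responder does the same in the other direction.
    proof_r = make_proof(responder.session_key(ke_i, nonce_i, nonce_r), b"R", ke_r)
    seen_by_initiator = verify_peer(initiator, ke_r, proof_r, b"R", nonce_i, nonce_r)
    return seen_by_initiator, seen_by_responder


def demo():
    """Constructed peers: a provisioned pair, an unknown key, a borrowed public key."""
    alice, server = Peer("alice"), Peer("vpn-server")
    alice.trust("vpn-server", server.pub)
    server.trust("alice", alice.pub)
    stranger, impostor = Peer("stranger"), Peer("impostor")
    stranger.trust("vpn-server", server.pub)
    impostor.trust("vpn-server", server.pub)
    return {
        "provisioned": run_exchange(alice, server),
        "unknown_key": run_exchange(stranger, server),
        "borrowed_public_key": run_exchange(impostor, server, initiator_ke=alice.pub),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```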
- In view of the many possible embodiments to which the principles of the present invention may be applied, it should be recognized that the embodiments described herein with respect to the drawing figures are meant to be illustrative only and should not be taken as limiting the scope of the invention. For example, those of skill in the art will recognize that the illustrated embodiments can be modified in arrangement and detail without departing from the spirit of the invention. Although the invention is described in terms of software modules or components, those skilled in the art will recognize that such may be equivalently replaced by hardware components. Devices embodying the invention can include, for example, computers, personal digital assistants (PDAs), portable media devices (USB flash drives, Smartcards, etc.), and the like. Therefore, the invention as described herein contemplates all such embodiments as may come within the scope of the following claims and equivalents thereof.
Claims (23)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/806,772 US20050149732A1 (en) | 2004-01-07 | 2004-03-23 | Use of static Diffie-Hellman key with IPSec for authentication |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US53479504P | 2004-01-07 | 2004-01-07 | |
US10/806,772 US20050149732A1 (en) | 2004-01-07 | 2004-03-23 | Use of static Diffie-Hellman key with IPSec for authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050149732A1 true US20050149732A1 (en) | 2005-07-07 |
Family
ID=36707197
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/806,772 Abandoned US20050149732A1 (en) | 2004-01-07 | 2004-03-23 | Use of static Diffie-Hellman key with IPSec for authentication |
US10/806,369 Active 2026-03-30 US7546357B2 (en) | 2004-01-07 | 2004-03-23 | Configuring network settings using portable storage media |
US12/422,750 Active 2024-09-09 US7930374B2 (en) | 2004-01-07 | 2009-04-13 | Configuring network settings using portable storage media |
US13/088,943 Expired - Lifetime US8145735B2 (en) | 2004-01-07 | 2011-04-18 | Configuring network settings using portable storage media |
Family Applications After (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/806,369 Active 2026-03-30 US7546357B2 (en) | 2004-01-07 | 2004-03-23 | Configuring network settings using portable storage media |
US12/422,750 Active 2024-09-09 US7930374B2 (en) | 2004-01-07 | 2009-04-13 | Configuring network settings using portable storage media |
US13/088,943 Expired - Lifetime US8145735B2 (en) | 2004-01-07 | 2011-04-18 | Configuring network settings using portable storage media |
Country Status (3)
Country | Link |
---|---|
US (4) | US20050149732A1 (en) |
CN (1) | CN1761256A (en) |
ZA (1) | ZA200410331B (en) |
Family Cites Families (136)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2311365A1 (en) | 1975-05-13 | 1976-12-10 | Innovation Ste Int | SYSTEM FOR TRANSFERRING AND STORING DATA IN A PERSONAL AND CONFIDENTIAL WAY BY MEANS OF PORTABLE INDEPENDENT ELECTRONIC OBJECTS |
US4805222A (en) | 1985-12-23 | 1989-02-14 | International Bioaccess Systems Corporation | Method and apparatus for verifying an individual's identity |
US4783766A (en) | 1986-05-30 | 1988-11-08 | Seeq Technology, Inc. | Block electrically erasable EEPROM |
US4970692A (en) | 1987-09-01 | 1990-11-13 | Waferscale Integration, Inc. | Circuit for controlling a flash EEPROM having three distinct modes of operation by allowing multiple functionality of a single pin |
US6614768B1 (en) | 1989-04-28 | 2003-09-02 | Broadcom Corporation | Enhanced mobility and address resolution in a wireless premises based network |
US4922734A (en) | 1989-07-10 | 1990-05-08 | Paul Iannucci | Locking assembly for preventing the unauthorized use of an electrically powered device |
US5949776A (en) | 1990-01-18 | 1999-09-07 | Norand Corporation | Hierarchical communication system using premises, peripheral and vehicular local area networking |
GB9223890D0 (en) | 1992-11-13 | 1993-01-06 | Ncr Int Inc | Wireless local area network system |
US5566331A (en) | 1994-01-24 | 1996-10-15 | University Corporation For Atmospheric Research | Mass storage system for file-systems |
US5557124A (en) | 1994-03-11 | 1996-09-17 | Waferscale Integration, Inc. | Flash EEPROM and EPROM arrays with select transistors within the bit line pitch |
US5553314A (en) | 1994-04-12 | 1996-09-03 | Motorola, Inc. | Method of configuring a communication unit using a wireless portable configuration device |
US5815682A (en) | 1994-12-13 | 1998-09-29 | Microsoft Corporation | Device independent modem interface |
US5727212A (en) | 1995-04-12 | 1998-03-10 | International Business Machines Corporation | Object oriented device driver system for procedural device drivers |
GB9517943D0 (en) | 1995-09-02 | 1995-11-01 | At & T Corp | Radio communication device and method |
US5918018A (en) | 1996-02-09 | 1999-06-29 | Secure Computing Corporation | System and method for achieving network separation |
US5838907A (en) | 1996-02-20 | 1998-11-17 | Compaq Computer Corporation | Configuration manager for network devices and an associated method for providing configuration information thereto |
US6148332A (en) | 1996-04-24 | 2000-11-14 | Earthlink, Inc. | Mandatory message display and reporting system |
US5918158A (en) | 1996-07-24 | 1999-06-29 | Lucent Technologies Inc. | Two-way wireless messaging system |
FR2756411B1 (en) | 1996-11-28 | 1998-12-31 | Sgs Thomson Microelectronics | METHOD FOR ERASING A NON-VOLATILE AND ELECTRICALLY ERASABLE MEMORY, AND ASSOCIATED DEVICES |
US5898668A (en) | 1996-12-13 | 1999-04-27 | Siemens Information And Communication Networks, Inc. | Method and system for increasing quality of service at or below a threshold cost |
US5966082A (en) | 1997-05-23 | 1999-10-12 | Intemec Ip Corp. | Method of flagging partial write in RF tags |
JP3045985B2 (en) | 1997-08-07 | 2000-05-29 | インターナショナル・ビジネス・マシーンズ・コーポレイション | Connection establishment method, communication method, state change transmission method, state change execution method, wireless device, wireless device, and computer |
US6041075A (en) | 1997-09-29 | 2000-03-21 | Intel Corporation | Scheme for the detection of V.25 ter responses from modem, on a TAP1 voice call |
US6226719B1 (en) | 1998-05-08 | 2001-05-01 | Apple Computer, Inc. | Organizing memory extents of OS input/output control |
US6202147B1 (en) | 1998-06-29 | 2001-03-13 | Sun Microsystems, Inc. | Platform-independent device drivers |
JP3278616B2 (en) | 1998-08-20 | 2002-04-30 | 日本電信電話株式会社 | Mobile user accommodation device |
US6480711B1 (en) | 1998-09-15 | 2002-11-12 | Nms Communications Corporation | Method and system for wireless data communication over the internet |
US6470397B1 (en) | 1998-11-16 | 2002-10-22 | Qlogic Corporation | Systems and methods for network and I/O device drivers |
US6795967B1 (en) | 1999-01-26 | 2004-09-21 | Microsoft Corporation | Changing user identities without closing applications |
JP3492541B2 (en) | 1999-02-24 | 2004-02-03 | 埼玉日本電気株式会社 | Wireless communication equipment |
US6411823B1 (en) | 1999-03-08 | 2002-06-25 | E. Lead Electronic Co., Ltd. | Replaceable signal cable making a sound-controlled or externally dialed hand-free system universally compatible with all types of cellular phones |
FR2791159B1 (en) | 1999-03-15 | 2001-05-04 | Bull Cp8 | METHOD FOR ACCESSING AN OBJECT USING A WEB-BASED BROWSER COOPERATING WITH A CHIP CARD AND ARCHITECTURE FOR IMPLEMENTING THE METHOD |
US20010029607A1 (en) | 1999-04-06 | 2001-10-11 | Microsoft Corporation | System and method for application installation management |
US6633929B1 (en) | 1999-04-30 | 2003-10-14 | Microsoft Corporation | Method and system for abstracting network device drivers |
US6792286B1 (en) | 1999-06-28 | 2004-09-14 | Legerity, Inc. | Apparatus for transmitting and receiving signals |
US6658018B1 (en) | 1999-06-30 | 2003-12-02 | Intel Corporation | Method and system of providing advanced teaming functionality capable of utilizing heterogeneous adapters to improve utility and performance |
EP2109265B1 (en) | 1999-07-15 | 2015-09-30 | Telefonaktiebolaget L M Ericsson (publ) | Scheduling and admission control of packet data traffic |
KR20010021111A (en) | 1999-07-23 | 2001-03-15 | 스테븐 디.피터스 | Messaging and status indication for wireless communication devices |
US6600726B1 (en) | 1999-09-29 | 2003-07-29 | Mobilian Corporation | Multiple wireless communication protocol methods and apparatuses |
US6324537B1 (en) | 1999-09-30 | 2001-11-27 | M-Systems Flash Disk Pioneers Ltd. | Device, system and method for data access control |
US6704293B1 (en) | 1999-12-06 | 2004-03-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Broadcast as a triggering mechanism for route discovery in ad-hoc networks |
US7047424B2 (en) | 2000-04-12 | 2006-05-16 | Corente, Inc. | Methods and systems for hairpins in virtual networks |
US7000015B2 (en) | 2000-04-24 | 2006-02-14 | Microsoft Corporation | System and methods for providing physical location information and a location method used in discovering the physical location information to an application on a computing device |
US6615038B1 (en) | 2000-04-28 | 2003-09-02 | Samsung Electronics Co., Ltd. | System and method for automatically creating and updating a mobile station configuration database in a wireless network |
US6654797B1 (en) | 2000-05-25 | 2003-11-25 | International Business Machines Corporation | Apparatus and a methods for server configuration using a removable storage device |
US20020012329A1 (en) | 2000-06-02 | 2002-01-31 | Timothy Atkinson | Communications apparatus interface and method for discovery of remote devices |
JP3756137B2 (en) | 2000-06-09 | 2006-03-15 | 株式会社トミー | toy |
FI111208B (en) | 2000-06-30 | 2003-06-13 | Nokia Corp | Arrangement of data encryption in a wireless telecommunication system |
US7219332B2 (en) | 2000-07-07 | 2007-05-15 | Microsoft Corporation | Configuring software components(merge) with transformation component using configurable and non-configurable data elements |
US7103661B2 (en) | 2000-07-12 | 2006-09-05 | John Raymond Klein | Auto configuration of portable computers for use in wireless local area networks |
KR100471053B1 (en) | 2000-08-04 | 2005-03-07 | 삼성전자주식회사 | Computer and method for controlling the same |
US6928301B2 (en) | 2000-08-11 | 2005-08-09 | Novatel Wireless, Inc. | Distributed architecture wireless RF modem |
US7207059B1 (en) | 2000-08-16 | 2007-04-17 | Hewlett-Packard Development Company, L.P. | Wireless communication system utilizing antenna dongle |
US7168092B2 (en) * | 2000-08-31 | 2007-01-23 | Sun Microsystems, Inc. | Configuring processing units |
US6738027B1 (en) | 2000-10-17 | 2004-05-18 | Sun Microsystems, Inc. | Method and apparatus for configuration using a portable electronic configuration device |
US7171475B2 (en) | 2000-12-01 | 2007-01-30 | Microsoft Corporation | Peer networking host framework and hosting API |
US6667906B2 (en) | 2001-01-08 | 2003-12-23 | Azalea Microelectronics Corporation | Integrated circuit having an EEPROM and flash EPROM using a memory cell with source-side programming |
US6934853B2 (en) | 2001-01-18 | 2005-08-23 | International Business Machines Corporation | Method, system and program for sharing the ability to set configuration parameters in a network environment |
JP2002318788A (en) | 2001-04-20 | 2002-10-31 | Matsushita Electric Works Ltd | Network terminal |
US6754725B1 (en) | 2001-05-07 | 2004-06-22 | Cypress Semiconductor Corp. | USB peripheral containing its own device driver |
US20020178295A1 (en) | 2001-05-23 | 2002-11-28 | Joseph Buczek | Distributed gateways for remote management of USB-compatible devices |
US6658538B2 (en) | 2001-06-21 | 2003-12-02 | International Business Machines Corporation | Non-uniform memory access (NUMA) data processing system having a page table including node-specific data storage and coherency control |
US6842460B1 (en) | 2001-06-27 | 2005-01-11 | Nokia Corporation | Ad hoc network discovery menu |
JP2003050757A (en) * | 2001-08-08 | 2003-02-21 | Toshiba Corp | Method for providing environmental setting information of communication application |
US8266451B2 (en) | 2001-08-31 | 2012-09-11 | Gemalto Sa | Voice activated smart card |
US7194263B2 (en) | 2001-09-17 | 2007-03-20 | Microsoft Corporation | System and method for concurrent operation of a wireless device in two disjoint wireless networks |
US7493363B2 (en) | 2001-09-19 | 2009-02-17 | Microsoft Corporation | Peer-to-peer group management and method for maintaining peer-to-peer graphs |
JP2003198568A (en) | 2001-10-16 | 2003-07-11 | Sony Corp | Transmitting/receiving apparatus, transmitting/receiving method and transmitting/receiving system |
US6806879B2 (en) | 2001-10-17 | 2004-10-19 | Avid Technology, Inc. | Manipulation of motion data in an animation editing system |
US7321784B2 (en) | 2001-10-24 | 2008-01-22 | Texas Instruments Incorporated | Method for physically updating configuration information for devices in a wireless network |
US7103773B2 (en) | 2001-10-26 | 2006-09-05 | Hewlett-Packard Development Company, L.P. | Message exchange in an information technology network |
JP3612528B2 (en) | 2001-10-29 | 2005-01-19 | Necインフロンティア株式会社 | Parameter setting system |
KR100450080B1 (en) | 2001-11-13 | 2004-10-06 | (주)지에스텔레텍 | Portable storage medium based on Universal Serial Bus standard and Control Method therefor |
CN100363895C (en) | 2001-12-05 | 2008-01-23 | 微软公司 | Configuration and management system for movable and imbedded equipment |
US6885585B2 (en) | 2001-12-20 | 2005-04-26 | Saifun Semiconductors Ltd. | NROM NOR array |
AU2002327271A1 (en) | 2001-12-29 | 2003-07-15 | Tai Guen Enterprise Co., Ltd | A portable data conversion processor with standard data port |
US6687799B2 (en) | 2002-01-31 | 2004-02-03 | Hewlett-Packard Development Company, L.P. | Expedited memory dumping and reloading of computer processors |
US6801756B1 (en) | 2002-02-08 | 2004-10-05 | Networks Associates Technology, Inc. | Method and system for dynamic evaluation of a wireless network with a portable computing device |
US7451222B2 (en) | 2002-02-13 | 2008-11-11 | Gateway Inc. | Client-centered WEP settings on a LAN |
US20030158842A1 (en) | 2002-02-21 | 2003-08-21 | Eliezer Levy | Adaptive acceleration of retrieval queries |
CN1307522C (en) | 2002-03-06 | 2007-03-28 | 弗里科姆技术公司 | Monitoring and data exchange method of an external storage medium unit |
JP2003271482A (en) * | 2002-03-14 | 2003-09-26 | Osaka Gas Co Ltd | Information communication terminal setting method |
US7165154B2 (en) | 2002-03-18 | 2007-01-16 | Net Integration Technologies Inc. | System and method for data backup |
JP2003271694A (en) | 2002-03-18 | 2003-09-26 | Fujitsu Ltd | Simulation method and device for verifying logic circuit including processor and error detecting program for verifying logic circuit |
EP1355485A1 (en) | 2002-04-18 | 2003-10-22 | Deutsche Thomson-Brandt Gmbh | Method for generating a user interface on a HAVi device for the control of a Non-HAVi device |
US7116943B2 (en) | 2002-04-22 | 2006-10-03 | Cognio, Inc. | System and method for classifying signals occuring in a frequency band |
JP3748106B2 (en) | 2002-04-25 | 2006-02-22 | ソニー株式会社 | COMMUNICATION SYSTEM, INFORMATION PROCESSING DEVICE AND METHOD, RECORDING MEDIUM, AND PROGRAM |
US7551628B2 (en) | 2002-05-03 | 2009-06-23 | Hewlett-Packard Development Company, L.P. | Wireless dongle with computing capability for equipment control and method of operation thereof |
US20030217126A1 (en) * | 2002-05-14 | 2003-11-20 | Polcha Andrew J. | System and method for automatically configuring remote computer |
JP2004021581A (en) | 2002-06-17 | 2004-01-22 | Tai Guen Enterprise Co Ltd | Guide device and guide method for flash memory system |
US20050193103A1 (en) | 2002-06-18 | 2005-09-01 | John Drabik | Method and apparatus for automatic configuration and management of a virtual private network |
KR100597734B1 (en) | 2002-06-25 | 2006-07-07 | 삼성전자주식회사 | Memorydrive and method of controlling the same |
US6990656B2 (en) | 2002-06-27 | 2006-01-24 | Microsoft Corporation | Dynamic metabase store |
JP4695816B2 (en) | 2002-06-28 | 2011-06-08 | 富士通株式会社 | Electronic equipment |
US6738834B1 (en) | 2002-07-15 | 2004-05-18 | Cypress Microsystems | System for reconfiguring a peripheral device using configuration residing on the peripheral device by electronically simulating a physical disconnection and reconnection to a host device |
JP2004096146A (en) * | 2002-08-29 | 2004-03-25 | Sony Corp | Communication apparatus, communication control method and program, and recording medium |
US7395435B2 (en) | 2002-09-20 | 2008-07-01 | Atmel Corporation | Secure memory device for smart cards |
US7562393B2 (en) | 2002-10-21 | 2009-07-14 | Alcatel-Lucent Usa Inc. | Mobility access gateway |
GB2395613B (en) | 2002-11-21 | 2006-09-06 | Hewlett Packard Co | Memory tag,read/write device and method of operating a memory tag |
US7478248B2 (en) | 2002-11-27 | 2009-01-13 | M-Systems Flash Disk Pioneers, Ltd. | Apparatus and method for securing data on a portable storage device |
US6998871B2 (en) | 2002-11-29 | 2006-02-14 | Sigmatel, Inc. | Configurable integrated circuit for use in a multi-function handheld device |
US7099881B2 (en) | 2002-12-06 | 2006-08-29 | Stmicroelectronics, Inc. | Method for increasing average storage capacity in a bit-mapped tree-based storage engine by using remappable prefix representations and a run-length encoding scheme that defines multi-length fields to compactly store IP prefixes |
US7013331B2 (en) * | 2002-12-20 | 2006-03-14 | Nokia, Inc. | Automated bulk configuration of network devices |
US7596625B2 (en) | 2003-01-27 | 2009-09-29 | Microsoft Corporation | Peer-to-peer grouping interfaces and methods |
US7340611B2 (en) | 2003-01-28 | 2008-03-04 | Microsoft Corporation | Template-driven XML digital signature |
US20040162076A1 (en) | 2003-02-14 | 2004-08-19 | Atul Chowdry | System and method for simplified secure universal access and control of remote networked electronic resources for the purposes of assigning and coordinationg complex electronic tasks |
WO2004095758A2 (en) | 2003-04-22 | 2004-11-04 | Cognio, Inc. | Signal classification methods for scanning receiver and other applications |
US7735095B2 (en) * | 2003-05-02 | 2010-06-08 | Microsoft Corporation | Network device drivers using a communication transport |
US6922734B2 (en) | 2003-05-25 | 2005-07-26 | M-Systems Flash Disk Pioneers Ltd. | Non-volatile storage device with contactless interface |
US7533184B2 (en) | 2003-06-13 | 2009-05-12 | Microsoft Corporation | Peer-to-peer name resolution wire protocol and message format data structure for use therein |
JP2005045557A (en) | 2003-07-22 | 2005-02-17 | Sony Corp | Communication device |
WO2005010730A2 (en) | 2003-07-24 | 2005-02-03 | Idea Place Corporation | Mobile memory device with integrated applications and online services |
US6976253B1 (en) | 2003-07-30 | 2005-12-13 | Microsoft Corporation | Method and apparatus for configuring a mobile device |
US7463378B2 (en) | 2003-08-21 | 2008-12-09 | Hewlett-Packard Development Company, L.P. | Visitor safe wireless printer access point |
JP2005085047A (en) * | 2003-09-09 | 2005-03-31 | Victor Co Of Japan Ltd | Network-setting device and computer program |
US7103874B2 (en) | 2003-10-23 | 2006-09-05 | Microsoft Corporation | Model-based management of computer systems and distributed applications |
US7213766B2 (en) | 2003-11-17 | 2007-05-08 | Dpd Patent Trust Ltd | Multi-interface compact personal token apparatus and methods of use |
US20050118977A1 (en) | 2003-12-02 | 2005-06-02 | Drogi Serge F. | Method, apparatus, and systems for digital radio communication systems |
US20050119936A1 (en) | 2003-12-02 | 2005-06-02 | Robert Buchanan | Sponsored media content |
US20050198221A1 (en) | 2004-01-07 | 2005-09-08 | Microsoft Corporation | Configuring an ad hoc wireless network using a portable media device |
US20050149732A1 (en) | 2004-01-07 | 2005-07-07 | Microsoft Corporation | Use of static Diffie-Hellman key with IPSec for authentication |
US7769995B2 (en) | 2004-01-07 | 2010-08-03 | Microsoft Corporation | System and method for providing secure network access |
US7657612B2 (en) | 2004-01-07 | 2010-02-02 | Microsoft Corporation | XML schema for network device configuration |
US20050198233A1 (en) | 2004-01-07 | 2005-09-08 | Microsoft Corporation | Configuring network settings of thin client devices using portable storage media |
US7653020B2 (en) | 2004-01-28 | 2010-01-26 | Harris Corporation | Wireless ultra wideband network having interference mitigation and related methods |
US7177957B2 (en) | 2004-03-11 | 2007-02-13 | Dell Products L.P. | System and method for configuring information handling system networked peripherals |
US20060013160A1 (en) | 2004-07-19 | 2006-01-19 | Haartsen Jacobus C | Peer connectivity in ad-hoc communications systems |
CN100576804C (en) | 2004-07-30 | 2009-12-30 | 微软公司 | Be used to provide the system and method for secure network access |
US8578063B2 (en) | 2004-08-20 | 2013-11-05 | Mitsubishi Kagaku Media Co., Ltd. | Self-labeling digital storage unit |
US20060069819A1 (en) | 2004-09-28 | 2006-03-30 | Microsoft Corporation | Universal serial bus device |
US7747797B2 (en) | 2004-09-28 | 2010-06-29 | Microsoft Corporation | Mass storage device with near field communications |
US7710587B2 (en) | 2004-10-18 | 2010-05-04 | Microsoft Corporation | Method and system for configuring an electronic device |
US7826833B2 (en) | 2005-02-17 | 2010-11-02 | Madhavan P G | Channel assay for thin client device wireless provisioning |
US7616588B2 (en) | 2005-03-31 | 2009-11-10 | Microsoft Corporation | Simplified creation and termination of an ad hoc wireless network with internet connection sharing |
US20060279412A1 (en) | 2005-06-13 | 2006-12-14 | Holland Joshua H | System for using RFID tags as data storage devices |
US7455218B2 (en) | 2005-06-20 | 2008-11-25 | Microsoft Corproation | Rich object model for diverse Auto-ID tags |
- 2004
  - 2004-03-23: US application US10/806,772, publication US20050149732A1, status: Abandoned
  - 2004-03-23: US application US10/806,369, publication US7546357B2, status: Active
  - 2004-12-22: ZA application ZA200410331A, publication ZA200410331B, status: unknown
- 2005
  - 2005-01-07: CN application CNA2005100040546A, publication CN1761256A, status: Pending
- 2009
  - 2009-04-13: US application US12/422,750, publication US7930374B2, status: Active
- 2011
  - 2011-04-18: US application US13/088,943, publication US8145735B2, status: Expired - Lifetime
Patent Citations (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6563928B1 (en) * | 1995-05-18 | 2003-05-13 | Certicom Corp. | Strengthened public key protocol |
US5933504A (en) * | 1995-05-18 | 1999-08-03 | Certicom Corp. | Strengthened public key protocol |
US5930362A (en) * | 1996-10-09 | 1999-07-27 | At&T Wireless Services Inc | Generation of encryption key |
US6078667A (en) * | 1996-10-10 | 2000-06-20 | Certicom Corp. | Generating unique and unpredictable values |
US6178507B1 (en) * | 1997-02-03 | 2001-01-23 | Certicom Corp. | Data card verification system |
US20010014153A1 (en) * | 1997-10-14 | 2001-08-16 | Johnson Donald B. | Key validation scheme |
US6195433B1 (en) * | 1998-05-08 | 2001-02-27 | Certicom Corp. | Private key validity and validation |
US6052720A (en) * | 1998-05-14 | 2000-04-18 | Sun Microsystems, Inc. | Generic schema for storing configuration information on a server computer |
US6449642B2 (en) * | 1998-09-15 | 2002-09-10 | Microsoft Corporation | Method and system for integrating a client computer into a computer network |
US6148354A (en) * | 1999-04-05 | 2000-11-14 | M-Systems Flash Disk Pioneers Ltd. | Architecture for a universal serial bus-based PC flash disk |
US7058180B2 (en) * | 2000-02-08 | 2006-06-06 | Swisscom Mobile Ag | Single sign-on process |
US6907532B2 (en) * | 2000-03-04 | 2005-06-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication node, communication network and method of recovering from a temporary failure of a node |
US7181542B2 (en) * | 2000-04-12 | 2007-02-20 | Corente, Inc. | Method and system for managing and configuring virtual private networks |
US7181012B2 (en) * | 2000-09-11 | 2007-02-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Secured map messages for telecommunications networks |
US6526264B2 (en) * | 2000-11-03 | 2003-02-25 | Cognio, Inc. | Wideband multi-protocol wireless radio transceiver system |
US20020090085A1 (en) * | 2000-12-27 | 2002-07-11 | Vanstone Scott A. | Method of public key generation |
US6693651B2 (en) * | 2001-02-07 | 2004-02-17 | International Business Machines Corporation | Customer self service iconic interface for resource search results display and selection |
US7130425B2 (en) * | 2001-03-02 | 2006-10-31 | Ati International Srl | Method and apparatus for providing a bus-encrypted copy protection key to an unsecured bus |
US20020152384A1 (en) * | 2001-04-12 | 2002-10-17 | Microsoft Corporation | Methods and systems for unilateral authentication of messages |
US20020152380A1 (en) * | 2001-04-12 | 2002-10-17 | Microsoft Corporation | Methods and systems for unilateral authentication of messages |
US6654841B2 (en) * | 2001-05-03 | 2003-11-25 | Power Quotient International Company, Inc. | USB interface flash memory card reader with a built-in flash memory |
US20030101247A1 (en) * | 2001-11-07 | 2003-05-29 | Microsoft Corporation | Method and system for configuring a computer for real-time communication |
US7181620B1 (en) * | 2001-11-09 | 2007-02-20 | Cisco Technology, Inc. | Method and apparatus providing secure initialization of network devices using a cryptographic key distribution approach |
US6687492B1 (en) * | 2002-03-01 | 2004-02-03 | Cognio, Inc. | System and method for antenna diversity using joint maximal ratio combining |
US6785520B2 (en) * | 2002-03-01 | 2004-08-31 | Cognio, Inc. | System and method for antenna diversity using equal power joint maximal ratio combining |
US7188365B2 (en) * | 2002-04-04 | 2007-03-06 | At&T Corp. | Method and system for securely scanning network traffic |
US7269730B2 (en) * | 2002-04-18 | 2007-09-11 | Nokia Corporation | Method and apparatus for providing peer authentication for an internet key exchange |
US6850735B2 (en) * | 2002-04-22 | 2005-02-01 | Cognio, Inc. | System and method for signal classiciation of signals in a frequency band |
US6728517B2 (en) * | 2002-04-22 | 2004-04-27 | Cognio, Inc. | Multiple-input multiple-output radio transceiver |
US6714605B2 (en) * | 2002-04-22 | 2004-03-30 | Cognio, Inc. | System and method for real-time spectrum analysis in a communication device |
US20030225971A1 (en) * | 2002-05-29 | 2003-12-04 | Yuji Oishi | USB storage device and program |
US20040002943A1 (en) * | 2002-06-28 | 2004-01-01 | Merrill John Wickens Lamb | Systems and methods for application delivery and configuration management of mobile devices |
US20040010429A1 (en) * | 2002-07-12 | 2004-01-15 | Microsoft Corporation | Deployment of configuration information |
US6700450B2 (en) * | 2002-07-29 | 2004-03-02 | Cognio, Inc. | Voltage-controlled oscillator with an automatic amplitude control circuit |
US20040024875A1 (en) * | 2002-07-30 | 2004-02-05 | Microsoft Corporation | Schema-based services for identity-based access to device data |
US20040038592A1 (en) * | 2002-08-21 | 2004-02-26 | Fu-I Yang | USB flash drive |
Cited By (122)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7574603B2 (en) | 2003-11-14 | 2009-08-11 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
US20090276828A1 (en) * | 2003-11-14 | 2009-11-05 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
US8275989B2 (en) | 2003-11-14 | 2012-09-25 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
US20050108531A1 (en) * | 2003-11-14 | 2005-05-19 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
US20110196946A1 (en) * | 2004-01-07 | 2011-08-11 | Microsoft Corporation | Configuring network settings using portable storage media |
US8145735B2 (en) | 2004-01-07 | 2012-03-27 | Microsoft Corporation | Configuring network settings using portable storage media |
US20080232382A1 (en) * | 2004-01-15 | 2008-09-25 | Matsushita Electric Industrial Co., Ltd. | Mobile Wireless Communication System, Mobile Wireless Terminal Apparatus, Virtual Private Network Relay Apparatus and Connection Authentication Server |
US7941843B2 (en) * | 2004-01-15 | 2011-05-10 | Panasonic Corporation | Mobile wireless communication system, mobile wireless terminal apparatus, virtual private network relay apparatus and connection authentication server |
US7895648B1 (en) * | 2004-03-01 | 2011-02-22 | Cisco Technology, Inc. | Reliably continuing a secure connection when the address of a machine at one end of the connection changes |
US20050251589A1 (en) * | 2004-05-04 | 2005-11-10 | Jung-Chung Wang | Method of authenticating universal serail bus on-the-go device |
US20230083997A1 (en) * | 2005-01-21 | 2023-03-16 | Blackberry Limited | Elliptic Curve Random Number Generation |
US11876901B2 (en) * | 2005-01-21 | 2024-01-16 | Malikie Innovations Limited | Elliptic curve random number generation |
US20060285693A1 (en) * | 2005-06-16 | 2006-12-21 | Amit Raikar | Method and apparatus for automatic and secure distribution of a symmetric key security credential in a utility computing environment |
US7822982B2 (en) * | 2005-06-16 | 2010-10-26 | Hewlett-Packard Development Company, L.P. | Method and apparatus for automatic and secure distribution of a symmetric key security credential in a utility computing environment |
US20070130069A1 (en) * | 2005-12-06 | 2007-06-07 | Microsoft Corporation | Encapsulating Address Components |
US20070214502A1 (en) * | 2006-03-08 | 2007-09-13 | Mcalister Donald K | Technique for processing data packets in a communication network |
US7675867B1 (en) | 2006-04-19 | 2010-03-09 | Owl Computing Technologies, Inc. | One-way data transfer system with built-in data verification mechanism |
WO2007124671A1 (en) * | 2006-04-30 | 2007-11-08 | Huawei Technologies Co., Ltd. | A method, device and system of negotiating the encrypting algorithm between the user equipment and the network |
US8327437B2 (en) | 2006-06-14 | 2012-12-04 | Certes Networks, Inc. | Securing network traffic by distributing policies in a hierarchy over secure tunnels |
US7774837B2 (en) | 2006-06-14 | 2010-08-10 | Cipheroptics, Inc. | Securing network traffic by distributing policies in a hierarchy over secure tunnels |
US20080016550A1 (en) * | 2006-06-14 | 2008-01-17 | Mcalister Donald K | Securing network traffic by distributing policies in a hierarchy over secure tunnels |
US20110013776A1 (en) * | 2006-06-14 | 2011-01-20 | Cipheroptics, Inc. | Securing Network Traffic by Distributing Policies in a Hierarchy Over Secure Tunnels |
US20080222693A1 (en) * | 2006-08-08 | 2008-09-11 | Cipheroptics, Inc. | Multiple security groups with common keys on distributed networks |
US20080040775A1 (en) * | 2006-08-11 | 2008-02-14 | Hoff Brandon L | Enforcing security groups in network of data processors |
US8082574B2 (en) | 2006-08-11 | 2011-12-20 | Certes Networks, Inc. | Enforcing security groups in network of data processors |
US20080072281A1 (en) * | 2006-09-14 | 2008-03-20 | Willis Ronald B | Enterprise data protection management for providing secure communication in a network |
US20080072033A1 (en) * | 2006-09-19 | 2008-03-20 | Mcalister Donald | Re-encrypting policy enforcement point |
US8379638B2 (en) | 2006-09-25 | 2013-02-19 | Certes Networks, Inc. | Security encapsulation of ethernet frames |
US20080075073A1 (en) * | 2006-09-25 | 2008-03-27 | Swartz Troy A | Security encapsulation of ethernet frames |
US20080075088A1 (en) * | 2006-09-27 | 2008-03-27 | Cipheroptics, Inc. | IP encryption over resilient BGP/MPLS IP VPN |
US20080127327A1 (en) * | 2006-09-27 | 2008-05-29 | Serge-Paul Carrasco | Deploying group VPNS and security groups over an end-to-end enterprise network |
US8284943B2 (en) | 2006-09-27 | 2012-10-09 | Certes Networks, Inc. | IP encryption over resilient BGP/MPLS IP VPN |
US8607301B2 (en) | 2006-09-27 | 2013-12-10 | Certes Networks, Inc. | Deploying group VPNS and security groups over an end-to-end enterprise network |
US20080104692A1 (en) * | 2006-09-29 | 2008-05-01 | Mcalister Donald | Virtual security interface |
US8046820B2 (en) | 2006-09-29 | 2011-10-25 | Certes Networks, Inc. | Transporting keys between security protocols |
US8104082B2 (en) | 2006-09-29 | 2012-01-24 | Certes Networks, Inc. | Virtual security interface |
US20080104693A1 (en) * | 2006-09-29 | 2008-05-01 | Mcalister Donald | Transporting keys between security protocols |
US20080162922A1 (en) * | 2006-12-27 | 2008-07-03 | Swartz Troy A | Fragmenting security encapsulated ethernet frames |
US20080195863A1 (en) * | 2007-02-09 | 2008-08-14 | Microsoft Corporation | Securing wireless communications between devices |
US7818571B2 (en) | 2007-02-09 | 2010-10-19 | Microsoft Corporation | Securing wireless communications between devices |
US20080192739A1 (en) * | 2007-02-14 | 2008-08-14 | Serge-Paul Carrasco | Ethernet encryption over resilient virtual private LAN services |
US7864762B2 (en) | 2007-02-14 | 2011-01-04 | Cipheroptics, Inc. | Ethernet encryption over resilient virtual private LAN services |
US20090276524A1 (en) * | 2007-03-19 | 2009-11-05 | Fujitsu Limited | Thin client terminal, operation program and method thereof, and thin client system |
US8281038B2 (en) | 2007-03-19 | 2012-10-02 | Fujitsu Limited | Thin client terminal, operation program and method thereof, and thin client system |
US20090034738A1 (en) * | 2007-07-31 | 2009-02-05 | Charles Rodney Starrett | Method and apparatus for securing layer 2 networks |
WO2009026771A1 (en) * | 2007-08-24 | 2009-03-05 | Guan, Haiying | The method for negotiating the key, encrypting and decrypting the information, signing and authenticating the information |
US20090089593A1 (en) * | 2007-10-02 | 2009-04-02 | Sony Corporation | Recording system, information processing apparatus, storage apparatus, recording method, and program |
US8612452B2 (en) | 2007-11-05 | 2013-12-17 | Canon Kabushiki Kaisha | Information processing apparatus, control method therefor, and storage medium |
US20090119318A1 (en) * | 2007-11-05 | 2009-05-07 | Canon Kabushiki Kaisha | Information processing apparatus, control method therefor, and storage medium |
US8126896B2 (en) * | 2007-11-05 | 2012-02-28 | Canon Kabushiki Kaisha | Information processing apparatus, control method therefor, and storage medium |
CN101911017A (en) * | 2007-12-31 | 2010-12-08 | 数据逻辑移动公司 | Systems and methods for configuring, updating, and booting an alternate operating system on a portable data reader |
US20090240942A1 (en) * | 2008-03-20 | 2009-09-24 | Canon Kabushiki Kaisha | Long term key establishment for embedded devices |
US8732453B2 (en) | 2010-07-19 | 2014-05-20 | Owl Computing Technologies, Inc. | Secure acknowledgment device for one-way data transfer system |
US20120023325A1 (en) * | 2010-07-20 | 2012-01-26 | Gemtek Technology Co., Ltd. | Virtual private network system and network device thereof |
US8793780B2 (en) | 2011-04-11 | 2014-07-29 | Blackberry Limited | Mitigation of application-level distributed denial-of-service attacks |
US9871827B2 (en) * | 2012-01-12 | 2018-01-16 | Blackberry Limited | System and method of lawful access to secure communications |
US20160344775A1 (en) * | 2012-01-12 | 2016-11-24 | Blackberry Limited | System and method of lawful access to secure communications |
US20130333008A1 (en) * | 2012-06-07 | 2013-12-12 | Authentify, Inc. | Enhanced 2chk authentication security with query transactions |
US9716691B2 (en) * | 2012-06-07 | 2017-07-25 | Early Warning Services, Llc | Enhanced 2CHK authentication security with query transactions |
US9584316B1 (en) | 2012-07-16 | 2017-02-28 | Wickr Inc. | Digital security bubble |
US9667417B1 (en) | 2012-07-16 | 2017-05-30 | Wickr Inc. | Digital security bubble |
US9628449B1 (en) | 2012-07-16 | 2017-04-18 | Wickr Inc. | Multi party messaging |
US9729315B2 (en) | 2012-07-16 | 2017-08-08 | Wickr Inc. | Initialization and registration of an application |
US9876772B1 (en) | 2012-07-16 | 2018-01-23 | Wickr Inc. | Encrypting and transmitting data |
US20150095649A1 (en) * | 2013-04-22 | 2015-04-02 | Unisys Corporation | Community of interest-based secured communications over ipsec |
US9596077B2 (en) * | 2013-04-22 | 2017-03-14 | Unisys Corporation | Community of interest-based secured communications over IPsec |
US9830089B1 (en) | 2013-06-25 | 2017-11-28 | Wickr Inc. | Digital data sanitization |
US11924361B1 (en) | 2013-06-25 | 2024-03-05 | Amazon Technologies, Inc. | Secure time-to-live |
US10567349B2 (en) | 2013-06-25 | 2020-02-18 | Wickr Inc. | Secure time-to-live |
US9866591B1 (en) | 2013-06-25 | 2018-01-09 | Wickr Inc. | Enterprise messaging platform |
US10129260B1 (en) | 2013-06-25 | 2018-11-13 | Wickr Inc. | Mutual privacy management |
US11509488B2 (en) | 2013-06-25 | 2022-11-22 | Amazon Technologies, Inc. | Secure time-to-live |
US20150113277A1 (en) * | 2013-10-21 | 2015-04-23 | Aruba Networks, Inc. | Provisioning Devices For Secure Wireless Local Area Networks |
US9515824B2 (en) * | 2013-10-21 | 2016-12-06 | Aruba Networks, Inc. | Provisioning devices for secure wireless local area networks |
US20160285845A1 (en) * | 2013-10-31 | 2016-09-29 | Ubiqu B.V. | Method for setting up, via an intermediate entity, a secure session between a first and a second entity, and corresponding entities and computer program products |
WO2015065189A1 (en) * | 2013-10-31 | 2015-05-07 | Ubiqu B.V. | Method for setting up, via an intermediate entity, a secure session between a first and a second entity, and corresponding entities and computer program products |
NL2011717C2 (en) * | 2013-10-31 | 2015-05-04 | Ubiqu B V | A first entity, a second entity, an intermediate node, methods for setting up a secure session between a first and second entity, and computer program products. |
US10396982B1 (en) | 2014-02-24 | 2019-08-27 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
US10382197B1 (en) | 2014-02-24 | 2019-08-13 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
US9698976B1 (en) | 2014-02-24 | 2017-07-04 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
US11394697B2 (en) * | 2014-06-18 | 2022-07-19 | Visa International Service Association | Efficient methods for authenticated communication |
CN111355749A (en) * | 2014-06-18 | 2020-06-30 | 维萨国际服务协会 | Efficient method for authenticated communication |
US10574633B2 (en) * | 2014-06-18 | 2020-02-25 | Visa International Service Association | Efficient methods for authenticated communication |
CN106664206A (en) * | 2014-06-18 | 2017-05-10 | 维萨国际服务协会 | Efficient methods for authenticated communication |
US20220353252A1 (en) * | 2014-06-18 | 2022-11-03 | Visa International Service Association | Efficient methods for authenticated communication |
US20150372811A1 (en) * | 2014-06-18 | 2015-12-24 | Eric Le Saint | Efficient methods for authenticated communication |
US9584530B1 (en) | 2014-06-27 | 2017-02-28 | Wickr Inc. | In-band identity verification and man-in-the-middle defense |
US11588637B2 (en) * | 2014-08-29 | 2023-02-21 | Visa International Service Association | Methods for secure cryptogram generation |
US9654288B1 (en) | 2014-12-11 | 2017-05-16 | Wickr Inc. | Securing group communications |
US11856104B2 (en) | 2015-01-27 | 2023-12-26 | Visa International Service Association | Methods for secure credential provisioning |
WO2016175659A1 (en) * | 2015-04-30 | 2016-11-03 | Ubiqu B.V. | A first entity, a second entity, an intermediate node, methods for setting up a secure session between a first and second entity, and computer program products |
NL2014743A (en) * | 2015-04-30 | 2016-11-07 | Ubiqu B V | A first entity, a second entity, an intermediate node, methods for setting up a secure session between a first and second entity, and computer program products. |
US20180123794A1 (en) * | 2015-04-30 | 2018-05-03 | Ubiqu B.V. | A first entity, a second entity, an intermediate node, methods for setting up a secure session between a first and second entity, and computer program products |
US11206129B2 (en) * | 2015-04-30 | 2021-12-21 | Ubiqu B.V. | First entity, a second entity, an intermediate node, methods for setting up a secure session between a first and second entity, and computer program products |
US9843929B2 (en) | 2015-08-21 | 2017-12-12 | Afero, Inc. | Apparatus and method for sharing WiFi security data in an internet of things (IoT) system |
US10149154B2 (en) | 2015-08-21 | 2018-12-04 | Afero, Inc. | Apparatus and method for sharing WiFi security data in an internet of things (IoT) system |
US10659961B2 (en) | 2015-08-21 | 2020-05-19 | Afero, Inc. | Apparatus and method for sharing WiFi security data in an internet of things (IoT) system |
US9942837B2 (en) | 2015-08-25 | 2018-04-10 | Afero, Inc. | Apparatus and method for a dynamic scan interval for a wireless device |
US10999269B2 (en) * | 2015-12-04 | 2021-05-04 | Samsara Networks Inc. | Authentication of a gateway device in a sensor network |
US10390227B2 (en) * | 2015-12-04 | 2019-08-20 | Samsara Networks Inc. | Authentication of a gateway device in a sensor network |
US20170171747A1 (en) * | 2015-12-14 | 2017-06-15 | Afero, Inc. | System and method for establishing a secondary communication channel to control an internet of things (iot) device |
US10447784B2 (en) | 2015-12-14 | 2019-10-15 | Afero, Inc. | Apparatus and method for modifying packet interval timing to identify a data transfer condition |
US10805344B2 (en) | 2015-12-14 | 2020-10-13 | Afero, Inc. | Apparatus and method for obscuring wireless communication patterns |
US10091242B2 (en) * | 2015-12-14 | 2018-10-02 | Afero, Inc. | System and method for establishing a secondary communication channel to control an internet of things (IOT) device |
US9590956B1 (en) | 2015-12-18 | 2017-03-07 | Wickr Inc. | Decentralized authoritative messaging |
US9584493B1 (en) | 2015-12-18 | 2017-02-28 | Wickr Inc. | Decentralized authoritative messaging |
US9673973B1 (en) | 2015-12-18 | 2017-06-06 | Wickr Inc. | Decentralized authoritative messaging |
US10291607B1 (en) | 2016-02-02 | 2019-05-14 | Wickr Inc. | Providing real-time events to applications |
US11362811B2 (en) | 2016-04-14 | 2022-06-14 | Amazon Technologies, Inc. | Secure telecommunications |
US9590958B1 (en) | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure file transfer |
US9591479B1 (en) | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure telecommunications |
US9596079B1 (en) | 2016-04-14 | 2017-03-14 | Wickr Inc. | Secure telecommunications |
US9602477B1 (en) | 2016-04-14 | 2017-03-21 | Wickr Inc. | Secure file transfer |
US11405370B1 (en) | 2016-04-14 | 2022-08-02 | Amazon Technologies, Inc. | Secure file transfer |
US10972257B2 (en) | 2016-06-07 | 2021-04-06 | Visa International Service Association | Multi-level communication encryption |
US11329831B2 (en) | 2016-06-08 | 2022-05-10 | University Of Florida Research Foundation, Incorporated | Practical end-to-end cryptographic authentication for telephony over voice channels |
WO2017214380A1 (en) * | 2016-06-08 | 2017-12-14 | University Of Florida Research Foundation, Incorporated | Practical end-to-end cryptographic authentication for telephony over voice channels |
WO2020025138A1 (en) * | 2018-08-02 | 2020-02-06 | Telefonaktiebolaget Lm Ericsson (Publ) | Secured authenticated communication between an initiator and a responder |
CN109845184A (en) * | 2018-08-29 | 2019-06-04 | 区链通网络有限公司 | A kind of data ciphering method and device of instant messaging |
US20210345106A1 (en) * | 2019-01-25 | 2021-11-04 | Kabushiki Kaisha Toshiba | Communication control device and communication control system |
CN113746861A (en) * | 2021-09-13 | 2021-12-03 | 南京首传信安科技有限公司 | Data transmission encryption and decryption method and encryption and decryption system based on state encryption technology |
CN114338153A (en) * | 2021-12-28 | 2022-04-12 | 杭州迪普科技股份有限公司 | IPSec negotiation method and device |
Also Published As
Publication number | Publication date |
---|---|
US7930374B2 (en) | 2011-04-19 |
US7546357B2 (en) | 2009-06-09 |
US20090254639A1 (en) | 2009-10-08 |
US20050149204A1 (en) | 2005-07-07 |
US8145735B2 (en) | 2012-03-27 |
CN1761256A (en) | 2006-04-19 |
ZA200410331B (en) | 2009-04-29 |
US20110196946A1 (en) | 2011-08-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20050149732A1 (en) | Use of static Diffie-Hellman key with IPSec for authentication | |
US8275989B2 (en) | Method of negotiating security parameters and authenticating users interconnected to a network | |
US9819666B2 (en) | Pass-thru for client authentication | |
US7856655B2 (en) | System and method for improved network security | |
EP2105819B1 (en) | Efficient and secure authentication of computing systems | |
US6874089B2 (en) | System, method and computer program product for guaranteeing electronic transactions | |
US8635445B2 (en) | Method for digital identity authentication | |
US7769997B2 (en) | System, method and computer program product for guaranteeing electronic transactions | |
US20160072787A1 (en) | Method for creating secure subnetworks on a general purpose network | |
US8417949B2 (en) | Total exchange session security | |
US20120072717A1 (en) | Dynamic identity authentication system | |
US8091126B2 (en) | Failure recognition | |
CN111130775A (en) | Key negotiation method, device and equipment | |
WO2009018510A1 (en) | Systems and methods for implementing a mutating internet protocol security | |
JP2003224562A (en) | Personal authentication system and program | |
WO2023130970A1 (en) | Trusted measurement-integrated communication method and apparatus | |
Dong et al. | Security Analysis of Real World Protocols | |
Gelashvili | Attacks on re-keying and renegotiation in key exchange protocols | |
Murhammer et al. | A Comprehensive Guide to Virtual Private Networks, Volume I: IBM Firewall, Server and Client Solutions | |
Ekström | Securing a wireless local area network: using standard security techniques | |
Takahashi et al. | Providing ubiquitous networks securely using host identity protocol (HIP) | |
Stan | Jericho Project | |
Zaba | Cryptographic security in the internet protocol suite: Practice and proposals | |
Badra et al. | Hiding User Credentials during the TLS authentication phase | |
Falk | Snabb och säker roaming i WLAN |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: MICROSOFT CORPORATION, WASHINGTON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FREEMAN, TREVOR W.;MANCHESTER, SCOTT;MAYFIELD, PAUL G.;AND OTHERS;REEL/FRAME:015030/0678;SIGNING DATES FROM 20040804 TO 20040812 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
 | AS | Assignment | Owner name: ROVI CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:033429/0314 Effective date: 20140708 |
 | AS | Assignment | Owner name: ROVI TECHNOLOGIES CORPORATION, CALIFORNIA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME TO READ ROVI TECHNOLOGIES CORPORATION PREVIOUSLY RECORDED ON REEL 033429 FRAME 0314. ASSIGNOR(S) HEREBY CONFIRMS THE CORRECTION TO READ ROVI TECHNOLOGIES CORPORATION;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034503/0252 Effective date: 20141027 |