

Protection at a particular protocol layer

Subclass of:

713 - Electrical computers and digital processing systems: support

713150000 - MULTIPLE COMPUTER COMMUNICATION USING CRYPTOGRAPHY

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class        Description                  Number of patent applications
713152000    Application layer security   46
Entries

Document     Title     Date published
20130031356  SUPPORTING SECURE SESSIONS IN A CLOUD-BASED PROXY SERVICE  01-31-2013
    A proxy server in a cloud-based proxy service receives a secure session request from a client device for a secure session. The secure session request is received at the proxy server as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to the domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.

20110208959  METHOD AND SYSTEM FOR REDUCING PACKET OVERHEAD FOR AN LTE ARCHITECTURE WHILE SECURING TRAFFIC IN AN UNSECURED ENVIRONMENT  08-25-2011
    A first packet is received at a network element from an E-UTRAN Node B (eNB) of an E-UTRAN access network via a secured communications tunnel of a secured connection, where the first packet encapsulates a second packet therein. It is determined whether the network element serves both a security gateway functionality and a serving gateway functionality of a core packet network based on the first packet and the second packet. The network element negotiates with the eNB to switch further communications from a tunnel mode to a transport mode of the secured connection if it is determined that the network element serves both the security gateway functionality and the serving gateway functionality. Thereafter, the network element exchanges further packets with the eNB via the transport mode of the secured connection after the eNB switches from the tunnel mode to the transport mode.

20090193248  Processing Multiple Wireless Communications Security Policies  07-30-2009
    A computer program product for processing wireless data packets allows for processing packets to consolidate security processing. Security processing is performed in accordance with multiple security policies. This processing is done in a single front end processing block. Different security processes can be performed in parallel. Processing overhead is reduced by eliminating the need to redundantly check packet characteristics to assess the different security requirements imposed by security policies. Further, the present invention also substantially reduces the CPU cycles required to transport data back and forth from memory to a cryptographic coprocessor.

20090193247  PROPRIETARY PROTOCOL TUNNELING OVER EAP  07-30-2009
    Methods and apparatus provide tunneling one authentication framework over a more widely accepted framework (e.g., EAP). In this manner, pluralities of strong authentication protocols are wirelessly enabled between a supplicant and server that are not otherwise wirelessly enabled. During use, packets are wirelessly transmitted and received between the supplicant and server according to EAP's prescribed message format, including a wireless access point. In a tunnel, various authentication protocols form the payload component of the message format which yields execution capability of more than one protocol, instead of the typical single protocol authentication. Certain tunneled frameworks include NMAS, LDAP/SASL, Open LDAP/SLAPD, or IPSEC. Computer program products, computing systems and various interaction between the supplicant and server are also disclosed.

20110202755  SYSTEMS AND METHODS FOR SECURING DATA IN MOTION  08-18-2011
    Two approaches are provided for distributing trust among a set of certificate authorities. Both approaches are equally secure. In each approach, a secure data parser is integrated with any suitable encryption technology. Each approach may be used to secure data in motion. One approach provides methods and systems in which the secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach of the present invention provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself.

20120246462  SYSTEM AND METHODS FOR PROVIDING LIVE STREAMING CONTENT USING DIGITAL RIGHTS MANAGEMENT-BASED KEY MANAGEMENT  09-27-2012
    In the present disclosure, a DRM (in this case IPRM) system may be used to deliver media content keys to a player device in a live streaming environment and take advantage of all DRM related functionalities that come with it, such as proximity control, copy protection enforcement and rights verification. A playlist may be used to deliver a key identifier for encrypted live streaming content.

20120210122  PERSONAL ENCRYPTION DEVICE  08-16-2012
    A method and system for securing a handheld computing device is described. A personal encryption device may be physically connected to a handheld computing device. Responsive to the connection, a main screen user interface may be displayed on a display of the handheld computing device. The main screen user interface may include at least one cryptography option for a user of the handheld computing device. A user-defined input representative of selection of a first cryptography option of the at least one cryptography option may be received, and at least one cryptography process associated with the selected first cryptography option may be implemented by the handheld computing device and personal encryption device. The cryptography options may include encryption, decryption, digital signatures, and digital signature verification.

20130042100  METHOD AND APPARATUS FOR FORCED PLAYBACK IN HTTP STREAMING  02-14-2013
    Systems and methods for enforcing playback of a specific portion of the content in an open non-certified media player/renderer are provided. In accordance with such systems and methods, a key is extracted from a content portion for which playback is to be forced. The extracted key allows a client the ability to gain access to additional/remaining content. Moreover, the existence of forced content, the mechanism(s) utilized for forcing playback, as well as a particular position in the timeline associated with the forced playback are signaled to the client on/through which the open non-certified media player/renderer is implemented.

20090125712  NETWORK COMMUNICATIONS SECURITY AGENT  05-14-2009
    One embodiment of an inventive networking environment includes clients called sending clients because they send network content through a network, and clients called receiving clients because they receive the network content from the sending clients through the network. Both sending clients and receiving clients are "clients" in that they rely on a management server to orchestrate the secure transfer of information from sending clients to receiving clients.

20090044006  SYSTEM FOR BLOCKING SPAM MAIL AND METHOD OF THE SAME  02-12-2009
    The present invention generally relates to a system for blocking spam mail and a method of the same, and the system in accordance with the present invention comprises: a mail transceiver receiving the e-mail, temporarily storing the e-mail in a temporary storage for a set time after an authentication mail is transmitted, deleting the e-mail if a sender's response is not received within the set time, and transmitting the temporarily stored e-mail to mail accounts of recipients of a mail server if the sender's response is received within the set time; an authenticator list classifying and storing, according to each recipient, the e-mail address of a sender authenticated through the authentication mail and the e-mail address of any sender registered by the recipients of the e-mail to receive the e-mail without authentication; and an authentication processor retrieving whether the e-mail address of the sender is included in the authenticator list, sending the authentication mail to the e-mail address of the sender if the e-mail address of the sender is not included in the authenticator list, and authenticating the sender according to the sender's access and response to the authentication mail.

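The hold-challenge-deliver flow described in the abstract above, as an added example that is not the patent's own code. The gateway class, the per-recipient authenticator list and the timeline in demo() are all constructed here; time is passed in explicitly so the hold-time expiry can be exercised deterministically.

```python
"""Challenge-response mail gateway modelled on the abstract above (added example, not the
patent's own code). Time is passed in explicitly so the flow is deterministic."""
import secrets
from dataclasses import dataclass


@dataclass
class Pending:
    sender: str
    recipient: str
    message: str
    deadline: float


class ChallengeResponseGateway:
    """Holds mail from unknown senders until they answer an authentication mail."""

    def __init__(self, hold_seconds: float):
        self.hold_seconds = hold_seconds
        # Authenticator list, kept per recipient: senders who passed the challenge
        # plus senders the recipient registered to skip authentication.
        self.authenticated: dict[str, set[str]] = {}
        self.pending: dict[str, Pending] = {}        # token -> held message
        self.challenges: list[tuple[str, str]] = []  # (sender, token) mails sent out
        self.mailboxes: dict[str, list[str]] = {}    # recipient -> delivered messages

    def register_sender(self, recipient: str, sender: str) -> None:
        """Recipient registers a sender so that mail is accepted without a challenge."""
        self.authenticated.setdefault(recipient, set()).add(sender)

    def _deliver(self, recipient: str, message: str) -> None:
        self.mailboxes.setdefault(recipient, []).append(message)

    def receive(self, sender: str, recipient: str, message: str, now: float) -> str:
        """Incoming mail: deliver if the sender is on the list, otherwise hold and challenge."""
        if sender in self.authenticated.get(recipient, set()):
            self._deliver(recipient, message)
            return "delivered"
        # An unguessable token ties the reply to exactly this held message.
        token = secrets.token_urlsafe(16)
        self.pending[token] = Pending(sender, recipient, message, now + self.hold_seconds)
        self.challenges.append((sender, token))
        return "challenged"

    def respond(self, token: str, now: float) -> str:
        """Sender answers the authentication mail by presenting the token."""
        held = self.pending.pop(token, None)
        if held is None:
            return "unknown"   # bogus, reused, or already expired token
        if now > held.deadline:
            return "expired"   # message is dropped, sender stays unauthenticated
        self._deliver(held.recipient, held.message)
        self.authenticated.setdefault(held.recipient, set()).add(held.sender)
        return "delivered"

    def expire(self, now: float) -> int:
        """Drop held messages whose hold time has elapsed; returns how many were deleted."""
        stale = [t for t, p in self.pending.items() if now > p.deadline]
        for t in stale:
            del self.pending[t]
        return len(stale)


def demo() -> dict:
    """Constructed timeline exercising the three paths; returns the observed outcomes."""
    gw = ChallengeResponseGateway(hold_seconds=3600)
    first = gw.receive("alice@example.net", "bob@example.org", "hello", now=0)
    token = gw.challenges[-1][1]
    answered = gw.respond(token, now=600)
    second = gw.receive("alice@example.net", "bob@example.org", "again", now=700)
    ignored = gw.receive("spammer@example.com", "bob@example.org", "buy now", now=800)
    dropped = gw.expire(now=800 + 3600 + 1)
    late = gw.respond(gw.challenges[-1][1], now=800 + 3600 + 2)
    return {"first": first, "answered": answered, "second": second, "ignored": ignored,
            "dropped": dropped, "late": late,
            "bob_inbox": gw.mailboxes["bob@example.org"]}


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats the abstract does not mention: the token must be unguessable and single-use, since anyone who can predict it can release a held message; and because the challenge goes to the envelope sender, forged sender addresses turn the gateway into a source of backscatter, so it should only challenge mail that passed whatever sender-authenticity checks the site already applies.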
20090327696  AUTHENTICATION WITH AN UNTRUSTED ROOT  12-31-2009
    Techniques and systems for authentication with an untrusted root between a client and a server are disclosed. In some aspects, a client may connect to a server. The server and client may initiate a secure connection by exchanging certificates. The server may accept a client certificate having an untrusted root that does not chain up to a root certificate verifiable to the server certificate authority. In further aspects, the server may enable the client to associate an untrusted certificate with an existing account associated with the server. The client certificate may be hardware based or generated in software, and may be issued to the client independent of interactions with the server.

20090313464  MIXED MODE SECURITY FOR MESH NETWORKS  12-17-2009
    Mixed mode security is provided for a mesh network comprising a plurality of open mesh points and at least one secure mesh point that is capable of sending and receiving encrypted traffic. Aspects of the exemplary embodiment include configuring the secure mesh point to forward unencrypted traffic received from one of the plurality of open mesh points; and configuring the secure mesh point to be a source of unencrypted source traffic, and to receive unencrypted traffic that is destined for the secure mesh point to enable routes in the mesh network to terminate at the secure mesh point.

20130061039  METHOD AND SYSTEM FOR SECURING DATA UTILIZING RECONFIGURABLE LOGIC  03-07-2013
    A method, an article of manufacture, and a process are provided for securing data sets by dynamically hopping amongst a variety of data encryption and/or manipulation protocols. Such dynamic protocol hopping can be implemented in reconfigurable logic. The encryption protocol applied to the data set is selected from among a plurality of encryption protocols. Preferably, the selection can be driven by a random number generator.

20130061038  Proxy Apparatus for Certificate Authority Reputation Enforcement in the Middle  03-07-2013
    Network security administrators are enabled with their customizable certificate authority reputation policy store which is informed by an independent certificate authority reputation server. The custom policy store overrides trusted root certificate stores accessible to an operating system web networking layer or to a third party browser. Importing revocation lists or updating browsers or operating systems is made redundant. The apparatus redirects or rewrites traffic to protect a plurality of endpoints from a man-in-the-middle attack when a certificate authority has lost control over certificates used in TLS.

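The policy decision at the core of the abstract above (a reputation store that overrides the platform root store), as an added example that is not the patent's or any product's code. Signature and name checks are assumed to have already been done by the TLS stack; this models only the policy layer. The Cert class, the fingerprint scheme (SHA-256 over a stand-in for the key), the verdict names, the dates and every certificate in demo() are constructed for the example.

```python
"""Certificate-chain policy check modelled on the abstract above (added example, not the
patent's or any product's code). Signature verification is assumed to have been done by
the TLS stack; this models only the reputation policy that overrides the root store."""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes          # constructed stand-in for the certificate's public key
    not_before: date

    def fingerprint(self) -> str:
        return hashlib.sha256(self.spki).hexdigest()


# Reputation verdicts an administrator can attach to a CA's key fingerprint.
TRUSTED = "trusted"                    # accept even if the root is not in the OS store
DISTRUSTED = "distrusted"              # reject everything this CA issued
DISTRUSTED_AFTER = "distrusted_after"  # reject leaves issued after a cutoff date


def evaluate_chain(chain: list[Cert], os_roots: set[str], policy: dict) -> tuple[bool, str]:
    """chain runs leaf -> intermediates -> root.
    policy maps CA fingerprint -> (verdict, cutoff_date or None).
    Returns (accepted, reason)."""
    leaf, cas = chain[0], chain[1:]
    if not cas:
        return False, "no issuing CA in chain"
    # Distrust anywhere in the chain wins, regardless of what the platform store says.
    for ca in cas:
        verdict, cutoff = policy.get(ca.fingerprint(), (None, None))
        if verdict == DISTRUSTED:
            return False, f"CA {ca.subject} is distrusted by policy"
        if verdict == DISTRUSTED_AFTER and leaf.not_before > cutoff:
            return False, f"leaf issued after {cutoff} by distrusted CA {ca.subject}"
    # An explicit trust entry (e.g. an internal CA) also overrides the platform store.
    if any(policy.get(ca.fingerprint(), (None,))[0] == TRUSTED for ca in cas):
        return True, "CA trusted by policy"
    # No policy entry applied: fall back to the platform root store.
    if chain[-1].fingerprint() in os_roots:
        return True, "root in platform store"
    return False, "root not trusted"


def demo() -> dict:
    """Constructed CAs, leaves and dates; returns the accept/reject outcome of each chain."""
    public_root = Cert("Public Root CA", "Public Root CA", b"root-key-1", date(2005, 1, 1))
    mid = Cert("Public Issuing CA", "Public Root CA", b"mid-key-1", date(2008, 1, 1))
    enterprise_root = Cert("Corp Internal CA", "Corp Internal CA", b"corp-key-1", date(2010, 1, 1))
    os_roots = {public_root.fingerprint()}          # only the public root ships with the OS
    cutoff = date(2012, 6, 1)                        # constructed date of the CA's key loss
    policy = {mid.fingerprint(): (DISTRUSTED_AFTER, cutoff),
              enterprise_root.fingerprint(): (TRUSTED, None)}
    old_leaf = Cert("www.example.com", "Public Issuing CA", b"leaf-key-1", date(2012, 1, 1))
    new_leaf = Cert("www.example.com", "Public Issuing CA", b"leaf-key-2", date(2012, 7, 1))
    corp_leaf = Cert("intranet.corp.example", "Corp Internal CA", b"leaf-key-3", date(2013, 1, 1))
    return {
        "old_public": evaluate_chain([old_leaf, mid, public_root], os_roots, policy)[0],
        "new_public": evaluate_chain([new_leaf, mid, public_root], os_roots, policy)[0],
        "enterprise": evaluate_chain([corp_leaf, enterprise_root], os_roots, policy)[0],
        "unknown": evaluate_chain([corp_leaf, enterprise_root], os_roots, {})[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The date-scoped verdict is the interesting one: a CA that lost control of its keys on a known date can keep its older certificates working while everything issued afterwards is rejected, which is finer-grained than removing the root from the OS store. Keying the policy on the CA key fingerprint rather than its name prevents an attacker with a mis-issued certificate from sidestepping the entry by reusing the CA's subject name.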
20090271613  METHOD AND SYSTEM FOR PROVIDING NON-PROXY TLS/SSL SUPPORT IN A CONTENT-BASED LOAD BALANCER  10-29-2009
    Methods and systems for providing non-proxy Secure Sockets Layer and Transport Layer Security (SSL/TLS) support in a content-based load balancer are described. A Transmission Control Protocol (TCP) connection is accepted from a client, and an SSL/TLS connection is established with the client such that random data used in key generation is created. A request is received from the client, and the request is decrypted. The request is processed, a target stack is selected, and the TCP connection, the SSL/TLS connection, and the random data are transferred to the selected target stack such that the client and selected target stack maintain an end-to-end TCP connection with a non-proxy SSL/TLS connection.

20090271612  METHOD, SYSTEM AND DEVICE FOR REALIZING MULTI-PARTY COMMUNICATION SECURITY  10-29-2009
    A method for realizing multi-party communication security includes: performing identification authentication and negotiating to create an initiation session through running the transport layer security protocol or datagram transport layer security protocol by a Group Control and Keying Server and a group member device; distributing a group session and a rekeying session to the group member device through running a group key management sub-protocol on the Group Control and Keying Server and the group member devices; rekeying through running the group key management sub-protocol on the Group Control and Keying Server and the group member devices, when a rekeying event is detected by the Group Control and Keying Server. A relevant multi-party communication security system and a device are further provided in the present invention.

20120117375  SYSTEMS AND METHODS FOR OPTIMIZING SSL HANDSHAKE PROCESSING  05-10-2012
    A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining by the appliance, the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described.

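What the appliance actually checks when the client Finished arrives, as an added example that is not the patent's code: the buffered handshake transcript is hashed once, expanded through the TLS 1.2 PRF (RFC 5246, SHA-256) with the master secret, and the resulting verify_data is compared with the one the client sent. The appliance is assumed to be the TLS endpoint and therefore to hold the master secret; the handshake message bodies and the master secret in demo() are constructed placeholders, not real TLS encodings, which does not matter here because the Finished computation only hashes bytes.

```python
"""TLS 1.2 Finished verification from a buffered handshake transcript, modelled on the
abstract above (added example, not the patent's code). Uses the RFC 5246 PRF with
SHA-256; the handshake bodies used in demo() are constructed placeholders."""
import hashlib
import hmac

VERIFY_DATA_LEN = 12   # RFC 5246: verify_data is 12 bytes unless the cipher suite says otherwise
HT_CLIENT_HELLO, HT_SERVER_HELLO, HT_CERTIFICATE = 1, 2, 11
HT_SERVER_HELLO_DONE, HT_CLIENT_KEY_EXCHANGE, HT_FINISHED = 14, 16, 20


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: HMAC(secret, A(i) + seed) with A(i) = HMAC(secret, A(i-1)), A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def handshake_message(msg_type: int, body: bytes) -> bytes:
    """Handshake framing: 1-byte type, 3-byte length, body. This is what gets hashed."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def verify_data(master_secret: bytes, label: bytes, transcript: list[bytes]) -> bytes:
    """verify_data = PRF(master_secret, label, SHA256(all handshake messages so far))[:12]."""
    transcript_hash = hashlib.sha256(b"".join(transcript)).digest()
    return prf(master_secret, label, transcript_hash, VERIFY_DATA_LEN)


class HandshakeBuffer:
    """Appliance side: store every handshake message instead of hashing incrementally,
    and hash the whole buffer only when the client Finished arrives."""

    def __init__(self, master_secret: bytes):
        self.master_secret = master_secret
        self.messages: list[bytes] = []

    def store(self, msg_type: int, body: bytes) -> None:
        self.messages.append(handshake_message(msg_type, body))

    def check_client_finished(self, received_verify_data: bytes) -> bool:
        expected = verify_data(self.master_secret, b"client finished", self.messages)
        ok = hmac.compare_digest(expected, received_verify_data)   # constant-time compare
        # The client's Finished is itself part of the transcript the server Finished covers.
        self.store(HT_FINISHED, received_verify_data)
        return ok

    def server_finished(self) -> bytes:
        return verify_data(self.master_secret, b"server finished", self.messages)


def demo() -> tuple[bool, bool]:
    """Returns (honest client accepted, client with a tampered transcript rejected)."""
    master_secret = bytes(range(48))                 # constructed; real ones are 48 random bytes
    flow = [(HT_CLIENT_HELLO, b"client-hello"), (HT_SERVER_HELLO, b"server-hello"),
            (HT_CERTIFICATE, b"server-cert"), (HT_SERVER_HELLO_DONE, b""),
            (HT_CLIENT_KEY_EXCHANGE, b"encrypted-premaster")]

    # Honest client: both sides buffered the same bytes, so verify_data matches.
    appliance = HandshakeBuffer(master_secret)
    for t, body in flow:
        appliance.store(t, body)
    honest = verify_data(master_secret, b"client finished",
                         [handshake_message(t, b) for t, b in flow])
    accepted = appliance.check_client_finished(honest)

    # Someone altered ServerHello on the wire: the client's transcript differs from
    # what the appliance buffered, so the Finished it sends no longer verifies.
    tampered_flow = [(t, b"downgraded-hello" if t == HT_SERVER_HELLO else b) for t, b in flow]
    tampered = verify_data(master_secret, b"client finished",
                           [handshake_message(t, b) for t, b in tampered_flow])
    appliance2 = HandshakeBuffer(master_secret)
    for t, body in flow:
        appliance2.store(t, body)
    rejected = not appliance2.check_client_finished(tampered)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The buffering strategy the abstract describes is only as sound as the buffer: every handshake message, in order, must be stored byte-for-byte before the Finished check, and the comparison must be constant-time, which is why hmac.compare_digest is used rather than ==.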
20090265542  Home Node B System Architecture  10-22-2009
    Some embodiments provide methods and systems for integrating a first communication system with a core network of a second communication system that has a licensed wireless radio access network. The first communication system includes one or more user hosted access points that operate using short range licensed wireless frequencies in order to establish service regions of the first communication system and a network controller for communicatively coupling the service regions to the core network. The first communication system includes a Home Node-B (HNB) system where the access points are Home Node-Bs and the network controller is a HNB Gateway (HNB-GW). Some embodiments define multi-layered protocol stacks for implementing management functionality and control plane functionality for the access points and the network controller. The HNB is connected to the HNB-GW via the Iuh interface. The Iuh management functionality is provided via a HNBAP protocol layer and control plane functionality, such as relay of RANAP, is provided via a RUA protocol layer.

20120272054  Method and system for protecting security of the third layer mobility user plane data in NGN  10-25-2012
    The disclosure discloses a method for protecting security of layer-3 mobility user plane data in Next Generation Network (NGN), which includes: performing authentication by a terminal with an authentication server; after the authentication is passed, obtaining a shared key material by both the terminal and the authentication server; generating, by the terminal and the authentication server, a mobility data security key according to the shared key material; transmitting, by the authentication server, the generated mobility data security key to a mobility data transmission module; protecting security of the layer-3 mobility user plane data, by the terminal and the mobility data transmission module, by using the mobility data security key. The disclosure also discloses a system for protecting security of layer-3 mobility user plane data in NGN. By using the method and the system provided by the disclosure, the protection for security of user plane data between the NGN user and the NGN network side is realized, and the security of user plane data of the terminal in layer-3 mobility session is enhanced.

20090006840  Using an identity-based communication layer for computing device communication  01-01-2009
    A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. The identity-based communications layer is situated between a network layer and an application layer and transmits a message between two devices identified by a global address. The global address specifies a protocol, a network, and an address meaningful for the combination of the protocol and the network.

20130166903  Communication of Information between a Plurality of Network Elements  06-27-2013
    A communications protocol interface may be configured as being divisible into a core portion and an extensible portion. The extensible portion of the communications protocol interface may be further configured so that each network element can communicate a unique and optimally small subset of actual interoperable data that corresponds to at least a portion of a larger defined data set. A software generator program may be configured to generate a set of extensible source code that operates upon the subset of actual data and that directs the execution of the extensible portion of the communications protocol interface for a particular network element.

20130166904  MULTIMEDIA PRIVACY ENHANCER  06-27-2013
    The disclosure relates to a method and a system for protecting private multimedia content which comprises a central server in communication with a client application, characterized in that a user uploads a private multimedia content to the central server and a reference file is generated including a pointer to the private multimedia content and associated access requirements. The reference file is uploaded to multimedia servers and other users of the network download it through a web browser. The client application extracts the pointer from the reference file and sends a request to the central server, where it is checked whether the request fulfils the access requirements associated with the private multimedia content requested.

20110035580  MEDIA ACCESS CONTROL SECURITY MANAGEMENT IN PHYSICAL LAYER  02-10-2011
    A media access control (MAC) security (MACsec) function block may implement MACsec protocols on a network. A physical layer device (PHY) may connect to the MACsec function block and an interface register configured to store command information for the MACsec function block. A central processing unit (CPU) may provide the command information for the MACsec function block to the PHY via a management data input/output (MDIO) bus. The PHY may execute either a read command or a write command against the MACsec function block based on the command information, receive, from the MACsec function block, a response corresponding to the execution of the read command or write command against the MACsec function block, and provide the response to the CPU via the MDIO bus.

20110283101  System to Enable Detecting Attacks Within Encrypted Traffic  11-17-2011
    A system and method for detecting network attacks within encrypted network traffic received by a protected network includes a decryption module and an adaptor module. This system and method can be inserted and used with multiple types of operating systems.

20100268933  METHOD FOR NETWORK TRAFFIC MIRRORING WITH DATA PRIVACY  10-21-2010
    Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point.

20110289311  METHOD OF PERFORMANCE-AWARE SECURITY OF UNICAST COMMUNICATION IN HYBRID SATELLITE NETWORKS  11-24-2011
    A method and apparatus utilizes Layered IPSEC (LES) protocol as an alternative to IPSEC for network-layer security including a modification to the Internet Key Exchange protocol. For application-level security of web browsing with acceptable end-to-end delay, the Dual-mode SSL protocol (DSSL) is used instead of SSL. The LES and DSSL protocols achieve desired end-to-end communication security while allowing the TCP and HTTP proxy servers to function correctly.

20090287920  METHOD FOR ESTABLISHING BI-DIRECTIONAL MESSAGING COMMUNICATIONS WITH WIRELESS DEVICES AND WITH REMOTE LOCATIONS OVER A NETWORK  11-19-2009
    A method, server, device and computer readable medium for establishing a bi-directional communication session between a first device and a server is provided. During the method, a first transport layer connection between the first device and the server is established. The first device is then authenticated with the server over the first transport layer connection. In the event that authenticating the first device is successful, the server and the first device establish a persistent, bi-directional communication session over the first transport layer connection.

20120110320  Automatic Secure Client Access  05-03-2012
    Providing secure network access in a networked client device. A client device is provided with a secure connection adapter. In operation, the secure connection adapter detects the network environment of the client device and determines whether the network environment is trusted or untrusted. If the client device is operating in an untrusted network environment, the secure connection adapter establishes a secure connection to an enterprise host using a secure tunnel such as IPSec, SSL, or other secure connection. Programs executing on the client device now operate in the secure network environment, with all network activity routed through the secure connection to the enterprise. Optionally, a split tunnel mechanism may be used to direct some network traffic directly to the Internet from the client device.

20100088504  System and Method for Implementing an Enhanced Transport Layer Security Protocol  04-08-2010
    A system and method for implementing an enhanced transport layer security (ETLS) protocol is provided. The system includes a primary server, an ETLS servlet and an ETLS software module. The primary server operates on a computer network and is configured to communicate over the computer network using a non-proprietary security protocol. The ETLS servlet also operates on the computer network and is securely coupled to the primary server. The ETLS servlet is configured to communicate over the computer network using an ETLS security protocol. The ETLS software module operates on a mobile device, and is configured to communicate over the computer network using either the non-proprietary security protocol or the ETLS security protocol. Operationally, the ETLS software module initially contacts the server over the computer network using the non-proprietary security protocol, and subsequently contacts the server through the ETLS servlet using the ETLS security protocol.

20090094452  Efficient Certified Email Protocol  04-09-2009
    An exemplary optimistic protocol for a two-party transaction includes a setup sub-protocol that includes an authorized Diffie-Hellman key agreement, an exchange sub-protocol that includes sending a certificate from a sending party to a receiving party and sending a receipt from the receiving party to the sending party, and a dispute sub-protocol that includes a dispute resolution mechanism for resolving disputes between the sending party and the receiving party due to sending of an invalid certificate, due to sending an invalid receipt, or due to abortion of the exchange sub-protocol. Other exemplary methods, systems, etc., are also disclosed.

20110173439  Stateless Cryptographic Protocol-based Hardware Acceleration  07-14-2011
    According to one embodiment of the invention, a method comprises an operation of commencing a first phase and passing control of an authentication handshaking protocol. The first phase is commenced for establishing a secure communication path by a data path processor within a first network device. The first phase comprises an exchange of data during an authentication handshaking protocol. The passing of control for the authentication handshaking protocol by the data path processor to a control path processor is conducted to complete the authentication handshaking protocol.

20100125729  SYSTEM AND METHOD OF PERFORMING ELECTRONIC TRANSACTIONS  05-20-2010
    A system and method of performing electronic transactions between a server computer and a client computer. The method implements a communication protocol with encrypted data transmission and mutual authentication between a server and a hardware device via a network, performs a decryption of encrypted server responses, forwards the decrypted server responses from the hardware device to the client computer, displays the decrypted server responses on a client display, receives requests to be sent from the client computer to the server, parses the client requests for predefined transaction information by the hardware device, encrypts and forwards client requests, displays the predefined transaction information upon detection, forwards and encrypts the client request containing the predefined transaction information to the server if a user confirmation is received, and cancels the transaction if no user confirmation is received.

20100281250  AUTHENTICATION AND ENCRYPTION METHOD AND APPARATUS FOR A WIRELESS LOCAL ACCESS NETWORK  11-04-2010
    This invention pertains to the field of Wireless Local Area Network (WLAN). This invention allows a secure connection of a user client station to a base unit. The secure connection comprises the use of authentication and encryption means. The base unit comprises a switching unit, at least one firewall, an authentication/encryption unit and at least one port device. The invention also provides a secure roaming scheme when a roaming is performed by a wireless user.

20080215877  Offload Processing for Secure Data Transfer  09-04-2008
    Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or "SSL", or Transport Layer Security, or "TLS") is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques. Offload components can be controlled from the kernel, an SSL layer or an application.

20100005288  SYSTEMS AND METHODS FOR ADJUSTING THE MAXIMUM TRANSMISSION UNIT BY AN INTERMEDIARY DEVICE  01-07-2010
    The present invention is generally directed towards a remote access architecture for providing peer-to-peer communications and remote access connectivity. In one embodiment, the remote access architecture of the present invention provides a method for establishing a direct connection between peer computing devices via a third computing device, such as a gateway. Additionally, the present invention provides the following techniques to optimize peer-to-peer communications: 1) false acknowledgement of receipt of network packets allowing communications via a lossless protocol of packets constructed for transmission via a lossy protocol, 2) payload shifting of network packets allowing communications via a lossless protocol of packets constructed for transmission via a lossy protocol, 3) reduction of packet fragmentation by adjusting the maximum transmission unit (MTU) parameter, accounting for overhead due to encryption, 4) application-aware prioritization of client-side network communications, and 5) network disruption shielding for reliable and persistent network connectivity and access.

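Technique 3 in the abstract above, an MTU adjusted for encryption overhead, as an added example that is not the patent's own code. The abstract does not say which encryption the gateway uses, so IPsec ESP in tunnel mode over IPv4 with AES-CBC and a 96-bit ICV (RFC 4303 framing) is assumed as the overhead model; the constants below would change for TLS or another tunnel. The example goes slightly beyond the abstract by showing why the answer is not simply "link MTU minus a fixed number": CBC padding makes the overhead depend on the inner packet length.

```python
"""Overhead-aware MTU computation (added example, not the patent's own code).
Assumes IPsec ESP, tunnel mode over IPv4, AES-CBC, 96-bit ICV; other tunnels
need different constants."""

OUTER_IPV4 = 20   # new outer IP header added in tunnel mode
ESP_HEADER = 8    # SPI + sequence number
AES_BLOCK = 16    # CBC IV length, and the alignment the padding must reach
ESP_TRAILER = 2   # pad-length byte + next-header byte, included in the alignment


def esp_padding(inner_len: int) -> int:
    """Padding bytes needed so that inner + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % AES_BLOCK


def encrypted_size(inner_len: int, icv_len: int = 12) -> int:
    """Size on the wire of an inner packet of inner_len bytes after ESP encapsulation."""
    return (OUTER_IPV4 + ESP_HEADER + AES_BLOCK + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + icv_len)


def would_fragment(inner_len: int, link_mtu: int, icv_len: int = 12) -> bool:
    """True if encapsulating a packet of inner_len bytes exceeds the link MTU."""
    return encrypted_size(inner_len, icv_len) > link_mtu


def max_inner_mtu(link_mtu: int, icv_len: int = 12) -> int:
    """Largest inner packet whose encrypted form still fits the link MTU.

    The fixed overhead is subtracted first; what remains must hold inner + padding + trailer,
    which is always a block multiple, so round the remaining room (plus the trailer, which
    is part of the aligned region) down to a block boundary and give the trailer back."""
    fixed = OUTER_IPV4 + ESP_HEADER + AES_BLOCK + ESP_TRAILER + icv_len
    room = link_mtu - fixed
    if room < 0:
        raise ValueError(f"link MTU {link_mtu} cannot carry any ESP packet")
    aligned = ((room + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return aligned - ESP_TRAILER


if __name__ == "__main__":
    for mtu in (1500, 1492, 1280):
        inner = max_inner_mtu(mtu)
        print(f"link MTU {mtu}: inner MTU {inner}, encrypted size {encrypted_size(inner)}")
```

For a 1500-byte link this gives an inner MTU of 1438 rather than the 1442 a naive "subtract the fixed headers" calculation produces, because 1439 through 1442 would each need up to 15 bytes of CBC padding and push the encrypted packet past 1500. An intermediary device applying this would typically also clamp the TCP MSS on the inner flows to inner MTU minus 40 so that endpoints never emit segments that need fragmenting.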
20100138648  INFORMATION PROCESSING APPARATUS  06-03-2010
    To efficiently perform encryption/decryption and message authentication processing for a plurality of messages in parallel, an information processing apparatus includes a plurality of encryption/decryption and message authentication units which can perform encryption/decryption processing and message authentication processing by switching between them in a predetermined block unit, and are configured to be operable in parallel, and a data transfer control unit which distributes processing target data associated with an encryption/decryption and message authentication processing request to the plurality of encryption/decryption and message authentication units. The data transfer control unit distributes the processing target data so that each of the plurality of encryption/decryption and message authentication units alternately performs the encryption/decryption processing and the message authentication processing in the predetermined block unit for each processing request included in a plurality of processing requests.

20090265543  Home Node B System Architecture with Support for RANAP User Adaptation Protocol  10-22-2009
    Some embodiments are implemented in a communication system that includes a first communication system comprised of a licensed wireless radio access network and a core network, and a second communication system comprising a plurality of user hosted access points and a network controller. In some embodiments, each access point operates using short range licensed wireless frequencies to establish a service region. In some embodiments, the network controller communicatively couples the core network to the plurality of access points. The method uses three sets of protocol layers: a security layer, a transport layer, and a layer for transferring Radio Access Network Application Part (RANAP) messages, to communicate between the network controller and one of the access points. The method also uses the Iuh interface for the transport of messages across the three sets of protocol layers.

20090265541ADDRESSING AND ROUTING MECHANISM FOR WEB SERVER CLUSTERS - A method of establishing a Host Identity Protocol session between first and second Host Identity Protocol enabled hosts, where at least said second host is located behind a reverse-proxy. The method comprises providing the reverse-proxy with Diffie-Hellman public keying material of the second host, sending said Diffie-Hellman public keying material from the reverse-proxy to the first host as part of the Host Identity Protocol base exchange procedure, this material being bound to the Host Identity of the reverse-proxy for the purpose of the Host Identity Protocol session, and, at the first host, using the Host Identity of the reverse-proxy as the correspondent Host Identity for the Host Identity Protocol session, and, at the second host, using the Host Identity of the reverse-proxy as the originating Host Identity for the Host Identity Protocol session.10-22-2009
20080288772SYSTEM FOR STORING ENCRYPTED DATA BY SUB-ADDRESS - A system and method for storing encrypted electronic data using the Transmission Control Protocol (TCP) requires leaving both the header and the first 48 bytes of the “0” data packet in the data area of the TCP format in clear text. Consequently, the data can be routed to a main address (storage facility), and then to a sub-address (storage device) for storage. A single compression/encryption operation can be accomplished, before storage, at the host (server), the network switch, or the final storage device.11-20-2008
20100138649TRANSMISSION OF PACKET DATA OVER A NETWORK WITH SECURITY PROTOCOL - A method, device, system and computer program for providing a transport distribution scheme for a security protocol are disclosed. A first packet data connection is established to a remote node for transmitting packet data over a network with a security protocol. An authentication procedure is performed with the remote node via the first packet data connection for establishing a security protocol session with the remote node. At least one security parameter is negotiated with the remote node for transmitting packets through the first packet data connection. A second packet data connection is established to the remote node, and at least one security parameter is negotiated with the remote node for use with the second packet data connection. The first and second packet data connections are handled as packet data subconnections associated with the security protocol session.06-03-2010
20110145563SECURED FILE-BASED APPLICATION PROGRAMMING INTERFACE - Data communication security systems and methods are disclosed. One such system includes a network interface configured for transport layer protocol communications at a communication port. The network interface includes a security module communicatively connected to a transport layer data path. The system further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data encryption managed by the security module and accessible for use in logical I/O operations.06-16-2011
20090063849DEVICE CERTIFICATE BASED APPLIANCE CONFIGURATION - Embodiments of the present invention address deficiencies of the art in respect to configuring a computing appliance and provide a method, system and computer program product for device certificate based virtual appliance configuration. In one embodiment of the invention, a virtual appliance secure configuration method can be provided. The method can include mounting non-volatile storage to the virtual appliance, retrieving a device certificate from the mounted storage and extracting a signature from the device certificate, activating the virtual appliance in a network domain and acquiring an adapter address and unique identifier for the virtual appliance, and authenticating the signature with the adapter address and unique identifier to ensure a unique active instance of the virtual appliance.03-05-2009
20090100259MANAGEMENT NETWORK SECURITY FRAMEWORK AND ITS INFORMATION PROCESSING METHOD - A management network security framework and its information processing method are disclosed. The management network security framework under the present disclosure includes a management station and a managed device. The method under the present disclosure includes: a secure transfer channel is established between the management station and the managed device; the managed device authenticates the management station; and information is exchanged between the management station and the managed device through the secure transfer channel. The embodiment of the present disclosure combines the AAA system, the upper-layer management protocol and the lower-layer security protocol organically.04-16-2009
20080263352Authentication system and method - A security protocol for use by computing devices communicating over an unsecured network is described. The security protocol makes use of secure data provided to a peripheral memory device from a server via a secure connection. When the peripheral memory device is coupled to a computing device that attempts to establish a secure connection to the server, the secure data is used to verify that the server is authentic. Similarly, the secure data assists the server in verifying that the request to access the server is not being made by a malicious third party.10-23-2008
20110231650USE AND GENERATION OF A SESSION KEY IN A SECURE SOCKET LAYER CONNECTION - The invention describes a method and system for verifying the link between a public key and a server's identity without relying on the trustworthiness of the root certificate of the server's certificate chain. The system establishes a secure socket layer type connection between a client and a server. The client and the server create an identical authentication key using a shared secret known to the server and the client. Next, the server transmits a first encrypted message to the client, wherein the first encrypted message includes the server's public key encrypted with the authentication key. Then, the client decrypts the first encrypted message and verifies the correctness of that message including comparing the public key included in the decrypted first encrypted message to the public key transmitted during the set-up of the secure socket layer type connection to authenticate the client.09-22-2011
20110231649AGGRESSIVE REHANDSHAKES ON UNKNOWN SESSION IDENTIFIERS FOR SPLIT SSL - A traffic management device (TMD), system, and processor-readable storage medium are directed to monitoring an encrypted session between a client and a server, determining that the session identifier is unknown, and requesting a renegotiation of the session to acquire a session identifier for the renegotiated session. Determination that the session identifier is unknown may be based on interception and analysis of handshake messages sent by the client and/or the server. Following such determination, a renegotiation of the encrypted session may be triggered by sending a renegotiation request to the client, and a session identifier for the renegotiated session may be determined based on information extracted from subsequent handshake messages exchanged between the client and server during the renegotiation. Determination of the session identifier may enable decryption, encryption and modification of subsequent communications traffic, for example insertion of third party content into traffic sent to the client.09-22-2011
20090254745EFFICIENT SECURITY FOR MASHUPS - The present invention provides a method that facilitates secure cross domain mashups in an efficient fashion. The invention allows a first entity, the Masher, to establish at a second entity, the User, a secure mashup by obtaining information from, or taking actions at, a third entity, the Mashee, by using a novel twist to the SSL protocol. The invention is further extended to secure a hub and widget architecture, which allows one Masher to establish at a User, communication with several Mashees. Mutual authentication of all entities, key distribution for authentication, privacy and code verification and dynamic authorization based on the certificate information are provided by the invention.10-08-2009
20100161958Device for Realizing Security Function in Mac of Portable Internet System and Authentication Method Using the Device - The present invention relates to a device for performing a security function in a medium access control (MAC) layer in a wireless portable Internet system and an authentication method thereof. In the wireless portable Internet system including a physical layer and the MAC layer, a security sublayer (i.e., the device for performing the security function in the MAC layer) is provided on a MAC common part sublayer. The security sublayer includes a privacy key management (PKM) control management module, a traffic data encryption/authentication module, a control message processing module, a message authentication module, a Rivest Shamir Adleman (RSA)-based authentication module, an authentication control/security association (SA) control module, and an extensible authentication protocol (EAP) encapsulation/decapsulation module.06-24-2010
20080307218System and method for using an out-of-band device to program security keys - A provisioning device is provided that communicates over a trusted out-of-band communications channel to digital electronic devices in order to exchange security data such as passwords and private or public keys, thereby establishing a secure communications network between the devices.12-11-2008
20130219166HARDWARE BASED IDENTITY MANAGER - A method for providing authentication credentials to a server over a communications network includes initiating communication with a server over a communications network. The communication is to be established using a secure connection. A message is received from the server over the communications network as well as a request for a digital certificate associated with a first user account accessible to the server. An encrypted private key is decrypted in a secure hardware module to obtain a decrypted private key. The decrypted private key is associated with the first user account. The message received from the server is passed to the secure hardware module. The message is digitally signed in the secure hardware module using the decrypted private key. The digital certificate and the digitally signed message are sent to the server over the communication network.08-22-2013
20100191956METHOD AND APPARATUS OF COMMUNICATING SECURITY/ENCRYPTION INFORMATION TO A PHYSICAL LAYER TRANSCEIVER - An apparatus for providing link layer security in a Physical Layer Transceiver (PHY) is disclosed. In one embodiment, the apparatus may comprise analog circuitry configured to interface with a data transmission medium, digital circuitry configured to interface with a Media Access Controller (MAC), and a crypto engine coupled to the digital circuitry. Single interface and multiple interface schemes are provided to control both PHY and crypto functions. Embodiments are disclosed where the PHY controls the crypto device, and where the crypto device controls the PHY.07-29-2010
20100153702TLS KEY AND CGI SESSION ID PAIRING - The prevention of impersonation attacks based on hijacked common gateway interface (CGI) session IDs is disclosed. In accordance with one embodiment, a secured communication channel is formed between a server and a client using an initial transport layer security (TLS) key. Additionally, an authenticated CGI session is formed over the secured communication channel based on an initial CGI session identifier (ID). Further, the initial CGI session ID and the initial TLS key are combined into a pair. Next, incoming data that includes an incoming CGI session ID is received via a secured communication channel. An incoming TLS key of the secured communication channel that carries the incoming CGI session ID is then retrieved. Based on the retrieved incoming TLS key, the incoming data is permitted to execute on the server when the incoming TLS key matches the initial TLS key of the pair.06-17-2010
20100153701Layer two encryption for data center interconnectivity - Systems, methods, and other embodiments associated with layer two (L06-17-2010
20100235619IMAGE PROCESSING APPARATUS, COMMUNICATION SYSTEM, CONTROL METHOD THEREOF, AND STORAGE MEDIUM - An apparatus connected to a network via a network interface device and capable of executing encrypted communication with an external device on the network requests that a first algorithm to be used in the encrypted communication with the external device is changed to a second algorithm included in the network interface device when the apparatus detects that a condition for shifting to a power saving mode, in which power consumption is smaller than that in a normal power mode, is satisfied while the apparatus is operated in the normal power mode.09-16-2010
20100228964Ethernet PHY Level Security - A system and method are provided for securing links at the physical (PHY) layer in an IEEE 802.3 Ethernet communication system. A local device (LD) receives an electrical waveform representing link partner security information from a network-connected link partner (LP) via unformatted message pages. The LD accesses predetermined LP reference information stored in a tangible memory medium. The LD compares the received LP security information to the LP reference information. In response to the LD matching the received LP security information to the LP reference information, a secure link to the LP is verified. Likewise, the LD may send electrical waveforms representing security information to the LP via the unformatted message pages. In response to the LP matching the LD security information to the LD reference information, a secure link to the LD is verified.09-09-2010
20100241846SYSTEM AND METHOD FOR ESTABLISHING A VIRTUAL PRIVATE NETWORK - A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network.09-23-2010
20100235620Method and Arrangement for Deciding a Security Setting - The present invention relates to a method and arrangements in a mobile telecommunications network including a plurality of access points (09-16-2010
20100161959METHOD AND APPARATUS FOR EXTENDING TRANSPORT LAYER SECURITY PROTOCOL FOR POWER-EFFICIENT WIRELESS SECURITY PROCESSING - Embodiments of the invention relate to apparatus, system and method for security extensions to the IETF Transport Layer Security (TLS) and IPsec standards that enable wireless devices to perform power-efficient and streamlined security packet processing. Embodiments of the invention enable a processor to use its existing cryptographic processing engines (e.g., AES-CCM) to perform TLS and IPsec security processing. Packets processed for WLAN and TLS security are processed in a pipelined fashion, eliminating the multi-loop processing that currently exists and decreasing the power consumed to process each packet. In addition, the host/chipset complex is woken up only after all security processing has been done in the WNIC.06-24-2010
20100049965METHOD AND APPARATUS FOR PROTECTING PERSONAL INFORMATION IN A HOME NETWORK - A method for protecting personal information in a home network is provided, in which a controlled device receives a subscribe request for a service of the controlled device, from a control point, and accepts the subscribe request. The controlled device receives information about the control point from the control point, and performs event delivery to the control point according to a policy that is set based on the information about the control point, when an event occurs in the controlled device.02-25-2010
20090327695SYSTEMS AND METHODS FOR APPLYING ENCRYPTION TO NETWORK TRAFFIC ON THE BASIS OF POLICY - An information handling system including a receiver for inbound data destined for delivery to a network node, an encryption recognition engine operable to identify whether the inbound data received by the receiver is encrypted and an encryption policy application engine operable to apply encryption policy to the inbound data on the basis of encryption properties identified by the encryption recognition engine in the inbound data. The system may further include an encryption engine operable to selectively encrypt the inbound data on the basis of the encryption policy as applied by the encryption policy application engine and a packet delivery engine operable to deliver the inbound data to its destination.12-31-2009
20090327697NETWORK SECURITY PROCESSING METHOD AND SYSTEM FOR SELECTING ONE OF SOFTWARE AND HARDWARE CRYPTOGRAPHIC MODULES BY MEANS OF MULTIMEDIA SESSION INFORMATION - In a network security processing method and system for selecting one of software and hardware cryptographic modules by means of multimedia session information, the method includes the following steps: subjecting a plurality of packets of a multimedia session to signaling processing so as to obtain multimedia session information contained in the multimedia session, subjecting the multimedia session to a key authentication negotiation and according to the multimedia session information, making a determination to activate one of the software cryptographic module and the hardware cryptographic module. If the hardware cryptographic module is activated, the hardware cryptographic module performs network security processing of the packets of the multimedia session. If the software cryptographic module is activated, the software cryptographic module performs the network security processing of the packets of the multimedia session.12-31-2009
20090319771CONTEXT AWARE SECURITY - Layered semantic security provides a high degree of security for a mobile device based upon contextual awareness that dynamically changes based upon interaction between a user and a near communication device, which in turn interacts with a network, which ultimately interacts with a far communication device. Generating a shared secret key with a master secret and this changing contextual information based on context awareness provides immunity to chosen plain text attacks by providing semantic security at each layer. Thereby, relying upon the overall robustness of the layering of semantic security, processing and power resources consumed can be advantageously adjusted dynamically to enhance concurrent use and service life of a mobile communication device.12-24-2009
20090113201SCALEABLE ARCHITECTURE TO SUPPORT HIGH ASSURANCE INTERNET PROTOCOL ENCRYPTION (HAIPE) - A scalable internet protocol (IP) encryption system includes a cryptographic unit that processes sensitive data for packet encryption/decryption and data authentication. A first processing unit with an optional IP Layer hardware accelerator includes a data processing subsystem that processes sensitive data and forwards the data to the cryptographic unit for encryption and data authentication. A management subsystem is operative with the cryptographic unit for configuring IP networking functions and distributing network configuration information to the data processing subsystem through the cryptographic unit. Data processing is separated from management and control functions at the data processing and management subsystems. A second processing unit with an optional IP Layer hardware accelerator receives the encrypted data from the cryptographic unit and processes the encrypted data for IP packet routing, fragmentation and reassembly and receives network configuration information from the management subsystem via the cryptographic unit.04-30-2009
20090113203Network System - An encryption communication module on the side of a service providing server reports a global IP address allocated to an NAPT router on the service providing server side and a port number of an outside UDP header used on the global side to an authentication/key exchange server. When receiving an encryption packet from an encryption communication module on the user terminal side, the encryption communication module on the service providing server side overwrites the source/destination IP address of the inside IP header with the source/destination IP address of the outside IP header. The encryption communication module further changes the source port number of the inside TCP/UDP header to a unique value for each communication session in the encryption communication having the same source IP address in the outside IP header. The inverse header change is made when the packet is transmitted to the encryption communication module of the user terminal side.04-30-2009
20100306525EFFICIENT DISTRIBUTION OF COMPUTATION IN KEY AGREEMENT - In Transport Layer Security (TLS) or other communication protocols, the load on the server may be lowered by reducing the number of expensive decryption operations that the server has to perform. When a client contacts a server, the client sends the server the client's public key. The server chooses a secret value, encrypts the value with the client's public key, and sends the encrypted value to the client. When the client decrypts the secret, the server and client share a secret value, which may be used to derive an encryption key for further messages. In many key agreement schemes, the client chooses and encrypts the secret value, and the server recovers the value with an expensive decryption operation. By instead having the server choose the value and send it to the client, an expensive decryption operation is redistributed from the server to the client, thereby freeing server resources.12-02-2010
20100325419SYSTEMS AND METHODS FOR ENCODING THE CORE IDENTIFIER IN THE SESSION IDENTIFIER - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session.12-23-2010
20100325420SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session.12-23-2010
20100332822WIRELESS MULTIBAND SECURITY - A network device includes a first physical layer (PHY) module, a second physical layer (PHY) module, and a security module. The first PHY module is configured to operate in a first frequency band. The second PHY module is configured to operate in a second frequency band. The security module is configured to establish security for the first frequency band responsive to the network device operating in the first frequency band. The security module is further configured to establish security for the second frequency band prior to the network device switching operation from the first frequency band to the second frequency band.12-30-2010
20090132806Method for agreeing between at least one first and one second communication subscriber to security key for securing communication link - The use of suitable measures in a method for agreeing on a security key between at least one first and one second communication station to secure a communication link is improved so that the security level for the communication is increased and the improved method can be combined with already available methods. A first parameter is determined from an authentication and key derivation protocol. In addition, an additional parameter is sent securely from the second to the first communications station. A security key is then determined from the first parameter and the additional parameter.05-21-2009
20100131751SUPPORT OF PHYSICAL LAYER SECURITY IN WIRELESS LOCAL AREA NETWORKS - A method and an apparatus for performing physical layer security operation are disclosed. A physical layer performs measurements continuously, and reports the measurements to a medium access control (MAC) layer. The MAC layer processes the measurements, and sends a security alert to a security manager upon detection of an abnormal condition based on the measurements. The security manager implements a counter-measure upon receipt of the security alert. The measurements include channel impulse response (CIR), physical medium power measurement, automatic gain control (AGC) value and status, automatic frequency control (AFC) gain and status, analog-to-digital converter (ADC) gain, Doppler spread estimate, and/or short preamble matched filter output. The security manager may switch a channel, switch a channel hopping policy, change a back-off protocol, or change a beamforming vector upon reception of the security alert.05-27-2010
20100131750METHOD TO CONSTRUCT A HIGH-ASSURANCE IPSEC GATEWAY USING AN UNMODIFIED COMMERCIAL IMPLEMENTATION - A system and method of providing secure communications is provided. Messages are encrypted or decrypted in protected memory of a processor. Outbound messages from a secure network are prepared for encryption by adding a header outside of the protected memory and then encrypted in the protected memory. The encryption is performed by retrieving a key from a key cache as designated by rules in the header. The encrypted message is sent to the unsecure network. An inbound message from an unsecure network that is received in unprotected memory is sent to a decryption module in protected memory. The inbound message is decrypted using a key designated in its header and retrieved from the key cache. The decrypted message is returned to the unprotected memory, where it is stripped of the encryption header and then sent to its destination within the secure network.05-27-2010
20110087878ENABLING QoS FOR MACsec PROTECTED FRAMES - Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry.04-14-2011
20090210696Method of bootstrapping an authenticated data session configuration - An inventive method is disclosed for bootstrapping a trusted client public key at the server side in a client-server model of e-commerce or distributed computer applications. Generally, the invention integrates security technique elements and user procedural elements in such a way that no vulnerability arises due to the decoupling of elements. It is thus aimed at high security application areas. The readily available support of X.509 client security certificates in web browsers is advantageous for easy deployment at the client side. However, serious usability flaws deter the use of client certificates despite their potential for high security client authentication. The invention circumvents this contradiction at the client registration phase, and extends the benefits of simplified reliance on client public-private key pair to production use of the circumvention. Many variations of the inventive idea are disclosed, including the use of a dummy client security certificate that addresses the interoperability pitfalls of the X.509 technology while the trust in the client public key rests on other elements of the inventive method.08-20-2009
20090217029KERBEROS TICKET VIRTUALIZATION FOR NETWORK LOAD BALANCERS - An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs, where each pair includes a name associated with a member of a group and an encrypted dynamic group key for decryption by a key possessed by the member of the group, where decryption of an encrypted dynamic group key allows for decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.08-27-2009
20110252227METHODS AND SYSTEMS TO BIND A DEVICE TO A COMPUTER SYSTEM - Methods and systems to bind a computer device to one or more computer systems, such that only an authorized computer system may access a protected portion of the device. A processor within the computer system may provide a proxy environment to interface between the device and a trusted environment of the computer system, such as a management environment that is secure from the proxy environment. The device may be configured to authenticate the trusted environment through the proxy environment, and to verify integrity of messages exchanged with the trusted environment through the proxy environment. Authentication may include an SSL and/or TLS handshake protocol. The device may be configured to authenticate a certificate, such as an X.509 certificate, a certificate chain, and/or a hash thereof. The device may include computer memory, a printer, display, circuit board, keyboard, mouse, pointing device, and/or other physical device.10-13-2011
20110154017SYSTEMS AND METHODS FOR EVALUATING AND PRIORITIZING RESPONSES FROM MULTIPLE OCSP RESPONDERS - The present invention is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator.06-23-2011
20110016307Authorization, authentication and accounting protocols in multicast content distribution networks - An end user computer is assigned a multicast content distribution group by a network service intelligence platform. The network service intelligence platform authenticates a token sent by the user and signed by a third-party content controller, and provides the user with credentials for joining the group. The credentials include an authorization key as well as identifiers of the user and the requested content. The credentials are encrypted and authenticated by the third-party content controller. The user includes the encrypted and authenticated credentials in a join request sent to a network resource, such as an edge router. After verifying the credentials, the network resource adds the end user computer to the multicast group.01-20-2011
20130166905METHODS AND ARRANGEMENTS FOR SECURE COMMUNICATION OVER AN IP NETWORK - The embodiments of the present invention relate to a method in a transmitting node, a method in a receiving node, and a transmitting node and a receiving node in an IP network employing IP security (IPsec). The receiving node comprises a Receiving Unit, a Processing Unit and a Transmitting Unit. When an IP packet is received, the Processing Unit is adapted to derive the Security Association and the Traffic Class associated with the IP packet. The Processing Unit is also adapted to maintain one anti-replay window for each Traffic Class within the Security Association, and to determine whether the sequence number of the IP packet is within the anti-replay window of that Traffic Class and is not a duplicate of an earlier received packet. If the sequence number is not within the anti-replay window or is a duplicate of an earlier received packet, the packet is dropped.06-27-2013
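The receiver-side logic of the abstract above, as an added example (not the application's code): a sliding anti-replay window per (Security Association, Traffic Class), so that QoS reordering across classes does not cause drops, while a replayed or too-old sequence number within one class still does. The window mechanics follow the RFC 4303 sketch (window size, highest accepted sequence number, bitmap); using the DSCP value as the Traffic Class, the SPI values and the packet trace are constructed assumptions.

```python
"""Per-traffic-class IPsec anti-replay windows, keyed by Security Association.

Added example, not code from the patent application. Assumes packets have
already passed integrity checking; `spi` identifies the SA, `tc` is the
Traffic Class (assumed here to be the DSCP value) and `seq` the ESP/AH
sequence number. Extended sequence numbers are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class ReplayWindow:
    size: int = 64        # window width in sequence numbers
    top: int = 0          # highest sequence number accepted so far
    bitmap: int = 0       # bit i set <=> seq (top - i) has been seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:                      # ESP sequence number 0 is never valid
            return False
        if seq > self.top:                # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # too old: fell out of the window
            return False
        if self.bitmap & (1 << offset):   # already accepted: replay
            return False
        self.bitmap |= 1 << offset        # late but unseen: accept
        return True


@dataclass
class SecurityAssociation:
    spi: int
    window_size: int = 64
    windows: dict = field(default_factory=dict)   # traffic class -> ReplayWindow

    def window_for(self, tc: int) -> ReplayWindow:
        if tc not in self.windows:
            self.windows[tc] = ReplayWindow(size=self.window_size)
        return self.windows[tc]


class ReplayFilter:
    """Inbound filter holding one anti-replay window per (SA, traffic class)."""

    def __init__(self):
        self.sas = {}

    def add_sa(self, spi: int, window_size: int = 64) -> None:
        self.sas[spi] = SecurityAssociation(spi, window_size)

    def accept(self, spi: int, tc: int, seq: int) -> bool:
        sa = self.sas.get(spi)
        if sa is None:                    # unknown SA: drop
            return False
        return sa.window_for(tc).check_and_update(seq)


def demo() -> list:
    """Constructed packet trace of (spi, traffic class, seq); returns accept decisions."""
    f = ReplayFilter()
    f.add_sa(0x1001, window_size=8)
    trace = [
        (0x1001, 0, 1), (0x1001, 0, 2),
        (0x1001, 0, 2),      # replay of seq 2 in class 0
        (0x1001, 46, 1),     # same seq, EF class: its own window, accepted
        (0x1001, 0, 20),     # window for class 0 slides to [13, 20]
        (0x1001, 0, 5),      # older than the window: dropped
        (0x1001, 0, 15),     # late but inside the window and unseen: accepted
        (0x1002, 0, 1),      # no such SA
    ]
    return [f.accept(*p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

With a single per-SA window, the fourth packet in the trace (seq 1 on the EF class, arriving after seq 2 on best-effort) would still be accepted, but a burst of low-priority packets delayed behind a high-priority flow by more than the window width would be dropped as too old; the per-class windows keep each class's sequence space independent.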
20100122078SYSTEMS AND METHODS FOR CREATING A CODE INSPECTION SYSTEM - A code inspection system produces a dynamic decoy machine that closely parallels one or more protected systems. The code inspection system can analyze and monitor one or more protected systems, and as those protected systems are updated, altered or modified, the dynamic decoy machine, in which potentially malicious code is tested, can also be updated. Thus, the dynamic decoy machine can accurately reflect the current state of the one or more protected systems such that the potentially destructive nature, if any, of suspicious code can be evaluated as if it were in the actual environment of the protected system, without jeopardizing the security of the protected system.05-13-2010
20100064130SECURE HOST CONNECTION - The present patent disclosure describes a system and method for maintaining persistent secure connections between a terminal and a host. The system comprises a session manager component for storing session information associated with a terminal identifier (ID) of the terminal, the session information comprising a client connection ID for identifying a persistent secure client connection and a terminal connection ID for identifying a secure terminal connection. The system also comprises a connection manager component for establishing communication between the persistent secure client connection, identified by the client connection ID, and the secure terminal connection, identified by the terminal connection ID. The method comprises the step of storing session information associated with a terminal identifier (ID) of the terminal, the session information comprising a client connection ID for identifying a persistent secure client connection and a terminal connection ID for identifying a secure terminal connection. The method further comprises the step of establishing communication between the persistent secure client connection, identified by the client connection ID, and the secure terminal connection, identified by the terminal connection ID.03-11-2010
20120204025SYSTEM AND METHOD FOR CLIENT-SIDE AUTHENTICATION FOR SECURE INTERNET COMMUNICATIONS - A system and method for client-side authentication for secure Internet communications is disclosed. In one embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, authenticates the web browser using the secure socket layer certificate, and then re-signs the secure socket layer certificate with an intermediate device public key and an intermediate device certificate authority signature. The intermediate device sends the re-signed secure socket layer certificate to a web server and the web server authenticates the intermediate device using the re-signed secure socket layer certificate. In another embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, inserts the web browser secure socket layer certificate into a HTTP header of a packet, and sends the packet to a web server.08-09-2012
20100268932SYSTEM AND METHOD OF VERIFYING THE ORIGIN OF A CLIENT REQUEST - A system and method for verifying the origin of a client request. The system includes two devices: a "Security Device", which resides within the web server at the client end, and an "Authenticator Device", which resides within the web server at the server end. The "Security Device" adds an Extended Validation SSL (EV SSL) certificate to the client-side web request. The "Authenticator Device" then parses the HTTP request from the client, extracts the EV SSL certificate and reads the client's "Organization Name" from it. If the "Organization Name" matches an entry in the list of organizations with which the "Authenticator Device" is allowed to transact, the client request is authenticated and the transaction goes through; otherwise the client request is denied.10-21-2010
20090282236Method And Apparatuses For Establishing A Secure Channel Between A User Terminal And A SIP Server - A method of establishing a secure communication channel between a user terminal (11-12-2009
20110154018SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL - The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish a SSL connection in response to receiving a client certificate from the first client.06-23-2011
20090113202System and method for providing secure network communications - A method includes receiving a data message, from a first embedded node, in a first end point device. The first data message is addressed to a second embedded node. The method also includes encrypting the first data message to produce an encrypted data message, where the encryption is transparent to the first embedded node. The method further includes transmitting the encrypted data message to a second end point device. An apparatus includes a plurality of embedded node ports each configured to communicate with an embedded node. The apparatus also includes an encrypted communications link port configured to communicate with an end point device. The apparatus further includes a controller connected to communicate with the embedded node ports and the encrypted communications link port. In addition, the apparatus includes a storage connected to be read from and written to by the controller.04-30-2009
20110055550METHOD AND APPARATUS FOR PRESERVING SECURITY IN VIDEO MULTICASTING SERVICE - A method and an apparatus for maintaining information security in a video multicasting service are provided. The method includes: generating a network abstraction layer unit using received video information; encrypting the network abstraction layer unit of the video information; realtime transport protocol (RTP) packetizing the encrypted network abstraction layer unit of the video information; recording unit format information and field information, included in the network abstraction layer of the video information being stored in a memory, in a header extension field of the RTP header; and transmitting the RTP packet including the encrypted video information to a routing device.03-03-2011
20080256353Method and Apparatus for Hiding Information in Communication protocol - A method and apparatus for hiding information in a communication protocol signal are disclosed. The apparatus comprises a bit selection unit, an information encoding unit and an information decoding unit, wherein the bit selection unit selects suitable bits in the signal for hiding information, the information encoding unit encodes the information into the suitable bits selected by the bit selection unit, and the information decoding unit decodes the information encoded in the suitable bits.10-16-2008
20110264905SYSTEMS AND METHODS FOR SPLIT PROXYING OF SSL VIA WAN APPLIANCES - The present invention is directed towards systems and methods for split proxying Secure Socket Layer (SSL) communications via intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, a SSL session with a server. A client-side intermediary may establish a second SSL session with a client using SSL configuration information received from the server-side intermediary. Both intermediaries may communicate via a third SSL session. The server-side intermediary may decrypt data received from the server using the first SSL session's session key. The server-side intermediary may transmit to the client-side intermediary, via the third SSL session, data encrypted using the third SSL session's session key. The client-side intermediary may decrypt the encrypted data using the third SSL session's session key. The client-side intermediary may transmit to the client the data encrypted using the second SSL session's session key.10-27-2011
20100293369METHOD FOR REACTIVATION OF A SECURE COMMUNICATION LINK - The invention relates to a method of reactivating a safe communication connection between client computers and a server after restarting the server, wherein safe communication connections are provided between the server and the client computers for the transmission of data. After restarting, or rebooting the server, a data packet is therefore transmitted (11-18-2010
20110145562SYSTEM AND METHOD FOR SECURELY TRANSFERING CONTENT FROM SET-TOP BOX TO PERSONAL MEDIA PLAYER - A media player is provided for receiving session data over a secure sockets layer connection. The session data includes encrypted content data, a content key and digital rights data, wherein the content key and the digital rights data have been encrypted with an SSL session key. The media player includes a first processor portion and a second processor portion. The first processor portion is arranged to receive the session data and holds a second key; it can generate the SSL session key and decrypt the session data with it. The first processor portion can further re-encrypt the decrypted content key with the second key and output the re-encrypted content key and digital rights data. The second processor portion is arranged to receive the re-encrypted content key and digital rights data. The first processor portion can further decrypt the content, and is externally inaccessible.06-16-2011
20110078436COMMUNICATION APPARATUS, METHOD FOR CONTROLLING COMMUNICATION APPARATUS AND STORAGE MEDIUM - A control method for an apparatus that performs IPsec communication and negotiates to generate an IPsec SA includes: performing the negotiation by proposing all combinations of an encryption algorithm, a hash algorithm, and a DH group to the peer apparatus; in the case where the IPsec SA has been successfully generated by the negotiation, extracting from all the combinations the one combination selected by the peer apparatus; and storing the extracted combination and using it as the IKE determined value.03-31-2011
20090300345Concept for Client Identification and Authorization in an Asynchronous Request Dispatching Environment - The present invention provides client and server identity validation in an asynchronous request dispatching environment with client-side aggregation. An application server receives an asynchronous include request from a client. A first unique identifier associating the client with the asynchronous include is generated and sent to a results server. A second unique identifier identifying the results server is generated and sent to the application server. Results of the asynchronous include are stored in the results server. The application server sends the first and second unique identifiers to the client, which polls the results server and sends the second unique identifier to the results server. The results server uses the second unique identifier to verify the identity of the client. The results server sends the first unique identifier to the client. The client uses the first unique identifier to validate the identity of the results server.12-03-2009
20100031016PROGRAM, METHOD, AND DEVICE FOR ENCRYPTION COMMUNICATION - An encryption communication method is provided for performing communication that includes a data transfer phase for transmission of content data and a handshake phase for user authentication or agreement on the transmission method for content data. The method comprises: storing one set of a plurality of content data for multiple users in a common transmission communication region provided for the multiple users; transferring the stored set of content data during the data transfer phase when transferring the content data of the multiple users to a communication target device; and receiving the stored set of content data using a plurality of transmission-reception communication regions, one provided for each of the multiple users.02-04-2010
20100017595Security In Networks - Embodiments related to security in networks are described and depicted.01-21-2010
20120042160SYSTEM AND METHOD FOR COGNIZANT TRANSPORT LAYER SECURITY (CTLS) - A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating cryptographic evidence, called authentication/authorization evidence (AE), when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. The distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. One example of AE creation is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK), which can then be used to create AE for a variety of servers.02-16-2012
20110307692METHOD AND APPARATUS TO PROVIDE FAILOVER CAPABILITY OF CACHED SECURE SESSIONS - A method, apparatus and computer program product for providing failover capability of cached secure sessions is presented. A cached secure session involving a first device and a second device is identified. The cached secure session is encrypted and replicated to a failover device. The encrypted session is then decrypted on the failover device. An occurrence of a hot failover involving the second device is detected, and processing resumes between the first device and the failover device.12-15-2011
20120023324INSIDER THREAT CORRELATION TOOL - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a threat score representing a first time period may be calculated. The first threat score may be calculated from a quantification of a plurality of activity violations across a plurality of control groups. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further embodiments may be configured to consider additional indicators. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating.01-26-2012
20120159150SYSTEM AND METHOD FOR IMPLEMENTING AN ENHANCED TRANSPORT LAYER SECURITY PROTOCOL - A system and method for implementing an enhanced transport layer security (ETLS) protocol is provided. The system includes a primary server, an ETLS servlet and an ETLS software module. The primary server operates on a computer network and is configured to communicate over the computer network using a non-proprietary security protocol. The ETLS servlet also operates on the computer network and is securely coupled to the primary server. The ETLS servlet is configured to communicate over the computer network using an ETLS security protocol. The ETLS software module operates on a mobile device, and is configured to communicate over the computer network using either the non-proprietary security protocol or the ETLS security protocol. Operationally, the ETLS software module initially contacts the server over the computer network using the non-proprietary security protocol, and subsequently contacts the server through the ETLS servlet using the ETLS security protocol.06-21-2012
20120159149METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR DESIGNATING A SECURITY LEVEL FOR A COMMUNICATIONS LINK BETWEEN WIRELESS DEVICES - A content issuer entity designates a transport security level for each of a plurality of electronic certificates and provides the electronic certificates to a first wireless device. A second wireless device establishes a communications link to transfer electronic certificate data associated with one or more electronic certificates stored on the first wireless device to the second wireless device via a wireless transaction and determines, for each stored electronic certificate, a transport security level previously designated at the content issuer entity. At the first wireless device, a highest transport security level is determined from among the respective transport security levels associated with the stored electronic certificates. The electronic certificate data is transferred from the first wireless device to the second wireless device via the communications link in accordance with a security measure that corresponds to the highest determined transport security level.06-21-2012
20120110321DATA COMMUNICATION USING PORTABLE TERMINAL - In a method in a portable end device (05-03-2012
20100095109Method for Managing Opaque Presence Indications Within a Presence Access Layer - A method for a presentity to provide private presence information for a watcher. The method includes the presentity providing the private presence information in an encrypted form. The method also includes a presence access layer obtaining the private presence information. The method also includes the presence access layer performing one of decrypting the private presence information and sending the decrypted private presence information to the watcher, and leaving the private presence information in the encrypted form and sending the encrypted private presence information to the watcher, wherein the watcher decrypts the private presence information.04-15-2010
20120131329Method and System for Accessing 3rd Generation Network - A method for accessing a 3G network includes: a terminal accessing a wireless local area network using the WAPI protocol, and notifying an AAA server of the 3G network, through an AP of the wireless local area network, that the terminal intends to access the 3G network; the AAA server obtaining identity information of the terminal through the AP, and performing an EAP-TLS negotiation process with the terminal through the AP after determining from the identity information that the terminal is a subscription terminal of the 3G network; and the terminal accessing the 3G network after finishing the EAP-TLS negotiation process. A system for accessing a 3G network includes an AP of a wireless local area network and an AAA server of a 3G network. The present invention reduces unnecessary processes (message interaction, certificate verification, signature verification, and so on) and improves system efficiency.05-24-2012
20100205427INTRODUCING ENCRYPTION, AUTHENTICATION, AND AUTHORIZATION INTO A PUBLICATION AND SUBSCRIPTION ENGINE - A plurality of protocol stacks are deployed. Each of the protocol stacks includes a plurality of composable protocol modules, and each of the composable protocol modules implements common interfaces. It is detected that a first given one of a plurality of clients wishes to connect to a publication-subscription engine and it is determined whether the first given one of the plurality of clients is to be connected in a secure manner. Responsive to determining that the first given one of the plurality of clients is to be connected in the secure manner, an encrypted instance of a first appropriate one of the plurality of protocol stacks is instantiated to effectuate the secure connection. The first given one of the plurality of clients is authenticated and authorized.08-12-2010
20120216033COMMUNICATION SYSTEM, PRINTING DEVICE, AND SA ESTABLISHMENT METHOD - A communication system includes an SA parameter exchanging portion that builds and deletes SAs, and a nonvolatile storage portion that stores at least part of the information for the SA parameter set. When the printing device is initialized, a message transmission portion of the printing device transmits a predetermined message to a communication device if part of that information is still stored in the printing device's nonvolatile storage portion, and the communication device, in response to receiving the predetermined message, deletes the information for performing IPsec communication with the printing device from its own nonvolatile storage portion.08-23-2012
20120284506METHODS AND APPARATUS FOR PREVENTING CRIMEWARE ATTACKS - A central server configured to mediate communications including establishing secure online sessions between user-controlled devices and 311-08-2012
20100325418SYSTEMS AND METHODS FOR SSL SESSION CLONING - TRANSFER AND REGENERATION OF SSL SECURITY PARAMETERS ACROSS CORES, HOMOGENOUS SYSTEM OR HETEROGENEOUS SYSTEMS - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session.12-23-2010
20120089828SECURE TUNNEL OVER HTTPS CONNECTION - Many secure tunnels require protocols that require special handling, authorization or security certificates, such as L2TP and PPTP. This often eliminates them for use between a corporate or agency network and outside, public networks. A secure socket tunnel protocol (SSTP) adds drivers in both the kernel and user mode to route standard protocol traffic, such as PPP, over a common HTTPS port. In the event of network interruptions, an exchange of a session cookie allows fast reconnection of the underlying HTTPS connection without affecting higher level applications.04-12-2012
20110276797AUTHENTICATION AND AUTHORIZATION FOR INTERNET VIDEO CLIENT - A device is enabled to display Internet TV by accessing a management server with a secret unique ID and receiving back from the server, assuming the ID is approved, a user token and a service list of content servers with knowledge of the user token. A user can select a content server which causes the device to upload its user token and in response receive a content list from the content server, from which content can be selected for display. Neither list may be modified by the device and the device can access only content on a content list.11-10-2011
20130019090Method and apparatus for certificate-based cookie security (inventor: Jason Matthew Wicker, Pittsboro, NC, US) - A new cookie attribute is defined for use during secure HTTP transport sessions. This attribute is referred to herein as a "certificate attribute" or "server certificate attribute," or servcertid. This attribute is adapted to point to a server-supplied certificate and, in particular, a digital certificate, such as an X.509 digital certificate. The cookie attribute includes a value, and that value is designed to correspond to one or more content fields in the digital certificate. According to one embodiment, and during a first https session, a first web application executing on a first server provides a web browser with the cookie having the server certificate identifier attribute set to a value corresponding to a content field in a server certificate. Later, when the browser is accessing a second server during a second https session that differs from the first https session, the browser verifies that the value in the cookie matches a corresponding value in the server certificate received from the second server (during the setup of the second https session) before sending the cookie to the second server. This approach ensures that the cookie is presented only over specified https connections and to trusted organizations (as identified by the servcertid value(s) encoded in the attribute).01-17-2013
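The browser-side decision described above, as an added example (not code from the application): a cookie carrying a servcertid attribute is released to a second host only if the named field of that host's TLS certificate matches the value recorded when the cookie was set, on top of the usual Domain and Secure checks. The attribute syntax (`servcertid=<field>:<value>`), the representation of the certificate as a dict of already-parsed X.509 fields, and all host names and organisation names are assumptions for illustration.

```python
"""Browser-side check for a hypothetical `servcertid` cookie attribute.

Added example, not code from the application. Assumed: the attribute is
written `servcertid=<cert field>:<expected value>`, and the TLS layer hands
the cookie jar the server certificate as a dict of parsed fields.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False
    servcertid: Optional[tuple] = None   # (certificate field, expected value)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser that understands Secure, Domain and servcertid."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name=name, value=value, domain=request_host.lower())
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        k = k.lower()
        if k == "secure":
            c.secure = True
        elif k == "domain":
            c.domain = v.lstrip(".").lower()
        elif k == "servcertid":
            field, _, expected = v.partition(":")
            c.servcertid = (field.lower(), expected)
    return c


def cookie_may_be_sent(c: Cookie, host: str, tls_cert: Optional[dict]) -> bool:
    """Decide whether `c` may accompany a request to `host`.

    `tls_cert` is the server certificate of the current https session, or
    None for a plain-http request.
    """
    host = host.lower()
    if not (host == c.domain or host.endswith("." + c.domain)):
        return False                       # ordinary domain scoping
    if c.secure and tls_cert is None:
        return False                       # Secure cookies never go over http
    if c.servcertid is not None:
        if tls_cert is None:
            return False                   # certificate binding needs a certificate
        field, expected = c.servcertid
        if tls_cert.get(field) != expected:
            return False                   # different organisation: withhold cookie
    return True


def demo() -> dict:
    """Constructed first session sets the cookie; second-session candidates are checked."""
    header = "session=abc123; Secure; Domain=example.test; servcertid=subject_o:Example Corp"
    c = parse_set_cookie(header, "www.example.test")
    cert_same_org = {"subject_o": "Example Corp", "fingerprint_sha256": "bb" * 32}
    cert_other_org = {"subject_o": "Mallory Hosting Ltd", "fingerprint_sha256": "cc" * 32}
    return {
        "same_org_sibling": cookie_may_be_sent(c, "api.example.test", cert_same_org),
        "other_org_subdomain": cookie_may_be_sent(c, "old.example.test", cert_other_org),
        "plain_http": cookie_may_be_sent(c, "api.example.test", None),
        "foreign_host": cookie_may_be_sent(c, "example.org", cert_same_org),
    }


if __name__ == "__main__":
    print(demo())
```

The second case is the one Domain scoping alone cannot catch: a forgotten subdomain re-registered by another party still sits under example.test, but its certificate names a different organisation, so the cookie is withheld.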
20130024684ENHANCED APPROACH FOR TRANSMISSION CONTROL PROTOCOL AUTHENTICATION OPTION (TCP-AO) WITH KEY MANAGEMENT PROTOCOLS (KMPS) - A network element supports Transmission Control Protocol Authentication Option (TCP-AO) with a Key Management Protocol (KMP) to authenticate TCP segments over a TCP session. The network element negotiates multiple traffic keys to authenticate TCP segments over a TCP session with a peer network element, and protects the TCP session with the negotiated traffic keys.01-24-2013
20130173906CLONING STORAGE DEVICES THROUGH SECURE COMMUNICATIONS LINKS - New storage devices located remote to old storage devices may be cloned through a secure data communications link established with a secure boot device located in the storage device. The secure communications link cryptographically splits data and encrypts the data for transmission over unsecure public network through the secure communications link. The cloning process may be completed between the new storage device and the old storage device with little or no involvement from other devices.07-04-2013
20080235508Reducing processing load in proxies for secure communications - In one embodiment, a method for providing secure communications using a proxy is provided. The proxy negotiates with a client and a server to determine a session key to use with communications between the client and the proxy and between the proxy and the server. Encrypted data may then be received from the client at the proxy. The proxy can decrypt the encrypted data for processing using the session key. In one embodiment, the decrypted data is not altered. The proxy then sends the encrypted data that was received from the client to the server without re-encrypting the data that was decrypted. Because the proxy did not alter the data in its processing of the decrypted data and the same session key is used between communications for the proxy and the server, the encrypted data stream that was received from the client can be forwarded to the server.09-25-2008
20130179678Stateless Cryptographic Protocol-based Hardware Acceleration - According to one embodiment of the invention, a method comprises commencing a first phase of an authentication handshaking protocol and passing control of that protocol. The first phase is commenced by a data path processor within a first network device in order to establish a secure communication path, and comprises an exchange of data during the authentication handshaking protocol. Control of the authentication handshaking protocol is then passed by the data path processor to a control path processor, which completes the authentication handshaking protocol.07-11-2013
20130097418METHODS AND APPARATUSES TO PROVIDE SECURE COMMUNICATION BETWEEN AN UNTRUSTED WIRELESS ACCESS NETWORK AND A TRUSTED CONTROLLED NETWORK - A secure communication channel between an access point (AP) device associated with a wireless network and a mobile gateway (GW) device of a packet core network is established. Data is exchanged between the wireless network and the packet core network through the secure channel. A client device (UE) is authenticated through the secure communication channel. Device identity information is received from the AP device. A session request is sent to the packet core network. An IP address for the device is received from the packet core network. The communication between the AP device and the packet core network is secured without running an IP security protocol on the UE, which saves battery power on the UE. Establishing fully secure communication between the UE and the packet core network while saving UE power provides a significant advantage for the mobile technology world.04-18-2013
20130124851FILE-BASED APPLICATION PROGRAMMING INTERFACE PROVIDING SELECTABLE SECURITY FEATURES - A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.05-16-2013
20100281249MEDIA INDEPENDENT HANDOVER PROTOCOL SECURITY - An apparatus for providing security to media independent handover service includes a point of service for providing the media independent handover services including an independent authenticator. The independent authenticator authenticates candidate access networks prior to the handover of the mobile devices from serving access networks to the candidate access networks, where each of the serving access networks and the candidate access networks belong to a plurality of heterogeneous access networks having the specific serving media. An access controller applies an access control through an access authentication with the point of service providing the media independent handover services through an authentication server, in which when the access authentication is established between the point of service and the authentication server, the mobile devices are authorized to access the media independent handover services through the point of service for the mobile devices attached between heterogeneous media.11-04-2010
20090013174 | METHODS AND SYSTEMS FOR HANDLING DIGITAL RIGHTS MANAGEMENT - Systems and methods according to the present invention address this need and others by providing methods and systems for translating media encrypted by various Digital Rights Management (DRM) techniques. This allows end user equipment to receive media in an IMS/IPTV environment when the end user equipment uses a DRM that is different from the media server which is providing the desired media in both unicast and multicast applications. | 01-08-2009
20100318784 | CLIENT IDENTIFICATION FOR TRANSPORTATION LAYER SECURITY SESSIONS - Systems, methods, and other embodiments associated with client identification for transportation layer security sessions are described. One example method includes monitoring a first transportation layer security (TLS) communication between a server and a client. The example method may also include interrupting the first TLS communication and causing the first TLS communication to be interrupted. The example method may also include initiating a second TLS communication with a client side device. The second TLS communication may request a certificate from the client side device. The certificate may include secure information that identifies the client. The example method may also include receiving the certificate from the client side device. The example method may also include authenticating the client, the client side device, and so on, based, at least in part, on the certificate. | 12-16-2010
20120284505 | DNSSEC SIGNING SERVER - Systems and methods for performing DNSSEC signing are described in which digital signature operations may be performed by a network accessible signing server that is configured to interact with a separate client application. Exemplary methods may include receiving a signing request at the signing server from the client application to sign first data. The signing server may determine an active KSK and/or an active ZSK for the first data. The first data may then be transmitted by the signing server to a digital signature module, which may include, for example, a hardware support module or software signing applications. The signing server may receive a digitally signed version of the first data from the digital signature module, and provide the signed first data to the client application. | 11-08-2012
20130159698 | CHAOTIC CRYPTOGRAPHY FOR OFDM BASED COMMUNICATIONS SYSTEMS - A chaotic cryptographic technique for orthogonal frequency division multiplexing (OFDM) based wireless/wired communication systems is implemented with an OFDM symbol structure based on symmetric key cryptography. At the receiver side, data detection becomes infeasible without knowledge of the secret key. Without knowledge of the key, the signal will be a noise-like signal. The computational power required to implement the technique is very low, rendering the system an attractive option for high data rate communications based on OFDM technology. The system security is proportional to (L×N)!, where N is the number of subcarriers in the OFDM system and L is the number of OFDM symbols involved in the encryption process. For OFDM applications where N ≥ 256, L may be set to 1 and breaking the system would require N! exhaustive-search trials. In the case that N < 256, L may be increased. | 06-20-2013
20110314271 | Secure Processing Systems and Methods - This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain. | 12-22-2011
20110314270 | ENCRYPTED NETWORK TRAFFIC INTERCEPTION AND INSPECTION - A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for the presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. The SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network. | 12-22-2011
20130198509 | SYSTEM AND METHOD FOR INNOVATIVE MANAGEMENT OF TRANSPORT LAYER SECURITY SESSION TICKETS IN A NETWORK ENVIRONMENT - An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of a portion of the session ticket encountered in a TLS protocol record using a hashing algorithm, incrementally computing another hash value of another portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until portions of the session ticket have been processed. | 08-01-2013
20120066489 | TCP/IP-BASED COMMUNICATION SYSTEM AND ASSOCIATED METHODOLOGY PROVIDING AN ENHANCED TRANSPORT LAYER PROTOCOL - A more secure TCP/IP protocol stack is provided having an enhanced transport layer. Encryption and decryption logic is arranged on the transmission side and on the reception side for processing the payload of a transport layer protocol, such as TCP or UDP. By employing this enhanced transport layer, encrypted communication can be realized while removing various restrictions that conventional IPsec or SSL impose, without affecting upper layer processing and, at the same time, maintaining compatibility with the IP layer. | 03-15-2012
