Patent application number | Description | Published |
20090060188 | DETERMINING SECURITY STATES USING BINARY OUTPUT SEQUENCES - A system for determining security associations using binary output sequences is described. In an example systematic embodiment, a first device is coupled over a network to a second device. Each device includes a processor and an indicator mechanism coupled to the processor. The indicator mechanism is configured to output a binary representation of a security state established between the devices to a user in perceivable proximity to at least one of the devices. A computer readable storage medium is coupled to the processor and includes executable instructions for the processor. The instructions when executed by the processor initiate a security transaction between the devices. The security transaction includes a protocol that uses one or more public keys to establish a security state between the devices. The indicator mechanism then outputs the binary representation to the user based on the established security state. | 03-05-2009 |
20090220080 | Application-Level Service Access to Encrypted Data Streams - Techniques for securely providing cryptographic keys to trusted intermediate nodes or monitoring devices are described so that SSL, TLS, or IPSec communications can be monitored, compressed over a WAN, or otherwise used. In an embodiment, a trusted intermediate node establishes a secure connection to a key server; receiving session identification data for an encrypted session between a client and a content server during negotiation of the encrypted session, and storing a copy of the session identification data; requesting from the key server, over the secure connection, a decryption key associated with the encrypted session; receiving an encrypted message communicated between the client and the content server; forwarding the encrypted message without modification to a destination address in the encrypted message; and decrypting the encrypted message using the decryption key to result in decrypted data and using or storing the decrypted data in a storage unit. | 09-03-2009 |
20100034207 | ENFORCING THE PRINCIPLE OF LEAST PRIVILEGE FOR LARGE TUNNEL-LESS VPNs - Techniques for secure communication in a tunnel-less VPN are provided. A key server generates and provides, to each VPN gateway, different, yet mathematically-related keying material. A VPN gateway receives distinct keying material for each designated address block (e.g., subnet) behind the VPN gateway. In response to receiving a packet from one a source host whose address falls within one of the designated address blocks, the VPN gateway identifies the appropriate keying material. The VPN gateway determines an identifier for the address block that includes the destination address. The identifier and the identified keying material are used to generate a key. The VPN gateway encrypts the packet with the key and forwards the encrypted packet to the destination host. | 02-11-2010 |
20100142711 | GROUP KEY MANAGEMENT RE-REGISTRATION METHOD - In an embodiment, a fast group key management re-registration is described. One computer-implemented method comprises, at a key server: receiving a registration request from a network element to join a group of network elements managed by the key server; generating and storing a group member registration state comprising information identifying the network element within the group of network elements; generating a token using information from the group member registration state, wherein the token identifies the network element within the group; deleting the group member registration state for the network element at the key server; generating an encrypted token by encrypting the token using a secret key that is local to the key server; sending the encrypted token to the network element; receiving the encrypted token along with a re-registration request from the network element to re-join the group of network elements; and re-registering the network element using the encrypted token. | 06-10-2010 |
20100220856 | PRIVATE PAIRWISE KEY MANAGEMENT FOR GROUPS - In an example embodiment, a key generation system (KGS) is used to generate private pairwise keys between peers belonging to a group. Each member of the group is provisioned with a set of parameters which allows each member to generate a key with any other member of the group; however, no group member can derive a key for pairings involving other group members. The private pairwise keys may be used to derive session keys between peers belonging to the group. Optionally, an epoch value may be employed to derive the private pairwise keys. | 09-02-2010 |
20100223458 | PAIR-WISE KEYING FOR TUNNELED VIRTUAL PRIVATE NETWORKS - In an embodiment, a method for generating and distributing keys retains the scalability of a group VPN, but also provides true pair-wise keying such that an attacker who compromises one of the devices in a VPN cannot use the keys gained by that compromise to decrypt the packets from the other gateways in the VPN, or spoof one of the communicating gateways. The method is resistant to collusion when co-operating attackers overtake several VPN gateways and observe the keys stored in those gateways. In an embodiment, a VPN gateway comprises a cryptographic data processor configured to encrypt and to decrypt data packets; group key management logic; and Key Generation System logic. In one approach a gateway performs, in relation to adding a group member, receiving in a security association (SA) message secret data for use in the KGS; and derives keys for secure communication with one or more peer VPN gateways using the secret data. | 09-02-2010 |
20100306816 | AUTHENTICATION VIA MONITORING - Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision. | 12-02-2010 |
20130039487 | Coordinating compression information for unreliable encrypted streams through key establishment protocols - In one embodiment, a method includes transmitting compression information from a sender node to a receiver node in a key establishment protocol exchange and transmitting an encrypted compressed packet from the sender node to the receiver node using an unreliable transport. The compression information is used by the receiver node in decompressing the packet received from the sender node. An apparatus is also disclosed. | 02-14-2013 |
20130091352 | Techniques to Classify Virtual Private Network Traffic Based on Identity - Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices. | 04-11-2013 |
20130145047 | Flow-Based Compression Management - Flow-based data compression is achieved by selecting which of a set flows are compressed, which packets within each flow are compressed, and the level of effort applied to compress each packet. Compression scheduling across multiple flows excludes certain packets in respective flows from compression by way of skip patterns in a table or that are generated by a geometrically progressive skip scheme. Compression scheduling may include adjusting the level of compression effort. | 06-06-2013 |
20140044262 | Low Latency Encryption and Authentication in Optical Transport Networks - Data to be transmitted across an Optical Transport Network (OTN) is encrypted with a non-malleable encryption algorithm. An authentication code configured to allow authentication of the data with a low latency encryption algorithm is generated. A packet is generated which is configured to be transferred across the OTN and contains the encrypted data and the authentication code. The packet is transmitted across the OTN. Non-malleable encryption, origin authentication, data integrity and anti-replay protection are provided for OTNs over Dense Wavelength Division Multiplexed (DWDM) links. In one example, XTS-AES encryption and GMAC authentication techniques are combined to secure OTN frames. | 02-13-2014 |
20140359277 | NETWORK SECURITY USING ENCRYPTED SUBFIELDS - In one embodiment, a method includes receiving from a secure device, an encrypted rule at a first network device, receiving at the first network device, a packet containing at least one encrypted subfield from a second network device, the subfield encrypted based on a key received at the second network device from the secure device, and determining if the encrypted subfield matches the encrypted rule. An apparatus and logic are also disclosed herein. | 12-04-2014 |
20150033014 | Compact and Efficient Communication Security through Combining Anti-Replay with Encryption - A method of providing anti-replay protection, authentication, and encryption with minimal data overhead is provided. A sender uses an arbitrary-length pseudorandom permutation to encrypt messages that include plaintext and successively increasing sequence numbers, to produce ciphertext messages. The sender transmits the ciphertext messages. A receiver receives the ciphertext messages and, for each received ciphertext message, performs the following operations. The receiver decrypts the given ciphertext message to recover plaintext and a candidate sequence number from the message. The receiver determines if the candidate sequence number is in any one of multiple acceptable sequence number windows having respective sequence number ranges that are based on at least one of a highest sequence number previously accepted and a last sequence number that was previously rejected, as established based on processing of previously received ciphertext messages. | 01-29-2015 |
20150067337 | Techniques to Classify Virtual Private Network Traffic Based on Identity - Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices. | 03-05-2015 |