5910 results about "Protocol for Carrying Authentication for Network Access" patented technology

A portable wireless communications subscriber audio and/or video player apparatus and system and method for selecting, requesting, downloading, and playing audio and/or video data content files from an Internet-based database server. The wireless link is preferably implemented in accordance with the WiFi protocol, which allows connectivity to the Internet by being in proximity with a local base station or WiFi hotspot (i.e., publicly available local wireless access hub connected to the Internet). The portable wireless communications subscriber audio and/or video player apparatus and system preferably include a security means for monitoring and blocking unauthorized use of the player apparatus and system. The player apparatus further preferably has the capability to communicate with other neighboring player apparatus for the purpose of exchanging content data files, playlists and personal messages.

The present invention provides a method and apparatus for increasing the performance of world-wide-web traffic over the Internet. A distributed network of specialized nodes of two types is dispersed around the Internet. A web client's requests are directed to a node of the first type chosen to be close to the client, and the client communicates with this node using a standard protocol such as HTTP. This first node receives the request, and communicates the request to a node of the second type chosen to be close to the request's ultimate destination (e.g., a web server capable of generating a response to the request.) The first node communicates the request to the second node using a different, specialized, protocol that has been designed for improved performance and specifically to reduce traffic volume and to reduce latency. The second node receives communication from the first node using this specialized protocol, converts it back to a standard protocol such as HTTP, and forwards the request to the destination computer or server. Responses from the destination to the client take the corresponding reverse route, and also are carried over a specialized protocol between the two nodes. In addition, these nodes can employ other techniques such as web caches that avoid or improve some communication steps. Thus, specialized, proprietary, or complex protocols and techniques can be quickly deployed to enhance web performance without requiring significant changes to the clients or servers.

Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.

A telecommunications system and method is disclosed for providing a substantially immediate electronic receipt after a consumer has made a purchase. When a consumer makes a purchase, the sales terminal, which is attached with a short message/e-mail sending capable terminal, can generate and route a short message along with the detailed purchase information to a transport address or alias address associated with the consumer via a Gatekeeper for the Internet for the area that the sales terminal is located in. Upon receipt of the short message, the Gatekeeper can then convert the alias address to the transport address, if the alias address is given and the consumer does not want the short message sent to the alias address, and forward the short message through the Internet to that transport address (or alias address) as an Internet Protocol datagram for storage and retrieval of the short message by the consumer either immediately or at a later time.

Malicious network activities do not make use of the Domain Name System (DNS) protocol to reach remote targets outside a local network. This DNS-based enforcement system for confinement and detection of network malicious activities requires that every connection toward a resource located outside the local network is blocked by default by the local enforcement box, e.g. a firewall or a proxy. Outbound connections are allowed to leave the local network only when authorized directly by an entity called the DNS Gatekeeper.

The present invention is drawn to an apparatus and method for providing secure network communication. Each node or computer on the network has a secure, intelligent network interface with a coprocessor that handles all network communication. The intelligent network interface can be built into a network interface card (NIC) or be a separate box between each machine and the network. The intelligent network interface encrypts outgoing packets and decrypts incoming packets from the network based on a key and algorithm managed by a centralized management console (CMC) on the network. The intelligent network interface can also be configured by the CMC with dynamically distributed code to perform authentication functions, protocol translations, single sign-on functions, multi-level firewall functions, distinguished-name based firewall functions, centralized user management functions, machine diagnostics, proxy functions, fault tolerance functions, centralized patching functions, Web-filtering functions, virus-scanning functions, auditing functions, and gateway intrusion detection functions.

In a network including WAN accelerators and segment-oriented file servers, a method comprises responding to a client request to manipulate a file via a network file protocol by receiving a first request at a first WAN accelerator, wherein the request is a request to open a file located at a file server that is a segment-oriented file server, sending a local request for the file, corresponding to the first request, from the WAN accelerator to the file server, using a segment-aware network request protocol, returning at least a portion of the requested file in the form of a representation of a data map corresponding to the at least a portion of the requested file stored on the file server and using a data map for reconstruction of the requested file.

A distributed network-attached storage network provides content distribution using conventional file transfer protocols such as NFS and CIFS. A filer proxy accepts a client request and translates the client request to a file transfer protocol accepted at the file system having the file requested in the client request. The filer proxy generates a file handle for the file containing redundant filer proxy information to be used for failover to a backup filer proxy in the event of a network error or failure of an original filer proxy. The file handle also contains information for network security purposes such as detection of forged file handles.

The invention is a cryptographic server providing interoperability over multiple algorithms, keys, standards, certificate types and issuers, protocols, and the like. Another aspect of the invention is to provide a secure server, or trust engine, having server-centric keys, or in other words, storing cryptographic keys on a server. The server-centric storage of keys provides for user-independent security, portability, availability, and straightforwardness, along with a wide variety of implementation possibilities.

Firewalls and network address translators (NAT) provide many advantages for client and the Internet itself, however, these devices break many existing transmission control protocol (TCP)/Internet Protocol (IP) applications, since they conceal the identity of IP clients (i.e., peers) and block transmission control protocol (TCP) call setup requests. Firewalls and NATs make it impossible for one TCP peer to discover another and establish a connection. Embodiments of this invention provides a system and a protocol to enable two TCP peers that exist behind one or more firewalls and NATs to automatically setup a true peer-to-peer TCP connection and exchange data without making changes to the firewall or NAT devices or existing TCP-based applications. In embodiments of this invention, the synchronization between the blind TCP peers is achieved using a system that consists of a registration server, an agent application, and a virtual network interface that together relay and replicate the control signals between the two TCP peers. In addition, embodiments of this invention are also used to traverse the NAT and establish a bi-directional peer-to-peer TCP connection in the firewall.

A Voice over Internet Protocol (VoIP) network is described in which session state is maintained in access switches, but not signaling gateways which maintain transaction state only during pendency of a related transaction. The signaling gateway further provides transparent inter-operation between the VoIP network and non-IP networks, such as the PSTN, by means of a translator which directly translates messages between the networks.

Various embodiments relate to a Cloud Data Center, a system comprising the Cloud Data Center, and a related method. The Cloud Data Center may include a logical customer edge router to send packets between addresses in a private enterprise network and addresses in a logical network within a cloud network using Layer 2 protocol and MAC addressing. The logical network may have resources, known as virtual machines, allocated to the private enterprise network and may share a common IP address space with the private enterprise network. A directory at the Cloud Data Center may correlate the enterprise IP addresses of virtual machines with a MAC address, cloud IP address, and a location IP address within the logical network. The Cloud Data Center may double encapsulate packets with MAC, cloudIP, and locIP headers, when sending a packet to a destination in the logical network.

This disclosure describes systems and methods related to facilitating payments via a peer-to-peer protocol. Tokenized information associated with a payment transaction may be obtained. Establishment of a peer-to-peer communications session with a payment recipient device may be facilitated. The tokenized information to the recipient device via the established peer-to-peer communications session may be communicated in order to facilitate completion of the payment transaction.

A system and method for generating and transmitting false packets along with a true packet to thereby hide or obscure the actual message traffic. A new extension header having a plurality of fields is positioned in the hierarchy of Internet protocol headers that control passage of the false packets and the true packet through the network. A sending host computer generates a plurality of false packets for each true packet and transmits the false packets and the true packet containing the Internet protocol headers and the extension header over the network. The new extension header is decrypted and re-encrypted each host that handles a message packet that uses the new extension header to control the random re-encryption of the true packet body at random hosts and the random generation of false packets at each host visited by a true packet, at the recipient of the true packet, and at any hosts that receive a false packet.

According to some embodiments, systems and methods for binding dynamic host configuration and network access authentication are provided related to, inter alia, interactions between a PAA (PANA Authentication Agent) and a DHCP (Dynamic Host Configuration Protocol) server, such as, e.g., for synchronization between the PANA SA state and the DHCP SA state, such as, e.g., maintaining synchronization when a connection is lost. In some embodiments, systems and methods for binding network bridge and network access authentication are also provided related to, inter alia, interactions between a PAA and a layer-2 switch, such as, e.g., for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of, e.g., the above. In some other embodiments, systems and methods for bootstrapping multicast security from network access authentication protocol are also provided related to, inter alia, key management for protected IP multicast streams, such as, e.g., to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of, e.g., the above.

Systems and methods are provided which implement a bridge server to provide user access to one or more secure applications. A bridge server of embodiments is disposed between a user and a secure application and invokes bridge server security protocols with respect to the user and secure application security protocols with respect to the secure application. In operation according to embodiments, client applications will link into a bridge server, the user will be authenticated by the bridge server, and a valid user will be correlated to an account of the secure application by the bridge server. Bridge servers of embodiments facilitate providing features with respect to secure application user access unavailable using the secure application security protocols.

A client-server authentication method for use where a server process has access to a repository storing cipher-protected client passwords. The method includes applying the same cipher function to the client's copy of its password as was previously applied to generate the stored cipher-protected client passwords. This ensures that both the client and server have access to an equivalent cipher-protected client password-providing a shared secret for driving a mutual challenge-response authentication protocol without having to convert the password into cleartext at the server. The invention can be implemented without significant additional software infrastructure in a UNIX environment. Client passwords are typically stored in the UNIX password repository under the protection of the crypt( ) function applied to the combination of the password and a random number (a "salt'). By sending the salt to the client system together with the server's initial challenge of the authentication protocol, a process at the client is able to apply the crypt( ) function to the client password with the same salt such that the client and server have a shared secret for use as, or to generate, a common session key for the authentication.

Methods among nodes of a computer network for establishing a connection between the server and the client. A client node sends a session-invitation message to a server node. The session-invitation message is a message in a first protocol that establishes a channel at the level of the first protocol between the client and the server according to parameters of the session-invitation message that specify characteristics of session in a second protocol. An intermediary node of the network adding new information to the session-invitation message requesting modification of the session policies, and transmits the session-invitation message to the server node. The server receives the session-invitation message, and sends a provisional response back to the client, and holding in abeyance a success or failure response to the session-invitation, without establishing a channel at the level of the first protocol if no such channel is previously established, and without disrupting a channel at the level of the first protocol if such channel has been previously established. When the client receives the provisional response, it reconfigures the characteristics of the session of the second protocol, and sends an amended request to the server. When the server receives the amended request, the server sends a success or failure response to the client, the content of the response being based at least in part on the amended session-invitation, and being of a form defined in the protocol as being an appropriate response form for reply to the original session-invitation message.

A system, apparatus, and method are disclosed for providing quality of service (QoS) for a network data connection. The network data connection uses a network protocol selectable from a plurality of network protocols. A QoS module can receive a request for a generic QoS and apply this to the network protocol using a specific QoS associated with the protocol. The QoS module may include features for automatic management of QoS and a user interface for changing data connection parameters.

Embodiments of the invention include apparatuses, methods, and computer-program products that provide for a unique financial transaction security system. In one embodiment, the financial transaction security system receives a security protocol from a user. The security protocol includes instructions for allowing transactions without authentication and security features for the user if authentication is necessary. The system then determines that the user is conducting a transaction, compares the transaction to the instructions, and determines whether the transaction can occur without authentication. If the user is required to authenticate his identity, the system requests input from the user, compares the input to the security feature, and determines if the user is authenticated. The user is able to customize both the instructions and the security features to provide greater control over financial transaction security.

In one embodiment of the present invention, a messaging program at a remote computer can send a first message to a portal computer according to a one-way protocol such as HTTP. A portal program at the portal computer can receive the first message and determine if information should be sent to the portal computer. If so, the portal computer can generate a reply message that includes the information and send the reply message to remote computer on the same connection over which the first message was received. In this manner, the portal computer can send configuration control information and other information to the messaging program without requiring leased lines, dial-up connections or a VPN. Moreover, since the communication according to the one-way protocol was initiated at the remote computer, a firewall will allow the remote computer to receive the reply message.

A client is authenticated to a network resource wherein the client is coupled to a biometric sensor. The client signals a request to the network resource (e.g., by connecting to an access point). The network resource initiates a point-to-point LAN authentication protocol between the network resource and the client. The network resource requests biometric data from the client via the LAN authentication protocol (optionally either before or after authenticating with other credentials). The client captures biometric data of an attendant user of the client. The client transmits the captured biometric data to the network resource via the LAN authentication protocol. The network resource encapsulates the biometric data in the LAN authentication protocol into an authentication server protocol and forwards the encapsulated biometric data to an authentication server. The authentication server compares the biometric data to a biometric template stored in conjunction with the authentication server for making a determination whether the attendant user should be granted access to the network resource. The authentication server sends either an access-accept message or an access-deny message in the authentication server protocol to the network resource in response to the determination. The network resource grants access to the client only after receiving an access-accept message.

A method to enable access to resources hosted in a compute cloud begins upon receiving a registration request to initiate a user's registration to use resources hosted in the compute cloud. During a registration process initiated by receipt of the registration request, a federated single sign-on (F-SSO) request is received. The F-SSO request includes an assertion (e.g., an HTTP-based SAML assertion) having authentication data (e.g., an SSH public key, a CIFS username, etc.) for use to enable direct user access to a resource hosted in the compute cloud. Upon validation of the assertion, the authentication data is deployed within the cloud to enable direct user access to the compute cloud resource using the authentication data. In this manner, the cloud provider provides authentication, single sign-on and lifecycle management for the user, despite the “air gap” between the HTTP protocol used for F-SSO and the non-HTTP protocol used for the user's direct access to the cloud resource.

A system that incorporates teachings of the present disclosure may include, for example, a Unified Messaging System (UMS) having a Session Border Controller (SBC) to receive a Session Initiation Protocol Uniform Resource Identifier (SIP URI), detect from a host portion of the SIP URI that the SIP URI is associated with a failover communication session, update a user portion of the SIP URI to indicate a failure disposition, and route the updated SIP URI to a call agent of the UMS. Additional embodiments are disclosed.

A service gateway provides a proxy between a client protocol and a plurality of standard communication protocols. The service gateway provides asymmetrical routing, data compression and encryption to optimize client processing power and communication link bandwidth. The service gateway enables content translation between clients and service providers. The service gateway keeps track of client available memory and sequence numbers in messages to generate error codes when applicable. A store and forward message capability is provided along with abstract session identifiers. The service gateway supports user datagram protocol.

In asynchronous public network, synchronous leaderless Byzantine consensus protocol operating with guaranteed safety and time-bound termination of individual protocol rounds is enabled with nodes having clustered architecture and highly available data transactions, and implemented with algorithm that defuses the effect of stop-faulty processes and bypasses the partitioned network links. Utilizing the time-bound consensus, a protocol and architecture for cross-chain transactions accomplish safe interoperability across blockchain networks. Multiple cross-chain transacting networks interconnected in a federation overcome the limitations of blockchain networks with monolithic ledgers in regard to transaction latency, scalability of throughput, volume of managed data, and openness for further interoperability.

A method and system for load balancing over a cluster of authentication, authorization and accounting (AAA) servers. The method performs a distribution of AAA requests among AAA servers having an active AAA connection with an AAA client. The method includes establishing TCP connections with a plurality of AAA servers, using a TCP connection request received from at least one AAA client; opening AAA connections with a plurality of AAA servers, using an AAA connection request received from at least one AAA client, and distributing AAA requests to AAA servers with an active AAA connection according to a predefined load balancing algorithm. The invention is further capable of multiplexing outbound messages and requests received from a plurality of AAA servers. The AAA protocol supported by the invention includes, but is not limited to, a Diameter protocol, a lightweight directory access protocol (LDAP), and the likes.

The present invention provides an NAT (Network Address Translator) traversal method in Session Initiation Protocol (SIP) for solving the problems of SIP in Internet phone (VoIP) under current Internet environment. In other words, the present invention solves the SIP problems caused by NAT (Network Address Translator) that P2P (Peer to Peer) transmission cannot traverse the NAT firewall directly. The major content of the present invention is that the computer conducts multiple detections before issueing an Invite message in order to detect the rule of the NAT server to assign port number

A method for a client and server based messaging system efficiently exchanges messages over an IP connection in a wireless network. Also included is an automated method by which a messaging client can request intelligent and efficient presence updates from the wireless network by utilizing timers and adapt such timers based on load conditions in the wireless network.

A method and apparatus for communicating gaming machine settings is disclosed. In one embodiment a universal configuration communication protocol is provided for retrieving or modifying, over a network, current gaming machine setting of a remotely located gaming machine. A translation table may be implemented with the communication protocol to achieve variable translation between different gaming machine platforms. In one embodiment the gaming machine status is requested prior to activating the communication protocol to prevent interruption of game play. In one embodiment activation of the communication protocol may result in the gaming machine momentarily entering an inactive status.