172 results about "Transport Layer Security" patented technology

Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or "SSL", or Transport Layer Security, or "TLS") is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques.

A system for securing communications between a client and an application server comprises a session key management server and the application server. The system enables network address translation firewall traversal. The session key management server comprises a key management application, a session key database, and a notification services application. The key management application receives a first transport layer security connection request from the client and negotiates a device session master key with the client as part of the transport layer security exchange. The session key database is coupled to the key management application for storing the device session master key in conjunction with an identification of the client. The notification services application coupled to the session key database and provides a notification message to subscribing application servers. The notification message comprises the device session master key in conjunction with an identification of the client.

A method and system for controlling admission of new nodes to a secured conference combines transport layer security mechanism and application layer certificate exchange. A new node that is not directly connected to the top provider of the conference sends a request to join the conference and a certification identifying itself to a first conference node connected to the top provider. The first node performs transport level authentication of the new node, and then forwards the request and certificate of the new node on an application level to the top provider. The top provider verifies the identity of the new node based on the certificate. If the new node is allowed to join the conference, the top provider updates a list of conference participants and makes the certificate of the new node available to other conference nodes so that they can also verify the identity of the new node.

A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating a cryptographic evidence, called authentication/authorization evidence, AE, when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point being that AE results from the authentication process and is used as prior state for the following TLS exchange. An example for creation of AE, is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers.

Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or "SSL", or Transport Layer Security, or "TLS") is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques.

A security key, such as an encryption key, is generated so as to make it more difficult for eavesdroppers to identify the key. Specifically, a cryptographically secure random number generator generates a random bit sequence that is included in a seed. This random seed is provided along with a negotiated master secret to a key generation module. The key generation module may implement a pseudo random function that is in accordance with the Transport Layer Security (TLS) protocol or the Wireless Transport Layer Security (WTLS) protocol. This key may then be used to encrypt a plain text message to form an encrypted data packet. The encrypted data packet also includes the random seed in unencrypted form. The encrypted data packet may be transmitted over a public network to a recipient with reduced risk of eavesdropping.

Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.

A method for locating partial discharge of electrical equipment is used for detecting and locating partial discharge of the electrical equipment. The technical scheme includes the steps: firstly, using three ultrasonic array sensors to receive partial discharge ultrasonic signals at different positions of the electrical equipment and forming an array model; then, converting broadband signals received by the three ultrasonic array sensors into narrow-band signals by applying a TLS (transport layer security)-based broadband focus algorithm, and obtaining azimuth information of partial discharge sources according to a narrow-band direction-finding algorithm combining the phase matching principle and cloud optimization search; and finally, determining specific positions of electrical equipment partial discharge by means of a partial discharge source location algorithm based on global optimization search of a modified genetic algorithm. The invention simultaneously provides an improved system for locating partial discharge. Compared with a traditional method for locating partial discharge, the method has the advantages of small calculation amount, high direction-finding precision, accuracy in location, high convergence rate and the like, and the system for locating partial discharge is simple in structure, low in cost and high in location precision.

A method for handling user identity and privacy, wherein a first Session Initiation Protocol (SIP) proxy is about to forward a SIP request to a next SIP proxy includes the step of determining whether Transport Layer Security (TLS) is supported in a hop to a next SIP proxy. When TLS is supported, the method includes establishing a TLS connection to the hop to the next SIP proxy, requesting a certificate from the next SIP proxy, receiving the certificate, verifying the certificate and trustworthiness of a network of the next SIP proxy and retaining identity information when the certificate and the trustworthiness of the network is verified. When TLS is not supported, or when the certificate is not verified, or when the trustworthiness of the network is not verified, the identity information is removed. Thereafter, the SIP request is forwarded over the TLS connection.

Methods and systems for providing non-proxy Secure Sockets Layer and Transport Layer Security (SSL/TLS) support in a content-based load balancer are described. A Transmission Control Protocol (TCP) connection is accepted from a client, and an SSL/TLS connection is established with the client such that random data used in key generation is created. A request is received from the client, and the request is decrypted. The request is processed, a target stack is selected, and the TCP connection, the SSL/TLS connection, and the random data are transferred to the selected target stack such that the client and selected target stack maintain an end-to-end TCP connection with a non-proxy SSL/TLS connection.

A computer system can send a secure request over a named-data network to a remote device by generating an Interest with encrypted name components. During operation, the computer system can receive or obtain a request for data, such as from a local user or from a local application. If the system cannot satisfy the request locally, the system can determine at least a routable prefix and a name suffix associated with the request. The system can generate the secure Interest for the request by determining an encryption key that corresponds to a session with the remote computer system, and encrypts the name suffix using the session encryption key. The system then generates an Interest whose name includes the routable prefix and the encrypted name suffix, and disseminates the Interest over a named-data network to send the request to the remote computer system.

A transport layer security (TLS) connection is established between a signature device and the host computer via an interface (e.g., a universal serial bus (USB) interface). The signature device acts as a TLS server, and the host computer acts as a TLS client. Data such as pen data, control data, or image data may be received or transmitted via a USB bulk transfer mechanism. In one aspect, the host computer sends a command via the interface to the signature device to generate a new key pair, receives a certificate signing request (CSR) from the signature device via the interface, sends the CSR to a user certificate authority, receives a public key certificate from the user certificate authority, and sends the public key certificate to the signature device via the interface.

The invention discloses a realization method for transport layer security in a session initiation protocol (SIP) network based on a shared key. The method comprises the following steps: (a) a shared main key and a derivation algorithm are stored at a SIP terminal and in an authentication center (AuC); (b) the SIP terminal is interacted with a network side device based on a SIP security negotiation standard frame, the support for the security protocol of the transport layer is increased, and the SIP terminal and the SIP network side respectively generate the required encryption and integrity protection keys, so as to realize the transport layer security of the SIP network. By adopting the method, the TCP negotiation in the SIP network can be realized, the method not only can be suitable for the connection transport of the SIP such as TCP, UDP, etc., but also can ensure the security of information transmission in the SIP network; the method not only can be suitable for soft switching and IMS network, but also can be suitable for other networks which adopt the SIP as the control protocol, for example, the SIP-based VoIP network.

The invention provides a method and device for loading a digital certificate in SSL/TLS communication. The method comprises the steps that a handshake request message sent by a client based on a secure socket layer protocol SSL or a transport layer security protocol TLS is received; a key exchange mode and a first signature mode supported by the client are verified according to the handshake request message; whether the key exchange mode and the first signature mode match the currently loaded digital certificate is determined; if not, another digital certificate matching the key exchange mode and the first signature mode is loaded; and a handshake response message is returned to the client according to the key exchange mode and the first signature mode, wherein the key exchange mode and the first signature mode successfully match the digital certificate. According to the embodiment of the invention, the appropriate digital certificate is dynamically loaded during handshake negotiation to ensure successful SSL/TLS handshake negotiation.

The invention discloses an end-to-end secret key negotiation method for VoIP (Voice Over Internet Protocol) real-time data safety transmission, which is applicable to mobile phone terminals. The method comprises the following steps of (1) in a signal security transmission stage, adopting a TLS (Transport Layer Security) protocol to bidirectionally authenticating and protecting an SIP (Session Initiation Protocol) signal; (2) in an end-to-end secret key negotiation stage, adopting a two-layer encryption way, at a first layer, respectively adopting the TLS protocol to protect between a communication initiator and a server as well as between the server and a communication receiver, and at a second layer, respectively using SM2 (Signal Module) public keys of the communication initiator and the communication receiver to protect secret key negotiation parameter information of the communication initiator and the communication receiver. According to the end-to-end secret key negotiation method for VoIP (Voice Over Internet Protocol) real-time data safety transmission, the two-layer encryption way is adopted to protect the secret key negotiation parameters, and the signal is bidirectionally authenticated and protected at the signal transmission stage, so that the safety of information transmission is greatly improved.

The invention provides a message sending and receiving method, device and system. The message sending method comprises the following steps of: sending a client handshaking message to a server, wherein the client handshaking message carries identification of a server certificate cached by the client; receiving a server handshaking message sent by the server, wherein when the server determines the identification of the server certificate cached by the client comprises identification of a certificate to be used by the server, the server handshaking message carries the identification of the certificate to be used by the server; and encrypting a client secrete key exchange message to be sent through a searched public key in the server certificate, and sending the encrypted client secrete key exchange message to the server. With the adoption of the message sending and receiving method, device and system provided by the invention, the data amount in a TLS (Transport Layer Security) handshaking process can be reduced; the time of occupying the TLS handshaking process is shortened; and the speed of TLS connection can be further improved.