WO2004008683A2 - Automated network security system and method - Google Patents
- Publication number: WO2004008683A2 (PCT application PCT/IL2003/000579)
- Authority: WO (WIPO (PCT))
- Prior art keywords: access, network, user, wireless network, wireless
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
          - H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
          - H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
            - H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
      - H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
        - H04L2209/80—Wireless
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
          - H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
            - H04W12/0431—Key distribution or pre-distribution; Key agreement
            - H04W12/0433—Key management protocols
        - H04W12/06—Authentication
          - H04W12/069—Authentication using certificates or pre-shared keys
      - H04W74/00—Wireless channel access, e.g. scheduled or random access
Definitions
- the present invention relates generally to wireless communication networks and, more particularly, to systems and methods for automatically providing secure communications between devices over a wireless network.
- WLANs: wireless LANs
- WLAN access points: provide wireless devices entry to wired networks
- WNICs: wireless network interface cards
- because WNICs are made by multiple manufacturers, they generally do not include authentication certificates or other identifiers which are found in other wireless devices such as, for example, cellular phones.
- APs and WNICs do include a unique hardware identifier for the device in the form of a media access control (MAC) address.
- MAC: media access control
- in cellular networks, both base stations and mobile stations are manufactured by a limited group of vendors and manufacturers. Additionally, cellular networks use a standardized configuration. These factors make it relatively easy to coordinate hardware-based authentication and encryption. In contrast, for wireless IEEE 802.11 LANs there are over fifty device vendors, multiple manufacturers, and a large number of possible network configurations. Accordingly, it is a far greater challenge to authenticate valid users and enable data encryption in IEEE 802.11 wireless networks.
- the WLAN standard, as defined by the IEEE 802.11 specification, defines two authentication algorithms for 802.11-based networks.
- a first form of authentication is referred to as an Open System method.
- the Open System employs a null authentication algorithm in that any station requesting authentication is granted access.
- a second form of authentication is referred to as a Shared Key Mode System method.
- the Shared Key Mode System requires that both a requesting station and a granting station are configured with matching encryption keys. For example, the requesting station sends an authentication request to the granting station.
- the granting station sends a plain text challenge frame to the requesting station.
- the requesting station encrypts the challenge frame and sends it back to the granting station.
- the granting station attempts to decrypt the frame, and if the resulting plain text matches what the granting station originally sent, then the requesting station has a valid key and is granted access.
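The Shared Key Mode exchange described above, written out with both sides' messages, as an added example that is not part of the patent. The cipher is a constructed SHA-256 keystream stand-in for the 802.11 frame encryption (it is not WEP's RC4), and the station ids, key bytes and nonce length are assumptions; the Open System null algorithm is included for contrast.

```python
import hashlib
import hmac
import os


# Constructed stand-in for the 802.11 Shared Key cipher: a keystream derived
# from SHA-256 over (key, nonce, counter) and XORed with the frame. It is not
# WEP's RC4; it only lets the challenge/response exchange run offline.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_frame(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    stream = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


decrypt_frame = encrypt_frame  # XOR with the same keystream undoes the encryption


class GrantingStation:
    """Access-point side: issues a plaintext challenge and checks the encrypted reply."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}  # requester id -> outstanding challenge

    def challenge(self, requester_id: str) -> bytes:
        # A fresh random challenge per request, so an old reply cannot be reused.
        c = os.urandom(16)
        self._pending[requester_id] = c
        return c

    def verify(self, requester_id: str, nonce: bytes, ciphertext: bytes) -> bool:
        expected = self._pending.pop(requester_id, None)
        if expected is None:
            return False  # no outstanding challenge for this station
        recovered = decrypt_frame(self._key, nonce, ciphertext)
        # Constant-time comparison of the recovered plaintext with what was sent.
        return hmac.compare_digest(recovered, expected)


class RequestingStation:
    """Client side: encrypts the challenge with its configured key."""

    def __init__(self, station_id: str, configured_key: bytes):
        self.station_id = station_id
        self._key = configured_key

    def respond(self, challenge: bytes):
        nonce = os.urandom(4)  # per-frame nonce, sent in the clear with the reply
        return nonce, encrypt_frame(self._key, nonce, challenge)


def shared_key_authenticate(ap: GrantingStation, station: RequestingStation) -> bool:
    """Run the exchange: request, plaintext challenge, encrypted reply, verdict."""
    challenge = ap.challenge(station.station_id)              # request + challenge
    nonce, ciphertext = station.respond(challenge)             # encrypted reply
    return ap.verify(station.station_id, nonce, ciphertext)    # decrypt and compare


def open_system_authenticate(ap: GrantingStation, station: RequestingStation) -> bool:
    """The Open System method: a null algorithm that grants every request."""
    return True
```

A station configured with a different key produces a reply that decrypts to something other than the challenge, so it is refused; a reply for which no challenge is outstanding is refused as well.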
- the inventors have realized that the process of configuring a Shared Key Mode system typically requires human intervention and, as such, is inefficient. Accordingly, there is a need for an improved method for automatically providing secure communications between devices over a wireless network.
- the wireless network includes a server and a software agent installed on the server.
- the method includes automatically installing the software agent on the requesting device; executing the software agent on the requesting device to gather identification information from the device, prompting a user of the device to provide authentication information and transmitting the identification and authentication information to the server.
- the server verifies the identification and authentication information. When successfully verified, the server stores the identification and authentication information on an authorized access list, provides a unique key to the requesting device and grants the device access to the wireless network.
- when verification fails, the server stores the identification and authentication information on an unauthorized access list and denies the requesting device access to the wireless network.
- the method includes receiving the unique key corresponding to the requesting device; retrieving the identification and authentication information corresponding to the unique key; comparing the identification and authentication information with the authorized and unauthorized lists; and based on the comparison, granting or denying the requesting device access to the wireless network.
- when denying a requesting device access, the server generates a notification message that an unauthorized device has attempted to access the wireless network.
- when granting a requesting device access, the server provides access in accordance with the existing network access rights of the user operating the requesting device.
- the initial connection by a requesting device is limited to an isolated network segment with no access to network resources.
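The server-side procedure summarised in the items above (verify, store on the authorized or unauthorized list, issue a unique key, grant or deny later access by key, notify on denial, start in an isolated segment, roll keys over), as an added example that is not the patent's own software. The credential dictionary stands in for the directory or RADIUS back end, the rights dictionary for the user's existing network permissions, and the segment name, device fields and key length are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class DeviceInfo:
    """Identification data the agent gathers from the requesting device (constructed fields)."""
    mac: str
    serial: str
    os_name: str


@dataclass
class EnrollmentRecord:
    user: str
    device: DeviceInfo
    key: str  # unique key issued to this device


class EnrollmentServer:
    def __init__(self, credentials: Dict[str, str], network_rights: Dict[str, Set[str]],
                 isolated_segment: str = "quarantine-vlan"):
        # Constructed stand-ins for the directory/RADIUS back end and for the
        # user's existing network permissions.
        self._credentials = credentials
        self._network_rights = network_rights
        self.isolated_segment = isolated_segment
        self.authorized: Dict[str, EnrollmentRecord] = {}   # unique key -> record
        self.unauthorized: Set[Tuple[str, str]] = set()     # (user, mac) pairs
        self.notifications = []

    def initial_segment(self) -> str:
        """Every new connection lands here: no access to network resources yet."""
        return self.isolated_segment

    def enroll(self, device: DeviceInfo, user: str, password: str) -> Optional[str]:
        """Verify the submitted identification + authentication information.

        Success: record stored on the authorized list and the unique key returned.
        Failure: pair stored on the unauthorized list, notification raised, None returned.
        """
        expected = self._credentials.get(user, "")
        verified = (hmac.compare_digest(expected, password)
                    and (user, device.mac) not in self.unauthorized)
        if not verified:
            self.unauthorized.add((user, device.mac))
            self.notifications.append(
                f"unauthorized device attempted access: user={user} mac={device.mac}")
            return None
        key = secrets.token_hex(16)
        self.authorized[key] = EnrollmentRecord(user, device, key)
        return key

    def access(self, key: str) -> Optional[Set[str]]:
        """Subsequent access: look the record up by key, check the lists, apply the rights."""
        record = self.authorized.get(key)
        if record is None or (record.user, record.device.mac) in self.unauthorized:
            self.notifications.append(f"access denied for key {key[:8]}...")
            return None
        return set(self._network_rights.get(record.user, set()))

    def rollover(self) -> Dict[str, str]:
        """Key Rollover: replace every issued key; the old keys stop working at once."""
        replaced = {}
        for old_key, record in list(self.authorized.items()):
            new_key = secrets.token_hex(16)
            record.key = new_key
            self.authorized[new_key] = self.authorized.pop(old_key)
            replaced[old_key] = new_key
        return replaced
```

The key is the only thing a device presents on later connections, so the record it indexes carries the user and device identity that the lists are compared against; after a rollover an old key is simply absent from the authorized list and is denied like any unknown key.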
- FIG. 1 is a simplified block diagram of a conventional wireless local area network
- FIGs. 2A and 2B are a simplified block diagram of a wireless local area network (WLAN) constructed and operative in accordance with one embodiment of the present invention
- FIG. 3 is a flow diagram illustrating operations of application programming logic incorporating techniques, in accordance with one embodiment of the present invention, for automatically providing secure communications over the WLAN of FIGs. 2A and 2B; and
- FIG. 4 depicts a security record, in accordance with one embodiment of the present invention.
- FIG. 1 illustrates a conventional wireless local area network (WLAN) 10.
- WLAN: wireless local area network
- WLAN 10 includes a server module 12 connected via a wired communication bus 14 to peripheral devices such as, for example, a network laser printer 16.
- a plurality of wireless access points (APs) 18 are coupled to the communication bus 14 through a wired Ethernet connection.
- Wireless APs 18 are adapted to send and receive data to a plurality of wireless devices, shown generally at 20.
- the data include, for example, data content, requests for and receipt of server module-based services, and the like.
- Devices 20 include wireless-enabled computing devices such as, for example, laptop and notebook computers, personal digital assistants (PDAs), pagers and radio telephones, having wireless network interface cards (WNICs) installed therein.
- PDAs: personal digital assistants
- WNICs: wireless network interface cards
- through manual setup and installation operations it is possible to transform WLAN 10 from its default Open System configuration to a secure Shared Key Mode configuration. Due to the amount of time and effort required for such manual implementation, however, this solution is practical only for very small networks. As a result, security in most wireless networks is not implemented, leaving them vulnerable to eavesdropping, unauthorized access, and a variety of other attacks.
- FIGs. 2A and 2B illustrate a wireless local area network (WLAN) 100 constructed and operative in accordance with one embodiment of the present invention.
- WLAN 100 includes a server module 112, a wired communication bus 114, and at least one wireless AP 118 coupled to communication bus 114 through a wired Ethernet connection.
- Wireless AP 118 is assigned a unique IP (Internet Protocol) address and is operative to send data to and to receive data from a plurality of wireless devices 120, such as a wireless-enabled laptop computer.
- the data are transmitted between wireless devices 120 and wireless AP 118 by way of radio frequency (RF), infrared (IR) signals or the like, illustrated in FIGs. 2A and 2B as signals 124 and 124', respectively.
- RF: radio frequency
- IR: infrared
- Communication between wireless AP 118 and wireless devices 120 is conducted in accordance with a wireless data transmission protocol such as, for example, the IEEE 802.11 Wireless LAN Medium Access Control and Physical Layer Specification, which is incorporated by
- Wireless devices 120 communicate with other devices coupled to the WLAN 100 (e.g. , server module 112) via wireless AP 118 and communication bus 114. Accordingly, wireless AP 118 is a bridge between the wireless devices and the devices coupled to the wired network (via communication bus 114). Security protocols executing on server 112 manage security of both wireless AP 118, which resides on the wired network, and wireless devices 120, which use wireless communications to access the wired network via wireless AP 118.
- a software module 122, referred to herein as a Virtual Locksmith™ (VL), is resident on server module 112 (FIG. 2A) and is operative to function as an "intelligent software agent" to automatically carry out authentication and verification tasks as shall be described more fully below.
- VL 122 is automatically downloaded from server module 112 via wireless AP 118 and wireless channel 124 (unencrypted) to wireless device 120 and is automatically installed thereon (as illustrated in FIG. 2B at 122').
- VL 122' is operative to collect information about the particular wireless device and the user of the device. This information is automatically sent to server module 112 for verification and authentication.
- server module 112 distributes encryption keys via VL 122' to wireless device 120, and the user is allowed access to network 100 using an encrypted channel 124' (FIG. 2B).
- with reference to FIG. 2B, an exemplary operation of the present invention may be appreciated.
- the Virtual Locksmith™ module is automatically downloaded from the network server to the user's wireless device (Block 210) and installed thereon.
- the VL module collects device information and presents a logon screen, which may include a request for additional authentication information as defined by management and security personnel of the network (Block 220).
- the user then enters authentication information (Block 230) which may incorporate standard authentication methods such as, for example, Extensible Authentication Protocol (EAP), password authentication (PAP), Challenge Handshake Authentication Protocol (CHAP), and/or one-time passwords such as those generated by RSA's SecurID™ product, or a social security number taken from a data store of human resources information.
- EAP: Extensible Authentication Protocol
- PAP: password authentication
- CHAP: Challenge Handshake Authentication Protocol
- the authentication information may be input through a physical identification system employing a biometric device.
- the VL module then sends the device information and the user authentication information to the network server (Block 240) and this information is stored in a data store (Block 260) accessible by the server.
- an authentication and verification process is then carried out on the server.
- the authorization credentials may include, but are not limited to, information such as user name, password, one-time password (e.g. a dynamic password used in products such as SecurID™), personal information, biometric identifier or any other user authentication technique.
- the network server may pass authentication input to supplemental authorization servers (not shown), such as network permissions applications, RADIUS authentication servers, and/or additional authorization servers as required.
- customization may include requesting, in addition to user name and password, an additional piece of information such as a personal identification number.
- the server then passes the personal identification number to a data store (e.g., a Human Resource Department's database), and queries for verification of this user's personal identification number in the data store.
- a wireless network operative in accordance with the present invention may also include a trusted network user access control mechanism for incorporating existing network permissions applications used to create, manage and maintain user names, passwords and other authorization credentials.
- access control mechanisms include, for example, Novell's Directory Services™, Microsoft's Active Directory™, HP's Openview™ network permissions module, and the like.
- the network server interfaces with these products by relaying authorization information from users and querying these systems to validate authorized users. Validated users are granted access to the network (Blocks 280 and 300) while invalid users are disconnected and possibly added to a "Black List" (i.e., unauthorized access list) to prevent wireless access in the future (Block 290).
- the VL module on the user's device is automatically configured so as to provide encryption keys necessary for accessing the network (Block 280).
- the authenticated user attempts to access the network on subsequent occasions, the user's device is recognized as a valid device, and access to the network is allowed.
- the encryption keys are automatically changed (Block 300) at regular intervals, e.g., every ten minutes, in a process known as Key Rollover.
- FIG. 4 provides an exemplary record of the type of information which may be stored in a data storage device of a wireless network operative in accordance with the present invention.
- the record may include user information (410) including user name, device information (420) including type, serial number and operating system of the device, and authentication rules (430).
- the authentication rules are utilized to implement any of a number of wireless security measures, such as the Key Rollover period or access restrictions which may bar access during certain times of the day or to certain individuals or user groups within an organization.
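The security record of FIG. 4 and the authentication rules it carries (Key Rollover period, time-of-day windows, barred individuals and user groups), as an added example that is not the patent's own data format. The field names, the rule shapes and the ten-minute default are assumptions chosen to match the text; a real record would live in the server's data store rather than in a dataclass.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional, Tuple


@dataclass
class AuthRules:
    """Authentication rules (430) attached to a security record; constructed fields."""
    key_rollover_period: timedelta = timedelta(minutes=10)
    allowed_hours: Optional[Tuple[int, int]] = None   # (start, end) on a 24h clock, end exclusive
    allowed_groups: Optional[FrozenSet[str]] = None   # None = no group restriction
    barred_users: FrozenSet[str] = frozenset()


@dataclass
class SecurityRecord:
    user_name: str                  # user information (410)
    user_groups: FrozenSet[str]
    device_type: str                # device information (420)
    serial_number: str
    operating_system: str
    rules: AuthRules
    key_issued_at: datetime         # when the device's current key was issued


def key_needs_rollover(record: SecurityRecord, now: datetime) -> bool:
    """True once the current key has been in use for a full rollover period."""
    return now - record.key_issued_at >= record.rules.key_rollover_period


def access_decision(record: SecurityRecord, now: datetime) -> Tuple[bool, str]:
    """Apply the record's rules in order; returns (granted, reason)."""
    rules = record.rules
    if record.user_name in rules.barred_users:
        return False, "user is barred by policy"
    if rules.allowed_groups is not None and not (record.user_groups & rules.allowed_groups):
        return False, "user is not in an allowed group"
    if rules.allowed_hours is not None:
        start, end = rules.allowed_hours
        if not (start <= now.hour < end):
            return False, f"outside allowed hours {start:02d}:00-{end:02d}:00"
    return True, "granted"
```

The rollover check is evaluated against the issue time stored in the record rather than a timer on the device, so the server decides when a device's key is due regardless of the client's clock.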
- a wireless network operative in accordance with the present invention may include lists of both authorized and unauthorized users and/or devices.
- an access control table defining a list of permitted or excluded devices typically is stored in hardware at a wireless access point (AP).
- AP: wireless access point
- the access control table identifies devices by their MAC address, which is unique to each WNIC.
- the number of included and excluded devices is limited to the number of lines in the access control table. Since it is stored in hardware, the amount of space varies from vendor to vendor and typically ranges between 16 and 256 devices per access point. It will be appreciated that this is not nearly enough capacity for the number of devices in a typical corporate or public environment.
- the present invention overcomes this problem by dynamically creating, managing and maintaining lists of included and excluded devices.
- through dynamic access control list management, the system in accordance with the invention is able to overcome the limit on devices imposed by current access table implementations.
- device and user management is done via a centralized management console (not shown) associated with the network.
- the VL module may be used to send a specific software application from the network server to a wireless device accessing the network and then to monitor the amount of time the user has accessed services provided by the application provider. At pre-defined intervals, the VL module sends a message to a central server about the amount of time those services were accessed; the central server stores the information and provides the usage information to companies participating in billing and reconciliation agreements.
- Quality of Service: in the current state of the art, since disparate users on a computer network each have different computing requirements, efficient use of the computer network is facilitated through proper bandwidth allocation. Proper bandwidth allocation for both private and public networks is often referred to as Quality of Service (QoS). In wired networks, bandwidth allocation is typically handled by network routers connected to network interface cards. In wireless applications, it is difficult to measure bandwidth usage. In one implementation of the present invention, the VL module is operative to deliver a software application to the user's device which measures the amount of bandwidth consumed by the user. The bandwidth utilization information is then sent at pre-determined intervals to a central server where the information is forwarded to load balancing hardware for bandwidth allocation and ensuring of Quality of Service.
- QoS: Quality of Service
- ISPs: Internet Service Providers
- bandwidth usage will be stored on the server and forwarded to a billing system in order to charge the customer.
- the VL module may be operative to install a software application on each user's device which records the IP address of the user during specific Internet sessions. The IP address information is then sent to an IP address location system, which in the current state of the art charts IP addresses according to their geographical location. This information is then stored in the server, thus giving the IT administrator a map of the last known location of mobile employees at a given time.
- the VL module may be operative to identify the access point through which the user is accessing the network, including its signal quality and direction, and to send this information to the server. The user's location may then be identified based upon the known location of the access point.
- the VL module is operative to simultaneously install one or more software programs located on the server, to multiple wireless clients.
- Configuration: there are many cases where IT departments in companies want a uniform configuration of wireless devices. These configuration parameters may include, but are not limited to, assignment of an IP address, assignment of a wireless network name (also known as an SSID, Service Set Identifier) and determination of the security method (WEP enabled or disabled, encryption key size of 64 or 128 bits, etc.).
- the VL module is operative to download configuration information to one or more client devices in order to ensure proper configuration and make efficient use of IT resources.
- the VL module is operative to both perform authentication, and if successful, install the certificate on the client device. Since the VL module creates an encrypted channel, as described above, the certificate is passed securely to the client device.
- Isolated Network Segment: according to one embodiment of the present invention, the initial communication between the user and the network is restricted to an isolated network segment which is not connected to the rest of the network. Only after the user is authenticated and encryption keys are enabled on his device is the user provided access to the rest of the network.
- Security Policy: a security policy is a document which dictates the security regulations to be practiced for a specific company or organization. It is recommended by security experts that, as wireless communications become more ubiquitous, specific reference to a Wireless Security Policy should be addressed as part of a general Security Policy document. In the current state of the art, it is very difficult to enforce a specific wireless security policy, since it is difficult to differentiate between wired and wireless users.
- the VL module is operative to send a software application to the client (user device), which is capable of implementing a Wireless Security Policy.
- an authenticated user may only access the wireless network from a single identified device. In this version, once an authorized user has successfully accessed the wireless network with identified device A, he will be denied access to the network if he attempts to access the network from device B.
- an authenticated user may be allowed access to the network from more than one device. Under such a policy, even though the user has previously accessed the wireless network from device A, he will be given a unique encryption key for device B and will be able to access the network both from device A and from device B.
- an alert may be sent to appropriate management and security personnel for additional verification and control.
- multiple authenticated users may be allowed to use shared identified devices to access the wireless network. For example, a user X may have accessed the wireless network with identified device A, and a user Y may have accessed the wireless network with identified device B. According to this security policy, the authenticated users may share the identified devices. Therefore, if user X attempts to access the network with device B, he will be provided access using the encryption keys for device B, although his access rights will be limited to those granted to him, and not those granted to user Y.
- Guest Users: in yet another version of a security policy that may be implemented in accordance with the present invention, guest users may use unidentified devices and are granted guest permission for accessing the wireless network.
- the VL module may be operative to provide the visitor with a temporary encryption key and to identify the visitor's device as a guest device. This information may be stored on the network server and used later for verification the next time the guest user or guest device attempts to access the wireless network.
- the security policy of the company or organization may dictate that the guest user is barred from accessing the wireless network a second time, and in such event the guest will be denied access and his device placed on the unauthorized list.
- the security policy may allow the visitor to regain access to the wireless network, but only after confirmation by a system administrator who has received an alert concerning the attempted access to the network.
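The device-binding and guest policies listed above (single identified device per user, several devices with a unique key per device plus an alert, shared devices with the device's key but the user's own rights, and guests with a temporary key who are either barred or held for administrator confirmation on a second visit), as one added example that is not the patent's own policy engine. The policy names, the `guest_reentry` switch, the rights sets and the key length are assumptions.

```python
import secrets
from enum import Enum
from typing import Dict, Optional, Set


class DevicePolicy(Enum):
    SINGLE_DEVICE = "one identified device per user"
    MULTI_DEVICE = "several identified devices per user"
    SHARED_DEVICES = "authenticated users may share identified devices"


class WirelessAccessPolicy:
    def __init__(self, policy: DevicePolicy, user_rights: Dict[str, Set[str]],
                 guest_reentry: str = "deny"):
        self.policy = policy
        self._rights = user_rights              # constructed: authenticated user -> rights
        self.guest_reentry = guest_reentry      # "deny" or "admin": a guest's second visit
        self.device_keys: Dict[str, str] = {}   # identified device -> its encryption key
        self.user_devices: Dict[str, Set[str]] = {}
        self.guest_devices: Dict[str, str] = {} # guest device -> temporary key
        self.unauthorized: Set[str] = set()     # devices placed on the unauthorized list
        self.admin_approved: Set[str] = set()   # guest devices an administrator let back in
        self.alerts = []                        # messages for management/security personnel

    def request(self, user: str, device: str) -> Optional[dict]:
        """Return {"key", "rights"} on a grant, or None on a denial."""
        if device in self.unauthorized:
            return None
        if user not in self._rights:
            return self._guest_request(user, device)
        known = self.user_devices.setdefault(user, set())
        if known and device not in known:
            if self.policy is DevicePolicy.SINGLE_DEVICE:
                return None  # the user is bound to the first identified device
            if self.policy is DevicePolicy.MULTI_DEVICE:
                self.alerts.append(f"{user} added device {device}; verify with security personnel")
        # Each identified device has one key; under SHARED_DEVICES another user's
        # device key is reused, but the rights are always the requesting user's own.
        key = self.device_keys.setdefault(device, secrets.token_hex(8))
        known.add(device)
        return {"key": key, "rights": set(self._rights[user])}

    def _guest_request(self, user: str, device: str) -> Optional[dict]:
        if device in self.guest_devices and device not in self.admin_approved:
            if self.guest_reentry == "deny":
                self.unauthorized.add(device)   # barred from a second visit
            else:
                self.alerts.append(f"guest {user} returned on {device}; awaiting administrator confirmation")
            return None
        self.admin_approved.discard(device)     # an approval covers one re-entry
        key = self.guest_devices.setdefault(device, secrets.token_hex(8))
        return {"key": key, "rights": {"guest"}}

    def admin_confirm(self, device: str) -> None:
        """Administrator acts on the alert and lets the guest device back in once."""
        self.admin_approved.add(device)
```

Keys are bound to devices and rights to users, which is what lets the shared-device case hand user X the key already issued for device B without inheriting user Y's permissions.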
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/521,429 US20050254652A1 (en) | 2002-07-16 | 2003-07-14 | Automated network security system and method |
EP03764104A EP1532766A2 (en) | 2002-07-16 | 2003-07-14 | Automated network security system and method |
AU2003242968A AU2003242968A1 (en) | 2002-07-16 | 2003-07-14 | Automated network security system and method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US39650702P | 2002-07-16 | 2002-07-16 | |
US60/396,507 | 2002-07-16 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2004008683A2 true WO2004008683A2 (en) | 2004-01-22 |
WO2004008683A3 WO2004008683A3 (en) | 2004-03-18 |
Family
ID=30116038
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IL2003/000579 WO2004008683A2 (en) | 2002-07-16 | 2003-07-14 | Automated network security system and method |
Country Status (4)
Country | Link |
---|---|
US (1) | US20050254652A1 (en) |
EP (1) | EP1532766A2 (en) |
AU (1) | AU2003242968A1 (en) |
WO (1) | WO2004008683A2 (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004107654A1 (en) * | 2003-05-30 | 2004-12-09 | Bluegiga Technologies Oy | Wireless agent application for short-distance connections |
WO2006039178A1 (en) * | 2004-09-30 | 2006-04-13 | Intel Corporation | Method, apparatus and system for maintaining a persistent wireless network connection |
GB2425373A (en) * | 2005-04-21 | 2006-10-25 | Palm Tree Technology Ip Ltd | Authenticating a transaction using unique single-use templates |
WO2006136750A3 (en) * | 2005-06-20 | 2007-05-03 | France Telecom | Authenticating a sever prior to sending identification data of a client |
CN1327663C (en) * | 2005-08-12 | 2007-07-18 | 华为技术有限公司 | Method of user access radio communication network and radio network cut in control device |
GB2445778A (en) * | 2007-01-10 | 2008-07-23 | Nec Corp | Receiving the lock status of a device from a server database |
CN100428714C (en) * | 2004-11-22 | 2008-10-22 | 华为技术有限公司 | Random channel access method in access physical layer for wireless telecommunication system |
US20120185928A1 (en) * | 2003-06-30 | 2012-07-19 | Sony Corporation | Device registration system, device registration server, device registration method, device registration program, storage medium, and terminal device |
US8420160B2 (en) | 2006-09-15 | 2013-04-16 | Intermetallics Co., Ltd. | Method for producing sintered NdFeB magnet |
US8935769B2 (en) | 2012-09-28 | 2015-01-13 | Liveensure, Inc. | Method for mobile security via multi-factor context authentication |
US20170032294A1 (en) * | 2015-07-29 | 2017-02-02 | International Business Machines Corporation | Discovery and communication of team dynamics |
US9754097B2 (en) | 2014-02-21 | 2017-09-05 | Liveensure, Inc. | Method for peer to peer mobile context authentication |
Families Citing this family (59)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2003260071A1 (en) | 2002-08-27 | 2004-03-19 | Td Security, Inc., Dba Trust Digital, Llc | Enterprise-wide security system for computer devices |
US7665125B2 (en) * | 2002-09-23 | 2010-02-16 | Heard Robert W | System and method for distribution of security policies for mobile devices |
US7437752B2 (en) * | 2002-09-23 | 2008-10-14 | Credant Technologies, Inc. | Client architecture for portable device with security policies |
US20060190984A1 (en) * | 2002-09-23 | 2006-08-24 | Credant Technologies, Inc. | Gatekeeper architecture/features to support security policy maintenance and distribution |
US7665118B2 (en) * | 2002-09-23 | 2010-02-16 | Credant Technologies, Inc. | Server, computer memory, and method to support security policy maintenance and distribution |
US7440573B2 (en) * | 2002-10-08 | 2008-10-21 | Broadcom Corporation | Enterprise wireless local area network switching system |
KR100479260B1 (en) * | 2002-10-11 | 2005-03-31 | 한국전자통신연구원 | Method for cryptographing wireless data and apparatus thereof |
US7249177B1 (en) * | 2002-11-27 | 2007-07-24 | Sprint Communications Company L.P. | Biometric authentication of a client network connection |
US8281374B2 (en) * | 2005-09-14 | 2012-10-02 | Oracle International Corporation | Attested identities |
US10275723B2 (en) * | 2005-09-14 | 2019-04-30 | Oracle International Corporation | Policy enforcement via attestations |
US10063523B2 (en) * | 2005-09-14 | 2018-08-28 | Oracle International Corporation | Crafted identities |
US9781154B1 (en) | 2003-04-01 | 2017-10-03 | Oracle International Corporation | Systems and methods for supporting information security and sub-system operational protocol conformance |
US8468330B1 (en) | 2003-06-30 | 2013-06-18 | Oracle International Corporation | Methods, systems, and data structures for loading and authenticating a module |
US7496951B2 (en) * | 2003-07-15 | 2009-02-24 | Canon Kabushiki Kaisha | Network apparatus and control method therefor |
EP2733656A1 (en) * | 2003-12-23 | 2014-05-21 | Trust Digital, LLC | System and method for enforcing a security policy on mobile devices using dynamically generated security profiles |
FR2867344B1 (en) * | 2004-03-04 | 2006-06-02 | Cit Alcatel | DETERMINATION OF QUALITY OF SERVICE PARAMETERS OF A NETWORK FROM A RADIO COMMUNICATION TERMINAL |
US20050245235A1 (en) * | 2004-04-29 | 2005-11-03 | Sarosh Vesuna | System and method for wireless network security |
US7711835B2 (en) | 2004-09-30 | 2010-05-04 | Citrix Systems, Inc. | Method and apparatus for reducing disclosure of proprietary data in a networked environment |
US8613048B2 (en) | 2004-09-30 | 2013-12-17 | Citrix Systems, Inc. | Method and apparatus for providing authorized remote access to application sessions |
US7748032B2 (en) | 2004-09-30 | 2010-06-29 | Citrix Systems, Inc. | Method and apparatus for associating tickets in a ticket hierarchy |
US20060075230A1 (en) * | 2004-10-05 | 2006-04-06 | Baird Leemon C Iii | Apparatus and method for authenticating access to a network resource using multiple shared devices |
US8024568B2 (en) | 2005-01-28 | 2011-09-20 | Citrix Systems, Inc. | Method and system for verification of an endpoint security scan |
EP1866789B8 (en) | 2005-02-28 | 2020-04-15 | McAfee, LLC | Mobile data security system and methods |
US8572676B2 (en) | 2008-11-06 | 2013-10-29 | Mcafee, Inc. | System, method, and device for mediating connections between policy source servers, corporate repositories, and mobile devices |
WO2007070842A2 (en) * | 2005-12-15 | 2007-06-21 | Josef Berger | System and methods for initiating, maintaining, and delivering personalized information by communication server |
US20070165582A1 (en) * | 2006-01-18 | 2007-07-19 | Puneet Batta | System and method for authenticating a wireless computing device |
WO2007103818A2 (en) * | 2006-03-02 | 2007-09-13 | Vxv Solutions, Inc. | Methods and apparatus for implementing secure and adaptive proxies |
WO2007114716A1 (en) | 2006-04-03 | 2007-10-11 | Resonance Holdings Limited | Methods for determining proximity between radio frequency devices and controlling switches |
US20080070544A1 (en) * | 2006-09-19 | 2008-03-20 | Bridgewater Systems Corp. | Systems and methods for informing a mobile node of the authentication requirements of a visited network |
US20080122687A1 (en) * | 2006-09-21 | 2008-05-29 | Nelson Fredrick W | System and method for providing authorization to use corrections provided by an RTK base station |
US8259568B2 (en) | 2006-10-23 | 2012-09-04 | Mcafee, Inc. | System and method for controlling mobile device access to a network |
US8533846B2 (en) | 2006-11-08 | 2013-09-10 | Citrix Systems, Inc. | Method and system for dynamically associating access rights with a resource |
US7950045B2 (en) * | 2006-12-13 | 2011-05-24 | Cellco Partnership | Techniques for managing security in next generation communication networks |
US8032115B1 (en) * | 2007-02-05 | 2011-10-04 | Clear Wireless Llc | Global WiMAX device registry |
US8370491B1 (en) | 2007-06-20 | 2013-02-05 | Clearwire Ip Holdings Llc | Open mobile alliance provisioning via a global wimax device registry |
US8051036B2 (en) * | 2007-06-28 | 2011-11-01 | Alcatel Lucent | Method and apparatus for management and updating of distributed user databases |
NZ564196A (en) * | 2007-12-10 | 2010-08-27 | Resonance Holdings Ltd | Electronic lock for security system and key on a wireless device including methods of encoding data |
AT506344B1 (en) * | 2008-01-30 | 2015-06-15 | Evva Sicherheitstechnologie | METHOD AND DEVICE FOR CONTROLLING THE ACCESS CONTROL |
WO2010042580A1 (en) * | 2008-10-08 | 2010-04-15 | Citrix Systems, Inc. | Systems and methods for allocating bandwidth by an intermediary for flow control |
US20100115599A1 (en) * | 2008-11-05 | 2010-05-06 | Appsware Wireless, Llc | Method and system for securing data from a point of sale device over an external network |
US8966610B2 (en) * | 2008-11-05 | 2015-02-24 | Apriva, Llc | Method and system for securing data from a non-point of sale device over an external network |
US20100115624A1 (en) * | 2008-11-05 | 2010-05-06 | Appsware Wireless, Llc | Method and system for securing data from a point of sale device over a lan |
US20100115127A1 (en) * | 2008-11-05 | 2010-05-06 | Appsware Wireless, Llc | Method and system for securing data from a non-point of sale device over a lan |
US20100114723A1 (en) * | 2008-11-05 | 2010-05-06 | Appsware Wireless, Llc | Method and system for providing a point of sale network within a lan |
US20100115600A1 (en) * | 2008-11-05 | 2010-05-06 | Appsware Wireless, Llc | Method and system for securing data from an external network to a point of sale device |
US8732813B2 (en) * | 2008-11-05 | 2014-05-20 | Apriva, Llc | Method and system for securing data from an external network to a non point of sale device |
EP2194686A1 (en) * | 2008-12-03 | 2010-06-09 | Panasonic Corporation | Secure tunnel establishment upon attachment or handover to an access network |
WO2010090533A2 (en) | 2009-01-07 | 2010-08-12 | Resonance Holdings Limited | Bluetooth authentication system and method |
KR100924391B1 (en) * | 2009-04-17 | 2009-11-03 | 주식회사 로그 | Apparatus and method for identifying user terminal |
EP2278834A1 (en) * | 2009-06-30 | 2011-01-26 | Alcatel Lucent | A method for transferring data between a client and a server in a telecommunication network, as well as a system, a server, a client and a node |
US9119070B2 (en) * | 2009-08-31 | 2015-08-25 | Verizon Patent And Licensing Inc. | Method and system for detecting unauthorized wireless devices |
US8935384B2 (en) | 2010-05-06 | 2015-01-13 | Mcafee Inc. | Distributed data revocation using data commands |
HU230974B1 (en) * | 2011-09-06 | 2019-07-29 | General Electric Company | Monitoring system and method |
US8813194B2 (en) * | 2011-10-27 | 2014-08-19 | At&T Intellectual Property I, L.P. | Enabling access to a secured wireless local network without user input of a network password |
US9258298B2 (en) | 2013-03-04 | 2016-02-09 | Arris Enterprises, Inc. | Simplified configuration of a network device |
CN109962826B (en) * | 2014-11-07 | 2022-07-26 | Advanced New Technologies Co., Ltd. | Network connection method and device |
US9407624B1 (en) | 2015-05-14 | 2016-08-02 | Delphian Systems, LLC | User-selectable security modes for interconnected devices |
US10637655B1 (en) * | 2018-01-09 | 2020-04-28 | Amdocs Development Limited | System, method, and computer program for providing seamless data access from different internet service providers |
US10812537B1 (en) * | 2018-07-23 | 2020-10-20 | Amazon Technologies, Inc. | Using network locality to automatically trigger arbitrary workflows |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20010041556A1 (en) * | 1998-07-13 | 2001-11-15 | Openwave Systems Inc. | Method and architecture for managing a fleet of mobile stations over wireless data networks |
US20020072348A1 (en) * | 2000-12-13 | 2002-06-13 | Motorola, Inc. | Mobile personal security monitoring service |
Family Cites Families (55)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5870474A (en) * | 1995-12-04 | 1999-02-09 | Scientific-Atlanta, Inc. | Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers |
EP0520709A3 (en) * | 1991-06-28 | 1994-08-24 | Digital Equipment Corp | A method for providing a security facility for remote systems management |
JP3444911B2 (en) * | 1992-10-29 | 2003-09-08 | Ricoh Co., Ltd. | Electrophotographic photoreceptor |
US5828893A (en) * | 1992-12-24 | 1998-10-27 | Motorola, Inc. | System and method of communicating between trusted and untrusted computer systems |
US6135646A (en) * | 1993-10-22 | 2000-10-24 | Corporation For National Research Initiatives | System for uniquely and persistently identifying, managing, and tracking digital objects |
US5371794A (en) * | 1993-11-02 | 1994-12-06 | Sun Microsystems, Inc. | Method and apparatus for privacy and authentication in wireless networks |
US5548721A (en) * | 1994-04-28 | 1996-08-20 | Harris Corporation | Method of conducting secure operations on an uncontrolled network |
US5889866A (en) * | 1994-06-30 | 1999-03-30 | Intel Corporation | Method and apparatus for controlling access to detachably connectable computer devices using an encrypted password |
US5583933A (en) * | 1994-08-05 | 1996-12-10 | Mark; Andrew R. | Method and apparatus for the secure communication of data |
US5513245A (en) * | 1994-08-29 | 1996-04-30 | Sony Corporation | Automatic generation of private authentication key for wireless communication systems |
US5604490A (en) * | 1994-09-09 | 1997-02-18 | International Business Machines Corporation | Method and system for providing a user access to multiple secured subsystems |
FR2727269B1 (en) * | 1994-11-21 | 1997-01-17 | Allegre Francois | ACCESS CONTROL SYSTEM FOR COMPUTER MACHINES CONNECTED IN A PRIVATE NETWORK |
US5956715A (en) * | 1994-12-13 | 1999-09-21 | Microsoft Corporation | Method and system for controlling user access to a resource in a networked computing environment |
JPH11502982A (en) * | 1995-03-30 | 1999-03-09 | British Telecommunications Public Limited Company | Detect unauthorized use of communication services |
US5699513A (en) * | 1995-03-31 | 1997-12-16 | Motorola, Inc. | Method for secure network access via message intercept |
US5633931A (en) * | 1995-06-30 | 1997-05-27 | Novell, Inc. | Method and apparatus for calculating message signatures in advance |
JP3272213B2 (en) * | 1995-10-02 | 2002-04-08 | International Business Machines Corporation | Authentication method for IC card and information processing device |
US5943423A (en) * | 1995-12-15 | 1999-08-24 | Entegrity Solutions Corporation | Smart token system for secure electronic transactions and identification |
US5862480A (en) * | 1995-12-26 | 1999-01-19 | Motorola, Inc. | Method and apparatus for managing service accessibility between differing radio telecommunication networks |
US5802510A (en) * | 1995-12-29 | 1998-09-01 | At&T Corp | Universal directory service |
US5870475A (en) * | 1996-01-19 | 1999-02-09 | Northern Telecom Limited | Facilitating secure communications in a distribution network |
US5818936A (en) * | 1996-03-15 | 1998-10-06 | Novell, Inc. | System and method for automically authenticating a user in a distributed network system |
US5940589A (en) * | 1996-03-21 | 1999-08-17 | Mci Corporation | Method and apparatus for validating a subscriber terminal on a telecommunication network |
US5825877A (en) * | 1996-06-11 | 1998-10-20 | International Business Machines Corporation | Support for portable trusted software |
US6088451A (en) * | 1996-06-28 | 2000-07-11 | Mci Communications Corporation | Security system and method for network element access |
US5787177A (en) * | 1996-08-01 | 1998-07-28 | Harris Corporation | Integrated network security access control system |
US5819047A (en) * | 1996-08-30 | 1998-10-06 | At&T Corp | Method for controlling resource usage by network identities |
US5950195A (en) * | 1996-09-18 | 1999-09-07 | Secure Computing Corporation | Generalized security policy management system and method |
US5784463A (en) * | 1996-12-04 | 1998-07-21 | V-One Corporation | Token distribution, registration, and dynamic configuration of user entitlement for an application level security system and method |
US6076167A (en) * | 1996-12-04 | 2000-06-13 | Dew Engineering And Development Limited | Method and system for improving security in network applications |
US6061346A (en) * | 1997-01-17 | 2000-05-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Secure access method, and associated apparatus, for accessing a private IP network |
US5978918A (en) * | 1997-01-17 | 1999-11-02 | Secure.Net Corporation | Security process for public networks |
US5896499A (en) * | 1997-02-21 | 1999-04-20 | International Business Machines Corporation | Embedded security processor |
US6154843A (en) * | 1997-03-21 | 2000-11-28 | Microsoft Corporation | Secure remote access computing system |
US5974549A (en) * | 1997-03-27 | 1999-10-26 | Soliton Ltd. | Security monitor |
US5960085A (en) * | 1997-04-14 | 1999-09-28 | De La Huerga; Carlos | Security badge for automated access control and secure data gathering |
US5899991A (en) * | 1997-05-12 | 1999-05-04 | Teleran Technologies, L.P. | Modeling technique for system access control and management |
US5968176A (en) * | 1997-05-29 | 1999-10-19 | 3Com Corporation | Multilayer firewall system |
US6070243A (en) * | 1997-06-13 | 2000-05-30 | Xylan Corporation | Deterministic user authentication service for communication network |
US5996077A (en) * | 1997-06-16 | 1999-11-30 | Cylink Corporation | Access control system and method using hierarchical arrangement of security devices |
US5978475A (en) * | 1997-07-18 | 1999-11-02 | Counterpane Internet Security, Inc. | Event auditing system |
US5919257A (en) * | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US5971272A (en) * | 1997-08-19 | 1999-10-26 | At&T Corp. | Secured personal identification number |
US6085084A (en) * | 1997-09-24 | 2000-07-04 | Christmas; Christian | Automated creation of a list of disallowed network points for use in connection blocking |
US6148405A (en) * | 1997-11-10 | 2000-11-14 | Phone.Com, Inc. | Method and system for secure lightweight transactions in wireless data networks |
FI108827B (en) * | 1998-01-08 | 2002-03-28 | Nokia Corp | A method for implementing connection security in a wireless network |
US6094487A (en) * | 1998-03-04 | 2000-07-25 | At&T Corporation | Apparatus and method for encryption key generation |
US6148205A (en) * | 1998-06-30 | 2000-11-14 | Motorola, Inc. | Method and apparatus for secure registration within an in-home wireless network |
US6154543A (en) * | 1998-11-25 | 2000-11-28 | Hush Communications Anguilla, Inc. | Public key cryptosystem with roaming user capability |
US6081900A (en) * | 1999-03-16 | 2000-06-27 | Novell, Inc. | Secure intranet access |
US6609115B1 (en) * | 1999-12-30 | 2003-08-19 | Ge Medical Systems | Method and apparatus for limited online access to restricted documentation |
US6662228B1 (en) * | 2000-02-01 | 2003-12-09 | Sun Microsystems, Inc. | Internet server authentication client |
US7089426B1 (en) * | 2000-09-26 | 2006-08-08 | Ati Technologies, Inc. | Method and system for encryption |
US6898628B2 (en) * | 2001-03-22 | 2005-05-24 | International Business Machines Corporation | System and method for providing positional authentication for client-server systems |
US7395067B2 (en) * | 2002-04-15 | 2008-07-01 | Aol Llc, A Delaware Limited Liability Company | Systems and methods for sectoring antennas in a wireless network |
2003
- 2003-07-14 EP EP03764104A patent/EP1532766A2/en not_active Withdrawn
- 2003-07-14 US US10/521,429 patent/US20050254652A1/en not_active Abandoned
- 2003-07-14 AU AU2003242968A patent/AU2003242968A1/en not_active Abandoned
- 2003-07-14 WO PCT/IL2003/000579 patent/WO2004008683A2/en not_active Application Discontinuation
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20010041556A1 (en) * | 1998-07-13 | 2001-11-15 | Openwave Systems Inc. | Method and architecture for managing a fleet of mobile stations over wireless data networks |
US20020072348A1 (en) * | 2000-12-13 | 2002-06-13 | Motorola, Inc. | Mobile personal security monitoring service |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004107654A1 (en) * | 2003-05-30 | 2004-12-09 | Bluegiga Technologies Oy | Wireless agent application for short-distance connections |
US8955085B2 (en) * | 2003-06-30 | 2015-02-10 | Sony Corporation | Device registration system, device registration server, device registration method, device registration program, storage medium, and terminal device |
US20120185928A1 (en) * | 2003-06-30 | 2012-07-19 | Sony Corporation | Device registration system, device registration server, device registration method, device registration program, storage medium, and terminal device |
GB2432090B (en) * | 2004-09-30 | 2009-02-11 | Intel Corp | Method, apparatus and system for maintaining a persistent wireless network connection |
WO2006039178A1 (en) * | 2004-09-30 | 2006-04-13 | Intel Corporation | Method, apparatus and system for maintaining a persistent wireless network connection |
GB2432090A (en) * | 2004-09-30 | 2007-05-09 | Intel Corp | Method, apparatus and system for maintaining a persistent wireless network connection |
KR100920497B1 (en) * | 2004-09-30 | 2009-10-08 | Intel Corporation | Method, apparatus and system for maintaining a persistent wireless network connection |
CN100428714C (en) * | 2004-11-22 | 2008-10-22 | 华为技术有限公司 | Random channel access method in access physical layer for wireless telecommunication system |
GB2425373B (en) * | 2005-04-21 | 2010-03-24 | Palm Tree Technology Ip Ltd | Network security system |
GB2425373A (en) * | 2005-04-21 | 2006-10-25 | Palm Tree Technology Ip Ltd | Authenticating a transaction using unique single-use templates |
WO2006136750A3 (en) * | 2005-06-20 | 2007-05-03 | France Telecom | Authenticating a sever prior to sending identification data of a client |
CN1327663C (en) * | 2005-08-12 | 2007-07-18 | Huawei Technologies Co., Ltd. | Method of user access radio communication network and radio network cut in control device |
US9392435B2 (en) | 2005-08-12 | 2016-07-12 | Huawei Technologies Co., Ltd. | Method, system and apparatus for accessing a visited network |
US8776184B2 (en) | 2005-08-12 | 2014-07-08 | Huawei Technologies Co., Ltd. | Method, system and apparatus for accessing a visited network |
US8420160B2 (en) | 2006-09-15 | 2013-04-16 | Intermetallics Co., Ltd. | Method for producing sintered NdFeB magnet |
GB2445778A (en) * | 2007-01-10 | 2008-07-23 | Nec Corp | Receiving the lock status of a device from a server database |
US8935769B2 (en) | 2012-09-28 | 2015-01-13 | Liveensure, Inc. | Method for mobile security via multi-factor context authentication |
US9754097B2 (en) | 2014-02-21 | 2017-09-05 | Liveensure, Inc. | Method for peer to peer mobile context authentication |
US9990489B2 (en) | 2014-02-21 | 2018-06-05 | Liveensure, Inc. | System and method for peer to peer mobile contextual authentication |
US20170032294A1 (en) * | 2015-07-29 | 2017-02-02 | International Business Machines Corporation | Discovery and communication of team dynamics |
US20170032308A1 (en) * | 2015-07-29 | 2017-02-02 | International Business Machines Corporation | Discovery and communication of team dynamics |
US10607168B2 (en) * | 2015-07-29 | 2020-03-31 | International Business Machines Corporation | Discovery and communication of team dynamics |
US10607166B2 (en) * | 2015-07-29 | 2020-03-31 | International Business Machines Corporation | Discovery and communication of team dynamics |
Also Published As
Publication number | Publication date |
---|---|
EP1532766A2 (en) | 2005-05-25 |
AU2003242968A1 (en) | 2004-02-02 |
US20050254652A1 (en) | 2005-11-17 |
WO2004008683A3 (en) | 2004-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20050254652A1 (en) | Automated network security system and method | |
US11589224B2 (en) | Network access control | |
US9769655B2 (en) | Sharing security keys with headless devices | |
EP2014067B1 (en) | Provisioned configuration for automatic wireless connection | |
US7606242B2 (en) | Managed roaming for WLANS | |
US7336960B2 (en) | Method and apparatus for balancing wireless access based on centralized information | |
US8448257B2 (en) | Method and system for controlling context-based wireless access to secured network resources | |
US9071583B2 (en) | Provisioned configuration for automatic wireless connection | |
US7574731B2 (en) | Self-managed network access using localized access management | |
WO2005083928A1 (en) | Trust inheritance in network authentication | |
US20060112269A1 (en) | Level-specific authentication system and method in home network | |
CN107534664B (en) | Multi-factor authorization for IEEE802.1X enabled networks | |
JP2006109449A (en) | Access point that wirelessly provides encryption key to authenticated wireless station | |
KR100707805B1 (en) | Authentication system being capable of controlling authority based of user and authenticator | |
WO2007128134A1 (en) | Secure wireless guest access | |
AU2018274707B2 (en) | Improvements in and relating to network communications | |
KR20060044494A (en) | Network management system and network management server of co-operating with authentication server | |
KR100819942B1 (en) | Method for access control in wire and wireless network | |
WO2005091159A1 (en) | Authentication system being capable of controlling authority based of user and authenticator. | |
Fisher | Authentication and Authorization: The Big Picture with IEEE 802.1 X | |
Mishra et al. | Authentication and Authorization Issues For Multi-Hop Networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | WWE | Wipo information: entry into national phase | Ref document number: 10521429. Country of ref document: US |
 | WWE | Wipo information: entry into national phase | Ref document number: 2003764104. Country of ref document: EP |
 | WWP | Wipo information: published in national office | Ref document number: 2003764104. Country of ref document: EP |
 | NENP | Non-entry into the national phase | Ref country code: JP |
 | WWW | Wipo information: withdrawn in national office | Country of ref document: JP |