WO2002073930A1 - Portable device for securing packet traffic in a host platform - Google Patents
- Publication number
- WO2002073930A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- security
- packet
- policy
- platform
- parameters
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
Definitions
- the present invention relates generally to the security of packets transmitted in packet networks such as the Internet.
- IP packets transmitted from and received by a host platform such as a personal digital assistant, a mobile radiotelephone, a laptop, etc.
- security information acting on the traffic of packets and linked to a user using the host platform.
- the security means are installed on an application of the reception terminal, such as the application APPLI1.
- a particular application, for example an internet browser, through which the user easily accesses his personal security information, is thus secured.
- the security linked to an application is not dependent on the hardware constituting the reception terminal.
- security means must be duplicated in each of the applications APPLI1 to APPLI6 implemented in the terminal. This solution does not offer portability of the user's security-related information beyond the application in which this solution has been specifically provided.
- transport layer C4 making it possible to send messages from one application to another application for example by means of the UDP protocol
- security means implemented in one of the transport protocols, TCP, advantageously remedy the duplication of security means in each of the applications APPLI1 to APPLI6, which then all benefit from these security means.
- the security means are strongly attached to the platform and not to the user thereof, although he must authenticate himself as often as possible in order to be able to use it. If another transport protocol, such as the UDP protocol, must be secure, then the security means must be duplicated in the other UDP transport protocol in the same way as in the first TCP protocol.
- This second known solution likewise does not offer portability of the user's security-related information.
- the implementation of security means in this layer has numerous advantages. Means of security being processed at a single "funnel" point in the protocol stack, the management of security means and the keys associated with them is optimized.
- the software implementing the upper layers C4 to C7 can thus advantageously omit its own security means and rely on the single security of the layer C3. All the applications as well as the various transport protocols benefit from the security means in an almost transparent manner.
- the security means are strongly attached to the platform and not to a user. In the present case, these security means "move away" even further from the user.
- this third solution likewise does not offer portability of the user's security-related information.
- this fourth solution has the disadvantage of being very closely tied to the hardware infrastructure and offers far fewer and less flexible security means than those offered in layer C3.
- the implementations of security means in the aforementioned layers C2, C3, C4 and C7 show that the lower the layer of the OSI model in which the implementation is carried out, the more transparent the overall security is and the more it is offered to all the applications of the platform.
- the security means are deeply linked to the platform and therefore move away from the user, both with respect to the personalized services which can be provided to him and with respect to certainty about the identity of the user who uses the platform.
- a microcontroller card used as a portable electronic device offers portability of the security parameters linked to a given user, the security means being implemented in at least one application of the application layer C7 of the OSI model.
- a first type of smart card relating to a SIM (Subscriber Identity Module) identity card removable from a radiotelephone terminal playing the role of host platform
- cryptographic keys are stored in the smart card.
- the smart card authenticates the user without the cryptographic keys being known outside the card.
- the smart card is intimately linked to its owner-user and the user's personal security data are easily portable from one platform to another. This also facilitates the deployment of the application.
- the commands are issued by the application which is implemented outside the card.
- a key called session key is generated inside the card.
- the session key is transmitted by the smart card outside of the latter, to the reception terminal which subsequently uses this session key to encrypt the communication.
- once this session key is provided outside the card, the card no longer has control over the use of the key, particularly over time.
- the smart card is therefore not able to provide the user with perfect security for data exchanged with regard to the use which will be made later of its own keys.
- the reception terminal external to the card must carry the software that contains most of the application, the card mainly being used here only for storing keys and performing cryptographic calculations.
- the decision-making aspects of the application are localized and reserved for the terminal external to the smart card, which gives it a relatively limited responsibility.
- For a second type of smart card, connected to a host platform such as a personal computer PC, the smart card is used in particular in secure electronic mail applications using an electronic signature and encryption of an electronic mail message.
- the smart card stores public cryptographic keys as well as a private key and a certificate intimately linked to the user possessing the card and is used for its cryptographic calculations producing message signatures.
- the user's personal security data on the card is still easily portable from one platform to another. The deployment of public key infrastructure is thus facilitated.
- Each encryption session key being decrypted by the smart card and supplied to the host platform, confidence in the subsequent use of the encryption/decryption keys provided by the card essentially rests on the host platform to which the card is connected, in particular during the decision-making and data encryption phases.
- the computer external to the card must still embed the software containing the largest part of the application, the card being used only to contain keys and to perform cryptographic calculations.
- the decision-making aspects of the application are still localized and reserved for the outside, that is to say the computer outside the smart card.
- a smart card is comparable to a portable safe which can be opened by knowing a combination, such as authentication of its holder-user by PIN identification code for example, which allows generation of a new session key by the card which is then supplied to the host platform. Confidence then rests in part on the platform hosting the smart card.
- the IPSec internet security domain organized by the IETF defines an implementation of security means at the level of the network layer C3 of the OSI model.
- the RFC2401 "IPSec architecture" of the IETF recommends in particular a host implementation, which can be an "OS Integration" implementation integrated with the operating system of the host platform, or a "Bump-In-The-Stack" (BITS) implementation inserted between the network layer C3 and the link layer C2.
- One of the major drawbacks of implementing IPSec security means lies in the deployment and management of the public key infrastructure which is relatively complex. By implementing security at the level of the network layer C3, the notion of the user who uses the platform is lost, the network layer securing a network node but not the particular user. Security settings are attached to one platform and are not portable to another platform.
- the present invention aims to remedy the drawbacks of the security systems of the aforementioned prior art. More specifically, it aims to provide a portable security device securing the traffic in a platform while offering portability of the user's security-related information, as with the smart card of the second type, but also of parameters linked to packet processing, independent of the applications in the host platform, thus facilitating the deployment of key management.
- a portable electronic device removably connected to a host platform linked to a packet network is characterized in that it comprises a means for memorizing security policies, a means for detecting security policy designation parameters in packets leaving the platform for the network and in packets transmitted by the network and entering the platform, and a means for processing the outgoing and incoming packets respectively according to the security policies designated by the detected designation parameters.
- the portable electronic device of the invention not only contains security data and performs cryptographic calculations, but includes decision-making means for processing all the packets leaving and entering the host platform, that is to say to filter the packets according to respective security policies.
- the means for processing the packets can comprise a means for encrypting and / or encapsulating with an authentication header and / or a confidentiality header an outgoing packet according to the security policy designated by at least a designation parameter included in the outgoing packet, and / or a means for decrypting and / or decapsulating relative to an authentication header and / or a confidentiality header an incoming packet according to the designated security policy by at least one designation parameter included in the incoming packet.
- the invention recommends entrusting the management of policies to a remote management server and thus dynamically managing security policies on the initiative of the portable device during packet communications.
- the portable device may include means for initiating communication with a security policy management server across the network when the means for processing does not recognize any security policy corresponding to the policy designation parameters detected in a packet, so that the server negotiates a security policy through the device and transmits to the device at least one packet containing designation parameters and the parameters on which the negotiated policy depends, which are stored and used in the device to process the packets relating to the negotiated policy.
- a security system comprises a host platform 1, such as a personal digital assistant PDA, and a portable electronic device 2 according to the invention in the form of a smart card, also called a microcontroller card or integrated circuit card.
- the host platform 1 can be a personal computer PC, in particular a portable computer, a mobile radiotelephone, an internet terminal used in a public terminal, or even an internet terminal located in personal electronic objects such as video game consoles, vehicles, television receivers, landline telephones, home automation or household appliances, etc.
- the host platform 1 is equipped for example with an additional smart card reader 3 which is adapted to the technology of the smart card constituting the portable device 2 and which is connected to the latter through a two-way link.
- the seven protocol layers C1 to C7 of the OSI open systems interconnection model are implemented as shown diagrammatically in FIG. 2.
- the low physical layer C1 is physically connected to a telecommunications network RES including in particular the network Internet.
- the network layer C3 includes the Internet IP protocol without security means.
- the transport layer C4 includes for example the TCP and UDP protocols, and the last layer, the application layer C7, includes several applications.
- the host platform 1 comprises a bypass layer C23 intermediate between the data link layer C2 and the network layer C3.
- This branch layer is connected to specific ports of the layers C2 and C3 so as to transmit incoming packets PE from the layer C2 to the layer C3 and outgoing packets PS from the layer C3 to the layer C2 through the reader 3, the bidirectional link 4 and a "packet filter" that constitutes the portable device 2.
- the bypass layer C23 thus directs the incoming PE and outgoing PS packets to the portable device 2 without any interpretation or any particular processing of these packets.
- the portable device 2 decides to retransmit predetermined incoming packets PE, in the form of processed incoming packets PET, to the network layer C3, and predetermined outgoing packets PS, in the form of processed outgoing packets PST, to the link layer C2, after analyzing and processing the PE and PS packets respectively.
- the bidirectional link 4 for exchanging PE, PET and PS, PST packets between the platform 1 and the portable device 2 can be a wired link or else a wireless link.
- this is for example an eight-contact link according to ISO 7816-3 for smart cards, or else a universal serial bus USB (Universal Serial Bus) so as to offer a relatively high useful speed.
- the reader 3 is then adapted to at least partially receive the smart card 2 in order to electrically connect the reader and the card.
- When link 4 is wireless, it can be a proximity radio link of the Bluetooth type, which requires no physical contact between the portable device and the host platform. For example, it suffices simply to place the portable device 2 constituting the smart card near the host platform 1, the portable device being able to be kept as a badge in the pocket of the user possessing it.
- the reader 3 is then essentially a Bluetooth radio interface which periodically monitors the presence of one or more portable devices 2, each also provided with a Bluetooth radio interface and located near the platform 1, within a very short radius of the order of a few tens of centimeters in order to avoid any malicious eavesdropping. As soon as the platform 1 has recognized the portable device 2 according to a Bluetooth connection establishment protocol, the portable device 2 automatically manages the security of the packet traffic between the data link layer C2 and the network layer C3 in the platform 1.
- the host platform is completely anonymous and in particular the upper layers C3 to C7 are inaccessible from the RES network.
- the smart card constituting the portable device 2 mainly contains a microprocessor 21 and a memory 22 of ROM type including an operating system OS of the card and in particular one or more user authentication algorithms AU, authentication algorithms AA, confidentiality algorithms AC and encryption algorithms ACH for packets, and a security policy decision engine MPS specific to the IPSec internet security domain,
- a non-volatile memory 23, such as an EEPROM, which contains all the personal data DP (including the authentication information of the user-owner of the card, used by the authentication means AU) linked to the user-owner of the card 2 and to the supplier of the card, as well as the tables of security policies and parameters TP and TPS,
- a memory 24 of RAM type intended for exchanging data with the host platform 1 through the link 4.
- the RAM memory 24 can be included in a communication interface 25 in particular for connecting the portable device 2 to the host platform 1 through the proximity radio link 4 of the type Bluetooth. All the components 21 to 25 are connected by an internal bus 26.
- the cryptographic algorithms ACH, AA and AC, and the MPS engine, are so-called "hard-wired" algorithms, for example written in VHDL (Very High Description Language) or in a similar language such as VERILOG and loaded into a CPLD (Complex Programmable Logic Device) or FPGA (Field-Programmable Gate Array) component, and are thus produced not in software but in hardware in the form of sequential and combinatorial logic.
- Beforehand, before any access to the security means ACH, AA, AC and MPS which process the packets and are implemented in the portable device 2, the portable device, which implements part of the IP protocol, is addressed by an IP address allocated statically or dynamically and transmitted by the host platform 1 through the link 4 as soon as the reader 3 in the platform has detected the presence of the device in or near it, in order to trigger user authentication.
- the authentication means AU of the user-owner of the card, integrated into the portable device 2, call on biometric recognition techniques, in particular fingerprint reading or voice recognition, with analysis and comparison of the data read against those stored in the memory 23. Thus, no sensitive personal data linked to this authentication of the user leaves the device 2 at any time.
- alternatively, traditional means such as a personal identification code PIN are used, but security is then reduced; or, more simply, no user authentication is provided.
- After the authentication means AU have authenticated the user authorized to use the portable electronic device 2, the device 2 continues the securing procedure by means in particular of the authentication algorithms AA, the confidentiality algorithms AC and the security policy engine MPS.
- User authentication allows the user and the administrator of the portable electronic devices to access and generate, manually or automatically, in particular the personal data DP and the PDP and PPS parameters related to the user.
- IPSec internet security means are only partially implemented in portable device 2 which does not internally contain software which manages the negotiation of security policies or the parameters associated with them.
- the management of security policies and in particular of the keys linked to these policies is delegated to one or more SG management servers remote from the platform 1.
- As soon as the portable device is connected to the host platform 1 and has authenticated the user, it is connected to the global network RES for its own needs.
- Each time the portable device 2 needs to negotiate security policies or the parameters related to them, it automatically connects securely to the management server SG through the host platform 1 and the network RES.
- the management server is located in a secure physical enclosure and is managed for example by the company distributing and administering portable devices.
- the remote management server then processes the request for parameters from the portable device and transfers to it the parameters of a security policy necessary to continue securing the incoming and outgoing packet traffic PE and PS relating to this policy in the host platform.
- the portable device 2 includes the tables of security policies and parameters TP and TPS, the security policy engine MPS, the encryption algorithms ACH, authentication AA and confidentiality AC, and a module MCS included in the communication interface 25 and used to connect the portable device 2 to the management server SG.
- the security policy table TP, relatively similar to the "Security Policy Database" of the IPSec domain, maps the PDP policy designation parameters detected in incoming and outgoing packets PE and PS to respective POS security policies.
- a PDP security policy designation parameter depends on at least one of the following parameters included in a PE or PS packet: a destination IP address in an outgoing PS packet or a source IP address in an incoming PE packet, or at least part of this address, and/or the incoming or outgoing direction of the packet, and/or the type of transport protocol, and/or a port number serving as a communication or session reference number, etc.
- the security policy parameter table TPS, relatively similar to the "Security Association Database" of the IPSec domain, associates PPS security policy parameters respectively with the POS security policies listed in the table TP.
- a given POS security policy can be associated with at least one of the following PPS parameters, which are to be used to apply the security policy: type of encryption algorithm ACH, encryption or authentication or confidentiality key, key lifetime, type of authentication algorithm AA, type of confidentiality algorithm AC, etc.
- a packet according to the IPSec protocol may include an AH (Authentication Header) and an ESP (Encapsulated Security Payload) confidentiality header.
- the AH authentication or ESP privacy header notably includes a Security Parameter Index (SPI) and identification data.
- the SPI index and/or the IP destination address and/or the type of header (AH or ESP), used as PDP policy designation parameters in the TP table, contribute to designating a security policy for the recipient of the packet, such as the host platform 1 for an incoming packet PE, that is to say a POS security policy associated with PPS security parameters in the table TPS.
- the authentication data is used to authenticate the source of the packet and to ensure its integrity.
- One of the AA authentication algorithms, selected by the associated POS policy, is applied to the AH authentication header to guarantee non-repudiation of the source of the packet, that is to say to authenticate the packet as having been emitted by the source.
- the ESP confidentiality header includes a field of data which are to be protected by ensuring their confidentiality and integrity with one of the AC confidentiality algorithms identified in the TPS table in association with the POS security policy designated by at least the SPI index and/or the IP destination address.
- a PST processed packet leaving device 2 or an incoming PE packet to be processed in device 2 can comprise one of the headers AH and ESP, or both, the confidentiality header ESP then encapsulating the packet with the AH authentication header.
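A simplified version of the AH-style processing described above (an outgoing packet encapsulated with a header carrying the SPI and authentication data; an incoming packet looked up by SPI in the TPS table, verified, and decapsulated before being handed to layer C3, or discarded when the SPI is unknown or the authentication data does not verify), as an added Python example that is not the patent's own code. The header layout, HMAC-SHA256 as the AA algorithm, the table contents and the sequence-number rule are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed TPS entries keyed by SPI: the AA algorithm and key on which the
# designated POS policy depends (listed on the page as PPS parameters).
TPS = {
    0x1001: {"pos": "POS_VPN", "aa": "hmac-sha256", "key": b"constructed key for SPI 0x1001"},
}
ICV_LEN = 12     # truncated integrity check value, as IPsec AH does (96 bits)
AH_FMT = "!II"   # assumed minimal AH layout: SPI (4 bytes), sequence number (4 bytes), then ICV


def _icv(key: bytes, data: bytes) -> bytes:
    """Authentication data: truncated HMAC-SHA256 over the covered bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def encapsulate_ah(payload: bytes, spi: int, seq: int) -> bytes:
    """PS -> PST: prepend an AH-style header whose ICV covers SPI, sequence number and payload."""
    hdr = struct.pack(AH_FMT, spi, seq)
    return hdr + _icv(TPS[spi]["key"], hdr + payload) + payload


class AhReceiver:
    """Incoming PE processing: the SPI designates the policy in TPS; bad packets are discarded."""

    def __init__(self):
        self.last_seq = {}   # SPI -> highest sequence number accepted (assumed simple anti-replay rule)

    def decapsulate_ah(self, pe: bytes):
        """Return the decapsulated packet PET, or None when the packet must not reach layer C3."""
        hdr_len = struct.calcsize(AH_FMT)
        if len(pe) < hdr_len + ICV_LEN:
            return None
        spi, seq = struct.unpack(AH_FMT, pe[:hdr_len])
        pps = TPS.get(spi)
        if pps is None:
            return None   # no POS policy for this SPI: nothing is retransmitted
        icv, payload = pe[hdr_len:hdr_len + ICV_LEN], pe[hdr_len + ICV_LEN:]
        if not hmac.compare_digest(icv, _icv(pps["key"], pe[:hdr_len] + payload)):
            return None   # source not authenticated or integrity lost
        if seq <= self.last_seq.get(spi, 0):
            return None   # replayed or out-of-order packet
        self.last_seq[spi] = seq
        return payload
```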
- the administrator preloads in the memory 23 of the portable device some POS security policies, in association with one or more respective PDP policy designation parameters in the TP table and PPS policy parameters in the TPS table, in order to allow the portable device to initiate communications with the remote management servers and to decide for itself the evolution of the policies and associated parameters.
- the MPS decision engine detects the PDP policy designation parameter(s) in the PS packet and searches the TP table for a security policy corresponding to the PDP parameters read. If the engine finds a POS policy, it applies this policy to the PS packet according to the parameters of this policy read in the TPS table.
- the PS packet is then filtered and processed by the MPS engine so as to transmit it in the form of an outgoing PST packet, without change, or with its data encrypted, and/or encapsulated with an AH header and/or an ESP header, for example.
- the MPS engine can also discard any outgoing packet PS whose parameters PDP designate an outgoing packet rejection policy.
- Once a POS policy is associated with the outgoing PS packet, all outgoing PS and incoming PE packets of the current session are processed according to this policy.
- the incoming packets PE transmitted by the remote terminal TE through the network RES to the portable device 2 via the data link layer C2 in the platform 1 and the link 4 are filtered and processed by the MPS engine to perform reverse operations to those outgoing packets.
- the MPS engine transmits the processed incoming packets PET to the network layer C3, for example without change, or with decrypted data, and/or decapsulated from an AH header and/or an ESP header, relative to the PE packets.
- It may happen that, in response to a given outgoing packet PS transmitted by the network layer C3 to the remote terminal TE, or a given incoming packet PE transmitted by the remote terminal TE via the layer C2, the MPS security policy engine does not recognize in the TP table any security policy corresponding to the PDP policy designation parameters detected in the given packet.
- the engine then initiates communication with the management server SG via the connection module MCS and the network RES by reading the IP address of the server SG contained in the memory 23.
- the communication is encrypted by including parameters read from the TPS table and either associated with a communication security policy, in particular with the server SG, or associated with a proprietary security policy only between the device 2 and the server SG.
- the portable device 2 transmits at least one negotiation protocol packet PRN to the remote server SG which then transmits a preformatted response packet REP to the device 2.
- the response packet REP is re-transmitted by the device 2 to the remote terminal TE with which the device is in communication and negotiation.
- the device periodically maintains a cycle of transmission of a PRN policy negotiation protocol packet to the SG server and re-transmission of a REP response packet to the TE terminal.
- the server SG helps the portable device in the negotiation of a security policy, that is to say defines the PPS parameters on which a POS security policy depends, for example as a function of information on the terminal TE designated by its address contained in the PRN negotiation protocol packet, compared with the user's personal data DP and possibly with the other security policies relating to the device 2.
- the server SG transmits to the device 2 at least one POL packet containing the designation of the security policy POS to be applied to the packets exchanged between the terminal TE and the device 2, the PDP designation parameters of this policy and the PPS parameters defining this policy.
- the parameters PDP and PPS of the elaborated policy POL are immediately memorized in the tables TP and TPS of the memory 23 in response to the packet POL detected in the connection module MCS.
- the MPS engine then stops the retransmission of the PRN negotiation protocol and REP response packets, and uses the PPS parameters of the policy just negotiated and memorized to secure at least the outgoing PS packets and to de-secure the incoming PE packets exchanged with the terminal TE.
- negotiation steps between the server SG and the device 2, similar to those described above, are initiated by the decision engine MPS when the latter finds that at least one of the PPS parameters, such as keys, on which the security policy for the exchanges with the terminal TE depends must be changed, because the parameter is at the end of its life, or because the session exceeds a predetermined duration, or because a silence following a packet transmitted by the terminal TE, without being followed by a PE or PS packet, exceeds a predetermined duration.
- when the terminal TE reappears in communication with the device 2, the latter renegotiates a security policy, that is to say at least one policy parameter PPS.
- the portable device 2 thus dynamically delegates the creation of policy and the management of policy parameters, such as keys, to the management server SG, this delegation being transparent to the remote terminal TE.
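The decision flow described above (reading the PDP designation parameters of a packet, looking up a POS policy in TP and its PPS parameters in TPS, delegating to the server SG when no policy matches, and renegotiating when a key reaches the end of its life, the session exceeds a predetermined duration or the peer falls silent), as an added Python simulation that is not the patent's own code. The table layouts, the packet dictionary, the action names, the timeouts and the toy SG server are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PDP:
    """Policy designation parameters: direction, peer address (or prefix), transport protocol, port."""
    direction: Optional[str]    # "out" for a PS packet, "in" for a PE packet, None = either
    peer: str                   # destination of a PS packet / source of a PE packet
    proto: str                  # "tcp" or "udp"
    port: Optional[int] = None  # None matches any port

    def matches(self, pkt_pdp) -> bool:
        """True when this TP entry covers the parameters read from a packet."""
        return ((self.direction is None or self.direction == pkt_pdp.direction)
                and self.proto == pkt_pdp.proto
                and (self.port is None or self.port == pkt_pdp.port)
                and ipaddress.ip_address(pkt_pdp.peer) in ipaddress.ip_network(self.peer))


@dataclass
class PPS:
    """Parameters on which a POS policy depends."""
    action: str             # "bypass", "protect" (AH/ESP processing) or "reject"
    aa: str = ""            # authentication algorithm
    ach: str = ""           # encryption algorithm
    key: bytes = b""
    key_lifetime: int = 0   # seconds; 0 means the key never expires


def designate(pkt) -> PDP:
    """Read the PDP parameters from a packet (constructed here as a dict)."""
    peer = pkt["dst"] if pkt["direction"] == "out" else pkt["src"]
    return PDP(pkt["direction"], peer, pkt["proto"], pkt["port"])


class ManagementServer:
    """Toy SG server: answers a PRN request with a POL (policy name, PDP entry, PPS parameters)."""

    def __init__(self, catalogue):
        self.catalogue = catalogue   # prefix -> (POS name, PPS)

    def negotiate(self, prn):
        for prefix, (pos, pps) in self.catalogue.items():
            if ipaddress.ip_address(prn["peer"]) in ipaddress.ip_network(prefix):
                # The negotiated policy covers both directions of the session with this peer.
                return {"pos": pos, "pdp": PDP(None, prefix, prn["proto"]), "pps": pps}
        return None


class MPS:
    """Decision engine: TP maps PDP entries to POS names, TPS maps POS names to PPS."""
    SESSION_MAX = 3600   # assumed predetermined maximum session duration (s)
    SILENCE_MAX = 300    # assumed predetermined silence timeout (s)

    def __init__(self, sg, tp=(), tps=None):
        self.sg, self.tp, self.tps = sg, list(tp), dict(tps or {})
        self.sessions = {}   # POS name -> {"established": t, "last": t}
        self.log = []        # record of negotiations with SG

    def lookup(self, pdp):
        return next((pos for entry, pos in self.tp if entry.matches(pdp)), None)

    def negotiate(self, pdp, now):
        """Send a PRN to the SG server and memorize the returned POL in TP and TPS."""
        pol = self.sg.negotiate({"direction": pdp.direction, "peer": pdp.peer, "proto": pdp.proto})
        if pol is None:
            return None
        self.tp.append((pol["pdp"], pol["pos"]))
        self.tps[pol["pos"]] = pol["pps"]
        self.sessions[pol["pos"]] = {"established": now, "last": now}
        self.log.append(("negotiated", pol["pos"]))
        return pol["pos"]

    def needs_renegotiation(self, pos, now) -> bool:
        """Key at end of life, session too long, or silence too long (protected policies only)."""
        s, pps = self.sessions.get(pos), self.tps[pos]
        if s is None or pps.action != "protect":
            return False
        return ((pps.key_lifetime > 0 and now - s["established"] > pps.key_lifetime)
                or now - s["established"] > self.SESSION_MAX
                or now - s["last"] > self.SILENCE_MAX)

    def process(self, pkt, now):
        """Decide how one packet is handled: (action, POS name), or ("drop", None) without a policy."""
        pdp = designate(pkt)
        pos = self.lookup(pdp)
        if pos is not None and self.needs_renegotiation(pos, now):
            self.tp = [(e, p) for e, p in self.tp if p != pos]
            self.tps.pop(pos)
            self.sessions.pop(pos)
            pos = None
        if pos is None:
            pos = self.negotiate(pdp, now)
            if pos is None:
                return ("drop", None)
        self.sessions.setdefault(pos, {"established": now, "last": now})["last"] = now
        return (self.tps[pos].action, pos)
```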
- the portable electronic device 2 itself partially implements the IPSec security means represented mainly by the ACH, AA and AC algorithms, the TP and TPS tables and the MPS security policy decision engine.
- the prior verification of the identity of the user, by means of a comparison between authentication information (biometric information obtained by an acquisition, or data that only the user-owner knows, for example the PIN code) and reference data contained in the EEPROM memory 23 of the portable device, and the association of specific POS security policies with the authentication information in the portable electronic device 2 provide the link with the user.
- the loss of all links between the user and the platform is no longer possible compared to the prior art according to which the network layer C3 integrates the security means.
- the portable electronic device 2 has in the TPS table all the PPS security parameters for a particular user.
- the portable device can therefore be removed from a platform to then be received by another platform according to the invention.
- the removable security means according to the invention are therefore portable from one platform to another, compared to the prior art according to which a particular network node represented by the host platform had to be dedicated to the user, since the security means resided in the network layer of the platform.
- the security means contained in the portable device 2 are advantageously insertable at the level of the bypass layer C23, intermediate between the link layer C2 and the network layer C3, of any platform having no security means.
- the connection of the portable device with this platform does not modify the suite of protocols in the layers, the operating system and all the applications hosted on the platform. All the software located in the layers above the network layer C3 benefit from the security means implemented in the portable device.
- the invention also remedies the complexity of deploying the public key infrastructure according to the prior art.
- the portable electronic device 2 is designed according to manufacturing, initialization and distribution principles such as those known for smart cards, and each portable device, being linked to at least one authorized user, has its personalized security means before the user puts the portable device into service for the first time.
- the delegation of the management of security policies and in particular of the public keys to at least one remote management server combined with the advantages of the personalization of the portable device facilitates the deployment of the infrastructure with public keys.
- the portable electronic device 2 of the invention at least partially implements the security means without security being based on the host platform to which the portable device is connected during the decision-making and data security phases.
- the device 2 itself chooses, by means of the MPS engine, the POS security policies and therefore the PPS security parameters, such as the associated cryptographic keys and algorithms, itself selects the processed packets PET and PST to be retransmitted depending on the chosen policies, and itself performs, through the AA, AC and ACH algorithms, the authentication, confidentiality and encryption (decryption) phases of the PE and PS packets.
- the keys and more generally the PPS security parameters are neither entrusted nor present on the host platform 1 at any time.
- the portable device 2 Once the portable device 2 is distant from the platform 1, that is to say is physically disconnected or is located outside the radio coverage of the platform, no communication relating to the user of the portable device cannot last; especially pathways communication reserved for a virtual private network VPN to which the user has access cannot be used later, the platform 1 becoming anonymous.
- the invention thus improves the security of the use of keys.
- the invention also overcomes the drawback of applications based on smart cards which were portable and generically distributable to other applications or protocols, the number of which was limited because of the implementation of the security means in specific applications, most often proprietary.
- the implementation of the removable security means just below the network layer C3 in the host platform according to the invention allows the securing in a transparent manner of protocols or applications installed in the host platform without particular modification of these protocols or applications.
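As an added illustration of the packet path described in the list above (example code written for this page; it is not the patent's implementation nor any product's code): a Python model in which a device object holds the policies POS and the parameters PPS, selects a policy per packet (the role the text gives the MPS engine), then discards, bypasses or protects the packet accordingly, and hands the host only processed packets. The wire layout, the Packet and Policy fields, the key_id, the CIDR peer selector, and the use of HMAC-SHA256 for authentication with an HMAC counter-mode keystream standing in for a real cipher are all assumptions of this example; the sample policies and keys are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Wire layout of a protected packet (hypothetical, not the patent's):
#   b"PRT" | key_id (4) | nonce (12) | ciphertext | HMAC-SHA256 tag (32)
KEY_ID_LEN, NONCE_LEN, TAG_LEN = 4, 12, 32
HDR_LEN = 3 + KEY_ID_LEN + NONCE_LEN

@dataclass(frozen=True)
class Packet:
    """A packet as the host's network layer hands it down: selectors plus payload."""
    src: str
    dst: str
    proto: int
    payload: bytes

@dataclass(frozen=True)
class Policy:
    """One POS entry: peer selector -> action. First matching entry wins."""
    peer_net: str                 # CIDR of the remote peer, e.g. "10.1.0.0/16"
    proto: Optional[int]          # IP protocol number, None = any
    action: str                   # "protect" | "bypass" | "discard"
    key_id: bytes = b""           # PPS key set used when action == "protect"

    def matches(self, peer: str, proto: int) -> bool:
        in_net = ipaddress.ip_address(peer) in ipaddress.ip_network(self.peer_net)
        return in_net and (self.proto is None or self.proto == proto)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for the confidentiality algorithm AC."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PortableDevice:
    """Stand-in for device 2: holds POS and PPS; the host only sees packets in and out."""

    def __init__(self, policies: List[Policy], keys: Dict[bytes, Tuple[bytes, bytes]]):
        self._policies = policies   # POS, consulted by the modelled MPS engine
        self._keys = keys           # PPS: key_id -> (auth_key, enc_key); never exported

    def select_policy(self, peer: str, proto: int) -> Optional[Policy]:
        for pol in self._policies:
            if pol.matches(peer, proto):
                return pol
        return None                 # no matching entry: treated as discard

    def protect(self, pkt: Packet) -> Optional[bytes]:
        """Outgoing PS packet -> bytes to put on the wire, or None to drop it."""
        pol = self.select_policy(pkt.dst, pkt.proto)
        if pol is None or pol.action == "discard":
            return None
        if pol.action == "bypass":
            return b"CLR" + pkt.payload
        auth_key, enc_key = self._keys[pol.key_id]
        nonce = os.urandom(NONCE_LEN)
        header = b"PRT" + pol.key_id + nonce
        ct = _xor(pkt.payload, _keystream(enc_key, nonce, len(pkt.payload)))
        tag = hmac.new(auth_key, header + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return header + ct + tag

    def unprotect(self, peer: str, proto: int, wire: bytes) -> Optional[bytes]:
        """Incoming PE packet -> cleartext payload for the host, or None to drop it."""
        pol = self.select_policy(peer, proto)
        if pol is None or pol.action == "discard":
            return None
        if pol.action == "bypass":
            return wire[3:] if wire.startswith(b"CLR") else None
        # The policy demands protection: a cleartext or malformed packet is dropped,
        # and so is one whose tag does not verify (checked before any decryption).
        if len(wire) < HDR_LEN + TAG_LEN or not wire.startswith(b"PRT"):
            return None
        key_id, nonce = wire[3:3 + KEY_ID_LEN], wire[3 + KEY_ID_LEN:HDR_LEN]
        if key_id != pol.key_id:
            return None
        ct, tag = wire[HDR_LEN:-TAG_LEN], wire[-TAG_LEN:]
        auth_key, enc_key = self._keys[key_id]
        expected = hmac.new(auth_key, wire[:HDR_LEN] + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def build_device() -> PortableDevice:
    """A device personalized (as a smart card would be) with one VPN key set and a POS."""
    policies = [
        Policy("10.1.0.0/16", None, "protect", b"vpn1"),   # corporate VPN: always protect
        Policy("192.0.2.0/24", 17, "bypass"),              # documentation net, UDP only
        Policy("0.0.0.0/0", None, "discard"),              # everything else is dropped
    ]
    keys = {b"vpn1": (os.urandom(32), os.urandom(32))}    # constructed, device-resident
    return PortableDevice(policies, keys)
```

The point the model makes is the one in the list above: the host calls protect() and unprotect() and never touches the key material; a packet whose tag fails to verify, a cleartext packet arriving from a peer whose policy demands protection, or a packet matched by no policy at all yields None and is simply not forwarded. Removing the device (dropping the object) leaves the host with nothing it could use to continue the protected sessions.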
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP02703684A EP1371207B1 (fr) | 2001-03-14 | 2002-02-08 | Dispositif portable pour securiser le trafic de paquets dans une plate-forme hote |
DE60226014T DE60226014T2 (de) | 2001-03-14 | 2002-02-08 | Tragbares gerät zum sichern des paketenverkehrs in einem wirtsystem |
JP2002571681A JP4442795B2 (ja) | 2001-03-14 | 2002-02-08 | ホストプラットフォームにおけるパケットトラフィックを保護する携帯用デバイス |
US10/471,562 US8250624B2 (en) | 2001-03-14 | 2002-02-08 | Portable device for securing packet traffic in a host platform |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0103648A FR2822318B1 (fr) | 2001-03-14 | 2001-03-14 | Dispositif portable pour securiser le trafic de paquets dans une plate-forme hote |
FR01/03648 | 2001-03-14 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2002073930A1 true WO2002073930A1 (fr) | 2002-09-19 |
Family
ID=8861249
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2002/000494 WO2002073930A1 (fr) | 2001-03-14 | 2002-02-08 | Dispositif portable pour securiser le trafic de paquets dans une plate-forme hote |
Country Status (9)
Country | Link |
---|---|
US (1) | US8250624B2 (fr) |
EP (1) | EP1371207B1 (fr) |
JP (1) | JP4442795B2 (fr) |
CN (1) | CN100583872C (fr) |
AT (1) | ATE392079T1 (fr) |
DE (1) | DE60226014T2 (fr) |
ES (1) | ES2305203T3 (fr) |
FR (1) | FR2822318B1 (fr) |
WO (1) | WO2002073930A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1311660C (zh) * | 2003-08-21 | 2007-04-18 | 株式会社东芝 | 服务器设备,通信系统和给网络分配安全性策略的方法 |
Families Citing this family (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040218762A1 (en) | 2003-04-29 | 2004-11-04 | Eric Le Saint | Universal secure messaging for cryptographic modules |
US8209753B2 (en) * | 2001-06-15 | 2012-06-26 | Activcard, Inc. | Universal secure messaging for remote security tokens |
US20030074458A1 (en) * | 2001-09-18 | 2003-04-17 | Gokhale Maya B. | Hybrid hardware/software packet filter |
US20030105952A1 (en) * | 2001-12-05 | 2003-06-05 | International Business Machines Corporation | Offload processing for security session establishment and control |
US20030105977A1 (en) * | 2001-12-05 | 2003-06-05 | International Business Machines Corporation | Offload processing for secure data transfer |
US7178724B2 (en) * | 2003-04-21 | 2007-02-20 | Stmicroelectronics, Inc. | Smart card device and method used for transmitting and receiving secure e-mails |
US7831519B2 (en) * | 2003-12-17 | 2010-11-09 | First Data Corporation | Methods and systems for electromagnetic initiation of secure transactions |
US8639819B2 (en) * | 2004-02-05 | 2014-01-28 | Nokia Corporation | Ad-hoc connection between electronic devices |
US8613091B1 (en) * | 2004-03-08 | 2013-12-17 | Redcannon Security, Inc. | Method and apparatus for creating a secure anywhere system |
US8230480B2 (en) * | 2004-04-26 | 2012-07-24 | Avaya Inc. | Method and apparatus for network security based on device security status |
US20060036854A1 (en) * | 2004-08-09 | 2006-02-16 | Chien-Hsing Liu | Portable virtual private network device |
CN100459787C (zh) * | 2004-08-29 | 2009-02-04 | 华为技术有限公司 | 一种用户卡的安全保障方法 |
EP1813073B1 (fr) * | 2004-10-29 | 2010-07-21 | Telecom Italia S.p.A. | Systeme et procede de gestion a distance de la securite d'un terminal d'utilisateur via une plate-forme d'utilisateur fiable |
US9202087B2 (en) * | 2006-10-31 | 2015-12-01 | Verizon Patent And Licensing Inc. | Method and apparatus for controlling access to local storage devices |
US7975053B2 (en) * | 2006-12-29 | 2011-07-05 | United States Cellular Corporation | Establishing network policy for session-unaware mobile-device applications |
US8032746B2 (en) * | 2007-06-19 | 2011-10-04 | The University Of Texas At San Antonio | Tamper-resistant communication layer for attack mitigation and reliable intrusion detection |
US8495357B2 (en) * | 2007-12-19 | 2013-07-23 | International Business Machines Corporation | Data security policy enforcement |
US8335916B2 (en) * | 2008-01-29 | 2012-12-18 | International Business Machines Corporation | Secure request handling using a kernel level cache |
JP4577406B2 (ja) * | 2008-05-19 | 2010-11-10 | ソニー株式会社 | 管理装置、情報処理装置、プログラム、および情報処理システム |
US9063897B2 (en) * | 2008-06-26 | 2015-06-23 | Microsoft Technology Licensing, Llc | Policy-based secure information disclosure |
US8799630B2 (en) | 2008-06-26 | 2014-08-05 | Microsoft Corporation | Advanced security negotiation protocol |
US8432907B2 (en) * | 2010-12-29 | 2013-04-30 | Konica Minolta Laboratory U.S.A., Inc. | Method and system having an application for a run time IPv6 only network |
US20130212712A1 (en) * | 2012-02-13 | 2013-08-15 | KEVIN Richard BROCK | System and method for creating bounded packets of personally-identifiable information (pii) |
US9166969B2 (en) * | 2012-12-06 | 2015-10-20 | Cisco Technology, Inc. | Session certificates |
US9213820B2 (en) * | 2013-09-10 | 2015-12-15 | Ebay Inc. | Mobile authentication using a wearable device |
CN103795735B (zh) * | 2014-03-07 | 2017-11-07 | 深圳市迈科龙电子有限公司 | 安全设备、服务器及服务器信息安全实现方法 |
US9703973B2 (en) * | 2015-04-28 | 2017-07-11 | International Business Machines Corporation | Customer load of field programmable gate arrays |
US10482458B2 (en) * | 2015-09-08 | 2019-11-19 | Sk Planet Co., Ltd. | User equipment, service providing device, payment system comprising the same, control method thereof and non-transitory computer-readable storage medium storing computer program recorded thereon |
CN107070918B (zh) * | 2017-04-14 | 2019-07-30 | 天地融科技股份有限公司 | 一种网络应用登录方法和系统 |
US11283876B2 (en) * | 2020-03-20 | 2022-03-22 | Verizon Patent And Licensing Inc. | Systems and methods for end-to-end request-response flow routing for geographically distributed client devices |
US11848953B1 (en) * | 2023-02-17 | 2023-12-19 | Celerium Inc. | Network compromise activity monitoring system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6067620A (en) * | 1996-07-30 | 2000-05-23 | Holden; James M. | Stand alone security device for computer networks |
US6141752A (en) * | 1998-05-05 | 2000-10-31 | Liberate Technologies | Mechanism for facilitating secure storage and retrieval of information on a smart card by an internet service provider using various network computer client devices |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0691527B2 (ja) * | 1985-03-08 | 1994-11-14 | 株式会社東芝 | 通信ネツトワ−クシステム |
WO1997000471A2 (fr) | 1993-12-15 | 1997-01-03 | Check Point Software Technologies Ltd. | Systeme pour la securisation et la modification selective du flux de paquets dans un reseau informatique |
IL114182A (en) * | 1995-06-15 | 2003-03-12 | Checkpoint Software Techn Ltd | Method for controlling computer network security |
JPH09219700A (ja) | 1996-02-09 | 1997-08-19 | Toppan Printing Co Ltd | データ通信システム、データ通信装置、およびicカード |
JPH10224339A (ja) * | 1996-12-05 | 1998-08-21 | Akutei Create:Kk | データ・セキュリティ装置 |
JPH10307799A (ja) * | 1997-02-28 | 1998-11-17 | Media Konekuto:Kk | コンピュータ通信網における身元確認方法及び身元確認装置 |
US6557104B2 (en) * | 1997-05-02 | 2003-04-29 | Phoenix Technologies Ltd. | Method and apparatus for secure processing of cryptographic keys |
US7143438B1 (en) * | 1997-09-12 | 2006-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with multiple domain support |
US5954826A (en) | 1997-09-29 | 1999-09-21 | Sun Microsystems, Inc. | Method and apparatus for analyzing data |
JP2000315997A (ja) * | 1999-04-30 | 2000-11-14 | Toshiba Corp | 暗号通信方法及びノード装置 |
JP2000324104A (ja) | 1999-05-10 | 2000-11-24 | Matsushita Electric Works Ltd | バーチャル通信ネットワークにおけるセキュリティーポリシー設定方法、セキュリティーポリシーマネージャ及びこれを用いたバーチャル通信ネットワークシステム |
US6577229B1 (en) * | 1999-06-10 | 2003-06-10 | Cubic Corporation | Multiple protocol smart card communication device |
ATE297645T1 (de) | 1999-10-22 | 2005-06-15 | Ericsson Telefon Ab L M | Mobiltelefon mit eingebauter sicherheitsfirmware |
JP2001298449A (ja) | 2000-04-12 | 2001-10-26 | Matsushita Electric Ind Co Ltd | セキュリティ通信方法、通信システム及びその装置 |
JP3730480B2 (ja) * | 2000-05-23 | 2006-01-05 | 株式会社東芝 | ゲートウェイ装置 |
JP2002261829A (ja) * | 2001-02-27 | 2002-09-13 | Mitsubishi Electric Corp | 階層管理システム及び階層管理方法 |
- 2001
  - 2001-03-14 FR FR0103648A patent/FR2822318B1/fr not_active Expired - Fee Related
- 2002
  - 2002-02-08 DE DE60226014T patent/DE60226014T2/de not_active Expired - Lifetime
  - 2002-02-08 CN CN02809841A patent/CN100583872C/zh not_active Expired - Fee Related
  - 2002-02-08 US US10/471,562 patent/US8250624B2/en active Active
  - 2002-02-08 EP EP02703684A patent/EP1371207B1/fr not_active Expired - Lifetime
  - 2002-02-08 JP JP2002571681A patent/JP4442795B2/ja not_active Expired - Fee Related
  - 2002-02-08 ES ES02703684T patent/ES2305203T3/es not_active Expired - Lifetime
  - 2002-02-08 AT AT02703684T patent/ATE392079T1/de not_active IP Right Cessation
  - 2002-02-08 WO PCT/FR2002/000494 patent/WO2002073930A1/fr active IP Right Grant
Also Published As
Publication number | Publication date |
---|---|
CN100583872C (zh) | 2010-01-20 |
US20040088567A1 (en) | 2004-05-06 |
DE60226014T2 (de) | 2009-05-14 |
JP4442795B2 (ja) | 2010-03-31 |
EP1371207A1 (fr) | 2003-12-17 |
FR2822318B1 (fr) | 2003-05-30 |
JP2004532543A (ja) | 2004-10-21 |
US8250624B2 (en) | 2012-08-21 |
ES2305203T3 (es) | 2008-11-01 |
ATE392079T1 (de) | 2008-04-15 |
FR2822318A1 (fr) | 2002-09-20 |
DE60226014D1 (de) | 2008-05-21 |
EP1371207B1 (fr) | 2008-04-09 |
CN1509558A (zh) | 2004-06-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1371207B1 (fr) | Dispositif portable pour securiser le trafic de paquets dans une plate-forme hote | |
EP2039114B1 (fr) | Procede de controle d'application dans un chipset nfc comprenant plusieurs processeurs hotes | |
EP2166728B1 (fr) | Procédé d'échange de données, telles que des clés cryptographiques, entre un système informatique et une entité électronique, telle qu'une carte à microcircuit | |
FR2825869A1 (fr) | Procede d'authentification entre un objet de telecommunication portable et une borne d'acces public | |
EP2912594B1 (fr) | Procédé de fourniture d'un service sécurisé | |
WO2007115982A2 (fr) | Procede de protection d'identite, dispositifs, et produit programme d'ordinateur correspondants | |
CA2659756A1 (fr) | Procede de routage de donnees d'application entrantes dans un chipset nfc, par identification de l'application | |
FR2877521A1 (fr) | Dispositif, procede, programme et support de distribution d'informations, d'initialisation, dispositif, procede, programme et support de transfert d'initialisation d'authentification et programme de reception ... | |
WO2006095076A1 (fr) | Procede d'etablissement d'un lien de communication securise | |
EP1157575A1 (fr) | Authentification dans un reseau de radiotelephonie | |
WO2003107587A1 (fr) | Procede et dispositif d’interface pour echanger de maniere protegee des donnees de contenu en ligne | |
WO2005020538A2 (fr) | Procede et systeme de double authentification d'un utilisateur lors de l'acces a un service | |
WO2005079038A1 (fr) | Procede, terminal mobile, systeme et equipement pour la fourniture d’un service de proximite accessible par l’intermediaire d’un terminal mobile | |
EP1492061A1 (fr) | Méthode d'allocation de ressources sécurisées dans un module de sécurité | |
WO2012156365A1 (fr) | Procede de securisation d'une platforme d'authentification, dispositifs materiels et logiciels correspondants | |
WO2017077211A1 (fr) | Communication entre deux éléments de sécurité insérés dans deux objets communicants | |
EP3360293A1 (fr) | Moyens de gestion d'accès à des données | |
EP4222994A1 (fr) | Procedes de configuration d'un equipement utilisateur, de negociation avec une entite du reseau, et de gestion d'une connexion, et dispositifs associes | |
FR3017729A1 (fr) | Procede d'authentification a distance | |
WO2005034009A2 (fr) | Procede et systeme pour securiser les acces d'un utilisateur a un reseau de communication | |
FR2848754A1 (fr) | Procede d'authentification dans un reseau sans fil et architecture pour la mise en oeuvre du procede | |
EP1858224A1 (fr) | Méthode de mise en place des réseaux privés virtuels et contrôle d'accès distant | |
FR2954883A1 (fr) | Procede d'authentification securisee d'un terminal itinerant sur un reseau de telecommunications sans fil |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| WWE | Wipo information: entry into national phase | Ref document number: 2002703684; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2002571681; Country of ref document: JP; Ref document number: 10471562; Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 028098412; Country of ref document: CN |
| WWP | Wipo information: published in national office | Ref document number: 2002703684; Country of ref document: EP |
| REG | Reference to national code | Ref country code: DE; Ref legal event code: 8642 |
| WWG | Wipo information: grant in national office | Ref document number: 2002703684; Country of ref document: EP |