최소 단어 이상 선택하여야 합니다.
최대 10 단어까지만 선택 가능합니다.
다음과 같은 기능을 한번의 로그인으로 사용 할 수 있습니다.
NTIS 바로가기다음과 같은 기능을 한번의 로그인으로 사용 할 수 있습니다.
DataON 바로가기다음과 같은 기능을 한번의 로그인으로 사용 할 수 있습니다.
Edison 바로가기다음과 같은 기능을 한번의 로그인으로 사용 할 수 있습니다.
Kafe 바로가기국가/구분 | United States(US) Patent 등록 |
---|---|
국제특허분류(IPC7판) |
|
출원번호 | US-0426764 (1999-10-26) |
발명자 / 주소 |
|
출원인 / 주소 |
|
대리인 / 주소 |
|
인용정보 | 피인용 횟수 : 536 인용 특허 : 268 |
The present invention provides methods and systems for secure, automated transaction processing for use in electronic commerce and electronic rights and transaction management over an electronic network such as the Internet and/or over organization internal Intranets. One exemplary system involves r
The present invention provides methods and systems for secure, automated transaction processing for use in electronic commerce and electronic rights and transaction management over an electronic network such as the Internet and/or over organization internal Intranets. One exemplary system involves rule-based specification and selection of clearinghouses, and rule-based specification of user restrictions on the use of identification information.
The present invention provides methods and systems for secure, automated transaction processing for use in electronic commerce and electronic rights and transaction management over an electronic network such as the Internet and/or over organization internal Intranets. One exemplary system involves r
The present invention provides methods and systems for secure, automated transaction processing for use in electronic commerce and electronic rights and transaction management over an electronic network such as the Internet and/or over organization internal Intranets. One exemplary system involves rule-based specification and selection of clearinghouses, and rule-based specification of user restrictions on the use of identification information. e internetwork is protected as a trusted domain having trusted switches: employing a flag within a header of a packet to indicate whether the packet has been verified by a trusted switch configured with the monitoring and filtering agent. 12. The method of claim 11 wherein the flag may be contained within one of an unused field of the header and a mini-header appended to the packet. 13. The method of claim 12 further comprising the step of, if a state of the flag indicates that the packet has not been verified by an upstream trusted switch along a path of the computer internetwork: enabling a downstream trusted switch to process the unverified packet depending upon its available capacity. 14. The method of claim 1, further comprising the steps of: calculating an optimal path for the packets over the computer internetwork; determining whether intermediate stations located along the optimal path are configured with the monitoring and filtering agents; and changing the optimal path of the packets to a non-optimal path that includes additional intermediate stations configured with the monitoring and filtering agents to execute the verification operations on the packets. 15. The method of claim 1 wherein the intermediate station comprises at least one of a switch, a router, a bridge and a firewall. 16. The method of claim 2 wherein the intermediate station comprises at least one of a switch, a router, a bridge, and a firewall. 17. A computer readable medium containing executable program instructions for efficiently distributing processing-intensive loads directed to verification operations on digital signatures appended to packets transferred among a plurality of intermediate stations in a computer internetwork, the executable program instructions comprising program instructions for: configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on the packets traversing paths of the computer internetwork; and at the configured intermediate station, independently processing a selection of the packets assigned to the station according to a hash function that enables checking of the digital signatures to identify one of authorized and unauthorized packets, thereby enabling sharing of the loads among the intermediate stations. 18. The computer readable medium of claim 17 wherein said executable program instructions further comprise program instructions for invoking the hash function to distinguish the packets based on contents of a field of each packet. 19. The computer readable medium of claim 18 wherein said executable program instructions further comprise program instructions for, wherein the contents comprise an address: decoding predetermined address bits into distinct values; apportioning the packets according to the distinct values; assigning packets to the intermediate stations based on the distinct values; and reassigning certain of the previously-assigned packets to certain of the intermediate stations to thereby balance the load among the stations. 20. A computer data signal embodied in a carrier wave and representing sequences of instructions for efficiently distributing processing-intensive loads directed to verification operations on digital signatures appended to packets transferred among a plurality of intermediate stations in a computer internetwork, the instructions comprising instructions for: configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on the packets traversing paths of the computer internetwork; and at the configured intermediate station, independently processing a selection of the packets assigned to the station according to a hash function that enables checking of the digital signatures to identify one of authorized and unauthorized packets, thereby enabling sharing of the loads among the intermediate stations. 21. The computer data signal of claim 20 wherein the selection of packets processed by each intermediate station is randomly assigned according to a fractional spot-checking function, said fractional spot checking function selecting a predetermined fraction of packets for processing, to enable checking of the digital signatures to identify one of authorized and unauthorized packets. 22. The computer data signal of claim 21 wherein the instructions further comprise instructions for: in response to identifying an unauthorized packet by a particular intermediate station, filtering the unauthorized packet; and altering the random fractional spot-checking of packets by the particular intermediate station on a per flow basis. 23. The computer data signal of claim 22 wherein the instructions for altering further comprise instructions for spot-checking an increased fraction of the packets. 24. A system for efficiently distributing processing-intensive loads among a plurality of intermediate stations in a computer internetwork, the system comprising: a plurality of memory devices containing software programs organized as monitoring and filtering agents to execute the loads on packets traversing paths of the computer inter-network, a portion of the internetwork protected as a trust domain having trusted switches; a plurality of processing elements coupled to respective ones of the memory devices, each processing element configured to execute a respective agent to independently verify digital signatures appended to a selection of packets to thereby share the loads among the intermediate stations; and a flag structure contained within a header of a packet to indicate whether the packet has been verified by a trusted switch configured with the monitoring and filtering agent. 25. The system of claim 24 wherein the flag structure may be contained within one of an unused field of the header and a mini-header appended to the packet. 26. The system of claim 25 wherein the intermediate station comprises one of a switch and a router. odule being created by using a different version of said random number. 3. The process according to claim 1, wherein said temporary encrypting protection key is generated by the security module. 4. The process according to claim 1, wherein said security module is designed in monolithic form on a single chip. 5. A process for using an item of sensitive information ISj in a security module, said security module including means for processing data and means for storing data, said process comprising the steps of: storing said item of sensitive information ISj in an encrypted form ISJ(ai+1) by the security module, wherein said item of sensitive information ISj is encrypted using a current version CPi(ai+1) of temporary encrypting protection key CPi, wherein said current version CPi(ai+1) is supplied by the security module, and an encryption algorithm, wherein said encryption algorithm is stored with an associated decryption algorithm in said means for storing data; said associated decryption algorithm being able to decrypt said item of sensitive information ISj from said item of sensitive information in encrypted form ISJ(ai+1), the item of sensitive information in encrypted form ISJ(ai+1) being stored in a nonvolatile memory of the security module, in association with identifying data defining a current version CPid(ai+1) of a temporary decrypting protection key CPid associated with said current version CPi(ai+1) of the temporary encrypting protection key CPi, said identifying data comprising a key identifier CPid and an update subscript (ai+1) which defines said current version CPid(ai+1) of the decrypting protection key from among a plurality of versions, said associated decrypting protection key CPid used by said associated decryption algorithm to decrypt said item of sensitive information ISj from said item of sensitive information in encrypted form ISJ(i+1) ; and selecting by the security module, upon a request to use the item of sensitive information ISj issuing from inside or outside the module, said current version CPid(ai+1) of the temporary decrypting protection key CPid associated with the item of sensitive information using said identifying data; decrypting by the security module the encrypted item of sensitive information ISJ(ai+1) using the current version CPid(ai+1) of the temporary decrypting protection key CPid and the decryption algorithm, and temporarily storing the item of sensitive information ISj in a decrypted form so that it disappears from the security module after a utilization of the item of sensitive information; and using the item of sensitive information ISj by the security module in its decrypted form. 6. The process according to claim 5, further comprising periodically modifying the encrypted form of an item of sensitive information by the steps of: decrypting the item of sensitive information stored in a current encrypted form ISJ(ai+1) by the security module, using the current version CPid(ai+1) of the temporary decrypting protection key CPid associated with it and said associated decryption algorithm; selecting a new version CPi(ai+2) of the temporary encrypting protection key CPi by the security module; re-encrypting the decrypted item of sensitive information ISj by the security module using the new version CPi(ai+2) of the temporary encrypting protection key and said encryption algorithm to produce a new encrypted form ISJ(ai+2) of the item of sensitive information; and storing, in the security module, the item of sensitive information in its new encrypted form ISJ(ai+2) and a new version CPid(ai+2) of the temporary decrypting protection key CPid associated with said new version CPi(ai+2) of the temporary encrypting protection key CPi. 7. The process according t o claim 6, further comprising supplying successive different versions of a random number by a random number generating means the security module, each current version CPi(ai+1) and new version CPi(ai+)2 of the temporary encrypting protection key CPi supplied by the security module being obtained from a different version of said random number. 8. The utilization process according to claim 6, further comprising storing two most recent versions of each temporary decrypting protection key CPid, a next-to-last version CPidaiand a last version CPid(ai+1), in the nonvolatile memory (10) of the security module, and when a new version CPi(ai+2) of any a temporary encrypting protection key is produced by the security module, storing a corresponding new version CPid(ai+2) of the associated temporary decrypting protection key CPid by the module in the nonvolatile memory, in place of the next-to-last version CPidai. 9. The process according to claim 8, in which several items of sensitive information IS(j-1), ISj are respectively encrypted with a different next-to-last version CPiaiand a different last version CPi(ai+1) of a same temporary encrypting protection key CPi so as to produce encrypted forms IS(J-1)aiand ISJ(ai+1), and when a new version of these items of sensitive information are to be produced by the security module, the following steps are executed: decrypting the item of sensitive information IS(J-1)(ai) encrypted with the next-to-last version CPiaiof the temporary encrypting protection key CPi by the security module, using the next-to-last version CPidaiof the temporary decrypting protection key CPid associated with the protection key; re-encrypting the decrypted item of sensitive information IS(j-1) by the security module using said last version CPi(ai+1) of the temporary encrypting protection key to produce a new encrypted form IS(J-1)(ai+1of the item of sensitive information; and storing, in the security module, the item of sensitive information in its new encrypted form IS(J-1)(J-1)(ai+1; and, in order to produce said new version of the items of sensitive information IS(j-1), ISj, executing the following steps: decrypting all the items of sensitive information IS(J-1)(ai+1) and ISJ(ai+1) related to said temporary encrypting protection key CPi by the security module using a last version CPid(ai+1) of the temporary decrypting protection key CPid associated with said last version CPi(ai+1) of the temporary encrypting protection key CPi; re-encrypting the decrypted items of sensitive information IS(j-1), ISj by the security module, using a new version CPi(ai+2) of the temporary encrypting protection key and said encryption algorithm, in order to produce a new encrypted form IS(J-1)(ai+2) and ISJ(ai+2) of these items of sensitive information; and storing, in the security module, the items of sensitive information in new encrypted forms IS(J-1)(ai+2) and ISJ(ai+2) and a new version CPid(ai+2) of the temporary decrypting production key CPid associated with said new version CPi(ai+2) of the temporary encrypting protection key. 10. The process according to claim 5, wherein said security module is designed in monolithic form on a single chip. 11. A security module comprising: means for processing data; means for storing data: key producing means disposed to produce one or more temporary encrypting protection keys CP1, . . . CPi, . . . CPn and an equal number of associated temporary decrypting protection keys CP1d, . . . CPid, . . . CPnd, and for each temporary encrypting protection key CPi and decrypting protection key CPid, several successive versions CPiai,CPi(ai+1), CPi(ai+2) and CPidai,CPid(ai+1), CPid(ai+2) ; means for associating with a given item of sensitive information ISj a predetermined temporary encrypting protection key CPi and temporary decrypting protection key CPid also associated with the temporary encrypting protection key CPi; encryption means for carrying out successive encryptions of the item of sensitive information ISj using one or another of said successive versions CPiai,CPi(ai+1), CPi(ai+2) of the temporary encrypting protection key associated with the item of sensitive information, wherein said encryption means includes an encryption algorithm stored in the storage means; and decryption means for carrying out successive decryptions of the item of sensitive information ISj using, for each decryption, from among said successive versions CPidai,CPid(ai+1), CPid(ai+2) of the temporary decrypting protection key, a version associated with the version of the temporary encrypting protection key used in the corresponding encryption, wherein said decryption means includes an associated decryption algorithm stored in the storage means, said associated decryption algorithm being able to decrypt said item of sensitive information ISj from the information encrypted by said encryption algorithm using said version of the temporary decrypting protection key. 12. The security module according to claim 11, comprising a random number generator means for supplying successive different versions of a random number, each of said successive versions CPiai,CPi(ai+1), CPi(ai+2) of each temporary encrypting protection key CPi supplied by the security module being obtained from a different version of said random number. 13. The security module according to claim 11, wherein said security module is designed in monolithic form on a single chip. ver the computer internetwork; determining whether intermediate stations located along the optimal path are configured with the monitoring and filtering agents; and changing the optimal path of the packets to a non-optimal path that includes additional intermediate stations configured with the monitoring and filtering agents to execute the verification operations on the packets. 15. The method of claim 1 wherein the intermediate station comprises at least one of a switch, a router, a bridge and a firewall. 16. The method of claim 2 wherein the intermediate station comprises at least one of a switch, a router, a bridge, and a firewall. 17. A computer readable medium containing executable program instructions for efficiently distributing processing-intensive loads directed to verification operations on digital signatures appended to packets transferred among a plurality of intermediate stations in a computer internetwork, the executable program instructions comprising program instructions for: configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on the packets traversing paths of the computer internetwork; and at the configured intermediate station, independently processing a selection of the packets assigned to the station according to a hash function that enables checking of the digital signatures to identify one of authorized and unauthorized packets, thereby enabling sharing of the loads among the intermediate stations. 18. The computer readable medium of claim 17 wherein said executable program instructions further comprise program instructions for invoking the hash function to distinguish the packets based on contents of a field of each packet. 19. The computer readable medium of claim 18 wherein said executable program instructions further comprise program instructions for, wherein the contents comprise an address: decoding predetermi
Copyright KISTI. All Rights Reserved.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.