公开(公告)号：WO0103398A3

公开(公告)日：2001-06-07

申请号：PCT/GB0002469

申请日：2000-06-28

Applicant: IBM ,  IBM UK

Inventor： BELLWOOD THOMAS ALEXANDER ,  LITA CHRISTIAN ,  RUTKOWSKI MATTHEW FRANCIS

IPC: G06F13/00 ,  G06F15/00 ,  H04L9/08 ,  H04L12/22 ,  H04L12/66 ,  H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0464 ,  H04L63/166 ,  H04L2463/102

Abstract: A method of enabling a proxy to participate in a secure communication between a client and a set of servers. The method begins by establishing a first secure session between the client and the proxy. Upon verifying the first secure session, the method continues by establishing a second secure session between the client and the proxy. In the second secure session, the client requests the proxy to act as a conduit to a first server. Thereafter, the client and the first server negotiate a first session master secret. Using the first secure session, this first session master secret is then provided by the client to the proxy to enable the proxy to participate in secure communications between the client and the first server. After receiving the first session master secret, the proxy generates cryptographic information that enables it to provide a given service (e.g., transcoding) on the client's behalf and without the first server's knowledge or participation. If data from a second server is required during the processing of a given client request to the first server, the proxy issues a request to the client to tunnel back through the proxy to the second server using the same protocol.

Abstract translation: 一种使代理能够参与客户端与一组服务器之间的安全通信的方法。 该方法首先在客户端和代理之间建立第一个安全会话。 在验证第一安全会话后，该方法继续在客户端和代理之间建立第二安全会话。 在第二个安全会话中，客户端请求代理充当第一台服务器的管道。 此后，客户端和第一服务器协商第一会话主密钥。 使用第一安全会话，然后由客户端将第一会话主密钥提供给代理，以使代理能够参与客户端和第一服务器之间的安全通信。 在接收到第一会话主秘密之后，代理生成密码信息，使其能够代表客户提供给定的服务（例如代码转换），并且不需要第一服务器的知识或参与。 如果在处理给定第一个服务器的给定客户机请求期间需要来自第二个服务器的数据，则代理向客户机发出请求，以使用相同协议通过代理向第二个服务器进行隧道传输。

公开(公告)号：WO2008098834A3

公开(公告)日：2008-12-04

申请号：PCT/EP2008051023

申请日：2008-01-29

Applicant: IBM ,  IBM UK ,  BASSETT RONALD ,  BELLWOOD THOMAS ALEXANDER ,  CHUMBLEY ROBERT BRYANT ,  RUTKOWSKI MATTHEW FRANCIS

Inventor： BASSETT RONALD ,  BELLWOOD THOMAS ALEXANDER ,  CHUMBLEY ROBERT BRYANT ,  RUTKOWSKI MATTHEW FRANCIS

IPC: H04L29/06 ,  H04N7/16

CPC classification number: H04L29/06027 ,  H04L65/4076 ,  H04L65/4084 ,  H04L65/605 ,  H04N7/163 ,  H04N21/2181 ,  H04N21/2543 ,  H04N21/4227 ,  H04N21/4524 ,  H04N21/458 ,  H04N21/8106

Abstract: A method isprovided for augmentingprogramming content at a remote location, such as a hotel, with the programming content ordinarily provided under subscription to a home location, such as a user's home. A user agreement is formed between a user and a home service provider, delineating the content provided by the home service provider to the home location. A service provider agreement is formed between the home service provider and a remote service provider, delineating content to be broadcast from the home location to the remote location. Local content is selectively augmented by the home content and displayed on a viewing device at the remote location. The user may remotely access settings and functions of a home set top box while at the remote location.

Abstract translation: 提供了一种用于在远程位置（例如酒店）处增强程序设计内容的方法，其中编程内容通常在订阅到归属位置（例如用户的家庭）下提供。 在用户和家庭服务提供商之间形成用户协议，将家庭服务提供商提供的内容描绘到家庭地点。 在家庭服务提供商和远程服务提供商之间形成服务提供商协议，描述要从家庭位置广播到远程位置的内容。 本地内容由家庭内容选择性地增加，并显示在远程位置的观看设备上。 用户可以在远程位置远程访问家庭机顶盒的设置和功能。

公开(公告)号：WO2008098833A3

公开(公告)日：2008-10-02

申请号：PCT/EP2008051022

申请日：2008-01-29

Applicant: IBM ,  IBM UK ,  BELLWOOD THOMAS ALEXANDER ,  RUTKOWSKI MATTHEW FRANCIS

Inventor： BELLWOOD THOMAS ALEXANDER ,  RUTKOWSKI MATTHEW FRANCIS

IPC: H04N7/167

CPC classification number: H04N7/1675 ,  H04N5/913 ,  H04N21/26613 ,  H04N21/42646 ,  H04N21/4325 ,  H04N21/4623 ,  H04N2005/91364

Abstract: An apparatus and a method are provided for selectively accessing digital content carried on a distribution medium such as a physical medium or a broadcast medium. In one embodiment, a plurality of digital content items are encrypted under a plurality of different key management blocks, wherein each key management block is associated with a different set of device keys. The plurality of content items may be provided together on a single distribution medium to devices having assigned device keys, so that devices may selectively access content as determined by the different key management block used to encrypt the various content items and by the device keys assigned to the devices. Depending on the association between the device key and the key management blocks, the decoding device may decode all of the content items, some of the content items, or none of the content items. To provide greater security, each content item may be multiple encrypted using multiple key management blocks per content item.

Abstract translation: 提供了一种用于选择性地访问诸如物理介质或广播介质之类的分发介质上承载的数字内容的设备和方法。 在一个实施例中，多个数字内容项目在多个不同的密钥管理块下被加密，其中每个密钥管理块与不同的一组设备密钥相关联。 多个内容项目可以在单个分发介质上一起提供给具有分配的设备密钥的设备，使得设备可以选择性地访问由用于加密各种内容项目的不同密钥管理块以及分配给 设备。 取决于设备密钥和密钥管理块之间的关联，解码设备可以解码所有的内容项目，一些内容项目或者没有内容项目。 为了提供更高的安全性，每个内容项目可以使用每个内容项目的多个密钥管理块进行多重加密。

公开(公告)号：JP2009239919A

公开(公告)日：2009-10-15

申请号：JP2009113926

申请日：2009-05-08

Applicant: Internatl Business Mach Corp ,  インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Maschines Corporation

Inventor： BELLWOOD THOMAS ALEXANDER ,  LITA CHRISTIAN ,  RUTKOWSKI MATTHEW FRANCIS

IPC: G06F13/00 ,  H04L9/08 ,  G06F15/00 ,  H04L12/22 ,  H04L12/66 ,  H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0464 ,  H04L63/166 ,  H04L2463/102

Abstract: PROBLEM TO BE SOLVED: To enable a proxy to participate in a secure communication between a client and a set of servers.
SOLUTION: This method includes steps of: requesting a client for a first secure connection to a proxy; requesting the client for a second secure connection to the proxy when a certificate received from the proxy is authenticated to be valid, that is a step of requesting the proxy so that the second secure connection works as a conduit to the server and negotiating respective session master secrets to the client and the server through the conduit; using the first secure connection for the client to deliver the secret to the proxy at the end of the negotiation; and enabling the proxy to use the secret to generate prescribed code information useful for joining the secure communication.
COPYRIGHT: (C)2010,JPO&INPIT

Abstract translation: 要解决的问题：使代理能够参与客户端和一组服务器之间的安全通信。 解决方案：该方法包括以下步骤：请求客户端到代理的第一安全连接; 当从代理接收的证书被认证为有效时，请求客户端到代理的第二安全连接，这是请求代理的步骤，使得第二安全连接作为服务器的管道并协商相应的会话主 通过管道向客户端和服务器机密; 使用客户端的第一个安全连接在协商结束时将秘密传递给代理; 并且使所述代理能够使用所述秘密来生成用于加入所述安全通信的规定代码信息。 版权所有（C）2010，JPO＆INPIT

公开(公告)号：DE112014000357T5

公开(公告)日：2015-10-08

申请号：DE112014000357

申请日：2014-03-10

Applicant: IBM

Inventor： BELLWOOD THOMAS ALEXANDER ,  BASSETT RONALD ,  RUTKOWSKI MATTHEW FRANCIS

IPC: H04L9/14

Abstract: Mandanten in einer mandantenfähigen, gemeinsam genutzten Implementierung werden ihre eigenen, einzigartigen Schlüsselbereiche bereitgestellt, über die sie ein Schlüsselverwaltungssystem steuern. Auf diese Weise werden virtuelle Schlüsselverwaltungsdomänen je Mandant (je Kunde) so erstellt, dass, wenn Daten eines bestimmten Kunden in der IT-Infrastruktur des Rechenzentrums/der Rechenzentren des Anbieters in ein Mehrmandantensystem eingebracht, gespeichert, übertragen oder virtualisiert werden, sie mithilfe von Schlüsselverwaltungsmaterialien gesichert werden, die für diesen Kunden spezifisch sind. Dies gewährleistet, dass die Gesamtheit der Daten eines Mandanten sicher bleibt, indem sie gegenüber Anwendungen anderer Mandanten kryptographisch isoliert wird. Die virtuellen Schlüsselverwaltungsdomänen werden mithilfe eines Übertragungsverschlüsselungs(BE)-Protokolls und im Besonderen eines Schemas mit mehreren Verwaltungsschlüsselvarianten dieses Protokolls festgelegt. Das virtuelle Schlüsselverwaltungssystem (VKMS) und -protokoll auf Grundlage von Übertragungsverschlüsselung erzielen eine je Mandant (wie auch je Anwendung) gesicherte Isolierung von Daten und können in jeglicher Kombination von Ressourcen in oder über sämtlichen) Ebenen einer IT-Infrastruktur mit mehreren Mandanten hinweg verwendet werden.

公开(公告)号：CA2616981C

公开(公告)日：2014-07-08

申请号：CA2616981

申请日：2006-05-16

Applicant: IBM

Inventor： CERRUTI JULIAN ,  CHUMBLEY ROBERT ,  RUTKOWSKI MATTHEW FRANCIS

IPC: G06F21/10

Abstract: The present invention provides a means for managing title keys by establishing logical partitions of title keys encrypted with the same binding information. The invention supports delayed and background processing of title keys when binding information changes. This invention supports proper accounting for devices required to recover rebinding processing when devices fail or go offline unexpectedly during processing. The invention uses binding context which represents a set of data that can be used to determine if the binding information used to encrypt a set of title keys is outdated and allow for rebinding to the current cluster binding information level.

公开(公告)号：DE10051024B4

公开(公告)日：2006-10-26

申请号：DE10051024

申请日：2000-10-14

Applicant: IBM

Inventor： BARRETT ROBERT C ,  BELLWOOD THOMAS ALEXANDER ,  DUTTA RABINDRANATH ,  LITA CHRISTIAN ,  RUTKOWSKI MATTHEW FRANCIS ,  STERLING DOUGLAS MERLE

IPC: G06F13/00 ,  G06F9/50 ,  G06F15/163 ,  G06F17/30 ,  H04L12/16 ,  H04L29/08

Abstract: A set of program elements (e.g., transcoders) are grouped together as an administrative unit. Instead of caching the individual outputs of each program element, preferably only the aggregate output of the set of program elements, taken as a whole, is cached. The inventive technique enables the effective re-use of intermediate content. In an illustrative client-server based implementation involving a transcoding service located at a server, the cached information may be shared across multiple server instances to obviate redundant processing. With the present invention, a caching mechanism in a complex software system may be extended in a user-configurable manner by setting up optimal intermediate caching points that are defined by groups of programs used in long computations.

公开(公告)号：AU5554100A

公开(公告)日：2001-01-22

申请号：AU5554100

申请日：2000-06-28

Applicant: IBM

Inventor： LITA CHRISTIAN ,  RUTKOWSKI MATTHEW FRANCIS

IPC: G06F13/00 ,  G06F15/00 ,  H04L9/08 ,  H04L12/22 ,  H04L12/66 ,  H04L29/06 ,  H04L29/08 ,  H04L29/00

Abstract: A method of enabling a proxy to participate in a secure communication between a client and a set of servers. The method begins by establishing a first secure session between the client and the proxy. Upon verifying the first secure session, the method continues by establishing a second secure session between the client and the proxy. In the second secure session, the client requests the proxy to act as a conduit to a first server. Thereafter, the client and the first server negotiate a first session master secret. Using the first secure session, this first session master secret is then provided by the client to the proxy to enable the proxy to participate in secure communications between the client and the first server. After receiving the first session master secret, the proxy generates cryptographic information that enables it to provide a given service (e.g., transcoding) on the client's behalf and without the first server's knowledge or participation. If data from a second server is required during the processing of a given client request to the first server, the proxy issues a request to the client to tunnel back through the proxy to the second server using the same protocol.

公开(公告)号：GB2526240A

公开(公告)日：2015-11-18

申请号：GB201517231

申请日：2014-03-10

Applicant: IBM

Inventor： BELLWOOD THOMAS ALEXANDER ,  RUTKOWSKI MATTHEW FRANCIS ,  BASSETT RONALD W

IPC: H04L9/14

Abstract: Tenants in a multi-tenant shared deployment are provided their own distinct key spaces over which they control a key management system. In this manner, virtual key management domains are created on a per-tenant (per-customer) basis so that, whenever a particular customer's data is co-tenanted, stored, transmitted or virtualized in the IT infrastructure of the provider's datacenter(s), it is secured using key management materials specific to that customer. This assures that the entirety of a tenant's data remains secure by cryptographically isolating it from other tenants' applications. The virtual key management domains are established using a broadcast encryption (BE) protocol and, in particular, a multiple management key variant scheme of that protocol. The broadcast encryption- based virtual key management system (VKMS) and protocol achieves per-tenant (as well as per-application) secured isolation of data and can be used across any combination of resources in or across all levels of a co-tenanted IT infrastructure.

公开(公告)号：AT321405T

公开(公告)日：2006-04-15

申请号：AT00940630

申请日：2000-06-28

Applicant: IBM

Inventor： BELLWOOD THOMAS ALEXANDER ,  LITA CHRISTIAN ,  RUTKOWSKI MATTHEW FRANCIS

IPC: G06F13/00 ,  G06F15/00 ,  H04L9/08 ,  H04L12/22 ,  H04L12/66 ,  H04L29/06 ,  H04L29/08 ,  H04L29/00

Abstract: A method of enabling a proxy to participate in a secure communication between a client and a set of servers. The method begins by establishing a first secure session between the client and the proxy. Upon verifying the first secure session, the method continues by establishing a second secure session between the client and the proxy. In the second secure session, the client requests the proxy to act as a conduit to a first server. Thereafter, the client and the first server negotiate a first session master secret. Using the first secure session, this first session master secret is then provided by the client to the proxy to enable the proxy to participate in secure communications between the client and the first server. After receiving the first session master secret, the proxy generates cryptographic information that enables it to provide a given service (e.g., transcoding) on the client's behalf and without the first server's knowledge or participation. If data from a second server is required during the processing of a given client request to the first server, the proxy issues a request to the client to tunnel back through the proxy to the second server using the same protocol.