LOW-LATENCY PEER SESSION ESTABLISHMENT
    1.
    Invention application
    LOW-LATENCY PEER SESSION ESTABLISHMENT (under examination, published)

    Publication number: WO2011049712A2

    Publication date: 2011-04-28

    Application number: PCT/US2010/050282

    Filing date: 2010-09-24

    Abstract: A source device and a target device may endeavor to form a secure communication session whereby encrypted messages may be transmitted over an untrusted network, such as the internet. However, the exchange of many messages in the establishment of the communication session may involve considerable latency and computational resources, particularly in scenarios featuring many communication sessions (e.g., peer-to-peer communication sessions). Techniques for initiating a communication session may be devised that enable the initiation of a communication session with only two exchanged messages, or even with a single message transmitted from the source device to the target device. Some embodiments of these techniques may also permit the inclusion of advantageous security features, such as authentication via public certificate to detect man-in-the-middle attacks and the inclusion of nonces to detect replay attacks, without increasing the number of messages involved in the initiation of the communication session.

    PROVIDING CONSISTENT APPLICATION AWARE FIREWALL TRAVERSAL
    2.
    Invention application
    PROVIDING CONSISTENT APPLICATION AWARE FIREWALL TRAVERSAL (under examination, published)

    Publication number: WO2007032852A1

    Publication date: 2007-03-22

    Application number: PCT/US2006/031877

    Filing date: 2006-08-15

    CPC classification number: H04L63/029 H04L63/0227 H04L63/08 H04L63/102

    Abstract: Implementations of the present invention relate to a communication framework that is readily adaptable to a wide variety of resources intended to be accessible through a firewall. In general, a communication framework at a gateway server can provide a specific connection to a requested resource in accordance with a wide range of resource and/or network access policies. In one instance, a client requests a connection to a specific resource behind a firewall. The communication framework authenticates the connection, and quarantines the connection until determining, for example, that the client is using appropriate resource features. If appropriately authenticated, the communication framework can pass control of the connection to an appropriately identified protocol plug-in processor, which facilitates a direct connection to the requested resource at an application layer of a communication stack.

    LOW-LATENCY PEER SESSION ESTABLISHMENT
    3.
    Invention publication
    LOW-LATENCY PEER SESSION ESTABLISHMENT (under examination, published)

    Publication number: EP2491672A2

    Publication date: 2012-08-29

    Application number: EP10825382.4

    Filing date: 2010-09-24

    Abstract: A source device and a target device may endeavor to form a secure communication session whereby encrypted messages may be transmitted over an untrusted network, such as the internet. However, the exchange of many messages in the establishment of the communication session may involve considerable latency and computational resources, particularly in scenarios featuring many communication sessions (e.g., peer-to-peer communication sessions). Techniques for initiating a communication session may be devised that enable the initiation of a communication session with only two exchanged messages, or even with a single message transmitted from the source device to the target device. Some embodiments of these techniques may also permit the inclusion of advantageous security features, such as authentication via public certificate to detect man-in-the-middle attacks and the inclusion of nonces to detect replay attacks, without increasing the number of messages involved in the initiation of the communication session.

    PROVIDING CONSISTENT APPLICATION AWARE FIREWALL TRAVERSAL
    4.
    Invention publication
    PROVIDING CONSISTENT APPLICATION AWARE FIREWALL TRAVERSAL (granted)

    Publication number: EP1934768A1

    Publication date: 2008-06-25

    Application number: EP06801554.4

    Filing date: 2006-08-15

    CPC classification number: H04L63/029 H04L63/0227 H04L63/08 H04L63/102

    Abstract: Implementations of the present invention relate to a communication framework that is readily adaptable to a wide variety of resources intended to be accessible through a firewall. In general, a communication framework at a gateway server can provide a specific connection to a requested resource in accordance with a wide range of resource and/or network access policies. In one instance, a client requests a connection to a specific resource behind a firewall. The communication framework authenticates the connection, and quarantines the connection until determining, for example, that the client is using appropriate resource features. If appropriately authenticated, the communication framework can pass control of the connection to an appropriately identified protocol plug-in processor, which facilitates a direct connection to the requested resource at an application layer of a communication stack.
