公开(公告)号：US20170093817A1

公开(公告)日：2017-03-30

申请号：US14958089

申请日：2015-12-03

Applicant: Raytheon BBN Technologies Corp.

Inventor： Joud Khoury ,  William Timothy Strayer

IPC: H04L29/06 ,  H04L9/14 ,  G06F21/60

CPC classification number: H04L63/0471 ,  G06F21/62 ,  H04L9/006 ,  H04L9/3073 ,  H04L63/105

Abstract: Techniques for cryptographically secure, cross-domain information sharing are described. A first information domain including a first attribute-based encryption (ABE) authority defines a first universe of ABE attributes. Plaintext is encrypted using ABE encryption, producing ABE ciphertext. The ABE encryption uses an ABE access control expression defined with a set of ABE attributes comprising a first ABE attribute subset from the first universe of ABE attributes and second ABE attribute subset from a second universe of ABE attributes defined by a second ABE authority of a second information domain. The ABE ciphertext and the ABE access control expression are combined to produce an ABE package. The ABE package is encrypted, using predicate-based encryption (PBE), producing a PBE ciphertext. The PBE encryption uses a first set of PBE attributes from a universe of PBE attributes defined by a PBE authority.

公开(公告)号：US09237027B2

公开(公告)日：2016-01-12

申请号：US13828546

申请日：2013-03-14

Applicant: Raytheon BBN Technologies Corp.

Inventor： Daniel Joseph Ellard ,  Alden Warren Jackson ,  Christine Elaine Jones ,  Josh Forrest Karlin ,  Victoria Ursula Manfredi ,  David Patrick Mankins ,  William Timothy Strayer

IPC: G06F15/16 ,  G06F15/173 ,  H04L12/24

CPC classification number: H04L63/20 ,  H04L12/24 ,  H04L41/00 ,  H04L51/12 ,  H04L51/28 ,  H04L61/1511 ,  H04L61/2539 ,  H04L63/02 ,  H04L63/0236 ,  H04L67/104

Abstract: Systems and methods for protecting a network including preventing data traffic from exiting the network unless a domain name request has been performed by a device attempting to transmit the data traffic. In an embodiment, a device within the protected network attempting to send data outside the protected network requests an address for a destination outside the protected network from a domain name server (DNS). In response, the DNS provides an address of the destination to the device and a gateway. In response to receiving the address, the gateway temporarily allows access to the address. In an embodiment, a DNS is coupled to a protected network and the gateway, the DNS provides an external address to a device in response to a request; and a mapping to the gateway; the gateway, coupled to a protected network and an external network, allows traffic according to the mapping.

Abstract translation: 用于保护网络的系统和方法，包括防止数据流量离开网络，除非域名请求已被尝试发送数据业务的设备执行。 在一个实施例中，受保护网络内尝试在受保护网络外发送数据的设备向域名服务器（DNS）请求受保护网络外的目标地址。 作为响应，DNS向设备和网关提供目的地的地址。 响应于接收地址，网关临时允许访问地址。 在一个实施例中，DNS被耦合到受保护的网络和网关，DNS响应于请求向设备提供外部地址; 和映射到网关; 耦合到受保护网络和外部网络的网关允许根据映射的流量。

公开(公告)号：US20150358279A1

公开(公告)日：2015-12-10

申请号：US13828427

申请日：2013-03-14

Applicant: Raytheon BBN Technologies Corp.

Inventor： Daniel Joseph Ellard ,  Alden Warren Jackson ,  Christine Elaine Jones ,  Josh Forrest Karlin ,  Victoria Ursula Manfredi ,  David Patrick Mankins ,  William Timothy Strayer

IPC: H04L29/06 ,  H04L29/08 ,  H04L12/58

CPC classification number: H04L63/20 ,  H04L12/24 ,  H04L41/00 ,  H04L51/12 ,  H04L51/28 ,  H04L61/1511 ,  H04L61/2539 ,  H04L63/02 ,  H04L63/0236 ,  H04L67/104

Abstract: Systems and methods for protecting a network including providing a mapping between internal addresses as seen by devices of the protected network and external addresses; providing devices with a mapped address for a destination in response to a lookup request; rewriting, at a gateway, destination addresses of packets exiting the protected network based on the mapping; and rewriting, at the destination-network gateway, source addresses of packets entering the protected network based on the mapping. Embodiments include a gateway coupled to a protected network, an external network, and a name server. The name server, in response to a hostname lookup request, configured to provide a network device with the internal address; and the gateway with a mapping including the internal address, the addresses of the device, and the hostname. The gateway configured to rewrite destination addresses of outbound packets, and source addresses of inbound packets, based on the mapping.

Abstract translation: 用于保护网络的系统和方法，包括提供受保护网络的设备和外部地址所看到的内部地址之间的映射; 向设备提供响应于查找请求的目的地的映射地址; 在网关处，基于所述映射重写退出所述受保护网络的分组的目的地址; 并且在目的网络网关处根据映射重写进入受保护网络的分组的源地址。 实施例包括耦合到受保护网络的网关，外部网络和名称服务器。 响应于主机名查找请求，所述名称服务器被配置为向网络设备提供所述内部地址; 网关具有映射，包括内部地址，设备地址和主机名。 网关配置为根据映射重写出站报文的目的地址和入方向报文的源地址。

公开(公告)号：US20220103572A1

公开(公告)日：2022-03-31

申请号：US17548068

申请日：2021-12-10

Applicant: Raytheon BBN Technologies Corp.

Inventor： William Timothy Strayer ,  Brandon Doherty Kalashian ,  Michael Hassan Atighetchi ,  Stephane Yannick Blais ,  Samuel Cunningham Nelson

IPC: H04L67/561

Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.

公开(公告)号：US20240406189A1

公开(公告)日：2024-12-05

申请号：US18519238

申请日：2023-11-27

Applicant: Raytheon BBN Technologies Corp.

Inventor： William Timothy Strayer ,  Brandon Doherty Kalashian ,  Michael Hassan Atighetchi ,  Stephane Yannick Blais ,  Samuel Cunningham Nelson

IPC: H04L9/40

Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.

公开(公告)号：US11831657B2

公开(公告)日：2023-11-28

申请号：US17548068

申请日：2021-12-10

Applicant: Raytheon BBN Technologies Corp.

Inventor： William Timothy Strayer ,  Brandon Doherty Kalashian ,  Michael Hassan Atighetchi ,  Stephane Yannick Blais ,  Samuel Cunningham Nelson

IPC: H04L29/06 ,  H04L9/40

CPC classification number: H04L63/126 ,  H04L63/123 ,  H04L63/1408

Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.

公开(公告)号：US09571463B2

公开(公告)日：2017-02-14

申请号：US14330543

申请日：2014-07-14

Applicant: Raytheon BBN Technologies Corp.

Inventor： William Timothy Strayer ,  Joud Khoury ,  Armando Luis Caro, Jr. ,  Vikas Kawadia ,  Samuel Cunningham Nelson, V

IPC: G06F7/04 ,  H04L29/06 ,  H04L9/08

CPC classification number: H04L63/0428 ,  H04L9/088 ,  H04L63/105 ,  H04L63/20 ,  H04L67/10 ,  H04L67/1095 ,  H04L67/20

Abstract: Systems and techniques for policy-based access control in content networks are herein described. Content and metadata describing the content may be encrypted by using an access control policy and a cryptographic key associated with the access control policy. The access control policy may be defined with a set of access control attributes. Each node in the content-based network may be assigned a set of access control attributes and a cryptographic key generated as a function of its assigned set of access control attributes. Each node in the content-based network may be configured to decrypt successfully the metadata or the content if and only if the assigned set of access control attributes of the node satisfies the access control policy used to encrypt the metadata or content.

Abstract translation: 这里描述了用于内容网络中基于策略的访问控制的系统和技术。 可以通过使用访问控制策略和与访问控制策略相关联的加密密钥来加密描述内容的内容和元数据。 访问控制策略可以用一组访问控制属性来定义。 基于内容的网络中的每个节点可以被分配一组访问控制属性和作为其分配的访问控制属性集合的函数而生成的密码密钥。 基于内容的网络中的每个节点可以被配置为当且仅当节点的所分配的一组访问控制属性满足用于加密元数据或内容的访问控制策略时才成功地解密元数据或内容。

公开(公告)号：US11804949B2

公开(公告)日：2023-10-31

申请号：US17207031

申请日：2021-03-19

Applicant: Raytheon BBN Technologies Corp.

Inventor： Joud Khoury ,  Samuel Cunningham Nelson ,  William Timothy Strayer

IPC: H04L9/06 ,  H04L9/08 ,  H04L9/14 ,  G06F16/22

CPC classification number: H04L9/0618 ,  G06F16/2246 ,  H04L9/0861 ,  H04L9/0891 ,  H04L9/14

Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.

公开(公告)号：US11558185B2

公开(公告)日：2023-01-17

申请号：US17207042

申请日：2021-03-19

Applicant: Raytheon BBN Technologies Corp.

Inventor： Joud Khoury ,  Samuel Cunningham Nelson ,  William Timothy Strayer

IPC: G06F21/00 ,  H04L29/06 ,  H04L9/08 ,  H04L9/06 ,  H04L9/14 ,  H04L67/55

Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.

公开(公告)号：US20220303127A1

公开(公告)日：2022-09-22

申请号：US17207042

申请日：2021-03-19

Applicant: Raytheon BBN Technologies Corp.

Inventor： Joud Khoury ,  Samuel Cunningham Nelson ,  William Timothy Strayer

IPC: H04L9/08 ,  H04L29/08 ,  H04L9/14 ,  H04L9/06

Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.