Patents by Inventor Donald E. Eastlake, III

Donald E. Eastlake, III has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20120210129
    Abstract: A method for external organization path length (EOPL) validation is provided. A relying party node of an organization receives an authentication request from a subject node of an external organization. The relying party node then obtains and evaluates certificates from a chain of certificates that link the subject node to a trust anchor of the relying party node, wherein at least one certificate from the chain of certificates comprises an enabled external organization flag (EOF) and/or an external organization path length constraint (EOPLC). The relying party node invalidates authentication of the subject node when the relying party node determines that a total number of enabled EOFs from certificates in the chain of certificates exceeds the lowest EOPLC value from certificates in the chain of certificates.
    Type: Application
    Filed: April 20, 2012
    Publication date: August 16, 2012
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: Anthony R. Metke, Donald E. Eastlake, III
  • Publication number: 20100250922
    Abstract: A method and system enable robust and scalable propagation of trust between a first organization and a second organization, both operating in an ad hoc wireless communication network. The method includes establishing at a first member node of the first organization pair-wise trust with a first member node of the second organization using a predetermined inter-organizational trust establishment device (step 505). Next, the first member node of the first organization generates a credential for the second organization using the pair-wise trust (step 510). The credential is then distributed from the first member node of the first organization to a second member node of the first organization (step 515). The second member node of the first organization then establishes pair-wise trust with a second member node of the second organization using the credential received from the first member node of the first organization (step 520).
    Type: Application
    Filed: March 31, 2009
    Publication date: September 30, 2010
    Applicant: Motorola, Inc.
    Inventors: Qi Bao, Donald E. Eastlake, III, Liang Guo, Whay Chiou Lee
  • Patent number: 7793103
    Abstract: An ad hoc network includes a first node, a second node, and a third node. The first node and second node share a first shared secret key, and the first node and third node share a second shared secret key. The second node and third node share a temporal key. The first node generates a unique key, encrypts the unique key with a first shared secret key to generate a first encrypted unique key and transmits the first encrypted unique key to the second node. The first node encrypts the unique key with a second shared secret key to generate a second encrypted unique key and transmits the second encrypted unique key to the third node. To establish the temporal key, the second node decrypts the first encrypted unique key and the third node decrypts the second encrypted unique key thereby each generating the unique key.
    Type: Grant
    Filed: August 15, 2006
    Date of Patent: September 7, 2010
    Assignee: Motorola, Inc.
    Inventors: Zhi Fu, Donald E. Eastlake, III, Anthony R. Metke
  • Patent number: 7734280
    Abstract: A method and apparatus for authentication in a wireless communication network is disclosed. A secret is shared between a mobile device and a home device. When a mobile device requests a connection to a remote device and the remote device does not have knowledge of the shared secret, the remote device determines whether the mobile device can connect to the remote device by concurrently sending a challenge to the mobile device and the home device. The remote device then compares the responses from the mobile device and the home device.
    Type: Grant
    Filed: October 21, 2005
    Date of Patent: June 8, 2010
    Assignee: Motorola, Inc.
    Inventor: Donald E. Eastlake, III
  • Publication number: 20100082975
    Abstract: A method and apparatus for external organization (EO) path length (EOPL) validation are provided. A relying party node (RPN) stores a current EO path length constraint (EOPLC) value, and an EOPL counter that maintains a count of an actual external organization path length. The RPN obtains a chain of certificates that link a subject node (SN) to its trust anchor, and processes the certificates in the chain. When a certificate has a lower EOPLC than the current EOPLC value, the RPN replaces the current EOPLC value with the lower EOPLC. When the certificate currently being evaluated includes an enabled EO flag, the RPN increments the EOPL counter by one. The EOPL validation fails when the EOPL counter is greater than the current EOPLC value, and is successful when the last remaining certificate in the chain is processed without having the EOPL counter exceed the current EOPLC value.
    Type: Application
    Filed: September 30, 2008
    Publication date: April 1, 2010
    Applicant: Motorola, Inc.
    Inventors: Anthony R. Metke, Donald E. Eastlake, III
  • Publication number: 20090276841
    Abstract: A method for deploying a trust bridge in an ad hoc wireless network can provide interoperability for multi-organizational authentication. The method includes processing at a delegate certification authority (DCA) node device authorizations received from a plurality of certification authorities (CAs) of different organizations, where the authorizations authorize the DCA node device to serve as a DCA representing the CAs (step 1105). The DCA node device then processes context information received from the ad hoc wireless network (step 1110). Next, the DCA node device determines, based on the context information, that a second node device should be enabled as a new trust bridge (step 1115). The DCA node device then performs a trust bridge deployment to enable the second node device to serve as the new trust bridge (step 1120).
    Type: Application
    Filed: April 30, 2008
    Publication date: November 5, 2009
    Applicant: MOTOROLA, INC.
    Inventors: Liang Guo, Qi Bao, Donald E. Eastlake, III, Whay Chiou Lee, Anthony R. Metke
  • Patent number: 7571479
    Abstract: A method and apparatus which defends a host, which is coupled to the Internet, via a defensive firewall/router, against a denial of service attack. The technique includes periodically determining the status of the host, storing the status of the host, receiving at the defensive firewall/router a request from an entity on the Internet for service from the host, and responding to the entity in accordance with the stored status. The period that is set is not related to the request.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: August 4, 2009
    Assignee: General Instrument Corporation
    Inventor: Donald E. Eastlake, III
  • Patent number: 7561551
    Abstract: A method and system for propagating mutual authentication data in both a first wireless communication network and a second wireless communication network is useful for unifying wireless communication networks. The method includes mutually authenticating a first node operating in the first network and a second node operating in the second network (step 205). A unification message is then transmitted from the first node to a third node operating in the second network, where the unification message indicates that the first node is authenticated with the second network (step 210). In response to the unification message, authentication messages from the third node and the second node are then relayed through the first node, for mutually authenticating the third node and the second node (step 215).
    Type: Grant
    Filed: April 25, 2006
    Date of Patent: July 14, 2009
    Assignee: Motorola, Inc.
    Inventors: Anthony R. Metke, Donald E. Eastlake, III, Zhi Fu
  • Publication number: 20090164785
    Abstract: A method authenticates a first node to a communication network that includes a second node to which the first node desires to mutually authenticate. The method includes detecting a broadcast message from the second node and determining whether mutual authentication can be performed directly with the second node. When the first node is unable to mutually authenticate to the second node directly, the first node locates a node that can serve as an authentication bridge to authenticate the first node to the communication network.
    Type: Application
    Filed: December 20, 2007
    Publication date: June 25, 2009
    Applicant: MOTOROLA, INC.
    Inventors: Anthony R. Metke, Donald E. Eastlake, III
  • Patent number: 7162740
    Abstract: A method for defending a host, which is coupled to the Internet via a defensive firewall/router, against a denial of service attack, comprises periodically determining the status of the host; storing the status of the host; receiving at the defensive firewall/router a request from an entity on the Internet for service from the host; and responding to the entity in accordance with the stored status. The period that is set is not related to the request.
    Type: Grant
    Filed: July 22, 2002
    Date of Patent: January 9, 2007
    Assignee: General Instrument Corporation
    Inventor: Donald E. Eastlake, III