Patents Assigned to SSH COMMUNICATIONS SECURITY
  • Patent number: 7356693
    Abstract: The practical benefit of the inventive idea results from an assumption that typically, the operational subCAs will not get compromised. Assuming this, a batch of revocation lists manifesting no revocations can be generated and signed. These pregenerated CRLs (root CRLs) can then be stored outside the high-security vault and, in case of no subCA compromises, published periodically one at a time to the directory system where the PKI clients can automatically fetch them.
    Type: Grant
    Filed: September 30, 2003
    Date of Patent: April 8, 2008
    Assignee: SSH Communications Security Corporation
    Inventors: Tero Kivinen, Tomi Kause
  • Publication number: 20070033643
    Abstract: A method, device, system, and computer program for authenticating a user in connection with a security protocol comprising a plurality of authentication methods are described. A packet data connection is established to a remote node. An authentication procedure of the security protocol is initiated with the remote node via the packet data connection. State information is provided for the authentication procedure, and cumulative state information is taken into account in selection of at least one appropriate authentication method when carrying out the authentication procedure.
    Type: Application
    Filed: July 18, 2006
    Publication date: February 8, 2007
    Applicant: SSH COMMUNICATIONS SECURITY CORP.
    Inventors: Markku Rossi, Timo Rinne, Sami Lehtinen, Tero Harjula
  • Publication number: 20070022475
    Abstract: A method, device, system and computer program for providing a transport distribution scheme for a security protocol are disclosed. A first packet data connection is established to a remote node for transmitting packet data over a network with a security protocol. An authentication procedure is performed with the remote node via the first packet data connection for establishing a security protocol session with the remote node. At least one security parameter is negotiated with the remote node for transmitting packets through the first packet data connection. A second packet data connection is established to the remote node, and at least one security parameter is negotiated with the remote node for use with the second packet data connection. The first and second packet data connections are handled as packet data subconnections associated with the security protocol session.
    Type: Application
    Filed: July 18, 2006
    Publication date: January 25, 2007
    Applicant: SSH COMMUNICATIONS SECURITY CORP.
    Inventors: Markku Rossi, Timo Rinne
  • Publication number: 20060256815
    Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
    Type: Application
    Filed: May 12, 2005
    Publication date: November 16, 2006
    Applicant: SSH Communications Security Ltd
    Inventors: Tero Kivinen, Tatu Ylonen
  • Publication number: 20050278454
    Abstract: The invention relates to methods for processing data packets according to a set of rules, and especially for preparing of decision trees for selecting the correct rule for processing of a data packet. In preparation of a decision tree, a splitting point within a dimension being studied is chosen as follows. The rules are sorted to allow monotonous iteration through all range end values specified in the rules in the dimension being studied. The range end values are then iterated through in a monotonous fashion, either increasing or decreasing. At each iteration, the number of range low end values and the number of range high end values being equal to the current iteration value is counted. From these counts and the accumulated results from the corresponding counts in previous iterations, the numbers of rules with ranges in different positions relative to the current iteration value are deduced, and from these values, the goodness of the iteration value is calculated.
    Type: Application
    Filed: March 28, 2003
    Publication date: December 15, 2005
    Applicant: SSH Communications Security Corp
    Inventor: Kenneth Oksanen
  • Patent number: 6957346
    Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
    Type: Grant
    Filed: June 15, 1999
    Date of Patent: October 18, 2005
    Assignee: SSH Communications Security Ltd.
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 6795917
    Abstract: For achieving packet authentication according to an applicable security policy between a sending node (903) and a receiving node (902) in a network, the following steps are taken: the transformations occurring to a packet en route between the sending node and the receiving node are discovered dynamically (1003, 1004), the discovered transformations are checked (1004) to be acceptable based on the applicable security policy, and the dynamically discovered, acceptable transformations are compensated for (1004, 1006) before authenticating packets transmitted from the sending node to the receiving node.
    Type: Grant
    Filed: October 21, 1999
    Date of Patent: September 21, 2004
    Assignee: SSH Communications Security LTD
    Inventor: Tatu Ylonen
  • Publication number: 20040057430
    Abstract: A method and devices are provided for handling a broadcast packet in a computer (131, 132, 612, 622, 632, 711, 721, 731, 741, 1111, 1112, 1301) that has an IPsec-protected connection to a part (121, 122, 141, 732, 733, 742, 743, 1113, 1114) of a logical network segment (101, 601, 701, 1101) within which the broadcast packet should be distributed. The IPsec protection specifies what kinds of packets are acceptable for transmission over the IPsec-protected connection. The broadcast packet is encapsulated (204, 311, 508, 835, 838, 840, 842, 849, 852, 909) into a form that is acceptable for transmission over the IPsec-protected connection. It is then transmitted (205, 206, 312, 509, 836, 839, 841, 843, 850, 853, 910) to the part of the logical network segment through the IPsec-protected connection.
    Type: Application
    Filed: June 30, 2003
    Publication date: March 25, 2004
    Applicant: SSH COMMUNICATIONS SECURITY CORP.
    Inventor: Santeri Paavolainen
  • Patent number: 6678734
    Abstract: A method is provided for intercepting network packets in a computer system, where a number of functions are used to communicate network packets between a network adapter and a protocols entity. A first network adapter and a first protocols entity installed in the computer system are identified. A set of replacement functions is provided within a packet interceptor module. At least one function used for transmitting network packets from said first protocols entity to said first network adapter is hooked into a first replacement function. At least one function used for transmitting network packets from said first network adapter to said first protocols entity is hooked into a second replacement function. At least one function used for receiving information about the status of the network interface implemented by said first network adapter is hooked into a third replacement function.
    Type: Grant
    Filed: November 13, 1999
    Date of Patent: January 13, 2004
    Assignee: SSH Communications Security Ltd.
    Inventors: Niko Haatainen, Tero Kivinen, Jussi Kukkonen, Tatu Ylönen
  • Publication number: 20020178356
    Abstract: According to the invention, the problem of checking the identity of others is alleviated by creating a mechanism which allows users to trust and utilize the checking work performed by certain other users, so that every user need not check and confirm the identity of every other user. This can be accomplished by allowing a user who has checked that the identities of a number of other users truly correspond to their certificates to produce a list of these checked certificates, so that other users can import the list of checked certificates into their systems.
    Type: Application
    Filed: February 15, 2002
    Publication date: November 28, 2002
    Applicant: SSH Communications Security Corp.
    Inventor: Samuli Mattila
  • Patent number: 6438612
    Abstract: Data packets are communicated between a transmitting virtual router in a transmitting computer device and a receiving virtual router in a receiving computer device. A security association is established for the secure transmission of data packets between the transmitting computer device and the receiving computer device. The transmitting virtual router and the receiving virtual router are identified within said security association. In the transmitting computer device, the security association for processing a data packet coming from the transmitting virtual router is selected on the basis of the identification of the transmitting virtual router within the security association. In the receiving computer device, the security association for processing a data packet coming from the transmitting computer device is selected on the basis of values contained within the data packet.
    Type: Grant
    Filed: September 11, 1998
    Date of Patent: August 20, 2002
    Assignee: SSH Communications Security, Ltd.
    Inventors: Tatu Ylonen, Tero Kivinen
  • Patent number: 6253321
    Abstract: A data processing system implements a security protocol based on processing data in packets. The data processing system comprises processing packets for storing filter code and processing data packets according to stored filter code, and a policy managing function for generating filter code and communicating generated filter code for packet processing. The packet processing function is arranged to examine whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing function, which generates filter code applicable for the processing of the packet and communicates the generated filter code for packet processing.
    Type: Grant
    Filed: June 19, 1998
    Date of Patent: June 26, 2001
    Assignee: SSH Communications Security Ltd.
    Inventors: Pekka Nikander, Tatu Ylonen
  • Patent number: D468303
    Type: Grant
    Filed: September 10, 2001
    Date of Patent: January 7, 2003
    Assignee: SSH Communications Security Corp.
    Inventors: Kalervo Ylinen, Petri Laitinen, Jorma Savolainen