Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  • H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/16—Implementing security features at a particular protocol layer
  • H04L63/164—Implementing security features at a particular protocol layer at the network layer
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2105—Dual mode as a secondary aspect
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2149—Restricted operating environment
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/76—Proxy, i.e. using intermediary entity to perform cryptographic operations
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/80—Wireless

Definitions

• IPsec Internet protocol security
• communication between two peer endpoints typically involves two phases: mutual authentication and negotiation of traffic protection parameters, and application of the protection parameters to the traffic between the peers (e.g., encryption and/or
• one technique for the peers to authenticate each other is through the use of certificates.
• Each peer endpoint of the connection is provided with a certificate that authorizes the corresponding endpoint to participate in an IPsec session with the other endpoint.
• both machines need to have a certificate from a common trusted certificate authority.
• an ISP Internet service provider
• ISP Internet service provider
• the ISP deploys a certificate authority for each zone.
• the deployment and maintenance of multiple certificate authorities is a time consuming and labor intensive process.
• the disclosed architecture provides Internet protocol security (IPsec) certificate exchange based on certificate attributes. This enables one IPsec endpoint to validate the security context of another IPsec endpoint certificate by referencing certificate attributes, in addition to the certificate root. By facilitating IPsec certificate exchange using certificate attributes rather than solely certificate roots it is now possible to build multiple isolated network zones using a single certificate authority rather than requiring one certificate authority per zone.
• IPsec Internet protocol security
• certificate attributes rather than solely certificate roots it is now possible to build multiple isolated network zones using a single certificate authority rather than requiring one certificate authority per zone.
• QoS quality of service
• certificate attributes can be utilized during the IPsec certificate exchange process to identify the security context of the endpoint.
• the certificate can contain an attribute that is the unique ID (identifier) of the security context.
• the receiving endpoint can validate that the security context of the certificate installed on the current machine is the same as the security context of the certificate of the requestor.
• IPsec certificate use can be locked down to a single IP or group of IPs.
• One of the attributes in the IPsec certificate can be the IP address(es) with which it can be used. This prevents the certificate from being copied and reused on another machine that has a different IP address.
• FIG. 1 illustrates computer-implemented security system in accordance with the disclosed architecture.
• FIG. 2 illustrates a security system that includes a certificate authority for certificate generation and administration over multiple zones.
• FIG. 3 illustrates a security system that includes the certificate authority for certificate generation and administration within subzones of a single zone.
• FIG. 4 illustrates exemplary certificate attributes that can be employed in a digital certificate for IPsec communications.
• FIG. 5 illustrates a computer-implemented security method.
• FIG. 6 illustrates additional aspects of the method of FIG. 5.
• FIG. 7 illustrates a method of processing an IPsec certificate to an IP address.
• FIG. 8 illustrates a block diagram of a computing system operable to execute attribute processing for IPsec communications in accordance with the disclosed architecture.
• FIG. 9 illustrates a schematic block diagram of a computing environment that processes certificate attributes for IPsec communications.
• the disclosed architecture introduces IPsec (Internet protocol security) certificate exchange based on certificate attributes. This enables two IPsec endpoints each having certificates to validate the security context of the other by referencing certificate attributes, in addition to the certificate root. This creation of multiple isolated network zones is now possible using a single certificate authority rather than requiring one certificate authority per zone.
• IPsec Internet protocol security
• FIG. 1 illustrates a computer- implemented security system 100 in accordance with the disclosed architecture.
• the system 100 includes a communications component 102 of a local endpoint 104 that receives a digital certificate 106 from a remote endpoint 108.
• the communications component 102 can include at least the hardware and/or software for sending and receiving data packets.
• the digital certificate 106 includes certificate attributes.
• the system 100 can also include a security component 110 of the local endpoint 104 that processes one or more of the certificate attributes to validate IPsec communications with the remote endpoint 108.
• the system 100 facilitates peer certificate validation during IPsec using certificate attributes rather than of solely based on the root certificate.
• Each peer certificate includes attributes that describe the security context of the certificate.
• one of the attributes in the IPsec certificate can be customer ID.
• each endpoint can examine the attributes of the certificate presented by the peer and make a decision on setting up the IPsec session.
• the certificate presented by the peer contains the same customer ID, then an IPsec session is allowed.
• both certificates still need to be issued by a single certificate authority. This solution utilizes only one certificate authority irrespective of the number of isolation contexts deployed.
• Another aspect is the ability to increase security by locking IPsec certificates to a specific IP address or addresses.
• the certificate can include an IP address (or group of addresses) of the physical network on which the certificate is intended to be used.
• IPsec connection When opening the IPsec connection, each endpoint compares the actual IP address the other endpoint is using to a list of IP addresses in the presented certificate. If the IP address of the other endpoint is on the list, then the connection can proceed. If the address is not on the list, the connection will fail, since this can be an indication of a hijacking attempt, where the attacker managed to copy the certificate from a legitimate machine to a different (unauthorized) machine, for example.
• the disclosed architecture provides the capability to detect such attacks, thereby increasing overall security of the solution.
• the security component 110 can also validate the IPsec communications using a root certificate.
• the digital certificate 106 (and certificate 112) includes one or more certificate attributes that define a security context of the digital certificate. Additionally, the digital certificate can be locked to a specific certificate attribute, such as a specific address or group of addresses.
• the security component 110 can process certificate attributes according to attribute priority.
• one attribute can be given more weight over another attribute or set of attributes.
• a QoS (quality of service) attribute can be used to give higher priority to one endpoint over another endpoint.
• the attribute analysis process can also include comparing certificate attribute(s) to a predetermined set of attributes, and if all attributes match, the IPsec session can be established; however, if only two of the three match, the session fails, or makes at a reduced level of communications.
• the one or more certificate attributes can include an IP address of a proxy system through which an endpoint communicates and/or a zone is located.
• the peer remote endpoint 108 can also include similar components (e.g., communications component and security component) as the local endpoint 104 for receiving and processing the local digital certificate 112 or other certificates the remote endpoint 108 may receive from other peer endpoints.
• FIG. 2 illustrates a security system 200 that includes a certificate authority 202 for certificate generation and administration over multiple zones.
• the certificate authority 202 can now be a single (the only) authority deployed to generate and administer (issue) digital certificates for IPsec communications over the multiple zones.
• the system 200 includes two zones: a first zone (Zonel), and a second zone (Zone2) (although many more zones can be employed).
• the first zone includes multiple endpoints 204
• Endpointn (Endpointn,...,Endpointis) (each of the endpoints 204 being issued a digital certificate) such as a first zone endpoint 206 receiving and utilizing a first zone certificate 208 (Dig Certn).
• the second zone includes multiple endpoints 210
• Endpoint 2 i (Endpoint 2 i, ... ,Endpoint 2T ) (each of the endpoints 210 being issued a digital certificate) such as a second zone endpoint 212 receiving and utilizing a second zone certificate 214
• the certificate authority 202 can be the sole certificate authority that provides certificate administration over a network 216 to both the first and second zones and associated endpoints, and possibly as well as to endpoints and zones outside the network 216.
• the endpoints (206 and 212) exchange corresponding digital certificates (208 and 214) over an IPsec connection.
• the first zone endpoint 206 analyzes the second zone certificate 214 for one or more security context attributes, and potentially other attributes, as does the second zone endpoint 212 to the first zone certificate 208.
• the root certificates of the first and second zone endpoints (206 and 212) can also be passed and validated. If validation is successful from both endpoints, an IPsec session can be established between the endpoints (206 and 212).
• FIG. 3 illustrates a security system 300 that includes the certificate authority 202 for certificate generation and administration within subzones of a single zone.
• the certificate authority 202 can still be the single (only) authority deployed to generate and administer (issue) digital certificates for IPsec communications and sessions over the multiple subzones (or segments).
• the system 300 includes two subzones of a zone: a first subzone (Subzonel), and a second subzone (Subzone2) (although many more subzones can be employed).
• the first subzone includes the multiple endpoints 204 (Endpointn,...,Endpointi S ) (each endpoint being issued a digital certificate) such as a first subzone endpoint 302 receiving and utilizing a first subzone certificate 304 (Dig Certn).
• the second subzone includes the multiple endpoints 210 (Endpoint 2 i, ...,Endpoint 2 T) (each endpoint being issued a digital certificate) such as a second subzone endpoint 306 receiving and utilizing a second zone certificate 308 (Dig
• the certificate authority 202 can be the sole certificate authority for the zone and subzones that provides certificate administration over the network 216 to both the first and second subzones and associated endpoints, and possibly as well as to endpoints and zones/subzones outside the network 216.
• the endpoints (302 and 306) exchange corresponding digital certificates (304 and 308) over an IPsec connection.
• the first subzone endpoint 302 analyzes the second subzone certificate 308 for one or more security context attributes, and potentially other attributes, as does the second subzone endpoint 306 to the first subzone certificate 304.
• the root certificates of the first and second subzone endpoints (302 and 306) can also be passed and validated. If validation is successful from both endpoints, an IPsec session can be established between the endpoints (302 and 306).
• FIG. 4 illustrates exemplary certificate attributes 400 that can be employed in a digital certificate 402 for IPsec communications.
• the attributes 400 can include QoS data, unique ID of the security context, IP address of an endpoint (physical machine or virtual machine) with which an IPsec session can be obtained, IP addresses for a group (or groups) of endpoints with which an IPsec session(s) can be obtained, customer ID (e.g., for a company), zone ID, circle ID, IP address of proxy system, and so on.
• customer ID e.g., for a company
• zone ID e.g., for a company
• circle ID IP address of proxy system
• the disclosed architecture applies to all classes (e.g., individuals requiring proof of identity, organizations, servers, online business transaction, private organization or governmental, etc.) of digital certificates as well.
• the attribute processing of IPsec can process only a single attribute (company ID), or multiple attributes (e.g., company ID and zonel). Additionally, a weighting system can be employed such that a first attribute is given more weight than a third attribute, for example. Alternatively, or in combination therewith, attributes can be ranked according to predetermined criteria, such as a zone attribute being ranked as top priority, followed by customer ID as a lesser priority, and so on.
• an endpoint can include multiple certificates each defining access to different zones and endpoints according to the attributes.
• FIG. 5 illustrates a computer-implemented security method.
• a digital certificate is received at an endpoint from a peer endpoint, the certificate having one or more certificate attributes.
• the security context of the peer endpoint is validated at the endpoint based on the one or more certificate attributes.
• an IPsec session is established between the endpoint and the peer endpoint based on validation of the security context.
• FIG. 6 illustrates additional aspects of the method of FIG. 5.
• digital certificates are issued to the endpoint and the peer endpoint from a certificate authority that administers multiple zones.
• the certificate is locked down to a specific attribute.
• an attribute is defined as an IP address of a specific endpoint.
• an attribute is defined as a range of IP addresses of a group.
• the security context is defined as one or more of the attributes.
• an attribute of the endpoint digital certificate is compared to security data of the endpoint to validate the peer endpoint to the endpoint.
• FIG. 7 illustrates a method of processing an IPsec certificate to an IP address.
• IPsec communications is initiated between endpoints having lock down to a specific IP addresses.
• each endpoint compares the IP address of the other endpoint to a list of IP addresses in the presented certificate.
• flow is to 706, to establish the IPsec session between the endpoints.
• flow is to 708 to fail start of the IPsec session.
• a component can be, but is not limited to being, a process running on a processor, a processor, a hard disk drive, multiple storage drives (of optical, solid state, and/or magnetic storage medium), an object, an executable, a thread of execution, a program, and/or a computer.
• a component can be, but is not limited to being, a process running on a processor, a processor, a hard disk drive, multiple storage drives (of optical, solid state, and/or magnetic storage medium), an object, an executable, a thread of execution, a program, and/or a computer.
• an application running on a server and the server can be a component.
• One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers.
• the word "exemplary” may be used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as "exemplary” is not necessarily to be construed as preferred or advantageous
• FIG. 8 there is illustrated a block diagram of a computing system 800 operable to execute attribute processing for IPsec communications in accordance with the disclosed architecture.
• FIG. 8 and the following description are intended to provide a brief, general description of the suitable computing system 800 in which the various aspects can be implemented. While the description above is in the general context of computer- executable instructions that can run on one or more computers, those skilled in the art will recognize that a novel embodiment also can be implemented in combination with other program modules and/or as a combination of hardware and software.
• the computing system 800 for implementing various aspects includes the computer 802 having processing unit(s) 804, a computer-readable storage such as a system memory 806, and a system bus 808.
• the processing unit(s) 804 can be any of various commercially available processors such as single-processor, multi-processor, single-core units and multi-core units.
• processors such as single-processor, multi-processor, single-core units and multi-core units.
• processors such as single-processor, multi-processor, single-core units and multi-core units.
• those skilled in the art will appreciate that the novel methods can be practiced with other computer system configurations, including minicomputers, mainframe computers, as well as personal computers (e.g., desktop, laptop, etc.), hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated devices.
• the system memory 806 can include computer-readable storage such as a volatile (VOL) memory 810 (e.g., random access memory (RAM)) and non-volatile memory (NON-VOL) 812 (e.g., ROM, EPROM, EEPROM, etc.).
• VOL volatile
• NON-VOL non-volatile memory
• BIOS basic input/output system
• the volatile memory 810 can also include a high-speed RAM such as static RAM for caching data.
• the system bus 808 provides an interface for system components including, but not limited to, the memory subsystem 806 to the processing unit(s) 804.
• the system bus 808 can be any of several types of bus structure that can further interconnect to a memory bus (with or without a memory controller), and a peripheral bus (e.g., PCI, PCIe, AGP, LPC, etc.), using any of a variety of commercially available bus architectures.
• a memory bus with or without a memory controller
• a peripheral bus e.g., PCI, PCIe, AGP, LPC, etc.
• the computer 802 further includes machine readable storage subsystem(s) 814 and storage interface(s) 816 for interfacing the storage subsystem(s) 814 to the system bus 808 and other desired computer components.
• the storage subsystem(s) 814 can include one or more of a hard disk drive (HDD), a magnetic floppy disk drive (FDD), and/or optical disk storage drive (e.g., a CD-ROM drive DVD drive), for example.
• the storage interface(s) 816 can include interface technologies such as EIDE, ATA, SATA, and IEEE 1394, for example.
• One or more programs and data can be stored in the memory subsystem 806, a removable memory subsystem 818 (e.g., flash drive form factor technology), and/or the storage subsystem(s) 814 (e.g., optical, magnetic, solid state), including an operating system 820, one or more application programs 822, other program modules 824, and program data 826.
• a removable memory subsystem 818 e.g., flash drive form factor technology
• the storage subsystem(s) 814 e.g., optical, magnetic, solid state
• an operating system 820 e.g., one or more application programs 822, other program modules 824, and program data 826.
• the one or more application programs 822, other program modules 824, and program data 826 can include the entities and components of the system 100 of FIG. 1, the entities and components of the system 200 of FIG. 2, the entities and components of the system 300 of FIG. 3, the certificate and attributes of FIG. 4, and the methods represented by the flow charts of Figures 5-7, for example.
• programs include routines, methods, data structures, other software components, etc., that perform particular tasks or implement particular abstract data types. All or portions of the operating system 820, applications 822, modules 824, and/or data 826 can also be cached in memory such as the volatile memory 810, for example. It is to be appreciated that the disclosed architecture can be implemented with various
• the storage subsystem(s) 814 and memory subsystems (806 and 818) serve as computer readable media for volatile and non-volatile storage of data, data structures, computer-executable instructions, and so forth.
• Computer readable media can be any available media that can be accessed by the computer 802 and includes volatile and nonvolatile internal and/or external media that is removable or non-removable. For the computer 802, the media accommodate the storage of data in any suitable digital format. It should be appreciated by those skilled in the art that other types of computer readable media can be employed such as zip drives, magnetic tape, flash memory cards, flash drives, cartridges, and the like, for storing computer executable instructions for performing the novel methods of the disclosed architecture.
• a user can interact with the computer 802, programs, and data using external user input devices 828 such as a keyboard and a mouse.
• Other external user input devices 828 can include a microphone, an IR (infrared) remote control, a joystick, a game pad, camera recognition systems, a stylus pen, touch screen, gesture systems (e.g., eye movement, head movement, etc.), and/or the like.
• the user can interact with the computer 802, programs, and data using onboard user input devices 830 such a touchpad, microphone, keyboard, etc., where the computer 802 is a portable computer, for example.
• I/O device interface(s) 832 are connected to the processing unit(s) 804 through input/output (I/O) device interface(s) 832 via the system bus 808, but can be connected by other interfaces such as a parallel port, IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.
• the I/O device interface(s) 832 also facilitate the use of output peripherals 834 such as printers, audio devices, camera devices, and so on, such as a sound card and/or onboard audio processing capability.
• One or more graphics interface(s) 836 (also commonly referred to as a graphics processing unit (GPU)) provide graphics and video signals between the computer 802 and external display(s) 838 (e.g., LCD, plasma) and/or onboard displays 840 (e.g., for portable computer).
• graphics interface(s) 836 can also be manufactured as part of the computer system board.
• the computer 802 can operate in a networked environment (e.g., IP-based) using logical connections via a wired/wireless communications subsystem 842 to one or more networks and/or other computers.
• the other computers can include workstations, servers, routers, personal computers, microprocessor-based entertainment appliances, peer devices or other common network nodes, and typically include many or all of the elements described relative to the computer 802.
• the logical connections can include
• LAN and WAN networking environments are commonplace in offices and companies and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network such as the Internet.
• the computer 802 connects to the network via a wired/wireless communication subsystem 842 (e.g., a network interface adapter, onboard transceiver subsystem, etc.) to communicate with wired/wireless networks, wired/wireless printers, wired/wireless input devices 844, and so on.
• the computer 802 can include a modem or other means for establishing communications over the network.
• programs and data relative to the computer 802 can be stored in the remote memory/storage device, as is associated with a distributed system. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.
• the computer 802 is operable to communicate with wired/wireless devices or entities using the radio technologies such as the IEEE 802.xx family of standards, such as wireless devices operatively disposed in wireless communication (e.g., IEEE 802.11 over- the-air modulation techniques) with, for example, a printer, scanner, desktop and/or portable computer, personal digital assistant (PDA), communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone.
• PDA personal digital assistant
• the communications can be a predefined structure as with a conventional network or simply an ad hoc networks
• Wi-Fi networks use radio technologies called IEEE 802.1 lx (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity.
• IEEE 802.1 lx a, b, g, etc.
• a Wi-Fi network can be used to connect computers to each other, to the Internet, and to wire networks (which use IEEE 802.3-related media and functions).
• the illustrated aspects can also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network.
• program modules can be located in local and/or remote systems and/or storage systems.
• the environment 900 includes one or more client(s) 902.
• the client(s) 902 can be hardware and/or software (e.g., threads, processes, computing devices).
• the client(s) 902 can house cookie(s) and/or associated contextual information, for example.
• the environment 900 also includes one or more server(s) 904.
• the server(s) 904 can also be hardware and/or software (e.g., threads, processes, computing devices).
• the servers 904 can house threads to perform transformations by employing the architecture, for example.
• One possible communication between a client 902 and a server 904 can be in the form of a data packet adapted to be transmitted between two or more computer processes.
• the data packet may include a cookie and/or associated contextual
• the environment 900 includes a communication framework 906 (e.g., a global communication network such as the Internet) that can be employed to facilitate communications between the client(s) 902 and the server(s) 904.
• a communication framework 906 e.g., a global communication network such as the Internet
• Communications can be facilitated via a wire (including optical fiber) and/or wireless technology.
• the client(s) 902 are operatively connected to one or more client data store(s) 908 that can be employed to store information local to the client(s) 902 (e.g., cookie(s) and/or associated contextual information).
• the server(s) 904 are operatively connected to one or more server data store(s) 910 that can be employed to store information local to the servers 904.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Computer Hardware Design (AREA)
• Computing Systems (AREA)
• General Engineering & Computer Science (AREA)
• Data Exchanges In Wide-Area Networks (AREA)
• Information Transfer Between Computers (AREA)
• Computer And Data Communications (AREA)

Priority Applications (4)

Applications Claiming Priority (2)

Publications (2)

Family

ID=43975149

Family Applications (1)

Country Status (6)

Families Citing this family (8)

Family Cites Families (28)

• 2009
  • 2009-11-12 US US12/616,789 patent/US9912654B2/en not_active Expired - Fee Related
• 2010
  • 2010-10-28 EP EP10830474.2A patent/EP2499778B1/en not_active Not-in-force
  • 2010-10-28 KR KR1020127012090A patent/KR101791708B1/ko not_active Expired - Fee Related
  • 2010-10-28 WO PCT/US2010/054573 patent/WO2011059774A2/en not_active Ceased
  • 2010-10-28 JP JP2012538846A patent/JP5714596B2/ja not_active Expired - Fee Related
  • 2010-10-28 CN CN201080051233.4A patent/CN102612820B/zh not_active Expired - Fee Related

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events