公开(公告)号：EP3314492A1

公开(公告)日：2018-05-02

申请号：EP16814994.6

申请日：2016-05-27

Applicant: Intel Corporation

Inventor： POORNACHANDRAN, Rajesh ,  SMITH, Ned M. ,  EPSHTEYN, Yeugeniy

IPC: G06F21/10 ,  G06F21/62

CPC classification number: H04N21/2541 ,  G06F21/00 ,  G06F21/10 ,  H04N21/2353 ,  H04N21/2396 ,  H04N21/4627 ,  H04N21/8355 ,  H04N21/8456

Abstract: Technologies for selectively licensing segments of source content are described. In some embodiments the technologies enable a user of a client device to select, license, and use one or more segments of source content, without the need to obtain a license to the source content as a whole. Systems, methods, and computer readable media utilizing such technologies are also described. In some embodiments, the technologies can enable digital rights management or other restrictions imposed on a content segment to be enforced, even when the content segment is incorporated into diverse content such as a content mashup. The technologies may also enable independent tracking of information regarding the use and/or payback of content segments, even when such segments are included in diverse content.

公开(公告)号：EP3308524A1

公开(公告)日：2018-04-18

申请号：EP16808013.3

申请日：2016-05-23

Applicant: Intel Corporation

Inventor： SMITH, Ned M. ,  YANG, Shao-Wen ,  HELDT-SHELLER, Nathan ,  WILLIS, Thomas G.

IPC: H04L29/06 ,  H04L29/08 ,  H04L12/64

CPC classification number: H04L63/101 ,  H04L41/12 ,  H04L63/062 ,  H04L63/08 ,  H04L63/104 ,  H04L67/12 ,  H04W4/70 ,  H04W12/04 ,  H04W12/08

Abstract: In one embodiment, a method includes: presenting, in a user interface of an authoring tool, a plurality of levels of abstraction for a network having a plurality of devices; receiving information from a user regarding a subset of the plurality of devices to be provisioned with one or more security keys and an access control policy; automatically provisioning a key schedule for the subset of the plurality of devices in the network based on the user input and a topological context of the network; and automatically provisioning the access control policy for the subset of the plurality of devices in the network based on the user input and the topological context of the network.

公开(公告)号：EP3304401A1

公开(公告)日：2018-04-11

申请号：EP16803924.6

申请日：2016-05-02

Applicant: Intel Corporation

Inventor： POORNACHANDRAN, Rajesh ,  SMITH, Ned M. ,  SARANGDHAR, Nitin V. ,  GREWAL, Karanvir S. ,  SAHITA, Ravi L. ,  ROBINSON, Scott H.

IPC: G06F21/53 ,  G06F21/57 ,  G06F21/62 ,  G06F21/44

CPC classification number: G06F21/57 ,  G06F21/10 ,  G06F21/554 ,  G06F21/71 ,  G06F2221/034 ,  G06F2221/2125 ,  G06F2221/2143 ,  H04L9/0897 ,  H04L9/3226 ,  H04L9/3273 ,  H04L2209/603

Abstract: In an embodiment, a system is adapted to: record at least one measurement of a virtual trusted execution environment in a storage of the system and generate a secret sealed to a state of this measurement; create, using the virtual trusted execution environment, an isolated environment including a secure enclave and an application, the virtual trusted execution environment to protect the isolated environment; receive, in the application, a first measurement quote associated with the virtual trusted execution environment and a second measurement quote associated with the secure enclave; and communicate quote information regarding the first and second measurement quotes to a remote attestation service to enable the remote attestation service to verify the virtual trusted execution environment and the secure enclave, and responsive to the verification the secret is to be provided to the virtual trusted execution environment and the isolated environment. Other embodiments are described and claimed.

公开(公告)号：EP3269116A1

公开(公告)日：2018-01-17

申请号：EP16762084.8

申请日：2016-01-19

Applicant: Intel Corporation

Inventor： SMITH, Ned M.

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/065 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/20 ,  H04W4/70

Abstract: Systems and methods may provide for determining a first key associated with a first group and determining a first resource exposure policy for the device with respect to the first group. Additionally, the first key may be used to send first operational and security context data to a first dynamic group verifier in accordance with the first resource exposure policy. In one example, a second key associated with a second group is determined, a second resource exposure policy is determined for the device with respect to the second group, a local context change is detected, and the second key is used to send, in response to the local context change, second operational data to a second dynamic group verifier in accordance with the second resource exposure policy.

公开(公告)号：EP3238409A1

公开(公告)日：2017-11-01

申请号：EP15874015.9

申请日：2015-11-24

Applicant: Intel Corporation

Inventor： GOSS, Nathaniel J. ,  HELDT-SHELLER, Nathan ,  WELLS, Kevin C. ,  SHELLER, Micah J. ,  PANDIAN, Sindhu ,  SMITH, Ned M. ,  KEANY, Bernard N.

IPC: H04L29/06 ,  H04W12/00

CPC classification number: G06F21/57 ,  G06F21/31 ,  G06F21/6218 ,  G06F21/629 ,  G06F2221/034 ,  G06F2221/2105 ,  G06F2221/2111 ,  H04L63/107

Abstract: In one embodiment, a system comprises: a processor including at least one core to execute instructions; a plurality of sensors, including a first sensor to determine location information regarding a location of the system; and a security engine to apply a security policy to the system. In this embodiment, the security engine includes a policy logic to determine one of a plurality of security policies to apply based at least in part on the location information, where the location information indicates a location different than locations associated with the plurality of security policies. Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，一种系统包括：包括至少一个核以执行指令的处理器; 多个传感器，包括第一传感器，以确定关于所述系统的位置的位置信息; 以及将安全策略应用于系统的安全引擎。 在该实施例中，安全引擎包括用于至少部分地基于位置信息来确定要应用的多个安全策略中的一个的策略逻辑，其中位置信息指示不同于与多个安全策略相关联的位置的位置。 描述并要求保护其他实施例。

公开(公告)号：EP3186918A1

公开(公告)日：2017-07-05

申请号：EP15836733.4

申请日：2015-06-08

Applicant: Intel Corporation

Inventor： SMITH, Ned M. ,  DELEEUW, William C. ,  WILLIS, Thomas G. ,  GOSS, Nathaniel J.

IPC: H04L9/14 ,  H04L9/32 ,  H04L12/58

Abstract: Technologies for utilizing trusted messaging include a local computing device including a message client and a local trusted message module established in a trusted execution environment. The local trusted message module performs attestation of a remote computing device based on communication with a corresponding remote trusted message module established in a trusted execution environment of the remote computing device. The local trusted message module further exchanges, with the remote trusted message module, cryptographic keys in response to successful attestation of the remote computing device. The message client forwards outgoing messages to the local trusted message module and receives incoming messages from the local trusted message module. To securely transmit an outgoing message to the remote computing device, the local trusted message module receives the outgoing message from the message client, encrypts the outgoing message, and cryptographically signs the outgoing message, prior to transmittal to the remote trusted message module of the remote computing device. To securely receive an incoming message from the remote computing device, the local trusted message module receives the incoming message from the remote trusted message module of the remote computing device, decrypts the incoming message, and verifies a cryptographic signature of the incoming message, based on the exchanged cryptographic keys and prior to transmittal of the incoming message to the message client.

Abstract translation: 用于利用可信消息的技术包括本地计算设备，其包括建立在可信执行环境中的消息客户端和本地可信消息模块。 本地可信消息模块基于与在远程计算设备的可信执行环境中建立的相应远程可信消息模块的通信来执行远程计算设备的证明。 响应于远程计算设备的成功证明，本地可信消息模块进一步与远程可信消息模块交换密码密钥。 消息客户端将传出消息转发到本地信任消息模块，并从本地信任消息模块接收传入消息。 为了将传出消息安全地传输到远程计算设备，本地信任消息模块接收来自消息客户端的传出消息，对传出消息进行加密，并且在传输到远程的可信消息模块之前对传出消息进行加密签名 计算设备。 为了安全地接收来自远程计算设备的传入消息，本地可信消息模块从远程计算设备的远程可信消息模块接收传入消息，对传入消息进行解密，并基于传入消息的密码签名来验证传入消息的密码签名 交换的密钥以及在将传入消息传送给消息客户端之前。

公开(公告)号：EP3049981A1

公开(公告)日：2016-08-03

申请号：EP13894105.9

申请日：2013-09-27

Applicant: Intel Corporation

Inventor： SMITH, Ned M. ,  CAHILL, Conor P. ,  MARTIN, Jason ,  BHARGAV-SPANTZEL, Abhilasha ,  BAKSHI, Banjay

IPC: G06F21/30 ,  G06F17/00

CPC classification number: H04L63/10 ,  G06F21/45 ,  G06F21/6218 ,  G06F2221/2111 ,  H04L63/0876 ,  H04L63/20

Abstract: A mechanism is described for facilitating context-based access control of resources for according to one embodiment. A method of embodiments, as described herein, includes receiving a first request to access a resource of a plurality of resources. The first request may be associated with one or more contexts corresponding to a user placing the first request at a computing device. The method may further include evaluating the one or more contexts. The evaluation of the one or more contexts may include matching the one or more contexts with one or more access policies associated with the requested resource. The method may further include accepting the first request if the one or more contexts satisfy at least one of the access policies.

Abstract translation: 一种机制描述了一种用于促进资源的gemäß一个实施例的基于上下文的访问控制。 如在描述的实施例的方法，包括：接收访问资源的多个资源的第一请求。 第一请求可以与一个或多个上下文对应于放置在计算设备的第一请求的用户相关联。 该方法可以包括进一步评估所述一个或多个上下文。 在一个或多个上下文的评价可以包括与所请求的资源相关联的一个或多个访问策略相匹配的一个或多个上下文。 该方法可以包括进一步接受所述第一请求如果所述一个或多个上下文满足访问策略中的至少一个。

公开(公告)号：EP2798559A1

公开(公告)日：2014-11-05

申请号：EP11878914.8

申请日：2011-12-29

Applicant: Intel Corporation

Inventor： SMITH, Ned M. ,  ZIMMER, Vincent J. ,  MOORE, Victoria C.

IPC: G06F21/10 ,  G06F9/24

CPC classification number: G06F21/575 ,  G06F9/24 ,  G06F9/4401

Abstract: A data processing system may include a high integrity storage (HIS) device with a partition or cache that is protected from updates. The data processing system may perform a boot process in response to being reactivated. The boot process may include the operation of executing a boot object. During the boot process, before executing the boot object, the data processing system may retrieve a digest for the boot object from the protected cache of the HIS device. The digest may be a cryptographic hash value for the boot object. During the boot process, the retrieved digest may be extended into a platform configuration register in a trusted platform module of the data processing system. Other embodiments are described and claimed.

公开(公告)号：EP2761438A1

公开(公告)日：2014-08-06

申请号：EP11873157.9

申请日：2011-09-30

Applicant: Intel Corporation

Inventor： SMITH, Ned M. ,  SAHITA, Ravi L.

IPC: G06F9/44 ,  G06F9/06 ,  G06F21/00

CPC classification number: G06F21/44 ,  G06F9/45558 ,  G06F21/00 ,  G06F21/575 ,  G06F2009/45562 ,  G06F2009/45566 ,  G06F2009/45587

Abstract: An embodiment of the invention provides for an authenticated launch of VMs and nested VMMs. The embodiment may do so using an interface that invokes a VMM protected launch control mechanism for the VMs and nested VMMs. The interface may be architecturally generic. Other embodiments are described herein.

Abstract translation: 本发明的实施例提供了VM和嵌套VMM的认证启动。 该实施例可以使用调用用于VM和嵌套VMM的VMM保护的启动控制机制的接口来实现。 界面可以是架构上通用的。 本文描述了其它实施例。

公开(公告)号：EP2606450A2

公开(公告)日：2013-06-26

申请号：EP11818526.3

申请日：2011-07-25

Applicant: Intel Corporation

Inventor： SMITH, Ned M. ,  DANNEELS, Gunner D. ,  SHANBHOGUE, Vedvyas ,  SUGUMAR, Suresh

IPC: G06F21/20 ,  G06F9/44 ,  G06F9/30 ,  G06F9/06

CPC classification number: G06F21/53 ,  G06F21/564 ,  G06F21/575

Abstract: An antivirus (AV) application specifies a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest. A loader verifies the fault handler code image and the fault handler manifest, creates a first security domain having a first security level, copies the fault handler code image to memory associated with the first security domain, and initiates execution of the fault handler. The loader requests the locking of memory pages in the guest OS that are reserved for the AV application. The fault handler locks the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory.