Enhanced Secure Virtual Machine Provisioning
    1.
    Invention application
    Status: under examination (published)

    Publication (announcement) No.: US20150134965A1

    Publication (announcement) date: 2015-05-14

    Application No.: US14399393

    Filing date: 2012-05-24

    IPC classification: H04L29/06 G06F9/455

    Abstract: In a method of provisioning a virtual machine (VM) to a computing network (401), a VM manager or provisioner (403, 408) encrypts a virtual machine using a key bound to at least one security profile indicative of one or more security requirements that a computing resource (402) of the computing network (401) must satisfy in order to be able to decrypt the VM. A key for use in decrypting the VM has previously been sealed into multiple (and preferably into all) computing resources (402) in the network into which the VM is to be provisioned, and has been sealed such that a computing resource can obtain the key only if it is in a state that satisfies the security profile, or at least one security profile, to which the key is bound. The VM manager or provisioner (403, 408) creates a VM launch package that includes the encrypted VM and that also includes a key that may be used in decrypting the encrypted VM. When the VM launch package is received at a computing resource (402), the computing resource will not be able to recover the key for use in decrypting the VM—and hence will be unable to decrypt the VM—unless the computing resource satisfies the security requirements indicated by the security profile. The VM manager or provisioner can thus be sure that the VM will not be launched on a computing resource that does not meet the desired security profile. Alternatively the VM manager or provisioner (403, 408) may send a token corresponding to a desired security profile with an encrypted VM. A computing resource uses the token to obtain a key to decrypt the VM but the computing resource will not be able to recover the key unless the computing resource satisfies the security requirements indicated by the token.

    Secure Virtual Machine Provisioning
    2.
    Invention application
    Status: granted

    Publication (announcement) No.: US20140032920A1

    Publication (announcement) date: 2014-01-30

    Application No.: US14111212

    Filing date: 2011-04-26

    IPC classification: H04L9/00 H04L9/32 H04L9/08

    Abstract: A device and method in a provisioning unit of secure provisioning of a virtual machine on a target platform having a specific configuration is provided. The method comprising: receiving (404) a public binding key from the target platform (107), the public binding key being bound to the specific configuration, encrypting (410) a virtual machine provisioning command using the public binding key, and sending (412) the encrypted virtual machine provisioning command, to the target platform (107). By the provided device and method secure provisioning of a virtual machine on a target platform is enabled.

    System and Method for Efficient Security Domain Translation and Data Transfer
    4.
    Invention application
    Status: granted

    Publication (announcement) No.: US20090259857A1

    Publication (announcement) date: 2009-10-15

    Application No.: US12100523

    Filing date: 2008-04-10

    IPC classification: H04L9/06

    CPC classification: G06F21/74 G06F21/10 G06F21/72

    Abstract: A mobile UE includes a CPU, a secure DMA module, a secure cryptographic module, secure memory, and non-secure memory. The secure cryptographic module and secure memory allow access only by secure processes, including the secure DMA module. The CPU manages cryptographic keys and initializes DMA transfers in secure mode. The CPU executes the DMA transfers in non-secure mode. A first DMA transfer moves data encrypted in a first security domain to the secure cryptographic module, and moves clear text data to the secure memory. A second DMA transfer moves the clear text data to the secure cryptographic module, and data encrypted in a second security domain out of the secure cryptographic module. The data encrypted in the second security domain are transmitted to an external device. The secure memory protects the clear text data from being copied; only encrypted data is accessible by non-secure processes.

    Secure communications
    5.
    Granted invention patent
    Status: granted

    Publication (announcement) No.: US07502930B2

    Publication (announcement) date: 2009-03-10

    Application No.: US11843554

    Filing date: 2007-08-22

    IPC classification: H04L9/00 H04K1/00

    Abstract: A method of providing secure communications between a first and a second communications unit comprising a key exchange between the communications units resulting in a shared secret key, the key exchange including a user interaction. The method includes the steps of providing, at least partly by means of a user interaction, a passcode to the first and second communications units; generating a first contribution to the shared secret key by the first communications unit and a second contribution to the shared secret key by the second communications unit, and transmitting each generated contribution to the corresponding other communications unit; authenticating the transmitted first and second contributions by the corresponding receiving communications unit based on at least the passcode; and establishing said shared secret key by each of the communications units from at least the corresponding received first or second contribution, only if the corresponding received contribution is authenticated successfully.

    Securing arbitrary communication services
    6.
    Granted invention patent
    Status: granted

    Publication (announcement) No.: US07457956B2

    Publication (announcement) date: 2008-11-25

    Application No.: US10344352

    Filing date: 2001-07-05

    IPC classification: H04L29/00

    Abstract: The present invention relates to securing information in open systems and more particularly to a method and a system for providing authentication, confidentiality and integrity protection of arbitrary communication services. A client that wishes to communicate with a particular service downloads a signed program code from that service containing code necessary for doing authenticated key exchange with that service. The client is assumed to support only two basic cryptographic functions: signing of arbitrary data by using a public key algorithm together with a one way hash function, and verifying a public key signature of arbitrary data. By allowing the security protocol needed for key exchange and data communication protection to be downloaded the number of predefined security functions that a client or server needs to support is limited. This also makes it much easier to update the communication protection since only the server program needs to be updated.

    Updating Memory Contents of a Processing Device
    7.
    Invention application
    Status: granted

    Publication (announcement) No.: US20080222368A1

    Publication (announcement) date: 2008-09-11

    Application No.: US11813480

    Filing date: 2005-12-20

    IPC classification: G06F12/00

    CPC classification: G06F21/572

    Abstract: A method of updating memory content stored in a memory of a processing device, the memory comprising a plurality of addressable memory blocks, the memory content being protected by a current integrity protection data item stored in the processing device, the method comprising determining a first subset of memory blocks that require an update, and a second subset of memory blocks that remain unchanged by said updating; calculating, as parallel processes, a first and a second integrity protection data item over the memory blocks; wherein the first integrity protection data item is calculated over the current memory contents of the first and second subsets of memory blocks; and wherein the second integrity protection data item is calculated over the current memory contents of the second subset of memory blocks and the updated memory block contents of the first subset of memory blocks.

    Method and system for data integrity protection
    8.
    Granted invention patent
    Status: granted

    Publication (announcement) No.: US07298840B2

    Publication (announcement) date: 2007-11-20

    Application No.: US10476138

    Filing date: 2002-04-09

    IPC classification: H04K1/06 H04K1/04

    CPC classification: H04L9/3242 H04L2209/80

    Abstract: A method of authenticating a message (111) received via a transmission channel (108) using a Message Authentication Code (MAC). The message comprises a message body (114) and a tag (116) and the method comprises the steps of generating a second tag (115) according to a MAC function (112) on the basis of the received message body and a secret key (113), calculating a distance (117) between the received tag and generated second tag, and comparing (118) the calculated distance with a predetermined threshold value.

    Method and arrangement in a communication network
    9.
    Granted invention patent
    Status: granted

    Publication (announcement) No.: US07181614B1

    Publication (announcement) date: 2007-02-20

    Application No.: US09692709

    Filing date: 2000-10-19

    IPC classification: H04L9/00

    Abstract: The present invention relates to establishing security within an ad hoc network. Such ad hoc networks do not have on-line connections to a particular server for getting desired public keys or certificates, thereby requiring them to create trust relations among their respective nodes wherein some of the nodes have a mutual trust relation to each other, thus constituting a trust group. When a particular candidate node desires to join the trust group, an X-node is identified, being a member of a trust group and having a trust relation with the candidate node. The X-node then certifies the candidate node and establishes and distributes trust relations between the members of the trust group and the candidate node.

    Method of booting a processing device
    10.
    Granted invention patent
    Status: granted

    Publication (announcement) No.: US08255678B2

    Publication (announcement) date: 2012-08-28

    Application No.: US13347759

    Filing date: 2012-01-11

    IPC classification: G06F15/177

    CPC classification: G06F15/177 G06F9/4405

    Abstract: A method for booting a processing device, the processing device comprising a first and a second processing unit, the method comprising: detecting by the first processing unit, whether at least one boot configuration parameter is accessible from a non-volatile storage medium of the processing device, the at least one configuration parameter being indicative of a boot interface; if said at least one configuration parameter is available, forwarding at least a part of the detected at least one configuration parameter by the first processing unit to the second processing unit; otherwise detecting by at least one of the first and second processing units whether a boot interface is available to the processing device; booting at least the second processing unit from the indicated or detected boot interface.
