公开(公告)号：US20170094510A1

公开(公告)日：2017-03-30

申请号：US14866903

申请日：2015-09-26

申请人： Hormuzd M. Khosravi ,  David A. Bronleewe ,  Khaled Almahallawy ,  Ned M. Smith

发明人： Hormuzd M. Khosravi ,  David A. Bronleewe ,  Khaled Almahallawy ,  Ned M. Smith

IPC分类号： H04W12/06 ,  H04L29/06 ,  G06F21/32

CPC分类号： H04W12/06 ,  G06F21/32 ,  G06F21/72 ,  G06F21/78 ,  H04L63/04 ,  H04L63/0428 ,  H04L63/0861 ,  H04L2463/082 ,  H04W12/0608

摘要： Technologies for authenticating a user and a mobile computing device of the user at an authentication computing device include generating, at the authentication computing device, a multi-factor authentication credential that includes a text-based credential and a plurality of biometric authentication factors corresponding to the user. The mobile computing device is configured to detect whether the authentication computing device is within proximity of the mobile computing device and establish a secure communication channel therebetween. The mobile computing device is further configured to securely store the multi-factor authentication credential received from the authentication computing device. The authentication computing device is configured to receive the multi-factor authentication credential from the mobile computing device and analyze the received multi-factor authentication credential to determine whether the user is an authorized user of the authentication computing device and take an action based on a result of the analysis. Other embodiments are described and claimed.

公开(公告)号：US09600670B2

公开(公告)日：2017-03-21

申请号：US14580517

申请日：2014-12-23

申请人： Nathaniel J. Goss ,  Nathan Heldt-Sheller ,  Kevin C. Wells ,  Micah J. Sheller ,  Sindhu Pandian ,  Ned M. Smith ,  Bernard N. Keany

发明人： Nathaniel J. Goss ,  Nathan Heldt-Sheller ,  Kevin C. Wells ,  Micah J. Sheller ,  Sindhu Pandian ,  Ned M. Smith ,  Bernard N. Keany

IPC分类号： H04L29/06 ,  G06F21/57 ,  G06F21/62

CPC分类号： G06F21/57 ,  G06F21/31 ,  G06F21/6218 ,  G06F21/629 ,  G06F2221/034 ,  G06F2221/2105 ,  G06F2221/2111 ,  H04L63/107

摘要： In one embodiment, a system comprises: a processor including at least one core to execute instructions; a plurality of sensors, including a first sensor to determine location information regarding a location of the system; and a security engine to apply a security policy to the system. In this embodiment, the security engine includes a policy logic to determine one of a plurality of security policies to apply based at least in part on the location information, where the location information indicates a location different than locations associated with the plurality of security policies. Other embodiments are described and claimed.

公开(公告)号：US20160314468A1

公开(公告)日：2016-10-27

申请号：US14367986

申请日：2013-12-26

申请人： Ned M. Smith ,  William J. Lewis

发明人： Ned M. Smith ,  William J. Lewis

IPC分类号： G06Q20/40 ,  G07F7/10 ,  G06Q20/10

CPC分类号： G06Q20/4012 ,  G06Q20/1085 ,  G07F7/1041

摘要： Various systems and methods for secure transactions using a personal device are described herein. A system to secure transactions using a personal device, the system comprises a randomization module to randomize an initial keypad representation to produce a randomized keypad representation; a communication module to: receive from the personal device, an indication to begin a secure transaction to access a resource with an access code; and transmit the randomized keypad representation to the personal device for presentation by the personal device to a user of the personal device; a keypad to receive a series of key presses from the user, the key presses corresponding to the access code based on the randomized keypad representation; and a security module to verify that the series of key presses correspond to the access code.

摘要翻译： 这里描述了使用个人设备进行安全交易的各种系统和方法。 一种使用个人设备来保护交易的系统，所述系统包括随机化模块，用于随机化初始键盘表示以产生随机键盘表示; 通信模块，用于：从个人设备接收开始安全交易以用访问代码访问资源的指示; 并将所述随机键盘表示发送到所述个人设备，以由所述个人设备呈现给所述个人设备的用户; 键盘，用于从用户接收一系列按键，基于随机键盘表示的对应于访问代码的按键; 以及安全模块，用于验证所述一系列按键对应于所述访问代码。

公开(公告)号：US09367688B2

公开(公告)日：2016-06-14

申请号：US13530773

申请日：2012-06-22

申请人： Ned M. Smith ,  Simon P. Johnson ,  Steve Orrin ,  Willard M. Wiseman

发明人： Ned M. Smith ,  Simon P. Johnson ,  Steve Orrin ,  Willard M. Wiseman

IPC分类号： G06F17/00 ,  G06F21/57

CPC分类号： H04L63/107 ,  G06F21/57 ,  G06F21/575 ,  G06F2221/2111 ,  H04W4/021 ,  H04W12/06 ,  H04W12/08

摘要： In one embodiment, a method includes determining a location of a system responsive to location information received from at least one of a location sensor and a wireless device of the system, associating the location with a key present in the system to generate an authenticated location of the system, and determining whether the authenticated location is within a geofence boundary indicated in a location portion of a launch control policy (LCP) that provides a geographic-specific policy. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，一种方法包括响应于从系统的位置传感器和无线设备中的至少一个接收的位置信息来确定系统的位置，将位置与系统中存在的密钥相关联，以产生认证位置 并且确定所认证的位置是否在提供地理特定策略的发射控制策略（LCP）的位置部分中指示的地理围栏边界内。 描述和要求保护其他实施例。

公开(公告)号：US20150222633A1

公开(公告)日：2015-08-06

申请号：US14360161

申请日：2013-12-19

申请人： Ned M. Smith ,  Nathan Heldt-Sheller ,  Reshma Lal ,  Micah J. Sheller ,  Matthew E. Hoekstra

发明人： Ned M. Smith ,  Nathan Heldt-Sheller ,  Reshma Lal ,  Micah J. Sheller ,  Matthew E. Hoekstra

IPC分类号： H04L29/06

CPC分类号： H04L63/10 ,  G06F21/10 ,  G06F2221/0708 ,  H04L67/42

摘要： Technologies for supporting and implementing multiple digital rights management protocols on a client device are described. In some embodiments, the technologies include a client device having an architectural enclave which may function to identify one of a plurality of digital rights management protocols for protecting digital information to be received from a content provider or a sensor. The architectural enclave select a preexisting secure information processing environment (SIPE) to process said digital information, if a preexisting SIPE supporting the DRM protocol is present on the client. If a preexisting SIPE supporting the DRM protocol is not present on the client, the architectural enclave may general a new SIPE that supports the DRM protocol on the client. Transmission of the digital information may then be directed to the selected preexisting SIPE or the new SIPE, as appropriate.

摘要翻译： 描述了在客户端设备上支持和实现多个数字版权管理协议的技术。 在一些实施例中，这些技术包括具有架构区域的客户端设备，其可以用于识别用于保护要从内容提供商或传感器接收的数字信息的多个数字版权管理协议中的一个。 如果在客户端上存在支持DRM协议的预先存在的SIPE，那么建筑飞地选择一个预先存在的安全信息处理环境（SIPE）来处理所述数字信息。 如果客户端上不存在支持DRM协议的预先存在的SIPE，那么该架构可以通用一个支持客户端DRM协议的新SIPE。 然后可以适当地将数字信息的传输指向所选择的预先存在的SIPE或新的SIPE。

公开(公告)号：US20150170197A1

公开(公告)日：2015-06-18

申请号：US14360118

申请日：2013-12-18

申请人： Ned M. Smith ,  Nathan Heldt Sheller

发明人： Ned M. Smith ,  Nathan Heldt Sheller

IPC分类号： G06Q30/02 ,  H04L9/00

CPC分类号： G06Q30/0242 ,  G06Q2220/00 ,  H04L9/008 ,  H04L2209/46

摘要： Generally, this disclosure provides technologies for collecting ad statistics in a privacy sensitive manner. In some embodiments the technology includes a system which includes a plurality of client devices, each hosting a context information management (CIMM) module in a secure processing environment. Each CIMM may be operable to select ads for display and calculate statistics for each of the selected ads. The CIMMs may generate a vector representative of those statistics, and may encrypt that vector using additive homomorphic encryption. The encrypted vector may be associated with a statistics collection counter, which may be incremented each time an encrypted vector is calculated. Each CIMM may compare the incremented counter value to a threshold, and may distribute the encrypted vector to another CIMM for further statistical tabulation if the incremented value is less than the threshold. In this way, the technologies described may ensure that a minimum statistical sample size is collected prior to the transmission of ad statistics to an ad network or advertiser, potentially maintaining or protecting user privacy.

摘要翻译： 通常，本公开提供了以隐私敏感方式收集广告统计信息的技术。 在一些实施例中，该技术包括包括多个客户端设备的系统，每个客户端设备在安全处理环境中托管上下文信息管理（CIMM）模块。 每个CIMM可以用于选择要显示的广告并且计算每个所选广告的统计。 CIMM可以生成代表这些统计信息的向量，并且可以使用加法同态加密来加密该向量。 加密向量可以与统计收集计数器相关联，每当计算加密的向量时，其可以递增。 每个CIMM可以将增加的计数器值与阈值进行比较，并且如果递增的值小于阈值，则可以将加密的向量分配给另一CIMM用于进一步的统计表。 以这种方式，所描述的技术可以确保在将广告统计信息传输到广告网络或广告商之前收集最小统计样本大小，潜在地维护或保护用户隐私。

公开(公告)号：US08954735B2

公开(公告)日：2015-02-10

申请号：US13631562

申请日：2012-09-28

申请人： Ned M. Smith ,  David Johnston ,  George W. Cox ,  Adi Shaliv

发明人： Ned M. Smith ,  David Johnston ,  George W. Cox ,  Adi Shaliv

IPC分类号： H04L29/06

CPC分类号： H04L63/061 ,  H04L9/0822 ,  H04L9/0866 ,  H04L9/3231 ,  H04L63/0861 ,  H04L2209/127

摘要： A method and device for securely provisioning trust anchors includes generating a database wrapper key as a function of computing device hardware. The database wrapper key encrypts a key database when it is not in use by a trusted execution environment and may be generated using a Physical Unclonable Function (PUF). A local computing device establishes a secure connection and security protocols with a remote computing device. In establishing the secure connection, the local computing device and remote computing device may exchange and/or authenticate cryptographic keys, including Enhanced Privacy Identification (EPID) keys, and establish a session key and device identifier(s). One or more trust anchors are then provisioned depending on whether unilateral, bilateral, or multilateral trust is established. The local computing device may act as a group or domain controller in establishing multilateral trust. Any of the devices may also require user presence to be verified.

摘要翻译： 用于安全地配置信任锚的方法和设备包括生成作为计算设备硬件的函数的数据库包装密钥。 数据库包装器密钥在密钥数据库不被可信执行环境使用时加密，并且可以使用物理不可克隆功能（PUF）生成密钥数据库。 本地计算设备与远程计算设备建立安全连接和安全协议。 在建立安全连接时，本地计算设备和远程计算设备可以交换和/或验证密码密钥，包括增强型隐私标识（EPID）密钥，并建立会话密钥和设备标识符。 根据单方面，双边或多边信托是否建立了一个或多个信托基金。 本地计算设备可以充当组或域控制器来建立多边信任。 任何设备也可能要求验证用户存在。

公开(公告)号：US08892858B2

公开(公告)日：2014-11-18

申请号：US13810654

申请日：2011-12-29

申请人： Ned M. Smith ,  Vincent J. Zimmer ,  Victoria C. Moore

发明人： Ned M. Smith ,  Vincent J. Zimmer ,  Victoria C. Moore

IPC分类号： G06F21/57 ,  G06F9/24

CPC分类号： G06F21/575 ,  G06F9/24 ,  G06F9/4401

摘要： A data processing system may include a high integrity storage (HIS) device with a partition or cache that is protected from updates. The data processing system may perform a boot process in response to being reactivated. The boot process may include the operation of executing a boot object. During the boot process, before executing the boot object, the data processing system may retrieve a digest for the boot object from the protected cache of the HIS device. The digest may be a cryptographic hash value for the boot object. During the boot process, the retrieved digest may be extended into a platform configuration register in a trusted platform module of the data processing system. Other embodiments are described and claimed.

摘要翻译： 数据处理系统可以包括具有防止更新的分区或高速缓存的高完整性存储（HIS）设备。 数据处理系统可以响应于重新激活而执行引导过程。 引导过程可以包括执行引导对象的操作。 在引导过程中，在执行引导对象之前，数据处理系统可以从HIS设备的受保护缓存中检索引导对象的摘要。 摘要可能是引导对象的加密哈希值。 在引导过程中，检索到的摘要可以扩展到数据处理系统的可信平台模块中的平台配置寄存器。 描述和要求保护其他实施例。

公开(公告)号：US20140281468A1

公开(公告)日：2014-09-18

申请号：US14272584

申请日：2014-05-08

申请人： Hormuzd M. Khosravi ,  Ajith K. Illendula ,  Ned M. Smith ,  Yasser Rasheed ,  Tracy L. Zenti ,  Bryan K. Jorgensen

发明人： Hormuzd M. Khosravi ,  Ajith K. Illendula ,  Ned M. Smith ,  Yasser Rasheed ,  Tracy L. Zenti ,  Bryan K. Jorgensen

IPC分类号： G06F9/44

CPC分类号： G06F9/4416 ,  G06F13/105 ,  G06F13/4027

摘要： A management engine may be used to trap configuration cycles during the boot process and thereafter in response to operating system enumeration. As a result, a virtual bus device can be created. The bus device may be used to provision software to the platform even when the operating system is corrupted or non-functional.

摘要翻译： 管理引擎可用于在引导过程期间以及其后响应于操作系统枚举来捕获配置周期。 结果，可以创建虚拟总线设备。 总线设备可用于将软件提供给平台，即使操作系统损坏或不起作用。

公开(公告)号：US08752132B2

公开(公告)日：2014-06-10

申请号：US12901349

申请日：2010-10-08

申请人： Ned M. Smith ,  Howard C. Herbert ,  Karanvir Grewal

发明人： Ned M. Smith ,  Howard C. Herbert ,  Karanvir Grewal

IPC分类号： H04L29/06

CPC分类号： H04L63/20 ,  H04L63/105 ,  H04L63/1408

摘要： Embodiments of the inventions are generally directed to methods, apparatuses, and systems for the dynamic evaluation and delegation of network access control. In an embodiment, a platform includes a switch to control a network connection and an endpoint enforcement engine coupled with the switch. The endpoint enforcement engine may be capable of dynamically switching among a number of network access control modes responsive to an instruction received from the network connection.

摘要翻译： 本发明的实施例一般涉及用于动态评估和授权网络访问控制的方法，装置和系统。 在一个实施例中，平台包括用于控制网络连接的开关和与开关耦合的端点执行引擎。 端点执行引擎可以响应于从网络连接接收的指令而能够在多个网络访问控制模式之间动态切换。