公开(公告)号：US07254722B2

公开(公告)日：2007-08-07

申请号：US10411415

申请日：2003-04-10

申请人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

发明人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F1/28

CPC分类号： G06F21/57 ,  G06F21/575 ,  H05K1/181

摘要： A motherboard for a computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the motherboard is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset on the motherboard.

摘要翻译： 提供了一种用于计算机系统的主板，其提供可信赖的平台，通过该平台可以以更高级别的信任和置信度执行操作。 主板的信任基础由加密协处理器和与加密协处理器接口的代码建立，并为平台建立信任度量的根源。 构建加密协处理器，使得仅当检测到操作者的物理存在时才允许某些关键操作。 基于主板上核心芯片组中寄存器的状态，推理确定物理存在。

公开(公告)号：US07590870B2

公开(公告)日：2009-09-15

申请号：US10411454

申请日：2003-04-10

申请人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

发明人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F1/28

CPC分类号： G06F21/57 ,  G06F21/575

摘要： A computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the computer system is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset.

摘要翻译： 提出了一种计算机系统，其提供可信赖的平台，通过该平台可以以更高级别的信任和置信度执行操作。 计算机系统的信任基础由加密协处理器和与加密协处理器接口的代码建立，并为平台建立信任度量的根。 构建加密协处理器，使得仅当检测到操作者的物理存在时才允许某些关键操作。 基于核心芯片组中寄存器的状态的推理确定物理存在。

公开(公告)号：US06892305B1

公开(公告)日：2005-05-10

申请号：US09689460

申请日：2000-10-12

申请人： Richard Alan Dayan ,  Steven Dale Goodman ,  Joseph Michael Pennisi ,  Randall Scott Springfield ,  James Peter Ward ,  Joseph Wayne Freeman

发明人： Richard Alan Dayan ,  Steven Dale Goodman ,  Joseph Michael Pennisi ,  Randall Scott Springfield ,  James Peter Ward ,  Joseph Wayne Freeman

IPC分类号： G06F9/00 ,  G06F12/14 ,  G06F21/00 ,  H04L9/32

CPC分类号： G06F21/575

摘要： A method and system for booting up a computer system in a secure fashion is disclosed. The method and system comprise determining the presence of a security feature element during an initialization of the computer system wherein the security feature element includes a public key and a corresponding private key, storing a portion of the public key in a nonvolatile memory within the computer system if the security feature element is present and utilizing an algorithm to determine the presence of the security feature element prior to a subsequent boot-up of the computer system. Through the use of the present invention, a computer system is capable of being booted up whereby the computer system determines if a security feature element was previously present in the system. If a security feature element was previously present in the computer system, any stored keys, along with the secrets that they protect, are prevented from being compromised. It is also an object of the present invention to preclude the system from compromising any keys and associated secrets if a security feature element in the system was not previously present in the system.

摘要翻译： 公开了一种以安全方式引导计算机系统的方法和系统。 该方法和系统包括在计算机系统的初始化期间确定安全特征元素的存在，其中安全特征元素包括公共密钥和相应的私钥，将公钥的一部分存储在计算机系统内的非易失性存储器中 如果存在安全特征元素并且利用算法来确定在计算机系统的后续引导之前的安全特征元素的存在。 通过使用本发明，计算机系统能够被启动，由此计算机系统确定安全特征元素是否先前存在于系统中。 如果安全特征元素以前存在于计算机系统中，则防止任何存储的密钥以及它们保护的秘密被泄露。 如果系统中的安全特征元素先前不存在于系统中，则本发明的另一个目的是排除系统损害任何密钥和相关联的秘密。

公开(公告)号：US06823464B2

公开(公告)日：2004-11-23

申请号：US09793239

申请日：2001-02-26

申请人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield ,  James Peter Ward

发明人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F124

CPC分类号： G06F21/305 ,  G06F21/57

摘要： Authentication of an entity remotely managing a data processing system is enabled to allow changes by the remote entity to hard-locked critical security information normally accessible only during the POST and only to trusted entities such as the system BIOS. The remote entity builds a change request and generates a hash from the change request with a current password appended. The change request and the hash are stored in a lockable non-volatile buffer which, once locked, requires a system reset to access. During the next POST, a trusted entity such as the system BIOS reads the change request, generates an authentication hash from the change request and the current password within the hard-locked security information, and compares the buffered hash with the generated hash. If a match is determined, the security information is updated; otherwise a tamper error is reported.

摘要翻译： 允许远程管理数据处理系统的实体的认证允许远程实体更改硬锁定通常只能在POST期间可访问的关键安全性信息，并且只允许受信任的实体（如系统BIOS）。 远程实体构建更改请求，并从附加当前密码的更改请求生成哈希值。 更改请求和哈希存储在可锁定的非易失性缓冲区中，该缓冲区一旦被锁定就需要系统重置才能访问。 在下一个POST期间，诸如系统BIOS的受信任的实体读取更改请求，从改变请求中生成认证散列，并在硬锁定的安全信息内生成当前密码，并将缓冲的散列与生成的散列进行比较。 如果确定匹配，则更新安全信息; 否则报告篡改错误。

公开(公告)号：US06704868B1

公开(公告)日：2004-03-09

申请号：US09439235

申请日：1999-11-12

申请人： David Carroll Challener ,  Richard Alan Dayan ,  James Peter Ward ,  Michael Vanover

发明人： David Carroll Challener ,  Richard Alan Dayan ,  James Peter Ward ,  Michael Vanover

IPC分类号： H04L900

CPC分类号： H04L9/32 ,  H04L9/0863 ,  H04L9/3226

摘要： A method for associating a pass phrase with a secured public/private key pair is disclosed. A user public/private key pair is first established for a user. The user public/private key pair includes a user public key and a user private key. Then, the user public/private key pair is encrypted along with a random password, utilizing a chip public key. Next, a first symmetric key is generated. The random password is encrypted utilizing the first symmetric key. A first password is generated by hashing a first pass phrase. Finally, the first password is encrypted along with the first symmetric key, also utilizing the chip public key. As a result, a user can access the user private key to perform an authentication function by providing the first pass phrase.

摘要翻译： 公开了一种将密码短语与安全公钥/私钥对相关联的方法。 首先为用户建立用户公钥/私钥对。 用户公钥/私钥对包括用户公钥和用户私钥。 然后，利用芯片公开密钥对用户公共/私人密钥对以及随机密码进行加密。 接下来，生成第一对称密钥。 利用第一个对称密钥加密随机密码。 通过散列第一个密码短语生成第一个密码。 最后，第一个密码与第一个对称密钥一起被加密，也利用芯片公钥。 结果，用户可以通过提供第一密码短语来访问用户专用密钥来执行认证功能。

公开(公告)号：US06944867B2

公开(公告)日：2005-09-13

申请号：US09971942

申请日：2001-10-04

申请人： Richard Wayne Cheston ,  Daryl Carvis Cromer ,  Jeffrey Mark Estroff ,  James Anthony Hunt ,  Howard Jeffrey Locker ,  Joshua Neil Novak ,  Randall Scott Springfield ,  James Peter Ward ,  Arnold Stephen Weksler

发明人： Richard Wayne Cheston ,  Daryl Carvis Cromer ,  Jeffrey Mark Estroff ,  James Anthony Hunt ,  Howard Jeffrey Locker ,  Joshua Neil Novak ,  Randall Scott Springfield ,  James Peter Ward ,  Arnold Stephen Weksler

IPC分类号： G06F9/445 ,  G06F9/24

CPC分类号： G06F9/4406 ,  G06F9/4411

摘要： The hard disk drive of a computer system is loaded with a preloaded image including an operating system, a number of application programs, and a device driver installation routine, all of which are not dependent on the hardware configuration of the computer system. A hidden partition of the hard disk drive is also loaded with a number of device drivers, which are dependent upon the hardware configuration. During the first boot only of the preloaded image, the device drivers are installed by the device driver installation routine.

摘要翻译： 计算机系统的硬盘驱动器装载有包括操作系统，许多应用程序和设备驱动程序安装程序的预加载映像，所有这些都不依赖于计算机系统的硬件配置。 硬盘驱动器的隐藏分区还加载了许多设备驱动程序，这些驱动程序取决于硬件配置。 在首次引导仅预载图像的情况下，设备驱动程序由设备驱动程序安装程序安装。

公开(公告)号：US06959390B1

公开(公告)日：2005-10-25

申请号：US09262123

申请日：1999-03-03

申请人： David Carroll Challener ,  Daryl Carvis Cromer ,  Mark Charles Davis ,  Scott Thomas Elliott ,  Howard Jeffrey Locker ,  Andy Lloyd Trotter ,  James Peter Ward

发明人： David Carroll Challener ,  Daryl Carvis Cromer ,  Mark Charles Davis ,  Scott Thomas Elliott ,  Howard Jeffrey Locker ,  Andy Lloyd Trotter ,  James Peter Ward

IPC分类号： G06F11/30 ,  H04L9/00 ,  H04L9/08 ,  H04L9/30

CPC分类号： H04L9/0894

摘要： A data processing system and method are disclosed for maintaining secure user private keys in a non-secure storage device. A master key pair is established for the system. The master key pair includes a master private key and a master public key. The master key pair is stored in a protected storage device. A unique user key pair is established for each user. The user key pair includes a user private key and a user public key. The user private key is encrypted utilizing the master public key. The encrypted user private key is stored in the non-secure storage device, wherein the encrypted user private key is secure while stored in the non-secure storage device.

摘要翻译： 公开了一种用于在非安全存储设备中维护安全用户私钥的数据处理系统和方法。 为系统建立主密钥对。 主密钥对包括主密钥和主公钥。 主密钥对存储在受保护的存储设备中。 为每个用户建立一个独特的用户密钥对。 用户密钥对包括用户私钥和用户公钥。 使用主公钥加密用户专用密钥。 加密的用户私钥存储在非安全存储设备中，其中加密的用户私钥在存储在非安全存储设备中时是安全的。

公开(公告)号：US06718468B1

公开(公告)日：2004-04-06

申请号：US09439236

申请日：1999-11-12

申请人： David Carroll Challener ,  Richard Alan Dayan ,  James Peter Ward ,  Michael Vanover

发明人： David Carroll Challener ,  Richard Alan Dayan ,  James Peter Ward ,  Michael Vanover

IPC分类号： H04L932

CPC分类号： H04L9/3226 ,  H04L9/0863

摘要： A method for associating a password with a secured public/private key pair is disclosed. A user public/private key pair is first established for a user. The user public/private key pair includes a user public key and a user private key. Then, the user public/private key pair is encrypted along with a random password, utilizing a chip public key. Next, a first password is generated by hashing a pass phrase. Finally, the random password is encrypted along with the first password, also utilizing the chip public key. As a result, a user can assess the user private key to perform an authentication function by providing the pass phrase.

摘要翻译： 公开了一种将密码与安全公钥/私钥对相关联的方法。 首先为用户建立用户公钥/私钥对。 用户公钥/私钥对包括用户公钥和用户私钥。 然后，利用芯片公开密钥对用户公共/私人密钥对以及随机密码进行加密。 接下来，通过散列密码短语来生成第一个密码。 最后，随机密码与第一个密码一起加密，也使用芯片公钥。 结果，用户可以通过提供密码来评估用户私钥来执行认证功能。

公开(公告)号：US06754826B1

公开(公告)日：2004-06-22

申请号：US09282713

申请日：1999-03-31

申请人： David Carroll Challener ,  Daryl Carvis Cromer ,  Dhruv M. Desai ,  Brandon Jon Ellison ,  Howard Locker ,  Andy Lloyd Trotter ,  James Peter Ward

发明人： David Carroll Challener ,  Daryl Carvis Cromer ,  Dhruv M. Desai ,  Brandon Jon Ellison ,  Howard Locker ,  Andy Lloyd Trotter ,  James Peter Ward

IPC分类号： H04L932

CPC分类号： H04L63/0823 ,  H04L63/10

摘要： A data processing system and method are disclosed for providing an access connector which limits access to a network to only authorized client computer systems. The network is controlled by a server computer system. The access connector is provided for physically coupling a client computer system to the network. The access connector is physically coupled to the network. Prior to permitting the client computer system to attempt to establish a client communication link with the network, the client computer system attempts to authenticate itself to the server computer system. In response to the client computer system being unable to authenticate itself to the server computer system, the access connector prohibits the client computer system from establishing a client communication link between the client computer system and the network.

摘要翻译： 公开了一种用于提供访问连接器的数据处理系统和方法，其将对网络的访问限于仅授权的客户端计算机系统。 网络由服务器计算机系统控制。 提供接入连接器用于将客户端计算机系统物理耦合到网络。 接入连接器物理耦合到网络。 在允许客户端计算机系统尝试与网络建立客户端通信链路之前，客户端计算机系统尝试向服务器计算机系统认证自身。 响应于客户端计算机系统无法向服务器计算机系统认证自身，访问连接器禁止客户端计算机系统在客户端计算机系统和网络之间建立客户端通信链路。

公开(公告)号：US06654886B1

公开(公告)日：2003-11-25

申请号：US09356189

申请日：1999-07-16

申请人： David Carroll Challener ,  Daryl Carvis Cromer ,  Dhruv Manmohandas Desai ,  Howard Jeffrey Locker ,  Andy Lloyd Trotter ,  James Peter Ward

发明人： David Carroll Challener ,  Daryl Carvis Cromer ,  Dhruv Manmohandas Desai ,  Howard Jeffrey Locker ,  Andy Lloyd Trotter ,  James Peter Ward

IPC分类号： G06F1130

CPC分类号： H04L63/0853 ,  G06F21/31 ,  G06F2221/2129

摘要： A data processing system and method are disclosed for permitting only preregistered client computer hardware to access a service executing on a remote server computer system. A log-in token is established including a unique identifier which identifies a particular client computer hardware. The client computer hardware logs-on to the server computer system. Subsequent to the client computer hardware logging-on to the server computer system, the client computer hardware attempts to access the service. During the attempt, the client computer hardware transmits the log-in token to the server computer system. The server computer system utilizes the unique identifier included within the log-in token to determine if the client computer hardware is registered to access the service. In response to a determination that the client computer hardware is registered to access the service, the server computer system permits the client computer hardware to access the service. In response to a determination that the client computer hardware is not registered to access the service, the server computer system prohibits the client computer hardware from accessing the service.

摘要翻译： 公开了一种用于仅允许预注册的客户端计算机硬件访问在远程服务器计算机系统上执行的服务的数据处理系统和方法。 建立登录令牌，其包括标识特定客户端计算机硬件的唯一标识符。 客户端计算机硬件登录到服务器计算机系统。 在客户端计算机硬件登录到服务器计算机系统之后，客户端计算机硬件尝试访问该服务。 在尝试期间，客户端计算机硬件将登录令牌传输到服务器计算机系统。 服务器计算机系统利用包括在登录令牌内的唯一标识符来确定客户端计算机硬件是否被注册以访问该服务。 响应于确定客户端计算机硬件被注册以访问服务，服务器计算机系统允许客户端计算机硬件访问该服务。 响应于确定客户端计算机硬件未被注册以访问服务，服务器计算机系统禁止客户端计算机硬件访问服务。