公开(公告)号：US08495361B2

公开(公告)日：2013-07-23

申请号：US11858971

申请日：2007-09-21

申请人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

发明人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

IPC分类号： H04L29/06

CPC分类号： G06F21/57

摘要： A method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured TPMs. The endorsement keys are generated for the TPM. The TPM vendor selects an N-byte secret and stores the N-byte secret in the TPM along with the endorsement keys. The secret number cannot be read outside of the TPM. The secret number is also provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key with a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the TPM only when a match is confirmed.

摘要翻译： 一种用于确保制造TPM的签注密钥的安全兼容创建和签名的方法和系统。 为TPM生成认可密钥。 TPM供应商选择一个N字节的秘密，并将N字节的秘密与支持密钥一起存储在TPM中。 无法在TPM之外读取密码。 秘密编号也提供给OEM的凭据服务器。 在认可密钥（EK）凭证处理过程中，TPM产生一个签名密钥，其包括公开密钥和密钥的散列以及公开密钥。 凭证服务器将签名密钥内的散列与接收到的公钥（来自认可密钥）和供应商提供的秘密的第二散列进行匹配。 仅当匹配确认时，EK证书才会生成并插入到TPM中。

公开(公告)号：US07644278B2

公开(公告)日：2010-01-05

申请号：US10750594

申请日：2003-12-31

申请人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

发明人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

IPC分类号： H04L9/32

CPC分类号： G06F21/602 ,  G06F21/57 ,  G06F2221/2117 ,  H04L9/0877 ,  H04L9/3236 ,  H04L9/3263

摘要： A Method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured trusted platform modules. The endorsement keys are generated for the trusted platform module (TPM). The TPM vendor selects an N-byte secret and stores the N-type secret in the trusted platform module along with the endorsement keys. The secret number cannot be read outside of the trusted platform module. The secret number is also provided to the credential server of the original equipment manufacturer. During the endorsement key (EK) credential process, the trusted platform module generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key withy a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the trusted platform module only when a match is confirmed.

摘要翻译： 一种用于确保制造可信平台模块的认可密钥的安全兼容创建和签名的方法和系统。 为可信平台模块（TPM）生成认可密钥。 TPM供应商选择N字节的秘密，并将N型秘密与认可密钥一起存储在可信平台模块中。 秘密号码不能在受信任的平台模块之外读取。 秘密编号也提供给原始设备制造商的凭证服务器。 在认可密钥（EK）凭证过程中，可信平台模块生成包括公开密钥和秘密的哈希和公开密钥的认可密钥。 凭证服务器使用所接收的公钥（来自认可密钥）和供应商提供的秘密的第二散列表来匹配认可密钥内的散列。 仅当匹配确认时，EK证书才会生成并插入可信平台模块。

公开(公告)号：US07751568B2

公开(公告)日：2010-07-06

申请号：US10749261

申请日：2003-12-31

申请人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

发明人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

IPC分类号： H04K1/00

CPC分类号： G06F21/602 ,  G06F21/57

摘要： A method and system for ensuring security-compliant creation and certificate generation for endorsement keys of manufactured TPMs. The endorsement keys are generated by the TPM manufacturer and stored within the TPM. The TPM manufacturer also creates a signing key pair and associated signing key certificate. The signing key pair is also stored within the TPM, while the certificate is provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates a signed endorsement key, which comprises the public endorsement key signed with the public signing key. The credential server matches the public signing key of the endorsement key with a public signing key within the received certificate. The EK certificate is generated and inserted into the TPM only when a match is confirmed.

摘要翻译： 一种用于确保制造TPM的认可密钥的安全兼容创建和证书生成的方法和系统。 认可密钥由TPM制造商生成并存储在TPM内。 TPM制造商还创建了一个签名密钥对和相关的签名密钥证书。 签名密钥对也存储在TPM中，同时将证书提供给OEM的凭据服务器。 在认可密钥（EK）凭证过程中，TPM生成签名的背书密钥，其包括用公共签名密钥签名的公开签名密钥。 凭证服务器将签名密钥的公共签名密钥与接收到的证书中的公共签名密钥相匹配。 仅当匹配确认时，EK证书才会生成并插入到TPM中。

公开(公告)号：US07590845B2

公开(公告)日：2009-09-15

申请号：US10744441

申请日：2003-12-22

申请人： Charles Douglas Ball ,  Ryan Charles Catherman ,  James Patrick Hoff ,  James Peter Ward

发明人： Charles Douglas Ball ,  Ryan Charles Catherman ,  James Patrick Hoff ,  James Peter Ward

IPC分类号： H04L9/14 ,  G06F12/08

CPC分类号： H04L9/0894

摘要： A method for a plurality of key cache managers for a plurality of localities to share cryptographic key storage resources of a security chip, includes: loading an application key into the key storage; and saving a restoration data for the application key by a key cache manager, where the restoration data can be used by the key cache manager to re-load the application key into the key storage if the application key is evicted from the key storage by another key cache manager. The method allows each of a plurality of key cache managers to recognize that its key had been removed from the security chip and to restore its key. The method also allows each key cache manager to evict or destroy any key currently loaded on the security chip without affecting the functionality of other localities.

摘要翻译： 一种用于多个地区的多个密钥高速缓存管理器用于共享安全芯片的加密密钥存储资源的方法，包括：将应用密钥加载到密钥存储器中; 并且由密钥高速缓存管理器保存用于应用密钥的恢复数据，其中如果应用密钥从另一个密钥存储器被逐出，密钥高速缓存管理器可以使用恢复数据将应用密钥重新加载到密钥存储器中 密钥缓存管理器。 该方法允许多个密钥高速缓存管理器中的每一个识别出其密钥已经从安全芯片中移除并恢复其密钥。 该方法还允许每个密钥缓存管理器驱逐或销毁安全芯片上当前加载的任何密钥，而不影响其他地方的功能。

公开(公告)号：US07254722B2

公开(公告)日：2007-08-07

申请号：US10411415

申请日：2003-04-10

申请人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

发明人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F1/28

CPC分类号： G06F21/57 ,  G06F21/575 ,  H05K1/181

摘要： A motherboard for a computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the motherboard is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset on the motherboard.

摘要翻译： 提供了一种用于计算机系统的主板，其提供可信赖的平台，通过该平台可以以更高级别的信任和置信度执行操作。 主板的信任基础由加密协处理器和与加密协处理器接口的代码建立，并为平台建立信任度量的根源。 构建加密协处理器，使得仅当检测到操作者的物理存在时才允许某些关键操作。 基于主板上核心芯片组中寄存器的状态，推理确定物理存在。

公开(公告)号：US07861079B2

公开(公告)日：2010-12-28

申请号：US11858977

申请日：2007-09-21

申请人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

发明人： Ryan Charles Catherman ,  David Carroll Challener ,  James Patrick Hoff

IPC分类号： H04L29/06

CPC分类号： G06F21/602 ,  G06F21/57 ,  G06F2221/2117 ,  H04L9/0877 ,  H04L9/3236 ,  H04L9/3263

摘要： A method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured TPMs. The endorsement keys are generated for the TPM. The TPM vendor selects an N-byte secret and stores the N-byte secret in the TPM along with the endorsement keys. The secret number cannot be read outside of the TPM. The secret number is also provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key with a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the TPM only when a match is confirmed.

摘要翻译： 一种用于确保制造TPM的签注密钥的安全兼容创建和签名的方法和系统。 为TPM生成认可密钥。 TPM供应商选择一个N字节的秘密，并将N字节的秘密与支持密钥一起存储在TPM中。 无法在TPM之外读取密码。 秘密编号也提供给OEM的凭据服务器。 在认可密钥（EK）凭证处理过程中，TPM产生一个签名密钥，其包括公开密钥和密钥的散列以及公开密钥。 凭证服务器将签名密钥内的散列与接收到的公钥（来自认可密钥）和供应商提供的秘密的第二散列进行匹配。 仅当匹配确认时，EK证书才会生成并插入到TPM中。

公开(公告)号：US07590870B2

公开(公告)日：2009-09-15

申请号：US10411454

申请日：2003-04-10

申请人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

发明人： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F1/28

CPC分类号： G06F21/57 ,  G06F21/575

摘要： A computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the computer system is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset.

摘要翻译： 提出了一种计算机系统，其提供可信赖的平台，通过该平台可以以更高级别的信任和置信度执行操作。 计算机系统的信任基础由加密协处理器和与加密协处理器接口的代码建立，并为平台建立信任度量的根。 构建加密协处理器，使得仅当检测到操作者的物理存在时才允许某些关键操作。 基于核心芯片组中寄存器的状态的推理确定物理存在。

公开(公告)号：US07743406B2

公开(公告)日：2010-06-22

申请号：US11019040

申请日：2004-12-21

申请人： Scott Sina Abedi ,  Roger Kenneth Abrams ,  Ryan Charles Catherman ,  James Patrick Hoff ,  James Stephen Rutledge

发明人： Scott Sina Abedi ,  Roger Kenneth Abrams ,  Ryan Charles Catherman ,  James Patrick Hoff ,  James Stephen Rutledge

IPC分类号： H04L9/32

CPC分类号： H04K1/00

摘要： A system and method for securing data on a wireless device. A secured zone is defined by a boundary sensor. A data processing system is coupled to the boundary sensor and a wireless device. If the data processing system detects that the signal strength of the wireless device has fallen below a first predetermined value for longer than a second predetermined value, the data processing system deletes a digital certificate corresponding to the wireless device from memory. Thus, when the wireless device is reintroduced into the secured zone, in response to determining that a digital certificate corresponding to the wireless device is not stored in memory, the disabling module disables the wireless device from operation within the secured zone.

摘要翻译： 一种用于在无线设备上保护数据的系统和方法。 安全区域由边界传感器定义。 数据处理系统耦合到边界传感器和无线设备。 如果数据处理系统检测到无线设备的信号强度已经低于第一预定值长于第二预定值，则数据处理系统从存储器中删除对应于无线设备的数字证书。 因此，当无线设备被重新引入安全区域时，响应于确定与无线设备相对应的数字证书没有被存储在存储器中，禁用模块禁止无线设备在安全区域内的操作。

公开(公告)号：US07673134B2

公开(公告)日：2010-03-02

申请号：US11101290

申请日：2005-04-07

申请人： Ryan Charles Catherman ,  David Carroll Challener ,  Scott Thomas Elliott ,  James Patrick Hoff

发明人： Ryan Charles Catherman ,  David Carroll Challener ,  Scott Thomas Elliott ,  James Patrick Hoff

IPC分类号： H04L29/06 ,  G06F9/00

CPC分类号： H04L63/0428 ,  G06F11/1446 ,  G06F21/6209 ,  H04L9/0822 ,  H04L2209/60 ,  H04L2463/062

摘要： A method and system for remotely storing a user's admin key to gain access to an intranet is presented. The user's admin key and intranet user identification (ID) are encrypted using an enterprise's public key, and together they are concatenated into a single backup admin file, which is stored in the user's client computer. If the user needs his admin file and is unable to access it in a backup client computer, he sends the encrypted backup admin file to a backup server and his unencrypted intranet user ID to an intranet authentication server. The backup server decrypts the user's single backup admin file to obtain the user's admin key and intranet user ID. If the unencrypted intranet user ID in the authentication server matches the decrypted intranet user ID in the backup server, then the backup server sends the backup client computer the decrypted admin key.

摘要翻译： 介绍一种用于远程存储用户管理密钥以访问内联网的方法和系统。 用户的管理密钥和内部网用户标识（ID）使用企业的公钥进行加密，并将它们并入一个备份管理文件，该文件存储在用户的客户端计算机中。 如果用户需要他的管理员文件，并且无法在备份客户端计算机中访问它，则他将加密的备份管理文件发送到备份服务器，并将其未加密的内部网用户ID发送到内部网认证服务器。 备份服务器解密用户的单备份管理文件，获取用户的管理密钥和内部网用户ID。 如果身份验证服务器中未加密的Intranet用户ID与备份服务器中的解密内网用户ID匹配，则备份服务器将备份客户端计算机发送解密的管理密钥。

公开(公告)号：US07581097B2

公开(公告)日：2009-08-25

申请号：US10745172

申请日：2003-12-23

申请人： Ryan Charles Catherman ,  Dave Carroll Challener ,  Akira Hino ,  James Patrick Hoff ,  James Peter Ward

发明人： Ryan Charles Catherman ,  Dave Carroll Challener ,  Akira Hino ,  James Patrick Hoff ,  James Peter Ward

IPC分类号： H04L9/00

CPC分类号： G06F21/83 ,  G06F21/606

摘要： An apparatus, system and method of secure communications from a human interface device are provided. The apparatus, system, and method receive input data and calculate encrypted data from the input data using a secure credential. In one embodiment the apparatus, system, and method request and receive a single instance credential and calculate the encrypted data using the secure credential and the single instance credential. The encrypted data may be a secure authorization that may be valid for one use. Communication of the encrypted data through networks and communicating devices is secure. The encrypted data may not be decrypted even if intercepted without the secure credential. The apparatus, system, and method enable secure communications from the human interface device.

摘要翻译： 提供了一种从人机接口设备进行安全通信的装置，系统和方法。 设备，系统和方法使用安全证书从输入数据接收输入数据并计算加密数据。 在一个实施例中，装置，系统和方法请求并接收单个实例凭证并使用安全凭证和单个实例凭证来计算加密的数据。 加密数据可以是对一次使用可能有效的安全授权。 通过网络和通信设备进行加密数据的通信是安全的。 即使在没有安全凭证的情况下被拦截，加密数据也可能不被解密。 该装置，系统和方法能够实现来自人机接口装置的安全通信。