公开(公告)号：US08634561B2

公开(公告)日：2014-01-21

申请号：US13100354

申请日：2011-05-04

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Michael J. Kelly ,  Eric D. Rossman ,  Eric B. Smith

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Michael J. Kelly ,  Eric D. Rossman ,  Eric B. Smith

IPC分类号： G06F21/00

CPC分类号： H04L9/088 ,  H04L9/0897 ,  H04L2209/56

摘要： A system for implementing secure key management is provided. The system includes a computer processor and an application configured to execute on the computer processor, the application implementing a method. The method includes populating a section of information associated with a key, the section being populated with information relating to how the key was created. The method also includes populating the section with information relating to how the key was acquired by a secure module; and binding the section to the key, wherein the key is encrypted.

摘要翻译： 提供了一种实现安全密钥管理的系统。 该系统包括计算机处理器和被配置为在计算机处理器上执行实施方法的应用的应用。 该方法包括填充与密钥相关联的一部分信息，该部分填充与如何创建密钥相关的信息。 该方法还包括使用与安全模块如何获取密钥有关的信息来填充该部分; 以及将所述部分绑定到所述密钥，其中所述密钥被加密。

公开(公告)号：US20120281838A1

公开(公告)日：2012-11-08

申请号：US13100639

申请日：2011-05-04

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Michael J. Kelly ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Eric D. Rossman ,  Eric B. Smith

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Michael J. Kelly ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Eric D. Rossman ,  Eric B. Smith

IPC分类号： H04L9/00

CPC分类号： H04L9/0822 ,  H04L9/088 ,  H04L9/0897

摘要： A computer program product for secure key management is provided. The computer program product includes a tangible storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for creating a token and populating the token with key material, and binding key control information to the key material. The key control information includes information relating to management of the key material populating one or more key management fields that define attributes that limit distribution of the key material.

摘要翻译： 提供了一种用于安全密钥管理的计算机程序产品。 计算机程序产品包括可由处理电路读取的有形存储介质，并且存储用于由处理电路执行的用于创建令牌并用密钥材料填充令牌的指令，以及将密钥控制信息绑定到密钥材料的指令。 密钥控制信息包括关于填充一个或多个密钥管理字段的密钥材料的管理的信息，所述密钥管理字段定义限制密钥资料分发的属性。

公开(公告)号：US20120281837A1

公开(公告)日：2012-11-08

申请号：US13100357

申请日：2011-05-04

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Michael J. Kelly ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Eric D. Rossman ,  Eric B. Smith

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Michael J. Kelly ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Eric D. Rossman ,  Eric B. Smith

IPC分类号： H04L9/00

CPC分类号： H04L9/088 ,  H04L9/0897 ,  H04L2209/56

摘要： A system for secure key management is provided. The system includes a computer processor and an application configured to execute on the computer processor, the application implementing a method. The method includes populating a section of information associated with a key, the section of information being populated with information relating to a level of protection of the key accumulated over time. Secure key management further includes securely binding the section of information to the key, wherein the key is encrypted.

摘要翻译： 提供了一种用于安全密钥管理的系统。 该系统包括计算机处理器和被配置为在计算机处理器上执行实施方法的应用的应用。 该方法包括填充与密钥相关联的一部分信息，该部分的信息被填充有与随时间累积的密钥的保护级别相关的信息。 安全密钥管理还包括将该部分信息安全地绑定到密钥，其中密钥被加密。

公开(公告)号：US20120275600A1

公开(公告)日：2012-11-01

申请号：US13095226

申请日：2011-04-27

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Eric D. Rossman ,  Eric B. Smith

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kenneth B. Kerr ,  Richard V. Kisley ,  Eric D. Rossman ,  Eric B. Smith

IPC分类号： H04L9/00

CPC分类号： H04L9/08 ,  H04L9/083 ,  H04L9/0877 ,  H04L9/30

摘要： A system for creating a secure key is provided that includes a computer processor and an application configured to execute on the computer processor, the application implementing a method that includes creating a token and populating a key control information section of the token with a value to indicate a minimum number of key parts used to form a key. Creating the secure key also includes populating a payload section of the token with a first key part, binding the key control information section to the payload section, adding a second key part to the first key part and iterating the value and binding the key control information section to the payload section after the second key part has been added. Creating the secure key further includes indicating the key is complete, wherein the key comprises a combination of the first and second key parts.

摘要翻译： 提供了一种用于创建安全密钥的系统，其包括计算机处理器和被配置为在计算机处理器上执行的应用程序，所述应用程序实现包括创建令牌的方法，并且以指示值的值填充令牌的密钥控制信息部分 用于形成钥匙的最少数量的关键部件。 创建安全密钥还包括用第一密钥部分填充令牌的有效载荷部分，将密钥控制信息部分绑定到有效负载部分，向第一密钥部分添加第二密钥部分，并迭代该值并绑定密钥控制信息 在添加第二个关键部分之后的部分到有效载荷部分。 创建安全密钥还包括指示密钥是完整的，其中密钥包括第一和第二密钥部分的组合。

公开(公告)号：US20100031021A1

公开(公告)日：2010-02-04

申请号：US11534232

申请日：2006-09-22

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kurt S. Jacobsen ,  Michael J. Kelly ,  Mark D. Marik ,  Jesper Wiese

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kurt S. Jacobsen ,  Michael J. Kelly ,  Mark D. Marik ,  Jesper Wiese

IPC分类号： H04L9/00 ,  G06F21/00

CPC分类号： H04L9/3242 ,  H04L9/0637 ,  H04L9/0822 ,  H04L9/088 ,  H04L9/3247 ,  H04L63/0435 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/123 ,  H04L63/20

摘要： A method, article, and system for providing an effective implementation of a data structure comprising instructions that are cryptographically protected against alteration or misuse, wherein the instructions further comprise a trusted block that defines specific key management policies that are permitted when an application program employs the trusted block in application programming interface (API) functions to generate or export symmetric cryptographic keys. The trusted block has a number of fields containing rules that provide an ability to limit how the trusted block is used, thereby reducing the risk of the trusted block being employed in unintended ways or with unintended keys.

摘要翻译： 一种用于提供数据结构的有效实现的方法，制品和系统，所述数据结构包括密码保护以防止改变或误用的指令，其中所述指令还包括定义在应用程序采用所述应用程序时允许的特定密钥管理策略的可信任块 应用程序编程接口（API）中的可信块功能用于生成或导出对称加密密钥。 受信任的块具有包含提供限制如何使用受信任块的能力的规则的字段，从而降低以非预期的方式或非预期密钥使用可信块的风险。

公开(公告)号：US20080077794A1

公开(公告)日：2008-03-27

申请号：US11534236

申请日：2006-09-22

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kurt S. Jacobsen ,  Michael J. Kelly ,  Mark D. Marik ,  Jesper Wiese

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kurt S. Jacobsen ,  Michael J. Kelly ,  Mark D. Marik ,  Jesper Wiese

IPC分类号： H04N7/16 ,  H04L9/00 ,  H04L9/32 ,  G06F17/30 ,  G06F7/04 ,  G06K9/00 ,  H03M1/68 ,  H04K1/00

CPC分类号： H04L9/0822 ,  H04L9/088 ,  H04L9/3242 ,  H04L9/3247 ,  H04L2209/04 ,  H04L2209/34

摘要： A method, article, and system for providing an effective implementation of data structures, and application programming interface (API) functions that allow secure execution of functions behind a secure boundary. The controlling mechanism is a flexible, extendable, and non-forgeable block that details how values and parameters behind the secure boundary can be changed. The invention allows for one entity to execute a security function that will normally require extensive authorizations or dual or multiple control. The method and system comprise instructions that are cryptographically protected against alteration or misuse, wherein the instructions further comprise a trusted block that defines security policies that are permitted when an application program employs the trusted block in APIs. The trusted block has a number of fields containing rules that provide an ability to limit how the trusted block is used, thereby reducing the risk of the trusted block being employed in unintended ways. This trusted block controls the critical values or parameters behind the secure boundary. Cryptographically secured data structures are provided that allow for breaking up the instructions in the trusted blocks in a number of steps without reducing the level of security. Systems that make use of the trusted block must provide two API functions; one that encapsulates the block under at least dual control, and one that process the instructions or rules in the trusted block. In particular the invention provides a method, article, and system for the effective implementation for securely transferring symmetric encryption keys to remote devices, such as Automated Teller Machines (ATMs), PIN entry devices, and point of sale terminals. It may also be used to exchange symmetric keys with another cryptographic system of any type, such as a Host Security Module (HSM) in a computer server.

公开(公告)号：US07779258B2

公开(公告)日：2010-08-17

申请号：US11534236

申请日：2006-09-22

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kurt S. Jacobsen ,  Michael J. Kelly ,  Mark D. Marik ,  Jesper Wiese

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Kurt S. Jacobsen ,  Michael J. Kelly ,  Mark D. Marik ,  Jesper Wiese

IPC分类号： H04N7/16 ,  H04L9/00 ,  H04L9/32 ,  G06F17/30 ,  G06F7/04 ,  G06K9/00 ,  H03M1/68 ,  H04K1/00

CPC分类号： H04L9/0822 ,  H04L9/088 ,  H04L9/3242 ,  H04L9/3247 ,  H04L2209/04 ,  H04L2209/34

摘要： A method, article, and system for providing an effective implementation of data structures, and application programming interface (API) functions that allow secure execution of functions behind a secure boundary. The controlling mechanism is a flexible, extendable, and non-forgeable block that details how values and parameters behind the secure boundary can be changed. The invention allows for one entity to execute a security function that will normally require extensive authorizations or dual or multiple control. The method and system comprise instructions that are cryptographically protected against alteration or misuse, wherein the instructions further comprise a trusted block that defines security policies that are permitted when an application program employs the trusted block in APIs. The trusted block has a number of fields containing rules that provide an ability to limit how the trusted block is used, thereby reducing the risk of the trusted block being employed in unintended ways.

摘要翻译： 一种用于提供有效实施数据结构的方法，文章和系统，以及允许安全执行安全边界后面的功能的应用程序编程接口（API）功能。 控制机制是一个灵活，可扩展和不可伪造的块，详细介绍了安全边界背后的值和参数如何改变。 本发明允许一个实体执行通常需要广泛授权或双重或多重控制的安全功能。 所述方法和系统包括密码保护以防止改变或误用的指令，其中所述指令还包括定义在应用程序在API中使用所述可信块时允许的安全策略的可信块。 可信块具有包含规则的多个字段，这些规则提供了限制如何使用受信任块的能力，从而降低以非预期的方式使用可信块的风险。

公开(公告)号：US09369274B2

公开(公告)日：2016-06-14

申请号：US13542841

申请日：2012-07-06

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Mark D. Marik

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Mark D. Marik

IPC分类号： G06F11/30 ,  H04L9/06 ,  G06F21/62 ,  H04L9/08

CPC分类号： H04L9/0618 ,  G06F21/6209 ,  H04L9/088

摘要： A computer system includes memory configured to store information regarding predetermined conditions of an encryption operation and a processor configured to analyze an inbound key and an outbound key of the encryption operation. The processor is also configured to determine that the encryption operation includes a translation from a first class of encryption to a second class of encryption based on the analyzing the inbound key and the outbound key, and to determine whether the translation is permitted based on the predetermined conditions.

摘要翻译： 计算机系统包括被配置为存储关于加密操作的预定条件的信息的存储器和被配置为分析加密操作的入站密钥和出站密钥的处理器。 处理器还被配置为基于分析入站密钥和出站密钥来确定加密操作包括从第一类加密到第二类加密的翻译，并且基于预定的密码来确定是否允许翻译 条件。

公开(公告)号：US08639938B2

公开(公告)日：2014-01-28

申请号：US13099509

申请日：2011-05-03

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Clifford L. Hansen ,  Shelia M. Sittinger

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Carsten D. Frehr ,  Clifford L. Hansen ,  Shelia M. Sittinger

IPC分类号： H04L29/06

CPC分类号： G06F21/46 ,  G06F21/31 ,  G06Q20/382 ,  G06Q20/4012 ,  G07F7/1016 ,  G07F7/1075 ,  G07F7/1091 ,  G07F19/211

摘要： A system for enhancing security of a personal identification number is configned for performing a method that includes receiving, from a first entity having an input permission, a first data structure into a HSM, wherein the first data structure maps a first many-to-one mapping between a first and a second PIN numeral system. The method also includes determining whether the content of the first data structure is valid, storing the first data structure in the HSM if the first data structure is valid and marking the stored first data structure as inactive. The method further includes activating the first data structure if a second data structure is input into the HSM by a second entity having an activation permission, wherein the first entity is different from the second entity, the first data structure is identical to the second data structure. The method additionally includes converting from the first to the second PIN numeral system responsive to the activated first data structure.

摘要翻译： 用于增强个人识别号码的安全性的系统用于执行包括从具有输入许可的第一实体接收第一数据结构到HSM的方法，其中所述第一数据结构映射第一多对一 第一和第二PIN数字系统之间的映射。 该方法还包括确定第一数据结构的内容是否有效，如果第一数据结构有效并将所存储的第一数据结构标记为不活动，则将第一数据结构存储在HSM中。 该方法还包括：如果第二数据结构由具有激活许可的第二实体输入到HSM中，则激活第一数据结构，其中第一实体与第二实体不同，第一数据结构与第二数据结构相同 。 该方法还包括响应于激活的第一数据结构从第一PIN数字系统转换为第二PIN数字系统。

公开(公告)号：US20140013122A1

公开(公告)日：2014-01-09

申请号：US13542841

申请日：2012-07-06

申请人： Todd W. Arnold ,  Elizabeth A. Dames ,  Mark D. Marik

发明人： Todd W. Arnold ,  Elizabeth A. Dames ,  Mark D. Marik

IPC分类号： G06F21/00

CPC分类号： H04L9/0618 ,  G06F21/6209 ,  H04L9/088

摘要： A computer system includes memory configured to store information regarding predetermined conditions of an encryption operation and a processor configured to analyze an inbound key and an outbound key of the encryption operation. The processor is also configured to determine that the encryption operation includes a translation from a first class of encryption to a second class of encryption based on the analyzing the inbound key and the outbound key, and to determine whether the translation is permitted based on the predetermined conditions.

摘要翻译： 计算机系统包括被配置为存储关于加密操作的预定条件的信息的存储器和被配置为分析加密操作的入站密钥和出站密钥的处理器。 处理器还被配置为基于分析入站密钥和出站密钥来确定加密操作包括从第一类加密到第二类加密的翻译，并且基于预定的密码来确定是否允许翻译 条件。