公开(公告)号：US07281125B2

公开(公告)日：2007-10-09

申请号：US09940155

申请日：2001-08-24

Applicant: David Carroll Challener ,  Steven Dale Goodman ,  David Robert Safford ,  Randall Scott Springfield

Inventor： David Carroll Challener ,  Steven Dale Goodman ,  David Robert Safford ,  Randall Scott Springfield

IPC: H04L29/00

CPC classification number: G06F21/572 ,  G06F21/575 ,  G06F21/62

Abstract: A method, computer program product and computer system for securing alterable data. A computer that is remotely managed may be equipped with a protected storage that is accessible only by BIOS code. The protected storage may have the capacity to store a symmetrical encryption key. An EEPROM, which normally contains the BIOS code, may be used to store accessible configuration data as well as remotely unaccessible sensitive access information (e.g., passwords). The remotely unaccessible sensitive data is encrypted with the symmetrical encryption key by the BIOS code. Remote access to the sensitive data is accomplished via change requests submitted to the BIOS code over a secure channel. The BIOS code then determines whether the request is valid. If so, then sensitive data is decrypted, altered, encrypted, and re-written into the EEPROM. Normal access to accessible data is unaffected and remote access is allowed without changing the computer system architecture.

Abstract translation: 一种用于保护可变数据的方法，计算机程序产品和计算机系统。 远程管理的计算机可能配备有只能通过BIOS代码访问的受保护存储。 受保护的存储器可以具有存储对称加密密钥的能力。 通常包含BIOS代码的EEPROM可用于存储可访问的配置数据以及远程不可访问的敏感访问信息（例如，密码）。 远程不可访问的敏感数据通过BIOS代码用对称加密密钥加密。 通过安全通道提交给BIOS代码的更改请求，可以远程访问敏感数据。 然后，BIOS代码确定请求是否有效。 如果是这样，那么敏感数据将被解密，更改，加密并重新写入EEPROM。 对可访问数据的正常访问不受影响，并且允许远程访问，而无需更改计算机系统架构。

公开(公告)号：US07254722B2

公开(公告)日：2007-08-07

申请号：US10411415

申请日：2003-04-10

Applicant: Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

Inventor： Ryan Charles Catherman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Randall Scott Springfield ,  James Peter Ward

IPC: G06F1/28

CPC classification number: G06F21/57 ,  G06F21/575 ,  H05K1/181

Abstract: A motherboard for a computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the motherboard is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset on the motherboard.

Abstract translation: 提供了一种用于计算机系统的主板，其提供可信赖的平台，通过该平台可以以更高级别的信任和置信度执行操作。 主板的信任基础由加密协处理器和与加密协处理器接口的代码建立，并为平台建立信任度量的根源。 构建加密协处理器，使得仅当检测到操作者的物理存在时才允许某些关键操作。 基于主板上核心芯片组中寄存器的状态，推理确定物理存在。

公开(公告)号：US07191464B2

公开(公告)日：2007-03-13

申请号：US09978381

申请日：2001-10-16

Applicant: Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

Inventor： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

IPC: H04L9/32 ,  G06F15/177

CPC classification number: G06F21/575

Abstract: A method, system and computer readable medium containing programming instructions for tracking a secure boot in a computer system having a plurality of devices is disclosed. The method, system and computer readable medium include providing an embedded security system (ESS) in the computer system, wherein the ESS includes at least one boot platform configuration register (PCR) and a shadow PCR for each of the at least one boot PCRs, initiating a platform reset to boot the computer system via BIOS, and, for a device booted, generating a measurement value for the device and extending that value to one of the at least one boot PCRs and its corresponding shadow PCR. The system, method and computer readable medium of the present invention also includes comparing the measurement values of the boot PCRs to their corresponding shadow PCRs, whereby the computer system is trusted if the measurement values match.

Abstract translation: 公开了一种包含用于在具有多个设备的计算机系统中跟踪安全引导的编程指令的方法，系统和计算机可读介质。 所述方法，系统和计算机可读介质包括在所述计算机系统中提供嵌入式安全系统（ESS），其中所述ESS包括用于所述至少一个启动PCR中的每一个的至少一个引导平台配置寄存器（PCR）和阴影PCR， 启动平台重置以通过BIOS引导计算机系统，并且对于引导的设备，生成所述设备的测量值并将该值扩展到所述至少一个启动PCR中的一个及其相应的阴影PCR。 本发明的系统，方法和计算机可读介质还包括将引导PCR的测量值与其相应的阴影PCR进行比较，从而如果测量值匹配，则计算机系统被信任。

公开(公告)号：US07174465B2

公开(公告)日：2007-02-06

申请号：US10180160

申请日：2002-06-26

Applicant: Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  William Fred Keown, Jr. ,  Eric Richard Kern ,  Randall Scott Springfield

Inventor： Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  William Fred Keown, Jr. ,  Eric Richard Kern ,  Randall Scott Springfield

IPC: H04L9/32 ,  H04L9/00

CPC classification number: G06F21/57

Abstract: A method is disclosed for securely updating system attributes of a client computer with a BIOS and includes signing a public key of a secure server with a private key of the BIOS prior to completion of manufacturing of the client computer to create an encrypted public key and embedded private key stored at the server. The method includes receiving at the server a request packet transmitted from the client computer requesting system attribute modification, encrypting the request packet to create an encrypted packet, and transmitting a return packet to client computer comprising the encrypted packet, the server's public key, and server instructions. The client computer decrypts the request packet using the server's public key and compares it to the original request packet, and if identical, executes the server instructions to modify the client computer's boot block to update client computer's system attributes.

Abstract translation: 公开了一种用于使用BIOS安全地更新客户端计算机的系统属性的方法，并且包括在完成客户端计算机的制造之前用BIOS的私钥对安全服务器的公共密钥进行签名以创建加密的公共密钥并且嵌入 私钥存储在服务器端。 该方法包括在服务器处接收从客户端计算机发送的请求系统属性修改的请求分组，对请求分组进行加密以创建加密的分组，以及向包括加密分组，服务器的公钥和服务器的客户端计算机发送返回分组 说明。 客户端计算机使用服务器的公钥解密请求包，并将其与原始请求包进行比较，如果相同，则执行服务器指令修改客户端计算机的启动块以更新客户端计算机的系统属性。

公开(公告)号：US07107460B2

公开(公告)日：2006-09-12

申请号：US10077135

申请日：2002-02-15

Applicant: Daryl Carvis Cromer ,  Scott Thomas Elliott ,  James Patrick Hoff ,  Howard Jeffrey Locker ,  David Rivera ,  Randall Scott Springfield ,  James Peter Ward

Inventor： Daryl Carvis Cromer ,  Scott Thomas Elliott ,  James Patrick Hoff ,  Howard Jeffrey Locker ,  David Rivera ,  Randall Scott Springfield ,  James Peter Ward

IPC: H04L29/02 ,  H04L29/18 ,  H04L9/34

CPC classification number: G06F21/70 ,  G06F21/57

Abstract: An embedded security subsystem, and method for implementing the same, which provide secure controllability of a data security device within a data processing system. The embedded security subsystem of the present invention includes a persistent enable flag for providing control access to the data security device, wherein the persistent enable flag is accessible only in response to a power-on reset cycle of the data processing system. The persistent enable flag is read-only accessible to runtime program instructions. A pending state change flag that is write accessible by runtime program instructions is utilized for setting an intended next state of the persistent enable flag such that control access to the data security device is enabled only during a subsequent power-on reset of said data processing system.

公开(公告)号：US07082129B2

公开(公告)日：2006-07-25

申请号：US10134936

申请日：2002-04-29

Applicant: Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

Inventor： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

IPC: H04L12/28

CPC classification number: G06F1/3209 ,  H04L12/12 ,  H04L45/20 ,  Y02D50/40

Abstract: In a computer network including a plurality of interconnected computers, one of the computers being a sleeping computer in a power down state, the sleeping computer listening for a packet associated with the sleeping computer, a method and system of waking the sleeping computer from the computer network. An incoming packet of data is transmitted from one of the computers in the network to the sleeping computer. When the sleeping computer detects the incoming packet, it determines if the incoming packet contains a data sequence associated with the sleeping computer. Further, the sleeping computer compares a transit value in the incoming packet to a predetermined value stored at the sleeping computer. The transit value indicates how far the data packet has traveled through the network, indicating the approximate origin of the data packet. Knowing the approximate origin of the data packet allows the client system to identify if the data packet originated from an external network. The predetermined value represents an origin within the internal network. Accordingly, if the incoming packet matches the particular data sequence associated with the sleeping computer, and the transit value in the packet matches the predetermined value stored at the sleeping computer, then a signal is issued to wake the sleeping computer. Otherwise, the incoming packet is discarded and the sleeping computer is not awaken.

Abstract translation: 在包括多个相互连接的计算机的计算机网络中，计算机中的一个是处于断电状态的休眠计算机，睡眠计算机监听与休眠计算机相关联的分组，从计算机唤醒睡眠计算机的方法和系统 网络。 传入的数据包从网络中的一台计算机发送到睡眠计算机。 当睡眠计算机检测到传入分组时，它确定传入分组是否包含与睡眠计算机相关联的数据序列。 此外，睡眠计算机将输入分组中的传输值与存储在睡眠计算机上的预定值进行比较。 传输值表示数据分组通过网络传播的距离，指示数据分组的近似来源。 知道数据包的近似来源允许客户端系统识别数据包是否源自外部网络。 预定值表示内部网络内的原点。 因此，如果输入分组与休眠计算机相关联的特定数据序列匹配，并且分组中的传输值与存储在睡眠计算机上的预定值匹配，则发出信号以唤醒睡眠计算机。 否则，传入的数据包被丢弃，并且睡眠的计算机没有被唤醒。

公开(公告)号：US06658562B1

公开(公告)日：2003-12-02

申请号：US09649440

申请日：2000-08-25

Applicant: Ralph Bonomo ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Robert Duane Johnson ,  Diane Nolterieke ,  Randall Scott Springfield

Inventor： Ralph Bonomo ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Robert Duane Johnson ,  Diane Nolterieke ,  Randall Scott Springfield

IPC: G06F924

CPC classification number: G06F9/44505 ,  G06F9/4401 ,  G06F21/572

Abstract: A method, system, and program for selecting and implementing a basic input/output system (“BIOS”) configuration among various BIOS configurations for a data processing system are disclosed. Different BIOS configurations are defined for various types of users, such as a home user, a commercial user, and a network user. Each of the BIOS configurations includes a different set of BIOS characteristics, such as program setup features security features, and network server features, under which the data processing system is able to run. The different BIOS configurations are stored into a memory device for the data processing system. A designation is set within the memory device that directs a processor of the data processing system to select and execute a desired one of the BIOS configurations for a particular type of user.

Abstract translation: 公开了一种用于在数据处理系统的各种BIOS配置之间选择和实现基本输入/输出系统（“BIOS”）配置的方法，系统和程序。 为各种类型的用户（例如家庭用户，商业用户和网络用户）定义不同的BIOS配置。 每个BIOS配置包括一组不同的BIOS特性，例如程序设置功能，安全功能和网络服务器功能，数据处理系统可以在这些功能下运行。 不同的BIOS配置被存储到用于数据处理系统的存储器设备中。 在存储器设备内设置指示数据处理系统的处理器为特定类型的用户选择并执行所需的一个BIOS配置的指定。

公开(公告)号：US06601174B1

公开(公告)日：2003-07-29

申请号：US09255552

申请日：1999-02-22

Applicant: Daryl Carvis Cromer ,  Richard Alan Dayan ,  Brandon Jon Ellison ,  Eric Richard Kern ,  Randall Scott Springfield

Inventor： Daryl Carvis Cromer ,  Richard Alan Dayan ,  Brandon Jon Ellison ,  Eric Richard Kern ,  Randall Scott Springfield

IPC: G06F1130

CPC classification number: H04L63/083 ,  G06F21/57

Abstract: A data processing system and method are described for permitting a server computer system to remotely provide a client computer system's settings password to the client computer system. The client and server computer systems are coupled together utilizing a network. A network settings password is established within the client. The network settings password is required prior to permitting access to system settings included within the client. The client receives the network settings password from the server computer system utilizing the network. Access to the system settings is permitted in response to the receipt of the network settings password. In this manner, the server computer system remotely provides a network settings password to the client computer system.

Abstract translation: 描述了一种数据处理系统和方法，用于允许服务器计算机系统向客户端计算机系统远程提供客户端计算机系统的设置密码。 客户端和服务器计算机系统利用网络耦合在一起。 在客户端内建立网络设置密码。 在允许访问客户端中包含的系统设置之前，需要网络设置密码。 客户端使用网络从服务器计算机系统接收网络设置密码。 响应收到网络设置密码，可以访问系统设置。 以这种方式，服务器计算机系统向客户端计算机系统远程提供网络设置密码。

公开(公告)号：US6158020A

公开(公告)日：2000-12-05

申请号：US60279

申请日：1998-04-14

Applicant: Howard Locker ,  Randall Scott Springfield ,  Daryl Carvis Cromer ,  David Benson Rhoades ,  James Peter Ward

Inventor： Howard Locker ,  Randall Scott Springfield ,  Daryl Carvis Cromer ,  David Benson Rhoades ,  James Peter Ward

IPC: H04L12/24 ,  G06F11/00

CPC classification number: H04L41/00 ,  H04L12/24

Abstract: A client on a network is provided with auxiliary low power logic, at the network adapter, that is always active and simulates network traffic (e.g. Ethernet format) normally sent under control of the main client system processor(s). This logic receives commands from the network manager, even when the system CPU is powered down or the system is not operational; information which allows the network manager to exercise broader control and perform maintenance and upgrades which would otherwise require service call for maintenance and reconfiguration of the client system. The auxiliary logic also can receive and interpret commands from the network that conform to a predefined format.

Abstract translation: 在网络上的客户机提供辅助低功率逻辑，在网络适配器处，其始终是活动的并且模拟通常在主客户端系统处理器的控制下发送的网络流量（例如以太网格式）。 该逻辑从网络管理器接收命令，即使系统CPU断电或系统不可操作; 允许网络管理员进行更广泛的控制并进行维护和升级的信息，否则将要求维护和重新配置客户端系统的服务。 辅助逻辑还可以接收和解释来自网络的符合预定格式的命令。

公开(公告)号：US09792453B2

公开(公告)日：2017-10-17

申请号：US11861597

申请日：2007-09-26

Applicant: David Carroll Challener ,  Daryl Cromer ,  Howard Locker ,  Randall Scott Springfield

Inventor： David Carroll Challener ,  Daryl Cromer ,  Howard Locker ,  Randall Scott Springfield

IPC: G06F21/62 ,  G06F21/74 ,  H04L29/06

CPC classification number: G06F21/6209 ,  G06F21/74 ,  G06F2221/2103 ,  G06F2221/2105 ,  H04L63/1441

Abstract: A method and system are disclosed for placing a computer in a safe and secure lock down state from a remote location using a remote command device such as a cellular telephone. The method and system includes optional security provisions before restarting the computer.