Method and system for using a compact disk as a smart key device
    21.
    Granted invention patent
    Legal status: in force

    Publication No.: US07386736B2

    Publication date: 2008-06-10

    Application No.: US11014559

    Filing date: 2004-12-16

    IPC classification: G06F11/30

    Abstract: A data processing system accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit.


    Method and system for verifying binding of an initial trusted device to a secured processing system
    22.
    Granted invention patent
    Legal status: in force

    Publication No.: US07143287B2

    Publication date: 2006-11-28

    Application No.: US10970461

    Filing date: 2004-10-21

    IPC classification: G06F17/30

    CPC classification: G06F21/57

    Abstract: A method and system for verifying binding of an initial trusted device to a secured processing system binds an initial device or replacement when no binding information is available from another device in the system. A platform credential is issued only when a valid binding is verified, by sending a proof of binding to a credential provider, such as the manufacturer. The method secures against security breaches that can occur when a device is removed from the system during the binding process. The binding information is generated in the device upon installation and includes system identification information so that at each initialization, upon return of binding information from the system to the device, the device can ensure that it is installed in the proper system and abort operation if the system does not match.


    Method, system, and product for pre-encrypting static information transmitted by secure web sites

    Publication No.: US07117357B2

    Publication date: 2006-10-03

    Application No.: US09892969

    Filing date: 2001-06-27

    Applicant: Steven A. Bade

    Inventor: Steven A. Bade

    IPC classification: H04L9/18

    Abstract: A data processing system, method, and product are disclosed for pre-encrypting static information transmitted by secure Web sites. The data processing system includes a server computer system coupled to a client computer system utilizing a network. The server computer system receives a request for a secure Web page that is maintained by the server. The secure Web page includes dynamically-changing information and static information. The server encrypts and transmits the encrypted dynamically-changing information. The server determines whether the static information has been pre-encrypted. If the static information has been pre-encrypted, the server bypasses the encryption step and transmits the pre-encrypted static information.

    System and method for providing positional authentication for client-server systems
    24.
    Granted invention patent
    Legal status: in force

    Publication No.: US06898628B2

    Publication date: 2005-05-24

    Application No.: US09815549

    Filing date: 2001-03-22

    IPC classification: H04L29/06 H04L29/08 G06F15/16

    Abstract: The present invention is embodied in a system and method for providing positional authentication for client-server systems, such as extranets. In general, an authentication system of the present invention controls and authenticates access rights to a host server from a client machine that desires access to the host server via a network connection, such as an extranet connection. Specifically, the present invention includes a client machine coupled to a host server, via any suitable connection, such as an extranet, and a wireless positioning system, such as a global positioning satellite (GPS). The client machine can be any suitable client computer machine, such as a desktop computer, portable notebook computer or the like. The client machine includes a positioning receiver and a positional relation module. The host server includes an authentication module with predefined access parameters for standard and positional authentication. A portion of the predefined access parameters is used to associate specific locations of the client machine with access rights for positional authentication.


    Cross-protocol federated single sign-on (F-SSO) for cloud enablement
    25.
    Granted invention patent
    Legal status: in force

    Publication No.: US09560036B2

    Publication date: 2017-01-31

    Application No.: US12832307

    Filing date: 2010-07-08

    CPC classification: H04L63/0815 H04L9/3228

    Abstract: A method to enable access to resources hosted in a compute cloud begins upon receiving a registration request to initiate a user's registration to use resources hosted in the compute cloud. During a registration process initiated by receipt of the registration request, a federated single sign-on (F-SSO) request is received. The F-SSO request includes an assertion (e.g., an HTTP-based SAML assertion) having authentication data (e.g., an SSH public key, a CIFS username, etc.) for use to enable direct user access to a resource hosted in the compute cloud. Upon validation of the assertion, the authentication data is deployed within the cloud to enable direct user access to the compute cloud resource using the authentication data. In this manner, the cloud provider provides authentication, single sign-on and lifecycle management for the user, despite the “air gap” between the HTTP protocol used for F-SSO and the non-HTTP protocol used for the user's direct access to the cloud resource.


    Techniques for addressing geographical location issues in computing environments
    26.
    Granted invention patent
    Legal status: in force

    Publication No.: US08527633B2

    Publication date: 2013-09-03

    Application No.: US12985529

    Filing date: 2011-01-06

    IPC classification: G06F15/173 G06F9/46

    Abstract: A technique for addressing geographical location issues in a computing environment includes receiving, at a data processing system, location information indicating a permissible geographical location in which a virtual machine image for a consumer may be deployed. A request for an exception to deploy the virtual machine image outside of the permissible geographical location is issued, from the data processing system. An exception grant or an exception denial is received, at the data processing system, from the consumer in response to the request. The virtual machine image is deployed, using the data processing system, to one or more servers in the computing environment that are outside of the permissible geographical location in response to receipt of the exception grant. The virtual machine image is deployed, using the data processing system, to one or more servers in the computing environment that are within the permissible geographical location in response to receipt of the exception denial.


    Monitoring Geographic Location Changes of Assets in a Cloud
    27.
    Invention patent application
    Legal status: under examination (published)

    Publication No.: US20130054780A1

    Publication date: 2013-02-28

    Application No.: US13218674

    Filing date: 2011-08-26

    IPC classification: G06F15/16

    Abstract: Despite the best intentions of a cloud service provider, digital assets may be moved to a geographic location that deviates from a geographic preference, policy, or setting of the owner of the digital assets. A monitoring tool can monitor network location of a digital asset hosted by a cloud service provider. Movement of the digital asset from a first network location to a second network location is detected. In response to detecting that the digital asset moves, a geographic location that corresponds to the second network location is determined. It is then determined that the geographic location deviates from a geographic setting configured for the digital asset. A notification that the digital asset has been moved to the geographic location that deviates from the geographic setting is generated.


    Providing a trusted platform module in a hypervisor environment
    28.
    Granted invention patent
    Legal status: in force

    Publication No.: US08086852B2

    Publication date: 2011-12-27

    Application No.: US12207487

    Filing date: 2008-09-09

    IPC classification: H04L9/00

    CPC classification: G06F21/53

    Abstract: A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPMs within the reserved partition such that each logical TPM is uniquely associated with a logical partition.


    Securing Asynchronous Client Server Transactions
    29.
    Invention patent application
    Legal status: in force

    Publication No.: US20110145891A1

    Publication date: 2011-06-16

    Application No.: US12638176

    Filing date: 2009-12-15

    IPC classification: H04L9/32 G06F15/16

    Abstract: A method, system, and computer usable program product for securing asynchronous client server transactions are provided in the illustrative embodiments. A request including an application identifier and a version of a second application is received at a first application. A service identifier is generated if a session with the second application is valid. A registry is generated at the first application. A catalog is generated based on the registry, and the service identifier and the catalog are sent to the second application. A sub-request including the service identifier is received as part of an asynchronous client server transaction. Validity of the sub-request is determined by determining whether the service identifier has expired, whether the sub-request requests a service that is permissible according to the catalog, whether the service identifier is used in conjunction with the second application, or a combination thereof. If the sub-request is valid, the service is provided.


    Method and system for hierarchical platform boot measurements in a trusted computing environment
    30.
    Granted invention patent
    Legal status: in force

    Publication No.: US07752458B2

    Publication date: 2010-07-06

    Application No.: US12258332

    Filing date: 2008-10-24

    IPC classification: G06F11/30

    CPC classification: G06F21/57

    Abstract: An architecture for a distributed data processing system comprises a system-level service processor along with one or more node-level service processors; each is uniquely associated with a node, and each is extended to comprise any components that are necessary for operating the nodes as trusted platforms, such as a TPM and a CRTM in accordance with the security model of the Trusted Computing Group. These node-level service processors then inter-operate with the system-level service processor, which also contains any components that are necessary for operating the system as a whole as a trusted platform. A TPM within the system-level service processor aggregates integrity metrics that are gathered by the node-level service processors, thereafter reporting integrity metrics as requested, e.g., to a hypervisor, thereby allowing a large distributed data processing system to be validated as a trusted computing environment while allowing its highly parallelized initialization process to proceed.
