公开(公告)号：US06804782B1

公开(公告)日：2004-10-12

申请号：US09373866

申请日：1999-08-13

Applicant: Xin Qiu ,  Eric J. Sprunk ,  Daniel Z. Simon ,  Lawrence Tang ,  Lawrence R. Cook

Inventor： Xin Qiu ,  Eric J. Sprunk ,  Daniel Z. Simon ,  Lawrence Tang ,  Lawrence R. Cook

IPC: G06F1130

CPC classification number: G06F9/3001 ,  G06F2207/7219 ,  H04L9/003 ,  H04L9/005 ,  H04L9/3013 ,  H04L9/302

Abstract: A cryptography circuit provides secure processing of data by utilizing countermeasures that combat timing and power attacks. Superfluous operations such as multiplication operations, modular reductions by an integer, storage of data to memory are available for use by a processor to disguise the amount of power usage and the amount of time required to perform a cryptographic operation. A cryptographic key is available for use in order to trigger when these emulated operations occur. The occurrences of the emulated operations is controlled by the user to provide the preferred tradeoff between security and use of resources.

Abstract translation: 加密电路通过利用对抗定时和电源攻击的对策来提供对数据的安全处理。 多余的操作，例如乘法运算，整数模块化减少，数据存储到存储器可供处理器使用，以掩盖功率使用量和执行加密操作所需的时间。 可以使用加密密钥来在这些仿真操作发生时触发。 仿真操作的发生由用户控制，以提供资源的安全性和使用之间的首选权衡。

公开(公告)号：US08761401B2

公开(公告)日：2014-06-24

申请号：US11846045

申请日：2007-08-28

Applicant: Eric J. Sprunk ,  Alexander Medvinsky ,  Xin Qiu ,  Stuart Moskovics ,  Liqiang Chen

Inventor： Eric J. Sprunk ,  Alexander Medvinsky ,  Xin Qiu ,  Stuart Moskovics ,  Liqiang Chen

IPC: H04L9/08 ,  H04L9/00 ,  H04L9/32

CPC classification number: H04L9/0844 ,  H04L9/006 ,  H04L9/0822 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/166

Abstract: A system and method for securely distributing PKI data, such as one or more private keys or other confidential digital information, from a PKI data generation facility to a product in a product personalization facility that is not connected to the PKI data generation facility and is assumed to be a non-secure product personalization facility. The system includes a PKI data loader for securely transmitting the encrypted PKI data transferred from the PKI data generator to a PKI server at the product personalization facility. The PKI server then transfers the PKI data to the product of interest, typically via a PKI station acting as a proxy between the PKI server and the product. In each communication step, PKI data being transferred is encrypted multiple times and the system is designed such that if any intermediate node is compromised with all of its keys, the overall system has not yet been compromised.

Abstract translation: 用于将PKI数据（例如一个或多个私钥或其他机密数字信息）的PKI数据安全地分发到不连接到PKI数据生成设备并被假定的产品个性化设施中的产品的系统和方法 成为不安全的产品个性化设施。 该系统包括PKI数据加载器，用于将从PKI数据发生器传送的加密的PKI数据安全地发送到产品个性化设施的PKI服务器。 PKI服务器然后将PKI数据传送到感兴趣的产品，通常通过充当PKI服务器和产品之间代理的PKI站。 在每个通信步骤中，正在传送的PKI数据被加密多次，并且系统被设计成使得如果任何中间节点与其所有密钥相冲突，则整个系统尚未被破坏。

公开(公告)号：US20120213370A1

公开(公告)日：2012-08-23

申请号：US13150636

申请日：2011-06-01

Applicant: Stuart P. Moskovics ,  Xin Qiu ,  Joel D. Voss ,  Alexander Medvinsky

Inventor： Stuart P. Moskovics ,  Xin Qiu ,  Joel D. Voss ,  Alexander Medvinsky

IPC: H04L9/08

CPC classification number: G06F21/57

Abstract: A method and system generates and distributes unique cryptographic device keys. The method includes generating at least a first device key and encrypting the first device key with a first encrypting key to produce a first encrypted copy of the device key. The method also includes encrypting the first device key with a second encrypting key to produce a second encrypted copy of the device key. The second encrypting key is different from said first encrypting key. The first and second encrypted copies of the device keys are associated with a device ID identifying a computing device being manufactured. The second encrypted copy of the device key is loaded onto the computing device. The first encrypted copy of the device key and the device ID with which it is associated are stored onto at least one server for subsequent use after the computing device has been deployed to a customer.

Abstract translation: 方法和系统生成和分发唯一的加密设备密钥。 该方法包括至少生成第一设备密钥并用第一加密密钥加密第一设备密钥以产生设备密钥的第一加密副本。 该方法还包括用第二加密密钥加密第一设备密钥以产生设备密钥的第二加密副本。 第二加密密钥与所述第一加密密钥不同。 设备密钥的第一和第二加密副本与标识正在制造的计算设备的设备ID相关联。 设备密钥的第二个加密副本被加载到计算设备上。 在将计算设备部署到客户之后，设备密钥的第一加密副本和与其相关联的设备ID被存储在至少一个服务器上用于随后的使用。

公开(公告)号：US20120204269A1

公开(公告)日：2012-08-09

申请号：US13364791

申请日：2012-02-02

Applicant: Christopher P. Gardner ,  Paul D. Baker ,  Tat Keung Chan ,  Ted R. Michaud ,  Xin Qiu ,  Jinsong Zheng

Inventor： Christopher P. Gardner ,  Paul D. Baker ,  Tat Keung Chan ,  Ted R. Michaud ,  Xin Qiu ,  Jinsong Zheng

IPC: G06F21/00

CPC classification number: G06F21/10 ,  G06F2221/0768 ,  G06F2221/2105

Abstract: A method for providing a secure automated feature license update is disclosed. This method may be performed at a central license server. A license template including features for enablement on a device is generated. The license template is sent to an authorized user. A license update request is received from an entity. An updated license is generated by the central license server. A response is sent to the entity.A method for providing a secure automated feature license update is disclosed. This method may be performed at a device, e.g. an end-user device. A first feature set of a current license of a device is compared with a second feature set of a license template received by the device. A license update request is generated when there is a difference between the first feature set and the second feature set. The license update request is sent to a license server.

Abstract translation: 公开了一种用于提供安全的自动功能许可证更新的方法。 该方法可以在中央许可证服务器上执行。 生成包含设备启用功能的许可证模板。 许可证模板发送给授权用户。 从实体收到许可证更新请求。 更新的许可证由中央许可证服务器生成。 响应发送到实体。 公开了一种用于提供安全的自动功能许可证更新的方法。 该方法可以在设备，例如， 终端用户设备。 将设备的当前许可证的第一特征集与由设备接收的许可证模板的第二特征集进行比较。 当第一特征集和第二特征集之间存在差异时，生成许可更新请求。 许可证更新请求被发送到许可证服务器。

公开(公告)号：US08166292B2

公开(公告)日：2012-04-24

申请号：US12500791

申请日：2009-07-10

Applicant: Xin Qiu ,  Eric J. Sprunk

Inventor： Xin Qiu ,  Eric J. Sprunk

IPC: H04L29/06

CPC classification number: H04N7/52 ,  H04L9/088 ,  H04N7/1675 ,  H04N21/2347 ,  H04N21/2365 ,  H04N21/4347 ,  H04N21/4405

Abstract: A system to transmit a set of programs from a transmitter to a receiver is used to accommodate different levels of security used for each program. When a high level of security is necessary for transmitting or receiving a program the transmitter and/or receiver is operable to accommodate that level of security. Thus, both transmitters and receivers are operable to be reconfigured to encrypt or decrypt, respectively, at different levels. Accordingly, differing amounts of programs can be transmitted or received based on the resource requirements needed at any level of security. Consequently, a high level of encryption/decryption requires more resources and allows the processing of fewer services, while a lower level of encryption/decryption allows more services to be transmitted/received.

Abstract translation: 用于将一组程序从发射机发射到接收机的系统被用于适应用于每个节目的不同级别的安全性。 当需要高水平的安全性来发送或接收程序时，发射器和/或接收器可操作以适应该级别的安全性。 因此，发射机和接收机都可以被重新配置以分别在不同的级别进行加密或解密。 因此，可以基于任何安全级别所需的资源要求来发送或接收不同数量的程序。 因此，高级别的加密/解密需要更多的资源并且允许处理较少的服务，而较低级别的加密/解密允许发送/接收更多的服务。

公开(公告)号：US20120089839A1

公开(公告)日：2012-04-12

申请号：US13267672

申请日：2011-10-06

Applicant: Xin Qiu ,  Alexander Medvinsky ,  Stuart P. Moskovics ,  Jason A. Pasion ,  Fan Wang ,  Ting Yao

Inventor： Xin Qiu ,  Alexander Medvinsky ,  Stuart P. Moskovics ,  Jason A. Pasion ,  Fan Wang ,  Ting Yao

IPC: H04L9/32 ,  H04L9/30

CPC classification number: H04L9/006 ,  H04L9/0891 ,  H04L9/14 ,  H04L9/321

Abstract: One or more servers are provided including a session manager, authentication module, authorization module, encryption module, database, and protocol handler. The session manager is configured to receive requests for new identity data from network-enabled devices. Each request is authenticated first by the update server via its authentication module by validating the signature of the request message as well as the certificate chain trusted by the update server. The authorization module is configured to determine if the network-enabled devices specified on a whitelist are authorized to be provisioned with new identity data. The database is configured to receive new identity records generated by an identity data generation system. Each of the new identity records includes a new identifier. The new identifier is not associated or linked to any previously assigned/used identifiers and identity data, thus all the new identity records are generated independently and then loaded to the update server.

Abstract translation: 提供一个或多个服务器，包括会话管理器，认证模块，授权模块，加密模块，数据库和协议处理程序。 会话管理器被配置为从网络启用的设备接收新的身份数据的请求。 通过验证请求消息的签名以及由更新服务器信任的证书链，通过其认证模块，更新服务器首先对每个请求进行认证。 授权模块被配置为确定白名单上指定的启用网络的设备是否被授权为新的身份数据提供。 数据库被配置为接收由身份数据生成系统生成的新的身份记录。 每个新的身份记录都包含一个新的标识符。 新标识符不与任何先前分配/使用的标识符和身份数据相关联或链接，因此所有新的身份记录都是独立生成的，然后加载到更新服务器。

公开(公告)号：US08048204B2

公开(公告)日：2011-11-01

申请号：US12236137

申请日：2008-09-23

Applicant: Xin Qiu ,  Meiring Beyers ,  Michael Roth ,  Mark Vanderheyden ,  Scott Shayko

Inventor： Xin Qiu ,  Meiring Beyers ,  Michael Roth ,  Mark Vanderheyden ,  Scott Shayko

IPC: B01D45/00

CPC classification number: E01C1/005

Abstract: A method of mixing polluted air with less polluted air to provide moderately polluted air. The method includes dividing air from a roadway region into a lower part and an upper part, and permitting at least a portion of the upper part to flow substantially in one or more flow directions toward a leeward region. The method also includes directing the lower part substantially upwardly in a direction substantially transverse to the flow direction to intersect with the upper part and to mix the polluted air with the less polluted air, to provide the moderately polluted air proximal to the leeward area.

Abstract translation: 将污染空气与污染较少的空气混合以提供适度污染的空气的方法。 该方法包括将来自巷道区域的空气分成下部和上部，并允许上部的至少一部分基本上沿着一个或多个流动方向流向背风区域。 该方法还包括将下部基本向上引导到基本上横向于流动方向的方向以与上部相交并且将污染的空气与较少污染的空气混合，以便在背风区域附近提供适度污染的空气。

公开(公告)号：US20110258685A1

公开(公告)日：2011-10-20

申请号：US13087847

申请日：2011-04-15

Applicant: Xin Qiu ,  Alexander Medvinsky ,  Stuart P. Moskovics ,  Jason A. Pasion ,  Eric J. Sprunk ,  Fan Wang ,  Ting Yao

Inventor： Xin Qiu ,  Alexander Medvinsky ,  Stuart P. Moskovics ,  Jason A. Pasion ,  Eric J. Sprunk ,  Fan Wang ,  Ting Yao

IPC: H04L9/32 ,  G06F21/00

CPC classification number: H04L63/0823 ,  G06F21/572 ,  H04L63/06 ,  H04L2463/102

Abstract: A method for updating network-enabled devices with new identity data includes generating a plurality of new identity data records and loading the new identity data records onto an update server. A request is received at the update server for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier. The previously assigned identifier is linked to a new identifier that is linked to one of the new identity data records. One or more new identity data records are securely delivered to the network-enabled device.

Abstract translation: 用新的身份数据更新启用网络的设备的方法包括生成多个新的身份数据记录并将新的身份数据记录加载到更新服务器上。 在更新服务器处接收到来自具有链接到标识符的先前分配的身份的至少一个启用网络的设备的新身份数据的请求。 先前分配的标识符被链接到链接到新的身份数据记录之一的新标识符。 一个或多个新的身份数据记录被安全地传送到启用网络的设备。

公开(公告)号：US20110258434A1

公开(公告)日：2011-10-20

申请号：US13087972

申请日：2011-04-15

Applicant: Xin Qiu ,  Alexander Medvinsky ,  Stuart P. Moskovics ,  Greg N. Nakanishi ,  Jason A. Pasion ,  Fan Wang ,  Ting Yao

Inventor： Xin Qiu ,  Alexander Medvinsky ,  Stuart P. Moskovics ,  Greg N. Nakanishi ,  Jason A. Pasion ,  Fan Wang ,  Ting Yao

IPC: H04L9/00

CPC classification number: H04L63/062 ,  H04L9/006 ,  H04L9/0825 ,  H04L9/0866 ,  H04L9/0891 ,  H04L63/0823

Abstract: A system for generating new identity data for network-enabled devices includes a whitelist reader configured to extract attributes from a whitelist. The whitelist includes, for each device specified in the whitelist, a previously assigned identifier of the first type. The previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices. A data retrieval module is configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto. A new data generation module is configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type, (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key. A data output module is configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type.

Abstract translation: 用于为启用网络的设备生成新的身份数据的系统包括被配置为从白名单中提取属性的白名单阅读器。 对于白名单中指定的每个设备，白名单包括先前分配的第一类型的标识符。 先前分配的第一类型的标识符被链接到先前在每个相应设备中提供的标识数据。 数据检索模块被配置为从白名单读取器接收第一类型的标识符，并且基于每个标识符，检索与之相关联的先前提供的身份数据记录中的每一个。 新的数据生成模块被配置为（i）获得与先前在白名单上指定的设备中提供的身份数据和第一类型的相应标识符相关联的密码密钥，（ii）生成新的身份数据记录， 新标识符和（iii）使用密码密钥之一加密每个新的身份数据记录，并将每个新的身份数据记录链接到与每个相应密码密钥对应的第一类型的标识符。 数据输出模块被配置为将加密的新身份数据记录及其各自的新标识符及其各自先前分配的第一类型的标识符加载到外部源上。

公开(公告)号：US20110047374A1

公开(公告)日：2011-02-24

申请号：US12854922

申请日：2010-08-12

Applicant: Jiajing Liu ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Wei Lin Chou ,  Christopher P. Gardner ,  Stuart P. Moskovics ,  Xin Qiu ,  Chia Ling Tsai ,  Ting Yao

Inventor： Jiajing Liu ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Wei Lin Chou ,  Christopher P. Gardner ,  Stuart P. Moskovics ,  Xin Qiu ,  Chia Ling Tsai ,  Ting Yao

IPC: H04L9/00

CPC classification number: H04L9/3265 ,  H04L9/007

Abstract: A method and apparatus are provided for generating identity data to be provisioned in product devices that are a part of a project. The method includes establishing a template associated with each CA in a hierarchical chain of CAs having a root CA at a highest level in the chain and a signing CA at a lowest level in the chain. The template associated with the signing CA inherits mandatory attribute fields specified in the root CA and any intermediate CA in the hierarchical chain. The mandatory attribute fields are user-specifiable fields to be populated with PKI data. A configuration file is generated upon receipt of an order for digital certificates using PKI data provided by a user to populate the mandatory attribute fields of the template associated with the signing CA. The digital certificates requested in the order are generated using the PKI data in the configuration file.

Abstract translation: 提供了一种用于生成作为项目的一部分的产品设备中提供的身份数据的方法和装置。 该方法包括在具有链中最高级别的根CA的CA的分级链中建立与每个CA相关联的模板以及链中最低级的签名CA。 与签名CA相关联的模板继承根CA中指定的强制属性字段和层级链中的任何中间CA。 强制属性字段是要填充PKI数据的用户指定字段。 使用由用户提供的PKI数据接收到数字证书的订单时，生成配置文件来填充与签名CA相关联的模板的强制属性字段。 使用配置文件中的PKI数据生成订单中请求的数字证书。