-
31.发明授权Controlling access to multiple isolated memories in an isolated execution environment 有权在独立的执行环境中控制对多个隔离存储器的访问公开(公告)号:US06678825B1
公开(公告)日:2004-01-13
申请号:US09618738
申请日:2000-07-18
申请人: Carl M. Ellison , Roger A. Golliver , Howard C. Herbert , Derrick C. Lin , Francis X. McKeen , Gilbert Neiger , Ken Reneris , James A. Sutton , Shreekant S. Thakkar , Millind Mittal
发明人: Carl M. Ellison , Roger A. Golliver , Howard C. Herbert , Derrick C. Lin , Francis X. McKeen , Gilbert Neiger , Ken Reneris , James A. Sutton , Shreekant S. Thakkar , Millind Mittal
IPC分类号: G06F1760
CPC分类号: G06F12/145 , G06F12/0831 , G06F12/1009 , G06F12/1491 , G06F21/74 , G06F2212/1016 , G06F2212/1041 , G06F2212/1052
摘要: The present invention provides a method, apparatus, and system for controlling memory accesses to multiple isolated memory areas in an isolated execution environment. A page manager is used to distribute a plurality of pages to a plurality of different areas of a memory, respectively. The memory is divided into non-isolated areas and isolated areas. The page manager is located in an isolated area of memory. Further, a memory ownership page table describes each page of memory and is also located in an isolated area of memory. The page manager assigns an isolated attribute to a page if the page is distributed to an isolated area of memory. On the other hand, the page manager assigns a non-isolated attribute to a page if the page is distributed to a non-isolated area of memory. The memory ownership page table records the attribute for each page. In one embodiment, a processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that contains configuration settings related to a page and access information. An access checking circuit coupled to the configuration storage checks the access transaction using at least one of the configuration settings and the access information and generates an access grant signal if the access transaction is valid.
摘要翻译: 本发明提供一种用于控制对隔离执行环境中的多个隔离存储器区域的存储器访问的方法,装置和系统。 页面管理器用于分别将多个页面分发到存储器的多个不同区域。 记忆分为非隔离区和隔离区。 页面管理器位于隔离区内。 此外,存储器所有权页表描述了存储器的每一页,并且还位于存储器的隔离区域中。 页面管理器将一个隔离的属性分配给页面,如果该页面被分发到一个隔离的内存区域。 另一方面,如果页面被分发到存储器的非隔离区域,则页面管理器将非隔离属性分配给页面。 内存所有权页表记录每个页面的属性。 在一个实施例中,具有正常执行模式和隔离执行模式的处理器生成访问事务。 访问事务使用包含与页面和访问信息相关的配置设置的配置存储进行配置。 耦合到配置存储器的访问检查电路使用配置设置和访问信息中的至少一个来检查访问事务,并且如果访问事务有效则生成访问许可信号。
-
公开(公告)号:US5640454A
公开(公告)日:1997-06-17
申请号:US715377
申请日:1996-09-12
CPC分类号: H04L9/0894
摘要: A cryptographic communications system and method is provided for access field verification. A key exchange field which includes an encryption of at least part of a first encryption key using a public portion of a second encryption key, an access field which includes an encryption of at least part of the first encryption key using a public portion of a third encryption key, and a verification field which is created from at least one value used to create at least one of the key exchange field and the access field are provided to a receiver. Using the verification field, the receiver verifies that at least part of the first encryption key contained within the key exchange field and at least part of the first encryption key contained within the access field are equivalent. If the receiver's verification is successful, the access field is determined to be authentic.
摘要翻译: 提供了一种用于访问字段验证的加密通信系统和方法。 密钥交换字段,其包括使用第二加密密钥的公共部分对第一加密密钥的至少一部分的加密;访问字段,其包括使用第三加密密钥的公共部分的至少部分第一加密密钥的加密 加密密钥和从用于创建密钥交换字段和访问字段中的至少一个的至少一个值创建的验证字段被提供给接收器。 使用验证字段,接收器验证包含在密钥交换字段内的第一加密密钥的至少一部分和包含在访问字段内的第一加密密钥的至少一部分是等效的。 如果接收者的验证成功,则确定访问字段是真实的。
-
33.发明授权公开(公告)号:US08838981B2
公开(公告)日:2014-09-16
申请号:US13614612
申请日:2012-09-13
CPC分类号: H04L9/3247 , H04L63/102 , H04L63/126
摘要: A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.
摘要翻译: 通信信道具有关联的信道认证器,其包括信道标识符,识别通信信道的所有者如何指示通信信道的使用策略以及信道标识符和使用策略上的数字签名。 可以由计算设备来验证通信信道的标识符和使用策略,并且通过使用策略来检查计算设备的当前安全策略是否被满足。 至少部分地基于使用策略来满足当前安全策略以及通信信道的标识符和使用策略是否被验证,允许计算设备被允许对通信信道的访问。
-
公开(公告)号:US08423774B2
公开(公告)日:2013-04-16
申请号:US13072674
申请日:2011-03-25
CPC分类号: G06F21/34 , G06Q20/341 , G06Q20/388 , G06Q20/40975 , G07F7/1008 , H04L9/0897
摘要: Systems, methods, and technologies for configuring a conventional smart card and a client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.
摘要翻译: 用于配置常规智能卡和客户机的系统,方法和技术,以及使用配置的智能卡和客户端执行智能卡授权。 此外,方法的组合提供了客户端对用户的相互认证 - 认证,以及用户对客户端的认证。 认证方法包括向用户呈现足以向用户认证客户端的指定令牌,从而保护用户提供的PIN。 通过使用基于认可的客户端系统配置的完整性密钥来加强安全性。 通过基于用户指定的PIN和修饰符计算PIN'值并使用PIN'值来解锁智能卡来进一步加强安全性。
-
35.发明申请公开(公告)号:US20130007463A1
公开(公告)日:2013-01-03
申请号:US13614612
申请日:2012-09-13
IPC分类号: H04L9/30
CPC分类号: H04L9/3247 , H04L63/102 , H04L63/126
摘要: A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.
摘要翻译: 通信信道具有关联的信道认证器,其包括信道标识符,识别通信信道的所有者如何指示通信信道的使用策略,以及通过信道标识符和使用策略的数字签名。 可以由计算设备来验证通信信道的标识符和使用策略,并且通过使用策略来检查计算设备的当前安全策略是否被满足。 至少部分地基于使用策略来满足当前安全策略以及通信信道的标识符和使用策略是否被验证,允许计算设备被允许对通信信道的访问。
-
36.发明授权公开(公告)号:US08296564B2
公开(公告)日:2012-10-23
申请号:US12372476
申请日:2009-02-17
CPC分类号: H04L9/3247 , H04L63/102 , H04L63/126
摘要: A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.
摘要翻译: 通信信道具有关联的信道认证器,其包括信道标识符,识别通信信道的所有者如何指示通信信道的使用策略,以及通过信道标识符和使用策略的数字签名。 可以由计算设备来验证通信信道的标识符和使用策略,并且通过使用策略来检查计算设备的当前安全策略是否被满足。 至少部分地基于使用策略来满足当前安全策略以及通信信道的标识符和使用策略是否被验证,允许计算设备被允许对通信信道的访问。
-
公开(公告)号:US07930332B2
公开(公告)日:2011-04-19
申请号:US11690758
申请日:2007-03-23
IPC分类号: G06F1/02
CPC分类号: G06F7/58
摘要: A weighted entropy pool service system and methods. Weights are associated with entropy sources and are used to estimate a quantity of entropy contained in data from the entropy sources. An interface is optionally provided to facilitate connecting user entropy sources to the entropy pool service. The quantity of entropy contained in the system is tracked as entropy is distributed to entropy consumers. A persistent entropy pool state file stores entropy across system restarts.
摘要翻译: 一种加权熵池服务系统及方法。 权重与熵源相关联,用于估计来自熵源的数据中包含的熵量。 可选地提供接口以便于将用户熵源连接到熵池服务。 随着熵被分配给熵消费者,系统中包含的熵量被跟踪。 持续熵池状态文件在系统重新启动之间存储熵。
-
公开(公告)号:US20100106756A1
公开(公告)日:2010-04-29
申请号:US12258997
申请日:2008-10-27
申请人: Carl M. Ellison
发明人: Carl M. Ellison
CPC分类号: H04L9/3242 , G06F7/58 , H04L9/0869 , H04L2209/24
摘要: In accordance with one or more aspects, an initial output string is generated by a random number generator. The initial output string is sent to a random number service, and an indication of failure is received from the random number service if the initial output string is the same as a previous initial output string received by the random number service. Operation of the device is ceased in response to the indication of failure. Additionally, entropy estimates for hash values of an entropy source can be generated by an entropy estimation service based on hash values of various entropy source values received by the entropy estimation service. The hash values can be incorporated into an entropy pool of the device, and the entropy estimate of the pool being updated based on the estimated entropy of the entropy source.
摘要翻译: 根据一个或多个方面,初始输出字符串由随机数生成器生成。 如果初始输出字符串与由随机数服务接收的先前初始输出字符串相同,则将初始输出字符串发送到随机数服务,并且从随机数服务接收到失败指示。 响应于故障指示停止设备的操作。 此外,可以通过基于由熵估计服务接收的各种熵源值的哈希值的熵估计服务来生成熵源的散列值的熵估计。 哈希值可以被合并到设备的熵池中,并且基于熵源的估计熵更新池的熵估计。
-
公开(公告)号:US20090154709A1
公开(公告)日:2009-06-18
申请号:US11958376
申请日:2007-12-17
申请人: Carl M. Ellison
发明人: Carl M. Ellison
IPC分类号: H04L9/32
CPC分类号: H04L9/083 , G06F21/51 , G06F21/575 , H04L9/0877 , H04L9/3234 , H04L9/3263 , H04L2209/127 , H04L2463/062
摘要: Described is a technology by which computer data secrets sealed by a trusted platform module (TPM) or like device may be securely migrated from a physical source computing machine to a physically different destination machine. For example, migration of TPM secrets allows migration of a virtual machine from one physical machine to another. A destination machine receives a set of data sealed at a source machine. The set of data includes a migration key and a secret sealed by the migration key. The destination machine performs attestation with a key server to attest that the destination machine is entitled to access the sealed secret, via credentials, known good configuration and/or other policy compliance. The key server unseals the migration key, and provides a returned key (e.g., the migration key or a session key) to the destination machine for unsealing the secrets.
摘要翻译: 描述了一种技术,通过该技术,由可信平台模块(TPM)或类似设备密封的计算机数据秘密可以被安全地从物理源计算机迁移到物理上不同的目的地机器。 例如,TPM秘密的迁移允许虚拟机从一台物理机迁移到另一台物理机。 目的地机器接收在源机器上密封的一组数据。 数据集包括迁移密钥和由迁移密钥密封的秘密。 目的地机器与密钥服务器执行证明,以证明目的地机器有权通过凭证,已知的良好配置和/或其他策略合规来访问密封的秘密。 密钥服务器解密迁移密钥,并将返回的密钥(例如,迁移密钥或会话密钥)提供给目标机器以用于解密密钥。
-
公开(公告)号:US07305711B2
公开(公告)日:2007-12-04
申请号:US10316595
申请日:2002-12-10
CPC分类号: G11B20/0021 , G11B20/00086 , G11B20/00188 , G11B20/00224 , G11B20/00253 , G11B20/00362 , G11B20/00492 , G11B20/00528 , H04L9/0825 , H04L9/0897 , H04L2209/60
摘要: Protected content distribution is accomplished by a first entity generating a set of asymmetric key pairs, creating a plurality of sets of private keys by selecting a combination of private keys from the set of asymmetric key pairs for each created set, and distributing the sets of private keys to playback devices. A second entity produces protected content including encrypted content and a public key media key block, encrypts a symmetric content key with each public key in the set of asymmetric key pairs to form the public key media key block and encrypts a content title with the symmetric content key to form the encrypted content. A playback device stores one set of private keys, receives the protected content, and decrypts and plays the content title stored in the protected content when a selected one of the set of private keys stored by the playback device successfully decrypts the encrypted symmetric content key stored in the public key media key block of the received protected content.
摘要翻译: 受保护的内容分发由生成一组非对称密钥对的第一实体完成,通过从每个创建的集合的非对称密钥对集合中选择私钥的组合来创建多组私钥,并且分发私有密钥集合 播放设备的键。 第二实体产生包括加密内容和公共密钥媒体密钥块的受保护内容,使用非对称密钥对集合中的每个公开密钥对对称内容密钥进行加密,以形成公共密钥媒体密钥块,并加密具有对称内容的内容标题 密钥来形成加密的内容。 回放设备存储一组专用密钥,接收受保护的内容,并且当由重放设备存储的一组专用密钥中的所选择的一个成功地解密存储的加密的对称内容密钥时,解密并播放存储在受保护内容中的内容标题 在接收到的受保护内容的公钥媒体密钥块中。
-
-
-
-
-
-
-
-
-
搜索结果
81 条记录 (耗时 0.037 秒)
