File system metadata protection
    41.
    Granted invention patent

    Publication number: US11809584B2

    Publication date: 2023-11-07

    Application number: US17457401

    Application date: 2021-12-02

    Applicant: Apple Inc.

    CPC classification number: G06F21/6218 G06F21/31 G06F21/602 H04L9/14

    Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

    Separation of managed and unmanaged data in a computing device

    Publication number: US11675919B2

    Publication date: 2023-06-13

    Application number: US16683238

    Application date: 2019-11-13

    Applicant: Apple Inc.

    CPC classification number: G06F21/6218 G06F21/44 H04L9/0866

    Abstract: Techniques are disclosed relating to securely storing data at a computing device that is managed by an external entity. In some embodiments, a computing device maintains a first file system volume having data that is accessible to a user of the computing device and that is not managed by an entity external to the computing device. The computing device receives, from the entity external, a first request to configure the computing device to store data that is accessible to the user and managed by the external entity. In response to the first request, the computing device creates a second distinct file system volume to store the data managed by the external entity. In response to a second request from the external entity, the computing device subsequently removes the second file system volume.

    FILE SYSTEM METADATA PROTECTION
    45.
    Invention patent application

    Publication number: US20220092206A1

    Publication date: 2022-03-24

    Application number: US17457401

    Application date: 2021-12-02

    Applicant: Apple Inc.

    Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

    Secure data access between computing devices using host-specific key

    Publication number: US11068419B1

    Publication date: 2021-07-20

    Application number: US16786633

    Application date: 2020-02-10

    Applicant: Apple Inc.

    Abstract: Techniques are disclosed concerning secure access to data in a computing device. In one embodiment, a computing device includes a communication interface, a memory, a memory controller, and a security processor. The communication interface may communicate with a different computing device. The security processor may generate a host key in response to a successful authentication of the different computing device, and then encrypt a memory key using the host key. The security processor may also send the encrypted memory key to the memory controller, and send the host key to the different computing device. The host key may be included by the different computing device in a subsequent memory request to access data in the memory. The memory controller may, in response to the subsequent memory request, use the included host key to decrypt the encrypted memory key and use the decrypted memory key to access the data.

    Modifying security state with highly secured devices

    Publication number: US10965474B1

    Publication date: 2021-03-30

    Application number: US15953326

    Application date: 2018-04-13

    Applicant: Apple Inc.

    Abstract: Some embodiments of the invention provide a method for authenticating a security device (e.g., a smart card or other highly secured device) to modify a security state (e.g., unlocking, decrypting, etc.) at a target device (e.g., laptop computers, mobile phones, tablets, etc.). In some embodiments, the security device does not have a volatile storage for storing volatile parameters for the particular device to use to perform the authentication process. The method of some embodiments sends an encrypted challenge to the security device, in which the encrypted challenge can only be decrypted by the security device. The method receives a response and modifies accessibility for the target device when the response is a valid response. The method of some embodiments determines that a response is valid based on the decrypted contents of the response and/or based on a period of time between the issuance of the challenge and the received response.

    SEPARATION OF MANAGED AND UNMANAGED DATA IN A COMPUTING DEVICE

    Publication number: US20200380149A1

    Publication date: 2020-12-03

    Application number: US16683238

    Application date: 2019-11-13

    Applicant: Apple Inc.

    Abstract: Techniques are disclosed relating to securely storing data at a computing device that is managed by an external entity. In some embodiments, a computing device maintains a first file system volume having data that is accessible to a user of the computing device and that is not managed by an entity external to the computing device. The computing device receives, from the entity external, a first request to configure the computing device to store data that is accessible to the user and managed by the external entity. In response to the first request, the computing device creates a second distinct file system volume to store the data managed by the external entity. In response to a second request from the external entity, the computing device subsequently removes the second file system volume.

    Cryptographic separation of users
    50.
    Granted invention patent

    Publication number: US10423804B2

    Publication date: 2019-09-24

    Application number: US15275273

    Application date: 2016-09-23

    Applicant: Apple Inc.

    Abstract: Techniques are disclosed relating to securely storing data in a computing device. In one embodiment, a computing device includes a secure circuit configured to maintain key bags for a plurality of users, each associated with a respective one of the plurality of users and including a first set of keys usable to decrypt a second set of encrypted keys for decrypting data associated with the respective user. The secure circuit is configured to receive an indication that an encrypted file of a first of the plurality of users is to be accessed and use a key in a key bag associated with the first user to decrypt an encrypted key of the second set of encrypted keys. The secure circuit is further configured to convey the decrypted key to a memory controller configured to decrypt the encrypted file upon retrieval from a memory.
