-
公开(公告)号:US07890771B2
公开(公告)日:2011-02-15
申请号:US10407117
申请日:2003-04-04
申请人: Paul England , Marcus Peinado
发明人: Paul England , Marcus Peinado
IPC分类号: G06F11/30
CPC分类号: G06F21/6218
摘要: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with another aspect, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The data is decrypted using public key decryption and returned to the calling program only if the calling program is allowed to access the data.
摘要翻译: 根据某些方面,从呼叫程序接收数据。 使用公钥加密来生成包含数据的密文,只允许一个或多个目标程序能够从密文获得数据。 根据另一方面,从调用程序接收位串。 检查调用程序的标识符以确定是否允许调用程序访问以位串的密文加密的数据。 数据使用公开密钥解密解密,只有在允许调用程序访问数据的情况下才能返回到调用程序。
-
52.发明授权Virtualization of software configuration registers of the TPM cryptographic processor 有权虚拟化TPM加密处理器的软件配置寄存器公开(公告)号:US07836299B2
公开(公告)日:2010-11-16
申请号:US11080906
申请日:2005-03-15
申请人: Paul England , Matthew C. Setzer
发明人: Paul England , Matthew C. Setzer
CPC分类号: G06F21/57
摘要: A virtual PCR (VPCR) construct is provided that can be cryptographically tagged as optionally resettable or as enduring for the life of a client (process, virtual machine, and the like) and that can be loaded into a resettable hardware PCR to make use of the functionality of a Trusted Platform Module (TPM). The VPCRs may cryptographically reflect their characteristics (resettable or not) in their stored values. Also, since the PCRs are virtualized, they are (effectively) unlimited in number and may be given general names (UUIDs) that are less likely to collide. The VPCRs can be loaded into a physical PCR as needed, but in a way that stops one piece of software from impersonating another piece of software. The VPCRs thus enable all software using the TPM to be given access to TPM functionality (sealing, quoting, etc.) without security concerns.
摘要翻译: 提供虚拟PCR(VPCR)构造,其可以被加密地标记为可选择地重置或在客户端(过程,虚拟机等)的寿命中持久,并且可以将其加载到可重置的硬件PCR中以利用 可信平台模块(TPM)的功能。 VPCR可以加密地反映其存储值的特性(可重置或不可复位)。 此外,由于PCR被虚拟化,它们(有效地)数量无限制,并且可以被给予不太可能发生冲突的通用名称(UUID)。 VPCR可以根据需要加载到物理PCR中,但可以阻止一块软件冒充另一块软件。 因此,VPCR可以使所有使用TPM的软件都能够获得TPM功能(密封,引用等),而无需安全考虑。
-
公开(公告)号:US07797544B2
公开(公告)日:2010-09-14
申请号:US10734028
申请日:2003-12-11
申请人: Blair B. Dillaway , Paul England , Marcus Peinado
发明人: Blair B. Dillaway , Paul England , Marcus Peinado
IPC分类号: H04L9/32
CPC分类号: H04L9/0825 , H04L9/3226 , H04L9/3247 , H04L9/3265 , H04L2209/56
摘要: To establish trust between first and second entities, the first entity sends an attestation message to the second entity, including a code ID, relevant data, a digital signature based on the code ID and data, and a certificate chain. The second entity verifies the signature and decides whether to in fact enter into a trust-based relationship with the first entity based on the code ID and the data in the attestation message. Upon so deciding, the second entity sends a trust message to the first entity, including a secret to be shared between the first and second entities. The first entity obtains the shared secret in the trust message and employs the shared secret to exchange information with the second entity.
摘要翻译: 为了在第一和第二实体之间建立信任,第一实体向第二实体发送认证消息,包括代码ID,相关数据,基于代码ID和数据的数字签名以及证书链。 第二实体验证签名,并且基于代码ID和认证消息中的数据来确定是否实际上与第一实体进行基于信任的关系。 在这样确定的情况下,第二实体向第一实体发送信任消息,包括要在第一和第二实体之间共享的秘密。 第一实体获取信任消息中的共享密钥,并使用共享密钥与第二实体交换信息。
-
公开(公告)号:US07765397B2
公开(公告)日:2010-07-27
申请号:US11557581
申请日:2006-11-08
申请人: Paul England , Marcus Peinado
发明人: Paul England , Marcus Peinado
IPC分类号: H04L29/06
CPC分类号: G06F21/6218
摘要: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with another aspect, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The data is decrypted using public key decryption and returned to the calling program only if the calling program is allowed to access the data.
摘要翻译: 根据某些方面,从呼叫程序接收数据。 使用公钥加密来生成包含数据的密文,只允许一个或多个目标程序能够从密文获得数据。 根据另一方面,从调用程序接收位串。 检查调用程序的标识符以确定是否允许调用程序访问以位串的密文加密的数据。 数据使用公开密钥解密解密,只有在允许调用程序访问数据的情况下才能返回到调用程序。
-
55.发明授权Using limits on address translation to control access to an addressable entity 有权使用地址转换限制来控制对可寻址实体的访问公开(公告)号:US07650478B2
公开(公告)日:2010-01-19
申请号:US11299083
申请日:2005-12-09
申请人: Marcus Peinado , Paul England , Bryan Mark Willman
发明人: Marcus Peinado , Paul England , Bryan Mark Willman
IPC分类号: G06F12/00
CPC分类号: G06F12/145
摘要: A data storage resource is identifiable by physical addresses, and optionally by a virtual address. A policy defines which resources are accessible and which resources are not accessible. A request to access a resource is allowed if access to the resource is permitted by the policy, and if carrying out the access will not cause virtual addresses to be assigned to resources to which the policy disallows access. Since resources to which access is disallowed do not have virtual addresses, certain types of access requests that identify a resource by a virtual address can be allowed without consulting the policy.
摘要翻译: 数据存储资源可以通过物理地址和可选的虚拟地址来识别。 策略定义哪些资源是可访问的,哪些资源不可访问。 如果策略允许对资源的访问,则允许访问资源的请求,并且如果执行访问不会导致将虚拟地址分配给策略不允许访问的资源。 由于不允许访问的资源没有虚拟地址,因此可以允许在不咨询策略的情况下识别虚拟地址的资源的某些类型的访问请求。
-
56.发明授权Manifest-based trusted agent management in a trusted operating system environment 有权在受信任的操作系统环境中进行基于清单的可信代理管理公开(公告)号:US07634661B2
公开(公告)日:2009-12-15
申请号:US11206585
申请日:2005-08-18
申请人: Paul England , Marcus Peinado , Daniel R. Simon , Josh D. Benaloh
发明人: Paul England , Marcus Peinado , Daniel R. Simon , Josh D. Benaloh
摘要: Manifest-based trusted agent management in a trusted operating system environment includes receiving a request to execute a process is received and setting up a virtual memory space for the process. Additionally, a manifest corresponding to the process is accessed, and which of a plurality of binaries can be executed in the virtual memory space is limited based on indicators, of the binaries, that are included in the manifest.
摘要翻译: 在受信任的操作系统环境中的基于清单的可信代理管理包括接收接收到的执行进程的请求,并为进程设置虚拟内存空间。 此外,访问对应于进程的清单,并且可以基于二进制文件中包括在清单中的指示符限制在虚拟存储器空间中执行多个二进制文件中的哪一个。
-
公开(公告)号:US07577840B2
公开(公告)日:2009-08-18
申请号:US11068007
申请日:2005-02-28
申请人: Paul England , Marcus Peinado , Daniel R. Simon , Josh D. Benaloh
发明人: Paul England , Marcus Peinado , Daniel R. Simon , Josh D. Benaloh
IPC分类号: H04L9/00
CPC分类号: G06F21/57 , G06F21/606
摘要: Transferring application secrets in a trusted operating system environment involves receiving a request to transfer application data from a source computing device to a destination computing device. A check is made as to whether the application data can be transferred to the destination computing device, and if so, whether the application data can be transferred under control of the user or a third party. If these checks succeed, a check is also made as to whether the destination computing device is a trustworthy device running known trustworthy software. Input is also received from the appropriate one of the user or third party to control transferring of the application data to the destination computing device. Furthermore, application data is stored on the source computing device in a manner that facilitates determining whether the application data can be transferred, and that facilitates transferring the application data if it can be transferred.
-
公开(公告)号:US07502471B2
公开(公告)日:2009-03-10
申请号:US11277012
申请日:2006-03-20
申请人: Henrique Malvar , Paul England
发明人: Henrique Malvar , Paul England
IPC分类号: H04N7/167
CPC分类号: H04K1/02 , G11B20/00086 , G11B20/0021 , H04N5/913 , H04N7/1675 , H04N2005/91364
摘要: A scrambling architecture protects data streams in the operating system and hardware components of a computer by scrambling the otherwise raw data prior to the data being handled by the operating system. Scrambled content is passed to a filter graph (or other processing system) where the content is processed while scrambled. A scrambler also generates a random signal based on a first key and a second key. After processing, the scrambled data is passed to a driver for output. A driver may implement a descrambler to detect tone patterns in the content and recovers the first key from varying amplitudes of the tone patterns. The descrambler may also receive the second key via a separate channel and generates the same random signal using the recovered first key and the second key. The descrambler subtracts the tone patterns and the random signal from the scrambled content to restore the content.
摘要翻译: 加扰架构通过在操作系统处理数据之前加扰原始数据来保护计算机的操作系统和硬件组件中的数据流。 加扰的内容被传递到滤波器图(或其他处理系统),其中内容被加扰处理。 加扰器还基于第一密钥和第二密钥生成随机信号。 处理后,将加扰的数据传递给驱动程序进行输出。 驱动器可以实现解扰器来检测内容中的音调模式,并从不同的音调模式的幅度恢复第一个键。 解扰器还可以经由单独的信道接收第二密钥,并使用恢复的第一密钥和第二密钥生成相同的随机信号。 解扰器从加扰的内容中减去音调模式和随机信号以恢复内容。
-
公开(公告)号:US07496769B2
公开(公告)日:2009-02-24
申请号:US11018065
申请日:2004-12-20
申请人: Butler W. Lampson , Paul England
发明人: Butler W. Lampson , Paul England
摘要: An architecture for protecting premium content in a nonsecure computer environment executes only a small number of code modules in a secure memory. The modules are arranged in a hierarchy of trust, where a module names other modules that it is willing to trust, and those modules in turn name other modules that they are willing to trust. A secure loader loads a security manager that oversees a number of content-providing modules for manipulating the content. A memory manager assigns permissions to various pages of the secure memory. The memory has rings of different security. The security model can be extended to program modules and other devices on the computer's bus, such as DMA controllers and peripherals.
摘要翻译: 在非安全计算机环境中保护优质内容的架构仅在安全存储器中执行少量代码模块。 这些模块被布置在信任层级中,其中模块命名它愿意信任的其他模块,而这些模块又命名他们愿意信任的其他模块。 安全加载器加载一个安全管理器,该管理器负责监视用于操纵内容的多个内容提供模块。 内存管理员将权限分配给安全内存的各个页面。 内存具有不同安全性的环。 安全模型可以扩展到计算机总线上的程序模块和其他设备,如DMA控制器和外设。
-
公开(公告)号:US07487365B2
公开(公告)日:2009-02-03
申请号:US10406861
申请日:2003-04-04
申请人: Paul England , Marcus Peinado
发明人: Paul England , Marcus Peinado
CPC分类号: G06F21/6218
摘要: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using a symmetric cipher, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with other aspects, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The integrity of the data is also verified, and the data is decrypted using a symmetric key. The data is returned to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.
-
-
-
-
-
-
-
-
-
搜索结果
208 条记录 (耗时 0.055 秒)
