Backup and restore in a secure appliance with integrity and confidentiality
    51.
    Invention application
    Backup and restore in a secure appliance with integrity and confidentiality (in force)

    Publication number: US20140068258A1

    Publication date: 2014-03-06

    Application number: US13604427

    Filing date: 2012-09-05

    Applicant: Ching-Yun Chao

    Inventor: Ching-Yun Chao

    IPC classification: H04L29/06

    Abstract: A cloud deployment appliance includes a key stored internally and that is used during restore to decrypt encrypted backup images. That key is not available to an administrator of the appliance; instead, the administrator receives a “value” that has been generated externally to the appliance and, in particular, by applying a public key of a public key pair to the key. The value is possessed by the administrator, but it does not expose the key. Upon a given occurrence, such as a disk failure in the appliance, the administrator uses the value to “obtain” the key, which is then used to restore an encrypted backup image. The key is obtained by having the administrator provide the value to an entity, e.g., the appliance manufacturer, who then recovers the key for the administrator (by applying the private key of the public key pair).

    Integrated security roles
    53.
    Granted invention patent
    Integrated security roles (in force)

    Publication number: US08572694B2

    Publication date: 2013-10-29

    Application number: US12049139

    Filing date: 2008-03-14

    IPC classification: H04L29/06

    CPC classification: H04L63/102 G06F21/6236

    Abstract: An approach to handling integrated security roles is presented. An upstream application includes one or more role-mapping requirements that correspond to an upstream security role and a downstream security role. The upstream security role is expanded by adding an upstream security role identifier in a downstream application's role-mapping table or by adding upstream user-to-role mappings to a downstream application's role-mapping table. When an upstream security role is expanded, a user assigned to the upstream security role automatically has access to role-mapped downstream applications.

    Using a portable computing device as a smart key device
    54.
    Granted invention patent
    Using a portable computing device as a smart key device (in force)

    Publication number: US08112628B2

    Publication date: 2012-02-07

    Application number: US12348475

    Filing date: 2009-01-05

    IPC classification: H04L9/00

    Abstract: A first data processing system, which includes a first cryptographic device, is communicatively coupled with a second data processing system, which includes a second cryptographic device. The cryptographic devices then mutually authenticate themselves. The first cryptographic device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the second data processing system. The second cryptographic device stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the first data processing system. In response to successfully performing the mutual authentication operation between the two cryptographic systems, the first data processing system is enabled to invoke sensitive cryptographic functions on the first cryptographic device while the first data processing system remains communicatively coupled with the second data processing system.

    Method for using a compact disk as a smart key device
    55.
    Granted invention patent
    Method for using a compact disk as a smart key device (in force)

    Publication number: US07908492B2

    Publication date: 2011-03-15

    Application number: US12118785

    Filing date: 2008-05-12

    IPC classification: H04L29/06 G06F17/30

    Abstract: A data processing method accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit.

    Method and system for protecting master secrets using smart key devices
    56.
    Granted invention patent
    Method and system for protecting master secrets using smart key devices (in force)

    Publication number: US07849326B2

    Publication date: 2010-12-07

    Application number: US10753818

    Filing date: 2004-01-08

    Applicant: Ching-Yun Chao

    Inventor: Ching-Yun Chao

    IPC classification: G06F11/30 G06F12/14

    Abstract: A data processing system accepts a removable hardware device, which becomes electrically engaged with a system unit within the data processing system, after which the removable hardware device and the hardware security unit mutually authenticate themselves. The removable hardware device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable hardware device. In response to successfully performing the mutual authentication operation between the removable hardware device and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable hardware device remains electrically engaged with the system unit.

    Application server object-level security for distributed computing domains
    57.
    Granted invention patent
    Application server object-level security for distributed computing domains (in force)

    Publication number: US07810132B2

    Publication date: 2010-10-05

    Application number: US12123693

    Filing date: 2008-05-20

    CPC classification: G06F21/31

    Abstract: Objects on application servers are distributed to one or more application servers; a user is allowed to declare in a list which objects residing on each application server are to be protected; the list is read by an interceptor; responsive to exportation of a Common Object Request Broker Architecture (“CORBA”) compliant Interoperable Object Reference (“IOR”) for a listed object, the interceptor associates one or more application server security flags with interfaces to the listed objects by tagging components of the IOR with one or more security flags; and one or more security operations are performed by an application server according to the security flags tagged to the IOR when a client accesses an application server-stored object, the security operations including an operation besides establishing secure communications between the client process and the server-stored object.

    Error detection protocol
    58.
    Granted invention patent
    Error detection protocol (in force)

    Publication number: US07756830B1

    Publication date: 2010-07-13

    Application number: US09282907

    Filing date: 1999-03-31

    IPC classification: G06F17/30

    Abstract: A method and apparatus for providing a recent set of replicas for a cluster data resource within a cluster having a plurality of nodes. Each of the nodes having a group services client with membership and voting services. The method of the present invention concerns broadcasting a data resource open request to the nodes of the cluster, determining a recent replica of the cluster data resource among the nodes, and distributing the recent replica to the nodes of the cluster. The apparatus of the present invention is for providing a recent set of replicas for a cluster data resource. The apparatus has a cluster having a plurality of nodes in a peer relationship, each node has an electronic memory for storing a local replica of the cluster data resource. A group services client, which is executable by each node of the cluster, has cluster broadcasting and cluster voting capability. A database conflict resolution protocol (“DCRP”), which is executable by each node of the cluster, interacts with the group services clients such that the DCRP broadcasts to the nodes a data resource modification request having a data resource identifier and a timestamp. The DCRP determines a recent replica of the cluster data resource among the nodes with respect to the timestamp of the broadcast data resource modification request relative to a local timestamp associated with the data resource identifier, and distributes the recent replica of the cluster data resource to each node of the plurality of nodes.

    Method and system for establishing a trust framework based on smart key devices
    59.
    Granted invention patent
    Method and system for establishing a trust framework based on smart key devices (in force)

    Publication number: US07711951B2

    Publication date: 2010-05-04

    Application number: US10753820

    Filing date: 2004-01-08

    Applicant: Ching-Yun Chao

    Inventor: Ching-Yun Chao

    IPC classification: H04L29/06

    Abstract: A mechanism is provided for securing cryptographic functionality within a host system such that it may only be used when a system administrator physically allows it via a hardware security token. In addition, a hardware security unit is integrated into a data processing system, and the hardware security unit acts as a hardware certificate authority. The hardware security unit may be viewed as supporting a trust hierarchy or trust framework within a distributed data processing system. The hardware security unit can sign software that is installed on the machine that contains the hardware security unit. Server processes that use the signed software that is run on the machine can establish mutual trust relationships with the hardware security unit and amongst the other server processes based on their common trust of the hardware security unit.

    Method for Using a Compact Disk as a Smart Key Device
    60.
    Invention application
    Method for Using a Compact Disk as a Smart Key Device (in force)

    Publication number: US20090327763A1

    Publication date: 2009-12-31

    Application number: US12118785

    Filing date: 2008-05-12

    IPC classification: G06F11/30

    Abstract: A data processing method accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit.
