Abstract:
Embodiments of methods, systems, and storage media associated with providing access to encrypted data for authorized users are disclosed herein. In one instance, the method may include obtaining a derived value for an authenticated user based on user personalization data of the authenticated user, and generating a user-specific encryption key based on the derived value. The derived value may have entropy in excess of a predetermined level. The user-specific encryption key may enable the authenticated user to access the encrypted data stored at the storage device. Other embodiments may be described and/or claimed.
Abstract:
A method for controlling access to information includes sending a request from an identity requester to an identity provider through an over-the-air (OTA) link. Data received from the identity provider in response to the request includes information used to establish a first identity of a user for a first service. The first identity information is received during a Sigma session, and a second identity of the user is established for a second service based on the received first identity information. The user may be a user of a mobile communication terminal or other device, which is to receive the first and second services.
Abstract:
In an embodiment a single user authentication event, performed between a trusted path hardware module and a service provider via an out of band communication, can enable a user to transparently access multiple service providers using strong credentials that are specific to each service provider. The authentication event may be based on multifactor authentication that is indicative of a user's actual physical presence. Thus, for example, a user would not need to enter a different retinal scan to gain access to each of the service providers. Other embodiments are described herein.
Abstract:
In an embodiment, the present invention includes a method for receiving a request for user authentication of a system, displaying an authentication image on a display of the system using a set of random coordinates, receiving a plurality of gesture input values from the user, and determining whether to authenticate the user based at least in part on the plurality of gesture input values. Other embodiments are described and claimed.
Abstract:
A processing system with a trusted platform module (TPM) supports migration of digital keys. For instance, an application in the processing system may create a first configuration key as a child of a TPM storage root key (SRK) when the processing system has a first configuration. The application may also create an upgradable root user key associated with an upgrade authority as a child of the first configuration key. The application may also create a user key as a child of the upgradable root user key. When the processing system has a second configuration, the application may create a second configuration key as a child of the SRK. The application may request migration approval from the upgrade authority. In response to receiving the approval from the upgrade authority, the application may migrate the root user key to be a child of the second configuration key. Other embodiments are described and claimed.
Abstract:
Embodiments of the inventions are generally directed to methods, apparatuses, and systems for the dynamic evaluation and delegation of network access control. In an embodiment, a platform includes a switch to control a network connection and an endpoint enforcement engine coupled with the switch. The endpoint enforcement engine may be capable of dynamically switching among a number of network access control modes responsive to an instruction received from the network connection.
Abstract:
A network security handshake exchange for combining user and platform authentication. The security handshake exchange performs operations on a pre-master secret to increase identity verification and security. The pre-master secret is augmented and authenticated with platform identity and user identity credentials of one endpoint. A second phase of exchanges may include exchange of a master secret that is the pre-master secret modified with platform identity and user identity of the other endpoint.
Abstract:
A security protocol for combining user and platform authentication. The security protocol includes a first handshake phase to issue attestation identity credentials, and a second handshake phase to authenticate based on the attestation identity credentials issued in the first handshake phase. The security protocol also includes a session resumption phase to resume a previous session.
Abstract:
In an embodiment, a method includes authenticating a computing device and a different entity for a session of communication between the computing device and the different entity. The authenticating includes generating a hash of a value selected from the group consisting of an encrypted attribute associated with the computing device and stored in the computing device, and the identification of the session stored in a protected storage within the computing device. The authenticating also includes encrypting a random number based on the hash. The authenticating further includes transmitting the encrypted random number to the different entity.
Abstract:
A system for controlling integrity measurement of an un-trusted system component on a client system includes a trusted management utility configured to measure the integrity of the un-trusted system component, a trusted fixed token resident on the client system, and a trusted registration service. The trusted registration service creates a signed hash of the trusted management utility software and stores the signed hash of the trusted management utility software in the trusted fixed token. The trusted registration service creates a security domain and stores the security domain in the trusted fixed token. The trusted fixed token creates a signed hash of the trusted management utility software and the security domain, and securely communicates the signed hash of the trusted management utility software and the security domain to the trusted registration service. The trusted management utility software is installed on the client system and executed to gather integrity measurements on the un-trusted system component. A hash of the un-trusted system component and the trusted management utility software is created and stored in the trusted fixed token. This data may be combined with the security domain. The hash of the un-trusted system component, the trusted management utility software, and the security domain may be interrogated by the trusted registration service to verify the integrity of the un-trusted system component.