Abstract:
In the context of computer systems, the generation of preboot passwords at a server instead of at a client. Preferably, preboot passwords generated at the server are distributed to the client, and a process is offered whereby a user can establish his/her own proxy, not known to the server, that can be used to release the stored passwords to the client hardware. Since the passwords are generated at the server, management of the passwords is greatly facilitated since they are generated at the site where they are stored. This also makes it easy to implement management features such as a group policy, since the password generation software will be able to make logical connections between users and hardware.
Abstract:
Methods and arrangements for ensuring that, when a computer system is stolen or otherwise misplaced, the system is rendered unusable (i.e., locked down). Conventional solutions have required software running on the system to perform the lockdown action, but in accordance with at least one preferred embodiment of the present invention, TPM (Trusted Platform Module) and AMT (Active Management Technology) solutions are linked, whereby an AMT arrangement can remove secure data or identifiers so that any encrypted data present on the system will become unusable.
Abstract:
A hard disk drive unit includes a microprocessor programmed to erase data stored within the drive unit if it is determined that a process potentially leading to a misuse of the data stored within the drive unit is occurring, and if secure disposal configuration data stored in nonvolatile storage within the drive indicates that the data is to be erased. Such a process includes initializing the drive unit for operation without providing a password matching a password stored in the drive unit, initializing the drive unit in a system not having CMOS configuration data matching the drive unit, and determining that a failure rate within the drive unit exceeds a threshold level.
Abstract:
Arrangements for employing a system BIOS (basic input/output system) to handle email during a suspended state (such as an “S3” state as will be better understood herebelow). Preferably, the BIOS is employed to “jump” between two suspended images such that, e.g., two more powerful OS's can be employed to manage the mail function.
Abstract:
The invention broadly contemplates a security solution for storage devices that is inexpensive and robust. The invention allows a store of system specific data to be used to release the hard disk key of full-disk encryption (FDE) drives. This system specific data is passed to the FDE drives and used to calculate the actual encryption key. This allows for safe disposal of an FDE drive containing confidential data, as the lack of available system specific decryption data makes decryption virtually impossible.
Abstract:
Hypervisors are a new technology in the industry that enable multiple Operating Systems to co-exist on a single client. The use of a hypervisor provides a novel approach to thermal fan control. The hypervisor is able to fire up a maintenance Operating System on demand or have it running from the powering of the computer. The maintenance Operating System continuously monitors the status of the user Operating System and determines if the system is within the desired fan noise profile by measuring noise levels using means well known in the art. If the system seems to be drifting out of the desired profile, the maintenance Operating System will determine what type of action is required and choose the most appropriate course of action. These actions can be performed by either the maintenance Operating System or the hypervisor, as appropriate.
Abstract:
Arrangements which permit the employment of dedicated user-access management architecture with more than text-based access. Particularly contemplated herein are arrangements for accepting user identifiers that are then communicated to an intermediate user-delineating architecture (i.e., architecture configured for permitting access to encrypted data or sections of a computer on a user-specific basis) in a manner to permit the user-delineating architecture to perform its own task of unlocking data or sections of a computer.
Abstract:
A method for controlling file access on computer systems is disclosed. Initially, a virtual machine manager (VMM) is provided in a computer system. In response to a write request, the VMM determines whether or not a location field is valid. If the location field is not valid, then the VMM writes the write request information to a storage device; but if the location field is valid, then the VMM encrypts the write request information before writing the write request information to the storage device. In response to a read request, the VMM again determines whether or not a location field is valid. If the location field is not valid, then the VMM sends the read request information to a read requester; but, if the location field is valid, then the VMM decrypts the read request information before sending the read request information to the read requester.
Abstract:
An exemplary apparatus includes one or more processors; memory; circuitry configured to hash a value associated with core root of trust measurement code and system management code; store the hash in a secure register; load an operating system; validate a certificate associated with the core root of trust measurement code and validate a certificate associated with the system management code; based on the validated certificates, provide an expected hash associated with the core root of trust measurement code and the system management code; decide if the expected hash matches the hash stored in the register; and, if the expected hash matches the hash stored in the register, commence a dynamic root of trust measurement session. Various other apparatuses, systems, methods, etc., are also disclosed.
Abstract:
A method for providing a secure single sign-on to a computer system is disclosed. Pre-boot passwords are initially stored in a secure storage area of a smart card. The operating system password, which has been encrypted to a blob, is stored in a non-secure area of the smart card. After the smart card has been inserted in a computer system, a user is prompted for a Personal Identification Number (PIN) of the smart card. In response to a correct smart card PIN entry, the blob stored in the non-secure storage area of the smart card is decrypted to provide the operating system password, and the operating system password along with the pre-boot passwords stored in the secure storage area of the smart card are then utilized to log on to the computer system.