Techniques for authenticated posture reporting and associated enforcement of network access
    2.
    发明申请
    Techniques for authenticated posture reporting and associated enforcement of network access 有权
    用于认证状态报告和网络访问相关实施的技术

    公开(公告)号:US20100107224A1

    公开(公告)日:2010-04-29

    申请号:US12655024

    申请日:2009-12-22

    IPC分类号: G06F17/00

    摘要: Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

    摘要翻译: 允许固件代理在主机平台上作为防篡改代理操作的体系结构和技术,可在主机平台上用作受信任的策略执行点(PEP),即使主机操作系统受到威胁也可执行策略。 PEP可用于在主机平台上打开访问控制和/或修复通道。 固件代理还可以根据授权的企业PDP实体在主机平台上作为本地策略决策点(PDP),通过在主机信任代理不响应时提供策略,并且当主机信任时可以用作被动代理 代理功能。

    Extensible pre-boot authentication
    3.
    发明申请
    Extensible pre-boot authentication 有权
    可扩展的预引导认证

    公开(公告)号:US20090319806A1

    公开(公告)日:2009-12-24

    申请号:US12214830

    申请日:2008-06-23

    IPC分类号: H04L9/32 G06F12/14

    CPC分类号: G06F21/575

    摘要: In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a full disk encryption disk in a pre-boot environment, executing the PBA using a chipset to obtain user credential information, authorizing the user based on the user credential information and stored credential information, and storing the user credential information in a PBA metadata region of the disk. Other embodiments are described and claimed.

    摘要翻译: 在一个实施例中,本发明包括一种用于在预引导环境中从全盘加密盘获得预引导认证(PBA)图像的方法,使用芯片组执行PBA以获得用户凭证信息,授权用户 关于用户凭证信息和存储的凭证信息,以及将用户凭证信息存储在盘的PBA元数据区域中。 描述和要求保护其他实施例。

    DATA VERIFICATION USING ENCLAVE ATTESTATION
    6.
    发明申请
    DATA VERIFICATION USING ENCLAVE ATTESTATION 有权
    使用ENCLAVE ATTESTATION进行数据验证

    公开(公告)号:US20160092700A1

    公开(公告)日:2016-03-31

    申请号:US14496056

    申请日:2014-09-25

    IPC分类号: G06F21/64 G06F21/56 G06F21/62

    摘要: Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.

    摘要翻译: 本文所述的特定实施例提供了一种电子设备,其可以被配置为在电子设备中的飞地处接收不受信任的输入数据,将不受信任的输入数据与飞地的至少一部分隔离,将不可信数据的至少一部分传达到 使用认证通道的完整性验证模块,以及从完整性验证模块接收不可信输入数据的数据完整性验证。 完整性验证模块可以执行数据完整性认证功能,以验证不可信数据,数据完整性认证功能包括数据认证策略和白名单。

    INTRODUCTION OF DISCRETE ROOTS OF TRUST
    7.
    发明申请
    INTRODUCTION OF DISCRETE ROOTS OF TRUST 有权
    介绍信托的分歧

    公开(公告)号:US20140095876A1

    公开(公告)日:2014-04-03

    申请号:US13629887

    申请日:2012-09-28

    IPC分类号: H04L9/32

    摘要: Systems and methods may provide introducing a first root of trust on a platform to a second root of trust on the same platform. In one example, the method may include using an authenticated code module to transfer a first encryption key from a first root of trust on a platform to a second root of trust on the platform, receiving a challenge response from the first root of trust at the second root of trust, and using the first encryption key to verify the challenge response

    摘要翻译: 系统和方法可以提供将平台上的第一信任根引入同一平台上的第二信任根。 在一个示例中,该方法可以包括使用经认证的代码模块将第一加密密钥从平台上的第一信任根传递到平台上的第二信任根,在第一根信任根源处接收挑战响应 第二个信任根,并使用第一个加密密钥验证挑战响应

    Methods and apparatus to perform associated security protocol extensions
    8.
    发明授权
    Methods and apparatus to perform associated security protocol extensions 有权
    执行相关安全协议扩展的方法和装置

    公开(公告)号:US08356175B2

    公开(公告)日:2013-01-15

    申请号:US11170528

    申请日:2005-06-29

    IPC分类号: H04L29/06

    摘要: Methods and apparatus to perform associated extensions for negotiated channel security protocols are disclosed. A disclosed method to extend a security protocol comprises exchanging identifying information between a first and a second endpoint, determining a secret based on the exchanged identifying information, determining a first master secret based on the determined secret and a second master secret determined in a prior protocol exchange block, and deriving a session key based on the first master secret.

    摘要翻译: 公开了为协商的信道安全协议执行相关扩展的方法和装置。 一种公开的扩展安全协议的方法包括交换第一和第二端点之间的识别信息,基于所交换的识别信息确定秘密,基于所确定的秘密确定第一主密钥,以及在先前协议中确定的第二主密钥 交换块,并且基于第一主密钥导出会话密钥。

    Data encryption and/or decryption by integrated circuit
    9.
    发明授权
    Data encryption and/or decryption by integrated circuit 有权
    集成电路进行数据加密和/或解密

    公开(公告)号:US08300825B2

    公开(公告)日:2012-10-30

    申请号:US12164663

    申请日:2008-06-30

    IPC分类号: H04L9/00

    摘要: In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or and decrypting, based at least in part upon a first key, data to be, in at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.

    摘要翻译: 在一个实施例中,提供了一种装置,其可以包括可移除地通信地耦合到至少一个存储装置的集成电路。 该实施例的集成电路可以至少部分地基于第一密钥来加密和/或解密数据,该数据至少部分地存储在和/或分别从至少一个 所述至少一个存储设备的区域。 所述至少一个区域和第二密钥可以至少部分由管理员授权的至少一个访问权限相关联。 至少部分地,第二密钥可以存储在至少一个存储设备的外部。 至少部分地,至少部分地基于涉及第二密钥的至少一个操作可获得第一密钥。 当然,在不脱离本实施例的情况下,许多替代,修改和变化是可能的。

    Enforcing use of chipset key management services for encrypted storage devices
    10.
    发明授权
    Enforcing use of chipset key management services for encrypted storage devices 有权
    为加密存储设备强制使用芯片组密钥管理服务

    公开(公告)号:US08281135B2

    公开(公告)日:2012-10-02

    申请号:US13324032

    申请日:2011-12-13

    申请人: Ned Smith

    发明人: Ned Smith

    CPC分类号: G06F21/6218

    摘要: A method, system, and computer-readable storage medium containing instructions for controlling access to data stored on a plurality of storage devices associated with a first platform. The method includes authenticating a user to access the first platform, wherein the first platform includes first and second storage devices, chipset encryption hardware, and a memory. Data stored on the storage devices are encrypted, with first data on the first storage device being encrypted by the chipset encryption hardware and second data stored on the second storage device being encrypted by another encryption mechanism. The data are decrypted and the user is allowed to access the first data and the second data.

    摘要翻译: 一种包含用于控制对存储在与第一平台相关联的多个存储设备上的数据的访问的指令的方法,系统和计算机可读存储介质。 该方法包括认证用户访问第一平台,其中第一平台包括第一和第二存储设备,芯片组加密硬件和存储器。 存储在存储设备上的数据被加密,第一存储设备上的第一数据由芯片组加密硬件加密,并且存储在第二存储设备上的第二数据被另一加密机制加密。 数据被解密,并且允许用户访问第一数据和第二数据。