公开(公告)号：US09245143B2

公开(公告)日：2016-01-26

申请号：US13370232

申请日：2012-02-09

申请人： Dustin Michael Ingalls ,  Nathan J. Ide ,  Christopher R. Macaulay ,  Octavian T. Ureche ,  Michael J. Grass ,  Sai Vinayak ,  Preston Derek Adam

发明人： Dustin Michael Ingalls ,  Nathan J. Ide ,  Christopher R. Macaulay ,  Octavian T. Ureche ,  Michael J. Grass ,  Sai Vinayak ,  Preston Derek Adam

IPC分类号： G06F21/00 ,  G06F21/62 ,  G06F21/88

CPC分类号： G06F21/6218 ,  G06F21/88 ,  H04L9/0894

摘要： Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a variety of ways, such as by deleting the decryption key, overwriting the encryption key in memory, encrypting the encryption key, and so on. Embodiments enable an occluded decryption key to be recovered via a recovery experience. For example, a recovery experience can include an authentication procedure that requests a recovery password. If a correct recovery password is provided, the occluded decryption key can be provided.

摘要翻译： 描述了为设备数据提供安全策略的技术。 在实现中，设备上的数据以加密形式存储。 为了保护加密的数据不被未经授权的实体解密，如果检测到尝试获得对设备数据的未经授权的访问，技术使解密密钥被遮挡。 在实现中，解密密钥可以以各种方式封闭，例如通过删除解密密钥，覆盖存储器中的加密密钥，加密加密密钥等等。 实施例能够通过恢复体验恢复闭塞的解密密钥。 例如，恢复体验可以包括请求恢复密码的身份验证过程。 如果提供了正确的恢复密码，则可以提供闭塞解密密钥。

公开(公告)号：US20130212367A1

公开(公告)日：2013-08-15

申请号：US13370232

申请日：2012-02-09

申请人： Dustin Michael Ingalls ,  Nathan J. Ide ,  Christopher R. Macaulay ,  Octavian T. Ureche ,  Michael J. Grass ,  Sai Vinayak ,  Preston Derek Adam

发明人： Dustin Michael Ingalls ,  Nathan J. Ide ,  Christopher R. Macaulay ,  Octavian T. Ureche ,  Michael J. Grass ,  Sai Vinayak ,  Preston Derek Adam

IPC分类号： G06F21/24 ,  G06F21/00 ,  G06F9/06

CPC分类号： G06F21/6218 ,  G06F21/88 ,  H04L9/0894

摘要： Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a variety of ways, such as by deleting the decryption key, overwriting the encryption key in memory, encrypting the encryption key, and so on. Embodiments enable an occluded decryption key to be recovered via a recovery experience. For example, a recovery experience can include an authentication procedure that requests a recovery password. If a correct recovery password is provided, the occluded decryption key can be provided.

摘要翻译： 描述了为设备数据提供安全策略的技术。 在实现中，设备上的数据以加密形式存储。 为了保护加密的数据不被未经授权的实体解密，如果检测到尝试获得对设备数据的未经授权的访问，技术使解密密钥被遮挡。 在实现中，解密密钥可以以各种方式封闭，例如通过删除解密密钥，覆盖存储器中的加密密钥，加密加密密钥等等。 实施例能够通过恢复体验恢复闭塞的解密密钥。 例如，恢复体验可以包括请求恢复密码的身份验证过程。 如果提供了正确的恢复密码，则可以提供闭塞解密密钥。

公开(公告)号：US09183415B2

公开(公告)日：2015-11-10

申请号：US13309204

申请日：2011-12-01

申请人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

发明人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

IPC分类号： G06F15/177 ,  G06F1/24 ,  H04L29/06 ,  G06F21/00 ,  G06F7/04 ,  G06F17/30 ,  H04N7/16 ,  G06F12/00 ,  G06F21/78 ,  G06F21/40 ,  G06F21/72 ,  G06F21/73 ,  H04L9/08

CPC分类号： G06F21/78 ,  G06F21/40 ,  G06F21/72 ,  G06F21/73 ,  G06F2221/2107 ,  G06F2221/2129 ,  G06F2221/2141 ,  H04L9/0897 ,  H04L9/32

摘要： Described herein are techniques for regulating access to a portable storage drive, that stores an operating system securely, using information regarding a host machine. In accordance with some of the techniques described herein, when a portable storage drive that stores an operating system securely is to be accessed by a host machine, information regarding the host machine, such as information regarding the hardware of the host machine, may be retrieved and evaluated to determine whether to grant access to the host machine. When the host machine is granted access, the host machine may access secured data stored on the portable storage drive in any suitable manner. In some cases, accessing the secured data may include decrypting the secured data and transferring decrypted data to another storage of the host machine. The decrypted information may include an operating system that is booted by the host machine.

摘要翻译： 这里描述的是使用关于主机的信息来调节对便携式存储驱动器的访问的技术，其存储操作系统。 根据这里描述的一些技术，当主机机器访问存储操作系统的便携式存储驱动器时，可以检索关于主机的信息，例如关于主机的硬件的信息 并进行评估以确定是否授予对主机的访问权限。 当主机被授权访问时，主机可以以任何合适的方式访问存储在便携式存储驱动器上的安全数据。 在某些情况下，访问安全数据可能包括解密安全数据并将解密的数据传送到主机的另一个存储器。 解密的信息可以包括由主机引导的操作系统。

公开(公告)号：US09507964B2

公开(公告)日：2016-11-29

申请号：US13327013

申请日：2011-12-15

申请人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

发明人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

IPC分类号： H04L9/32 ,  G06F21/78 ,  G06F21/40 ,  G06F21/72 ,  G06F21/73 ,  H04L9/08

CPC分类号： G06F21/78 ,  G06F21/40 ,  G06F21/72 ,  G06F21/73 ,  G06F2221/2107 ,  G06F2221/2129 ,  G06F2221/2141 ,  H04L9/0897 ,  H04L9/32

摘要： Described herein are techniques for regulating access to a remote resource using two-factor authentication based on information regarding a host machine of a portable storage drive that stores an operating system that is booted by the host machine. The information regarding the host machine of a portable storage drive may be used as a second factor in a two-factor authentication. Such information regarding the host machine may include, in some embodiments, information retrieved from a secure storage of the host machine, such as from a cryptoprocessor of the host machine. The information may include an identifier for the host machine or may be a user credential pre-provisioned to the host machine to be used in two-factor authentication.

摘要翻译： 这里描述的是基于关于存储由主机引导的操作系统的便携式存储驱动器的主机的信息来使用双因素认证来调节对远程资源的访问的技术。 关于便携式存储驱动器的主机的信息可以用作双因素认证中的第二个因素。 在一些实施例中，关于主机的这种信息可以包括从主机的安全存储器（例如来自主机的密码处理器）检索的信息。 该信息可以包括主机的标识符，或者可以是预先提供给主机以在双因素认证中使用的用户凭证。

公开(公告)号：US20130145440A1

公开(公告)日：2013-06-06

申请号：US13327013

申请日：2011-12-15

申请人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

发明人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

IPC分类号： H04L9/32 ,  G06F21/20

CPC分类号： G06F21/78 ,  G06F21/40 ,  G06F21/72 ,  G06F21/73 ,  G06F2221/2107 ,  G06F2221/2129 ,  G06F2221/2141 ,  H04L9/0897 ,  H04L9/32

摘要： Described herein are techniques for regulating access to a remote resource using two-factor authentication based on information regarding a host machine of a portable storage drive that stores an operating system that is booted by the host machine. The information regarding the host machine of a portable storage drive may be used as a second factor in a two-factor authentication. Such information regarding the host machine may include, in some embodiments, information retrieved from a secure storage of the host machine, such as from a cryptoprocessor of the host machine. The information may include an identifier for the host machine or may be a user credential pre-provisioned to the host machine to be used in two-factor authentication.

摘要翻译： 这里描述的是基于关于存储由主机引导的操作系统的便携式存储驱动器的主机的信息来使用双因素认证来调节对远程资源的访问的技术。 关于便携式存储驱动器的主机的信息可以用作双因素认证中的第二个因素。 在一些实施例中，关于主机的这种信息可以包括从主机的安全存储器（例如来自主机的密码处理器）检索的信息。 该信息可以包括主机的标识符，或者可以是预先提供给主机以在双因素认证中使用的用户凭证。

公开(公告)号：US20130145139A1

公开(公告)日：2013-06-06

申请号：US13309204

申请日：2011-12-01

申请人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

发明人： Preston Derek Adam ,  Sai Vinayak ,  Octavian T. Ureche ,  Stefan Thom ,  Himanshu Soni ,  Nicolae Voicu

IPC分类号： G06F12/14 ,  G06F21/00 ,  H04L9/32 ,  G06F9/00

CPC分类号： G06F21/78 ,  G06F21/40 ,  G06F21/72 ,  G06F21/73 ,  G06F2221/2107 ,  G06F2221/2129 ,  G06F2221/2141 ,  H04L9/0897 ,  H04L9/32

摘要： Described herein are techniques for regulating access to a portable storage drive, that stores an operating system securely, using information regarding a host machine. In accordance with some of the techniques described herein, when a portable storage drive that stores an operating system securely is to be accessed by a host machine, information regarding the host machine, such as information regarding the hardware of the host machine, may be retrieved and evaluated to determine whether to grant access to the host machine. When the host machine is granted access, the host machine may access secured data stored on the portable storage drive in any suitable manner. In some cases, accessing the secured data may include decrypting the secured data and transferring decrypted data to another storage of the host machine. The decrypted information may include an operating system that is booted by the host machine.

摘要翻译： 这里描述的是使用关于主机的信息来调节对便携式存储驱动器的访问的技术，其存储操作系统。 根据这里描述的一些技术，当主机机器访问存储操作系统的便携式存储驱动器时，可以检索关于主机的信息，例如关于主机的硬件的信息 并进行评估以确定是否授予对主机的访问权限。 当主机被授权访问时，主机可以以任何合适的方式访问存储在便携式存储驱动器上的安全数据。 在某些情况下，访问安全数据可能包括解密安全数据并将解密的数据传送到主机的另一个存储器。 解密的信息可以包括由主机引导的操作系统。

公开(公告)号：US08387109B2

公开(公告)日：2013-02-26

申请号：US12256742

申请日：2008-10-23

申请人： Octavian T. Ureche ,  Alex M. Semenko ,  Ping Xie ,  Sai Vinayak

发明人： Octavian T. Ureche ,  Alex M. Semenko ,  Ping Xie ,  Sai Vinayak

IPC分类号： G06F17/00 ,  H04L29/06

CPC分类号： G06F21/6218

摘要： In accordance with one or more aspects, a current security policy for accessing a device or volume of a computing device is identified. A secondary access control state for the device or volume is also identified. An access state for the device is determined based on both the current security policy and the secondary access control state.

摘要翻译： 根据一个或多个方面，识别用于访问计算设备的设备或卷的当前安全策略。 还识别用于设备或卷的辅助访问控制状态。 基于当前的安全策略和次要访问控制状态来确定设备的访问状态。

公开(公告)号：US08838981B2

公开(公告)日：2014-09-16

申请号：US13614612

申请日：2012-09-13

申请人： Octavian T. Ureche ,  Alex M. Semenko ,  Sai Vinayak ,  Carl M. Ellison

发明人： Octavian T. Ureche ,  Alex M. Semenko ,  Sai Vinayak ,  Carl M. Ellison

IPC分类号： H04L9/32 ,  G06F17/00 ,  H04L29/06

CPC分类号： H04L9/3247 ,  H04L63/102 ,  H04L63/126

摘要： A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.

摘要翻译： 通信信道具有关联的信道认证器，其包括信道标识符，识别通信信道的所有者如何指示通信信道的使用策略以及信道标识符和使用策略上的数字签名。 可以由计算设备来验证通信信道的标识符和使用策略，并且通过使用策略来检查计算设备的当前安全策略是否被满足。 至少部分地基于使用策略来满足当前安全策略以及通信信道的标识符和使用策略是否被验证，允许计算设备被允许对通信信道的访问。

公开(公告)号：US20130007463A1

公开(公告)日：2013-01-03

申请号：US13614612

申请日：2012-09-13

申请人： Octavian T. Ureche ,  Alex M. Semenko ,  Sai Vinayak ,  Carl M. Ellison

发明人： Octavian T. Ureche ,  Alex M. Semenko ,  Sai Vinayak ,  Carl M. Ellison

IPC分类号： H04L9/30

CPC分类号： H04L9/3247 ,  H04L63/102 ,  H04L63/126

摘要： A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.

摘要翻译： 通信信道具有关联的信道认证器，其包括信道标识符，识别通信信道的所有者如何指示通信信道的使用策略，以及通过信道标识符和使用策略的数字签名。 可以由计算设备来验证通信信道的标识符和使用策略，并且通过使用策略来检查计算设备的当前安全策略是否被满足。 至少部分地基于使用策略来满足当前安全策略以及通信信道的标识符和使用策略是否被验证，允许计算设备被允许对通信信道的访问。

公开(公告)号：US08296564B2

公开(公告)日：2012-10-23

申请号：US12372476

申请日：2009-02-17

申请人： Octavian T. Ureche ,  Alex M. Semenko ,  Sai Vinayak ,  Carl M. Ellison

发明人： Octavian T. Ureche ,  Alex M. Semenko ,  Sai Vinayak ,  Carl M. Ellison

IPC分类号： H04L9/32 ,  G06F17/00

CPC分类号： H04L9/3247 ,  H04L63/102 ,  H04L63/126

摘要： A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.

摘要翻译： 通信信道具有关联的信道认证器，其包括信道标识符，识别通信信道的所有者如何指示通信信道的使用策略，以及通过信道标识符和使用策略的数字签名。 可以由计算设备来验证通信信道的标识符和使用策略，并且通过使用策略来检查计算设备的当前安全策略是否被满足。 至少部分地基于使用策略来满足当前安全策略以及通信信道的标识符和使用策略是否被验证，允许计算设备被允许对通信信道的访问。