AUTHENTICATION SYSTEM USING WEARABLE DEVICE
    1.
    Invention application
    Status: in force

    Publication (announcement) number: US20150070134A1

    Publication (announcement) date: 2015-03-12

    Application number: US14479604

    Application date: 2014-09-08

    Abstract: A wearable device (“WD”) stores a token after its wearer completes a successful strong authentication on a primary protected device (“primary PD”). Other protected devices (“secondary PDs”) recognize the stored token as representing a strong authentication and grant the user access while the user continues to wear the WD within a “digital leash-length” proximity. The WD constantly monitors whether the user continues to wear the device. Upon sensing that the user has removed the WD, the WD deletes, disables, or invalidates the token. The user must then repeat the strong authentication to gain further access to the protected devices.

    Continuous authentication confidence module
    3.
    Invention grant
    Status: in force

    Publication (announcement) number: US09160730B2

    Publication (announcement) date: 2015-10-13

    Application number: US13994016

    Application date: 2013-03-15

    Abstract: Generally, this disclosure describes a continuous authentication confidence module. A system may include a user device including processor circuitry configured to determine presence data; a confidence factor including at least one of a sensor configured to capture sensor input and a system monitoring module configured to monitor activity of the user device; memory configured to store a confidence score and an operating system; and a continuous authentication confidence module configured to determine the confidence score in response to an initial authentication of a specific user, update the confidence score based, at least in part, on an expectation of user presence and/or selected presence data, and notify the operating system that the authentication is no longer valid if the updated confidence score is within a tolerance of a session close threshold; the initial authentication configured to open a session, the confidence score configured to indicate a current strength of authentication during the session.

    Privacy enhanced key management for a web service provider using a converged security engine
    4.
    Invention grant
    Status: in force

    Publication (announcement) number: US09064109B2

    Publication (announcement) date: 2015-06-23

    Application number: US13721760

    Application date: 2012-12-20

    Abstract: In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.

    TECHNOLOGIES FOR SECURE STORAGE AND USE OF BIOMETRIC AUTHENTICATION INFORMATION
    5.
    Invention application
    Status: in force

    Publication (announcement) number: US20140282945A1

    Publication (announcement) date: 2014-09-18

    Application number: US13995247

    Application date: 2013-03-15

    CPC classification number: H04L63/06 G06F21/32 G06F21/62 G06F21/78 H04L63/0861

    Abstract: Generally, this disclosure describes technologies for securely storing and using biometric authentication information, such as biometric reference templates. In some embodiments, the technologies include a client device that stores one or more biometric reference templates in a memory thereof. The client device may transfer such templates to an authentication device. The transfer may be conditioned on verification that the authentication device includes a suitable protected environment for the templates and will execute an acceptable temporary storage policy. The technologies may also include an authentication device that is configured to temporarily store biometric reference templates received from a client device in a protected environment thereof. Upon completion of biometric authentication or the occurrence of a termination event, the authentication devices may delete the biometric reference templates from the protected environment.

    Mechanism for facilitating dynamic context-based access control of resources

    Publication (announcement) number: US10484378B2

    Publication (announcement) date: 2019-11-19

    Application number: US15098524

    Application date: 2016-04-14

    Abstract: A mechanism is described for facilitating context-based access control of resources according to one embodiment. A method of embodiments, as described herein, includes receiving a first request to access a resource of a plurality of resources. The first request may be associated with one or more contexts corresponding to a user placing the first request at a computing device. The method may further include evaluating the one or more contexts. The evaluation of the one or more contexts may include matching the one or more contexts with one or more access policies associated with the requested resource. The method may further include accepting the first request if the one or more contexts satisfy at least one of the access policies.

    Liveness Detection for User Authentication
    7.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: US20160092665A1

    Publication (announcement) date: 2016-03-31

    Application number: US14499138

    Application date: 2014-09-27

    CPC classification number: G06F21/35 G06F21/32 G06F2221/2133 H04W12/06

    Abstract: An initial authentication of a user, if successful, causes a token to be stored on, and presented from, a wearable device (WD). The WD continually monitors one or more of the wearer's vital signs to confirm that (1) the WD is being worn by a living person rather than an inanimate simulacrum, and (2) the WD is still worn by the same person who underwent the authentication. The token can be read by a token-reader on at least one protected device (PD). If the token is valid, its presentation serves as authentication and the token-reader grants the user access to the PD. If the WD vital-sign signal is interrupted when the user removes the WD, the WD stops presenting the token and can no longer be used to access a PD.

    Privacy enhanced key management for a web service provider using a converged security engine

    Publication (announcement) number: US10097350B2

    Publication (announcement) date: 2018-10-09

    Application number: US15423975

    Application date: 2017-02-03

    Abstract: In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.

    Technologies for secure storage and use of biometric authentication information

    Publication (announcement) number: US10009327B2

    Publication (announcement) date: 2018-06-26

    Application number: US15451600

    Application date: 2017-03-07

    CPC classification number: H04L63/06 G06F21/32 G06F21/62 G06F21/78 H04L63/0861

    Abstract: Generally, this disclosure describes technologies for securely storing and using biometric authentication information, such as biometric reference templates. In some embodiments, the technologies include a client device that stores one or more biometric reference templates in a memory thereof. The client device may transfer such templates to an authentication device. The transfer may be conditioned on verification that the authentication device includes a suitable protected environment for the templates and will execute an acceptable temporary storage policy. The technologies may also include an authentication device that is configured to temporarily store biometric reference templates received from a client device in a protected environment thereof. Upon completion of biometric authentication or the occurrence of a termination event, the authentication devices may delete the biometric reference templates from the protected environment.
