Controlling access to data within encrypted copies of files using salt parameters
    1.
    Granted invention patent
    Status: Active

    Publication number: US08751804B1

    Publication date: 2014-06-10

    Application number: US13173448

    Application date: 2011-06-30

    IPC classification: H04L29/06

    Abstract: A technique controls access to a file. The technique involves creating a file encryption key based on (i) a user input parameter (e.g., a user password) from a user of the client device and (ii) an automatically generated salt parameter (e.g., a random number). The technique further involves encrypting the file using the file encryption key to form an encrypted copy of the file, and providing the salt parameter to an external storage system to externally store the salt parameter. Access to data within the encrypted copy of the file requires the salt parameter provided to the external storage system.

    Trusted execution environment virtual machine cloning
    2.
    Granted invention patent
    Status: Active

    Publication number: US08954965B2

    Publication date: 2015-02-10

    Application number: US13566250

    Application date: 2012-08-03

    IPC classification: G06F9/455

    CPC classification: G06F21/53

    Abstract: Cloning of a virtual machine having a trusted executed environment such as a software-based trusted platform module. In order to clone the virtual machine, the virtual machine state of the source virtual machine is copied to formulate a target virtual machine state that is to be associated with a target virtual machine. The target virtual machine is a clone of the source virtual machine state, and thus the storage hierarchy of the trusted execution environment may be the same for the trusted execution environment in the source and target virtual machine states. However, because the identity of the target virtual machine is different than that of the source virtual machine, the endorsement hierarchy of the target virtual machine state is altered such that it is based on the identity of the target virtual machine, rather than the source virtual machine.

    Dynamic knowledge-based user authentication without need for presentation of predetermined credential

    Publication number: US09674177B1

    Publication date: 2017-06-06

    Application number: US12333385

    Application date: 2008-12-12

    Applicant: Magnus Nyström

    Inventor: Magnus Nyström

    IPC classification: G06F17/30 H04L29/06

    Abstract: A personal computing device, server or other type of processing device authenticates a user attempting to access a protected resource by verifying user knowledge of one or more extracted characteristics of stored information indicative of an internal operating state of that resource. The one or more extracted characteristics are characteristics that would likely be known to the user if that user had made one or more previous authenticated accesses to the protected resource. For example, the extracted characteristics may be indicative of a manner in which the user had utilized the protected resource during the one or more previous authenticated accesses to the protected resource. The processing device receives input from the user regarding the one or more extracted characteristics, and grants or denies access to the protected resource based at least in part on the input received from the user.

    TRUSTED EXECUTION ENVIRONMENT VIRTUAL MACHINE CLONING
    4.
    Invention patent application
    Status: Active

    Publication number: US20140040890A1

    Publication date: 2014-02-06

    Application number: US13566250

    Application date: 2012-08-03

    IPC classification: G06F9/455

    CPC classification: G06F21/53

    Abstract: Cloning of a virtual machine having a trusted executed environment such as a software-based trusted platform module. In order to clone the virtual machine, the virtual machine state of the source virtual machine is copied to formulate a target virtual machine state that is to be associated with a target virtual machine. The target virtual machine is a clone of the source virtual machine state, and thus the storage hierarchy of the trusted execution environment may be the same for the trusted execution environment in the source and target virtual machine states. However, because the identity of the target virtual machine is different than that of the source virtual machine, the endorsement hierarchy of the target virtual machine state is altered such that it is based on the identity of the target virtual machine, rather than the source virtual machine.

    GLOBALLY VALID MEASURED OPERATING SYSTEM LAUNCH WITH HIBERNATION SUPPORT
    5.
    Invention patent application
    Status: Active

    Publication number: US20120110644A1

    Publication date: 2012-05-03

    Application number: US12938363

    Application date: 2010-11-02

    IPC classification: H04L9/32 G06F15/16 G06F21/00

    Abstract: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.

    Authentication method and apparatus utilizing proof-of-authentication module
    6.
    Granted invention patent
    Status: Active

    Publication number: US07562221B2

    Publication date: 2009-07-14

    Application number: US11530998

    Application date: 2006-09-12

    IPC classification: H04L9/32

    Abstract: A single sign-on technique allows multiple accesses to one or more applications or other resources using a proof-of-authentication module operating in conjunction with a standard authentication component. The application or other resource issues an authentication information request to the standard authentication component responsive to an access request from the user. The application or other resource receives, responsive to the authentication information request, a proof-of-authentication value from the standard authentication component, and authenticates the user based on the proof-of-authentication value. The standard authentication component interacts with the proof-of-authentication module to obtain the proof-of-authentication value. The proof-of-authentication module is configured to generate multiple proof-of-authentication values for authentication of respective access requests of the user.

    Data protection using virtual-machine-specific stable system values
    7.
    Granted invention patent
    Status: Active

    Publication number: US08826033B1

    Publication date: 2014-09-02

    Application number: US12644195

    Application date: 2009-12-22

    IPC classification: G06F21/22

    CPC classification: G06F21/53 G06F21/554

    Abstract: A virtual machine on a physical host computer provides controlled access to protected data by creating and storing a “stored system fingerprint” from stable system values (SSVs) as existing when creating the stored system fingerprint. The SSVs include virtual-machine-specific values that change upon cloning the virtual machine (VM) but do not change upon migration of the VM. Upon a request for access to the protected data, a current system fingerprint is calculated from the SSVs as existing when processing the request, the current system fingerprint is compared to the stored system fingerprint to determine whether there is a predetermined degree of matching, and the requested access to the protected data is permitted only if there is the predetermined degree of matching.

    Secure seed generation protocol
    8.
    Granted invention patent
    Status: Active

    Publication number: US07979707B2

    Publication date: 2011-07-12

    Application number: US10549542

    Application date: 2004-07-09

    IPC classification: H04L9/32 H04L9/12

    Abstract: Techniques for secure generation of a seed for use in performing one or more cryptographic operations, utilizing a seed generation protocol carried out by a seed generation client (110c) and a seed generation server (110s). The seed generation server (110s) provides a first string to the seed generation client (110c). The seed generation client (110c) generates a second string, encrypts the second string utilizing a key (216), and sends the encrypted second string to the seed generation server (110s). The seed generation client (110c) generates the seed as a function of at least the first string and the second string. The seed generation server (110s) decrypts the encrypted second string (222) and independently generates the seed as a function of at least the first string and the second string.

    Globally valid measured operating system launch with hibernation support
    10.
    Granted invention patent
    Status: Active

    Publication number: US08627464B2

    Publication date: 2014-01-07

    Application number: US12938363

    Application date: 2010-11-02

    IPC classification: G06F12/14

    Abstract: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.
