公开(公告)号：US07024555B2

公开(公告)日：2006-04-04

申请号：US10043843

申请日：2001-11-01

申请人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock ,  Gilbert Neiger ,  Richard A. Uhlig ,  Bradley G. Burgess ,  David I. Poisner ,  Clifford D. Hall ,  Andy Glew ,  Lawrence O. Smith, III ,  Robert George

发明人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock ,  Gilbert Neiger ,  Richard A. Uhlig ,  Bradley G. Burgess ,  David I. Poisner ,  Clifford D. Hall ,  Andy Glew ,  Lawrence O. Smith, III ,  Robert George

IPC分类号： G06F1/26

CPC分类号： G06F21/57

摘要： An apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment are described. The method includes disregarding a received load secure region instruction when a currently active load secure region operation is detected. Otherwise, a memory protection element is directed, in response to the received load secure region instruction, to form a secure memory environment. Once directed, unauthorized read/write access to one or more protected memory regions are prohibited. Finally, a cryptographic hash value of the one or more protected memory regions is stored within a digest information repository as a secure software identification value. Once stored, outside agents may request access to a digitally signed software identification value in order to establish security verification of secure software within the secure memory environment.

公开(公告)号：US07921293B2

公开(公告)日：2011-04-05

申请号：US11340181

申请日：2006-01-24

申请人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock ,  Gilbert Neiger ,  Richard A. Uhlig ,  Bradley G. Burgess ,  David I. Poisner ,  Clifford D. Hall ,  Andy Glew ,  Lawrence O. Smith, III ,  Robert George

发明人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock ,  Gilbert Neiger ,  Richard A. Uhlig ,  Bradley G. Burgess ,  David I. Poisner ,  Clifford D. Hall ,  Andy Glew ,  Lawrence O. Smith, III ,  Robert George

IPC分类号： H04L9/00 ,  G06F21/00

CPC分类号： G06F21/57

摘要： An apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment are described. The method includes disregarding a received load secure region instruction when a currently active load secure region operation is detected. Otherwise, a memory protection element is directed, in response to the received load secure region instruction, to form a secure memory environment. Once directed, unauthorized read/write access to one or more protected memory regions are prohibited. Finally, a cryptographic hash value of the one or more protected memory regions is stored within a digest information repository as a secure software identification value. Once stored, outside agents may request access to a digitally signed software identification value to establish security verification of secure software within the secure memory environment.

摘要翻译： 描述了在多处理器环境内单方面加载安全操作系统的装置和方法。 该方法包括当检测到当前活动的负载安全区域操作时忽略接收的负载安全区域指令。 否则，响应于接收到的负载安全区域指令，引导存储器保护元件以形成安全存储器环境。 一旦定向，就禁止对一个或多个受保护的存储器区域进行未经授权的读/写访问。 最后，一个或多个受保护的存储器区域的加密散列值作为安全的软件识别值存储在摘要信息库中。 一旦存储，外部代理可以请求访问数字签名的软件标识值以建立安全存储器环境内的安全软件的安全验证。

公开(公告)号：US08386788B2

公开(公告)日：2013-02-26

申请号：US12615475

申请日：2009-11-10

申请人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock

发明人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock

IPC分类号： H04L29/06

CPC分类号： G06F9/45533 ,  G06F9/445 ,  G06F21/57 ,  G06F21/575 ,  G06F2009/45583 ,  G06F2009/45587

摘要： A method and apparatus is provided for securing a region in a memory of a computer. According to one embodiment, the method comprises halting of all but one of a plurality of processors in a computer. The halted processors entering into a special halted state. Content is loaded into the region only after the halting of all but the one of the plurality of processors and the region is protected from access by the halted processors. The method further comprises placing the non-halted processor into a known privileged state, and causing the halted processors to exit the halted state after the non-halted processor has been placed into the known privileged state.

摘要翻译： 提供了一种用于将区域固定在计算机的存储器中的方法和装置。 根据一个实施例，该方法包括在计算机中停止多个处理器中的所有处理器中的所有处理器。 停止的处理器进入特殊的停止状态。 只有在除了多个处理器中的一个处理器之外的所有处理器停止之后，内容被加载到该区域中，并且该区域被保护以免被暂停的处理器访问。 该方法还包括将非暂停处理器置于已知特权状态，并且在非停止处理器已经被置于已知特权状态之后使得暂停的处理器退出停止状态。

公开(公告)号：US08407476B2

公开(公告)日：2013-03-26

申请号：US12615519

申请日：2009-11-10

申请人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock

发明人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock

IPC分类号： H04L29/06

CPC分类号： G06F9/45533 ,  G06F9/445 ,  G06F21/57 ,  G06F21/575 ,  G06F2009/45583 ,  G06F2009/45587

摘要： An article of manufacture is provided for securing a region in a memory of a computer. According to one embodiment, the article of manufacture comprises a machine-accessible medium including data that, when accessed by a machine, causes the machine to: halt all but one of a plurality of processing elements in a computer, where the halted processing elements enter into a special halted state; load content into the region only after the halting of all but the one of the plurality of processing elements and the region is protected from access by the halted processing elements; place the non-halted processing element into a known privileged state; and cause the halted processing elements to exit the halted state after the non-halted processing element has been placed into the known privileged state.

摘要翻译： 提供了一种用于将区域固定在计算机的存储器中的制造物品。 根据一个实施例，制品包括机器可访问介质，其包括当由机器访问时使机器停止计算机中的多个处理元件中除了一个处理元件之外的所有其中停止的处理元件进入的数据 进入特殊的停止状态; 只有在除了多个处理元件中的一个处理元件之外的所有处理器停止之后才将内容加载到该区域中，并且该区域被保护以防止被暂停的处理元件的访问; 将未停止的处理元素置于已知的特权状态; 并且在非停止处理元件已经被置于已知的特权状态之后使得暂停的处理元件退出停止状态。

公开(公告)号：US20100058076A1

公开(公告)日：2010-03-04

申请号：US12615519

申请日：2009-11-10

申请人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock

发明人： Michael A. Kozuch ,  James A. Sutton, II ,  David Grawrock

IPC分类号： G06F12/14

CPC分类号： G06F9/45533 ,  G06F9/445 ,  G06F21/57 ,  G06F21/575 ,  G06F2009/45583 ,  G06F2009/45587

摘要： An article of manufacture is provided for securing a region in a memory of a computer. According to one embodiment, the article of manufacture comprises a machine-accessible medium including data that, when accessed by a machine, causes the machine to: halt all but one of a plurality of processing elements in a computer, where the halted processing elements enter into a special halted state; load content into the region only after the halting of all but the one of the plurality of processing elements and the region is protected from access by the halted processing elements; place the non-halted processing element into a known privileged state; and cause the halted processing elements to exit the halted state after the non-halted processing element has been placed into the known privileged state.

摘要翻译： 提供了一种用于将区域固定在计算机的存储器中的制造物品。 根据一个实施例，制品包括机器可访问介质，其包括当由机器访问时使机器停止计算机中的多个处理元件中除了一个处理元件之外的所有其中停止的处理元件进入的数据 进入特殊的停止状态; 只有在除了多个处理元件中的一个处理元件之外的所有处理器停止之后才将内容加载到该区域中，并且该区域被保护以防止被暂停的处理元件的访问; 将未停止的处理元素置于已知的特权状态; 并且在非停止处理元件已经被置于已知的特权状态之后使得暂停的处理元件退出停止状态。

公开(公告)号：US07571329B2

公开(公告)日：2009-08-04

申请号：US10891699

申请日：2004-07-14

申请人： Ernie F. Brickell ,  Alberto J. Martinez ,  David W. Grawrock ,  James A. Sutton, II ,  Clifford D. Hall

发明人： Ernie F. Brickell ,  Alberto J. Martinez ,  David W. Grawrock ,  James A. Sutton, II ,  Clifford D. Hall

IPC分类号： G06F12/14 ,  G06F11/30

CPC分类号： G06F21/73

摘要： Secure storage and retrieval of a unique value associated with a device to/from a memory of a processing system. In at least one embodiment, the device needs to be able to access the unique value across processing system resets, and the device does not have sufficient non-volatile storage to store the unique value itself. Instead, the unique value is stored in the processing system memory in such a way that the stored unique value does not create a unique identifier for the processing system or the device. A pseudo-randomly or randomly generated initialization vector may be used to vary an encrypted data structure used to store the unique value in the memory.

摘要翻译： 安全地存储和检索与/从处理系统的存储器中的设备相关联的唯一值。 在至少一个实施例中，设备需要能够跨越处理系统复位来访问唯一值，并且设备没有足够的非易失性存储来存储唯一值本身。 相反，唯一的值被存储在处理系统存储器中，使得存储的唯一值不会为处理系统或设备创建唯一的标识符。 可以使用伪随机或随机生成的初始化向量来改变用于在存储器中存储唯一值的加密数据结构。

公开(公告)号：US08660266B2

公开(公告)日：2014-02-25

申请号：US12710439

申请日：2010-02-23

申请人： James A. Sutton, II ,  Ernie F. Brickell ,  Clifford D. Hall ,  David W. Grawrock

发明人： James A. Sutton, II ,  Ernie F. Brickell ,  Clifford D. Hall ,  David W. Grawrock

IPC分类号： G06F21/00

CPC分类号： H04L9/0844 ,  H04L2209/127

摘要： Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored on a protected on-line server accessible by the client computer system.

摘要翻译： 将直接证明私钥提供给安装在该领域中的客户端计算机系统中的设备可以以安全的方式来实现，而不需要设备中的显着的非易失性存储。 在制造时产生并存储在设备中的唯一伪随机值。 伪随机值用于生成用于加密持有Direct Proof私钥和与该设备相关联的私钥摘要的数据结构的对称密钥。 所生成的加密数据结构存储在由客户端计算机系统可访问的受保护的在线服务器上。

公开(公告)号：US07697691B2

公开(公告)日：2010-04-13

申请号：US10892256

申请日：2004-07-14

申请人： James A. Sutton, II ,  Ernie F. Brickell ,  Clifford D. Hall ,  David W. Grawrock

发明人： James A. Sutton, II ,  Ernie F. Brickell ,  Clifford D. Hall ,  David W. Grawrock

IPC分类号： H04L9/00 ,  H04L9/08 ,  G06F11/30 ,  G06F12/14 ,  G08B29/00

CPC分类号： H04L9/0844 ,  H04L2209/127

摘要： Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored on a protected on-liner server accessible by the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated encrypted data structure from the protected on-line server using a secure protocol. The device decrypts the encrypted data structure using a symmetric key regenerated from its stored pseudo-random value to obtain the Direct Proof private key. If the private key is valid, it may be used for subsequent authentication processing by the device in the client computer system.

摘要翻译： 将直接证明私钥提供给安装在该领域中的客户端计算机系统中的设备可以以安全的方式来实现，而不需要设备中的显着的非易失性存储。 在制造时产生并存储在设备中的唯一伪随机值。 伪随机值用于生成用于加密持有Direct Proof私钥和与该设备相关联的私钥摘要的数据结构的对称密钥。 所得到的加密数据结构存储在由客户端计算机系统可访问的受保护的在线服务器上。 当在客户端计算机系统上初始化设备时，系统会检查系统中是否存在本地化的加密数据结构。 如果没有，系统将使用安全协议从受保护的在线服务器获取相关联的加密数据结构。 设备使用从其存储的伪随机值重新生成的对称密钥来解密加密数据结构，以获得直接证明私钥。 如果私钥有效，则其可以用于客户端计算机系统中的设备的后续认证处理。

公开(公告)号：US20100150351A1

公开(公告)日：2010-06-17

申请号：US12710439

申请日：2010-02-23

申请人： James A. Sutton, II ,  Ernie F. Brickell ,  Clifford D. Hall ,  David W. Grawrock

发明人： James A. Sutton, II ,  Ernie F. Brickell ,  Clifford D. Hall ,  David W. Grawrock

IPC分类号： H04L9/00 ,  H04L9/08 ,  G06F12/14 ,  G06F11/30 ,  G08B29/00

CPC分类号： H04L9/0844 ,  H04L2209/127

摘要： Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored on a protected on-liner server accessible by the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated encrypted data structure from the protected on-line server using a secure protocol. The device decrypts the encrypted data structure using a symmetric key regenerated from its stored pseudo-random value to obtain the Direct Proof private key. If the private key is valid, it may be used for subsequent authentication processing by the device in the client computer system.

摘要翻译： 将直接证明私钥提供给安装在该领域中的客户端计算机系统中的设备可以以安全的方式来实现，而不需要设备中的显着的非易失性存储。 在制造时产生并存储在设备中的唯一伪随机值。 伪随机值用于生成用于加密持有Direct Proof私钥和与该设备相关联的私钥摘要的数据结构的对称密钥。 所得到的加密数据结构存储在由客户端计算机系统可访问的受保护的在线服务器上。 当在客户端计算机系统上初始化设备时，系统会检查系统中是否存在本地化的加密数据结构。 如果没有，系统将使用安全协议从受保护的在线服务器获取相关联的加密数据结构。 设备使用从其存储的伪随机值重新生成的对称密钥来解密加密数据结构，以获得直接证明私钥。 如果私钥有效，则其可以用于客户端计算机系统中的设备的后续认证处理。

公开(公告)号：US07693286B2

公开(公告)日：2010-04-06

申请号：US10892280

申请日：2004-07-14

申请人： James A. Sutton, II ,  Clifford D. Hall ,  Ernie F. Brickell ,  David W. Grawrock

发明人： James A. Sutton, II ,  Clifford D. Hall ,  Ernie F. Brickell ,  David W. Grawrock

IPC分类号： H04L9/08 ,  H04L9/00 ,  H04L9/32

CPC分类号： H04L63/083 ,  G06F9/4843 ,  G06F12/1036 ,  G06F21/57 ,  G06F21/73 ,  H04L9/0897 ,  H04L9/3218 ,  H04L9/3236 ,  H04L63/04

摘要： Delivering a Direct Proof private key in a signed group of keys to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored along with a group number in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored in a signed group of keys (e.g., a signed group record) on a removable storage medium (such as a CD or DVD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated signed group record of encrypted data structures from the removable storage medium, and verifies the signed group record. The device decrypts the encrypted data structure using a symmetric key regenerated from its stored pseudo-random value to obtain the Direct Proof private key, when the group record is valid. If the private key is valid, it may be used for subsequent authentication processing by the device in the client computer system.

摘要翻译： 在安装在客户端计算机系统中的设备中的签名密钥组中提供直接证明私钥可以以安全的方式实现，而不需要设备中的重要的非易失性存储。 在制造时生成并存储与设备中的组号一起存储唯一的伪随机值。 伪随机值用于生成用于加密持有Direct Proof私钥和与该设备相关联的私钥摘要的数据结构的对称密钥。 所得到的加密数据结构被存储在可移动存储介质（例如CD或DVD）上的签名组密钥（例如，签名组记录）中，并且分发给客户端计算机系统的所有者。 当在客户端计算机系统上初始化设备时，系统会检查系统中是否存在本地化的加密数据结构。 如果没有，系统从可移动存储介质中获得加密数据结构的关联签名组记录，并验证签名组记录。 该设备使用从其存储的伪随机值重新生成的对称密钥来解密加密的数据结构，以便当组记录有效时获得Direct Proof私钥。 如果私钥有效，则其可以用于客户端计算机系统中的设备的后续认证处理。