公开(公告)号：US08166301B2

公开(公告)日：2012-04-24

申请号：US11843292

申请日：2007-08-22

申请人： Nancy Cam-Winget ,  Hao Zhou ,  Padmanabha C. Jakkahalli ,  Joseph Salowey ,  David A. McGrew

发明人： Nancy Cam-Winget ,  Hao Zhou ,  Padmanabha C. Jakkahalli ,  Joseph Salowey ,  David A. McGrew

IPC分类号： H04L29/06

CPC分类号： H04L63/0435 ,  H04L9/0822 ,  H04L9/0841 ,  H04L63/08 ,  H04L67/14

摘要： A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

摘要翻译： 公开了一种实现无状态的基于服务器的预共享机密的方法。 基于客户端不知道的本地密钥，服务器加密客户端的状态信息。 客户端的状态信息可以包括例如客户端的认证凭证，客户端的授权特征以及客户端用于导出会话密钥的共享秘密密钥。 通过各种机制中的任一种，加密的客户端状态信息被提供给客户端。 服务器可以释放存储客户端状态信息的内存。 当服务器需要客户端的状态信息时，客户端向服务器发送客户端存储的加密状态信息。 服务器使用本地密钥解密客户端状态信息。 因为每个客户端都以加密形式存储客户端自己的状态信息，服务器不需要永久存储任何客户端的状态信息。

公开(公告)号：US07346773B2

公开(公告)日：2008-03-18

申请号：US10756634

申请日：2004-01-12

申请人： Nancy Cam-Winget ,  Hao Zhou ,  Padmanabha C. Jakkahalli ,  Joseph Salowey ,  David A. McGrew

发明人： Nancy Cam-Winget ,  Hao Zhou ,  Padmanabha C. Jakkahalli ,  Joseph Salowey ,  David A. McGrew

IPC分类号： H04L9/00 ,  G06F15/16

CPC分类号： H04L63/0435 ,  H04L9/0822 ,  H04L9/0841 ,  H04L63/08 ,  H04L67/14

摘要： A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

摘要翻译： 公开了一种实现无状态的基于服务器的预共享机密的方法。 基于客户端不知道的本地密钥，服务器加密客户端的状态信息。 客户端的状态信息可以包括例如客户端的认证凭证，客户端的授权特征以及客户端用于导出会话密钥的共享秘密密钥。 通过各种机制中的任一种，加密的客户端状态信息被提供给客户端。 服务器可以释放存储客户端状态信息的内存。 当服务器需要客户端的状态信息时，客户端向服务器发送客户端存储的加密状态信息。 服务器使用本地密钥解密客户端状态信息。 因为每个客户端都以加密形式存储客户端自己的状态信息，服务器不需要永久存储任何客户端的状态信息。

公开(公告)号：US08867747B2

公开(公告)日：2014-10-21

申请号：US12414772

申请日：2009-03-31

申请人： David A. McGrew ,  Brian E. Weis

发明人： David A. McGrew ,  Brian E. Weis

IPC分类号： H04L9/08

CPC分类号： H04L9/0869 ,  H04L9/083

摘要： Systems, methods, and other embodiments associated with key generation for networks are described. One example method includes configuring a key server with a pseudo-random function (PRF). The key server may provide keying material to gateways. The method may also include controlling the key server to generate a cryptography data structure (e.g., D-matrix) based, at least in part, on the PRF and a seed value. The method may also include controlling the key server to selectively distribute a portion of the cryptography data structure and/or data derived from the cryptography data structure to a gateway. The gateway may then encrypt communications based, at least in part, on the portion of the cryptography data structure. The method may also include selectively distributing an epoch value to members of the set of gateways that may then decrypt an encrypted communication based, at least in part, on the epoch value.

摘要翻译： 描述了与网络的密钥生成相关联的系统，方法和其他实施例。 一个示例性方法包括配置具有伪随机函数（PRF）的密钥服务器。 密钥服务器可以向网关提供密钥材料。 该方法还可以包括：至少部分地基于PRF和种子值来控制密钥服务器以生成加密数据结构（例如，D矩阵）。 该方法还可以包括控制密钥服务器以选择性地将加密数据结构的一部分和/或从加密数据结构导出的数据分发到网关。 网关可以至少部分地基于加密数据结构的一部分加密通信。 该方法还可以包括选择性地将时代值分配到该组网关的成员，该网关组可以至少部分地基于时期值来解密加密的通信。

公开(公告)号：US08473757B2

公开(公告)日：2013-06-25

申请号：US12388387

申请日：2009-02-18

申请人： Philip John Steuart Gladstone ,  David A. McGrew

发明人： Philip John Steuart Gladstone ,  David A. McGrew

IPC分类号： G06F21/00

CPC分类号： H04L9/0891 ,  H04L9/0894

摘要： Digital data, such as images on a digital camera, is typically protected (e.g., encrypted and/or authenticated) based on a master key stored off the device. The original master key can be acquired in a number of different ways, including being generated by the device or by another device. A one-way, progressive series of keys are derived from the master key such that only images or data of a same session can be authenticated or decrypted for viewing, export or manipulation of the decrypted image/data. In order to decrypt images or data of a previous session on the device, the master key must be imported to the device, such as by, but not limited to, taking a picture of a representation of the key and interpreting the image to reacquire the master key.

摘要翻译： 数字数据，例如数字照相机上的图像，通常基于存储在设备上的主密钥进行保护（例如，加密和/或认证）。 原始主密钥可以以多种不同的方式获取，包括由设备或另一设备生成。 从主密钥导出单向，渐进的一系列密钥，使得仅能够认证或解密相同会话的图像或数据以查看，导出或操纵解密的图像/数据。 为了对设备上的先前会话的图像或数据进行解密，主密钥必须被导入到设备中，例如通过但不限于获取密钥的表示的图片并解释图像来重新获取 主密钥。

公开(公告)号：US07676679B2

公开(公告)日：2010-03-09

申请号：US11059178

申请日：2005-02-15

申请人： Brian E. Weis ,  David A. McGrew

发明人： Brian E. Weis ,  David A. McGrew

IPC分类号： H04L9/00 ,  H04L9/32

CPC分类号： H04L9/12 ,  H04L9/3297 ,  H04L63/126 ,  H04L63/1466

摘要： Nodes in a network include a pseudo-timestamp in messages or packets, derived from local pseudo-time clocks. When a packet is received, a first time is determined representing when the packet was sent and a second time is determined representing when the packet was received. If the difference between the second time and the first time is greater than a predetermined amount, the packet is considered to be stale and is rejected, thereby deterring replay. Because each node maintains its own clock and time, to keep the clocks relatively synchronized, if a time associated with a timestamp of a received packet is later than a certain amount with respect to the time at the receiver, the receiver's clock is set ahead by an amount that expected to synchronize the receiver's and the sender's clocks. However, a receiver never sets its clock back, to deter attacks.

摘要翻译： 网络中的节点包括从本地伪时间时钟导出的消息或分组中的伪时间戳。 当接收到分组时，确定第一次表示何时发送分组，并且确定表示何时接收分组的第二时间。 如果第二时间和第一时间之间的差异大于预定量，则该分组被认为是陈旧的并且被拒绝，从而阻止重放。 由于每个节点保持其自身的时钟和时间，为了保持时钟相对同步，如果与接收到的分组的时间戳相关联的时间相对于接收机的时间晚于一定量，则将接收机的时钟设置在 预计会使接收器和发送器的时钟同步的量。 然而，接收机从未将其时钟重新设置为阻止攻击。

公开(公告)号：US08990582B2

公开(公告)日：2015-03-24

申请号：US12789207

申请日：2010-05-27

申请人： Fabio R. Maino ,  Pere Monclus ,  David A. McGrew

发明人： Fabio R. Maino ,  Pere Monclus ,  David A. McGrew

IPC分类号： G06F21/00 ,  G06F12/14 ,  G06F21/12 ,  G06F12/08

CPC分类号： G06F12/1408 ,  G06F12/0811 ,  G06F12/084 ,  G06F12/0848 ,  G06F21/123

摘要： Techniques for memory compartmentalization for trusted execution of a virtual machine (VM) on a multi-core processing architecture are described. Memory compartmentalization may be achieved by encrypting layer 3 (L3) cache lines using a key under the control of a given VM within the trust boundaries of the processing core on which that VMs is executed. Further, embodiments described herein provide an efficient method for storing and processing encryption related metadata associated with each encrypt/decrypt operation performed for the L3 cache lines.

摘要翻译： 描述了用于多核处理架构上的虚拟机（VM）的可信执行的用于存储器区分的技术。 可以通过使用在执行VM的处理核心的信任边界内的给定VM的控制下的密钥来加密层3（L3）高速缓存线来实现内存区分。 此外，本文描述的实施例提供了一种用于存储和处理与针对L3高速缓存行执行的每个加密/解密操作相关联的加密相关元数据的有效方法。

公开(公告)号：US08745384B2

公开(公告)日：2014-06-03

申请号：US13207775

申请日：2011-08-11

申请人： Andrew Persaud ,  Kavitha Kamarthy ,  Shree Murthy ,  Scott Fanning ,  David A. McGrew ,  Thirunavukkarasu Suresh

发明人： Andrew Persaud ,  Kavitha Kamarthy ,  Shree Murthy ,  Scott Fanning ,  David A. McGrew ,  Thirunavukkarasu Suresh

IPC分类号： H04L29/06

CPC分类号： H04L63/0428 ,  G06F21/606 ,  G06F21/6272 ,  H04L9/0822 ,  H04L9/083 ,  H04L9/0894 ,  H04L9/0897 ,  H04L63/104 ,  H04L2209/76

摘要： Techniques are provided for securely storing data files in, or retrieving data files from, cloud storage. A data file transmitted to cloud storage from a client in an enterprise computing environment is intercepted by at least one network device. Using security information received from a management server, the data file is converted into an encrypted object configured to remain encrypted while at rest in the cloud storage.

摘要翻译： 提供技术用于将数据文件安全地存储在云存储中或从云存储中检索数据文件。 在企业计算环境中从客户端发送到云存储的数据文件被至少一个网络设备拦截。 使用从管理服务器接收的安全信息，数据文件被转换成被配置为在云存储中休息时保持加密的加密对象。

公开(公告)号：US08122482B2

公开(公告)日：2012-02-21

申请号：US12019541

申请日：2008-01-24

申请人： David A. McGrew ,  Melinda L. Shore

发明人： David A. McGrew ,  Melinda L. Shore

IPC分类号： G06F17/00 ,  H04L29/06

CPC分类号： H04L63/0263 ,  H04L63/029 ,  H04L63/0807

摘要： A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

摘要翻译： 公开了一种用于加密对等体发现，认证和授权的方法。 根据一个实施例，寻址到中继网络设备之外的目的地设备的数据分组在中间网络设备处被截取。 数据包包含请求和组标识符。 选择映射到组标识符的共享密钥加密密钥。 从数据包来自何时向上游设备发送一个挑战。 收到回复。 基于加密密钥和挑战生成验证值。 确定响应是否匹配验证值。 如果响应匹配验证值，则确定该映射到组标识符的授权集是否允许该请求。 如果允许请求，则根据请求配置中间网络设备的策略。

公开(公告)号：US20100211799A1

公开(公告)日：2010-08-19

申请号：US12388387

申请日：2009-02-18

申请人： Philip John Steuart Gladstone ,  David A. McGrew

发明人： Philip John Steuart Gladstone ,  David A. McGrew

IPC分类号： H04L9/16 ,  G06F12/14

CPC分类号： H04L9/0891 ,  H04L9/0894

摘要： Digital data, such as images on a digital camera, is typically protected (e.g., encrypted and/or authenticated) based on a master key stored off the device. The original master key can be acquired in a number of different ways, including being generated by the device or by another device. A one-way, progressive series of keys are derived from the master key such that only images or data of a same session can be authenticated or decrypted for viewing, export or manipulation of the decrypted image/data. In order to decrypt images or data of a previous session on the device, the master key must be imported to the device, such as by, but not limited to, taking a picture of a representation of the key and interpreting the image to reacquire the master key.

摘要翻译： 数字数据，例如数字照相机上的图像，通常基于存储在设备上的主密钥进行保护（例如，加密和/或认证）。 原始主密钥可以以多种不同的方式获取，包括由设备或另一设备生成。 从主密钥导出单向，渐进的一系列密钥，使得仅能够认证或解密相同会话的图像或数据以查看，导出或操纵解密的图像/数据。 为了对设备上的先前会话的图像或数据进行解密，主密钥必须被导入到设备中，例如通过但不限于获取密钥的表示的图片并解释图像来重新获取 主密钥。

公开(公告)号：US20100169645A1

公开(公告)日：2010-07-01

申请号：US12604221

申请日：2009-10-22

申请人： David A. McGrew ,  Brian E. Weis ,  Fabio R. Maino

发明人： David A. McGrew ,  Brian E. Weis ,  Fabio R. Maino

IPC分类号： H04L9/32 ,  H04L9/06 ,  H04L9/28

CPC分类号： H04L9/0637 ,  H04L9/0822 ,  H04L9/0833 ,  H04L9/3242

摘要： A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.

摘要翻译： 公开了一种用于认证，加密和发送秘密通信的计算机系统，其中加密密钥与加密消息一起发送。 在一个实施例中，第一发送处理器使用数据密钥将明文消息加密为密文消息，使用密钥加密密钥加密数据密钥，并发送包括加密数据密钥和密文消息的通信。 第二接收处理器接收通信，然后使用密钥加密密钥解密加密的数据密钥，并使用数据密钥解密密文消息以恢复明文消息。