公开(公告)号：US20160092700A1

公开(公告)日：2016-03-31

申请号：US14496056

申请日：2014-09-25

申请人： Ned Smith ,  Esteban Gutierrez ,  Andrew Woodruff ,  Aditya Kapoor

发明人： Ned Smith ,  Esteban Gutierrez ,  Andrew Woodruff ,  Aditya Kapoor

IPC分类号： G06F21/64 ,  G06F21/56 ,  G06F21/62

CPC分类号： G06F21/64 ,  G06F21/51 ,  G06F21/52 ,  G06F21/566 ,  G06F21/6281 ,  G06F2221/032 ,  G06F2221/2115

摘要： Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.

摘要翻译： 本文所述的特定实施例提供了一种电子设备，其可以被配置为在电子设备中的飞地处接收不受信任的输入数据，将不受信任的输入数据与飞地的至少一部分隔离，将不可信数据的至少一部分传达到 使用认证通道的完整性验证模块，以及从完整性验证模块接收不可信输入数据的数据完整性验证。 完整性验证模块可以执行数据完整性认证功能，以验证不可信数据，数据完整性认证功能包括数据认证策略和白名单。

公开(公告)号：US20100107224A1

公开(公告)日：2010-04-29

申请号：US12655024

申请日：2009-12-22

申请人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

发明人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

IPC分类号： G06F17/00

CPC分类号： H04L63/10 ,  G06F2221/2141 ,  H04L9/3234 ,  H04L9/3247 ,  H04L9/3263 ,  H04L63/0209 ,  H04L63/08 ,  H04L63/20

摘要： Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

摘要翻译： 允许固件代理在主机平台上作为防篡改代理操作的体系结构和技术，可在主机平台上用作受信任的策略执行点（PEP），即使主机操作系统受到威胁也可执行策略。 PEP可用于在主机平台上打开访问控制和/或修复通道。 固件代理还可以根据授权的企业PDP实体在主机平台上作为本地策略决策点（PDP），通过在主机信任代理不响应时提供策略，并且当主机信任时可以用作被动代理 代理功能。

公开(公告)号：US20090319806A1

公开(公告)日：2009-12-24

申请号：US12214830

申请日：2008-06-23

申请人： Ned Smith ,  Vincent J. Zimmer

发明人： Ned Smith ,  Vincent J. Zimmer

IPC分类号： H04L9/32 ,  G06F12/14

CPC分类号： G06F21/575

摘要： In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a full disk encryption disk in a pre-boot environment, executing the PBA using a chipset to obtain user credential information, authorizing the user based on the user credential information and stored credential information, and storing the user credential information in a PBA metadata region of the disk. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，本发明包括一种用于在预引导环境中从全盘加密盘获得预引导认证（PBA）图像的方法，使用芯片组执行PBA以获得用户凭证信息，授权用户 关于用户凭证信息和存储的凭证信息，以及将用户凭证信息存储在盘的PBA元数据区域中。 描述和要求保护其他实施例。

公开(公告)号：US20070110244A1

公开(公告)日：2007-05-17

申请号：US11281713

申请日：2005-11-16

申请人： Kapil Sood ,  Jesse Walker ,  Ned Smith

发明人： Kapil Sood ,  Jesse Walker ,  Ned Smith

IPC分类号： H04K1/00

CPC分类号： H04L9/0822 ,  G06F9/45558 ,  G06F2009/45587 ,  H04L9/0897 ,  H04L63/0428 ,  H04L63/06 ,  H04L2209/80 ,  H04W12/04 ,  H04W76/10 ,  H04W80/04

摘要： A method, apparatus and system enable a secure wireless platform. Specifically, embodiments of the present invention may utilize a secure processing area to enforce security mechanisms on the wireless platform, thus isolating the security measures (e.g., security keys) from the host operating system on the wireless node.

摘要翻译： 一种方法，装置和系统能够实现安全的无线平台。 具体地，本发明的实施例可以利用安全处理区域来在无线平台上实施安全机制，从而将安全措施（例如，安全密钥）与主机操作系统隔离在无线节点上。

公开(公告)号：US20170185814A1

公开(公告)日：2017-06-29

申请号：US14757398

申请日：2015-12-23

申请人： Ned Smith ,  Sven Schrecker ,  Willard Wiseman ,  David Clark ,  Jennifer Gilburg De Magnin ,  Howard Herbert

发明人： Ned Smith ,  Sven Schrecker ,  Willard Wiseman ,  David Clark ,  Jennifer Gilburg De Magnin ,  Howard Herbert

IPC分类号： G06K7/10

CPC分类号： G06F21/00 ,  G06K7/10257 ,  G06Q10/10 ,  G06Q50/10 ,  G06Q2220/00 ,  H04L9/0819

摘要： Technologies for verification include storage with private keys, wherein each private key is associated with a group affiliation. The storage also includes characteristic information about an apparatus. The technologies also include a wireless interface configured to receive a request from a reader for verification of membership of the apparatus within a group affiliation. The technologies further include a controller with programmable logic for configuring the controller to determine whether to verify membership of the apparatus within a given group affiliation. The controller is also configured to verify membership of the apparatus within the given group affiliation by signing data with a private key associated with the given group affiliation. The signed data is sent to the reader. Membership within the given group affiliation conveys a subset of the characteristic information.

公开(公告)号：US20140095876A1

公开(公告)日：2014-04-03

申请号：US13629887

申请日：2012-09-28

申请人： Ned Smith ,  Sharon Smith ,  Willard Wiseman

发明人： Ned Smith ,  Sharon Smith ,  Willard Wiseman

IPC分类号： H04L9/32

CPC分类号： G06F21/57 ,  H04L9/32 ,  H04L9/3265 ,  H04L9/3271

摘要： Systems and methods may provide introducing a first root of trust on a platform to a second root of trust on the same platform. In one example, the method may include using an authenticated code module to transfer a first encryption key from a first root of trust on a platform to a second root of trust on the platform, receiving a challenge response from the first root of trust at the second root of trust, and using the first encryption key to verify the challenge response

摘要翻译： 系统和方法可以提供将平台上的第一信任根引入同一平台上的第二信任根。 在一个示例中，该方法可以包括使用经认证的代码模块将第一加密密钥从平台上的第一信任根传递到平台上的第二信任根，在第一根信任根源处接收挑战响应 第二个信任根，并使用第一个加密密钥验证挑战响应

公开(公告)号：US08356175B2

公开(公告)日：2013-01-15

申请号：US11170528

申请日：2005-06-29

申请人： Ned Smith ,  Rajan S. Palanivel

发明人： Ned Smith ,  Rajan S. Palanivel

IPC分类号： H04L29/06

CPC分类号： H04L9/0844 ,  H04L63/0478 ,  H04L63/06 ,  H04L63/166 ,  H04L2209/38

摘要： Methods and apparatus to perform associated extensions for negotiated channel security protocols are disclosed. A disclosed method to extend a security protocol comprises exchanging identifying information between a first and a second endpoint, determining a secret based on the exchanged identifying information, determining a first master secret based on the determined secret and a second master secret determined in a prior protocol exchange block, and deriving a session key based on the first master secret.

摘要翻译： 公开了为协商的信道安全协议执行相关扩展的方法和装置。 一种公开的扩展安全协议的方法包括交换第一和第二端点之间的识别信息，基于所交换的识别信息确定秘密，基于所确定的秘密确定第一主密钥，以及在先前协议中确定的第二主密钥 交换块，并且基于第一主密钥导出会话密钥。

公开(公告)号：US08300825B2

公开(公告)日：2012-10-30

申请号：US12164663

申请日：2008-06-30

申请人： Nitin Sarangdhar ,  Ned Smith ,  Vincent Von Bokern

发明人： Nitin Sarangdhar ,  Ned Smith ,  Vincent Von Bokern

IPC分类号： H04L9/00

CPC分类号： H04L9/3234 ,  G06F12/1408 ,  G06F21/72 ,  G06F2212/1052 ,  H04L9/0833 ,  H04L9/0897 ,  H04L9/3226 ,  H04L9/3263 ,  H04L63/0428

摘要： In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or and decrypting, based at least in part upon a first key, data to be, in at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.

摘要翻译： 在一个实施例中，提供了一种装置，其可以包括可移除地通信地耦合到至少一个存储装置的集成电路。 该实施例的集成电路可以至少部分地基于第一密钥来加密和/或解密数据，该数据至少部分地存储在和/或分别从至少一个 所述至少一个存储设备的区域。 所述至少一个区域和第二密钥可以至少部分由管理员授权的至少一个访问权限相关联。 至少部分地，第二密钥可以存储在至少一个存储设备的外部。 至少部分地，至少部分地基于涉及第二密钥的至少一个操作可获得第一密钥。 当然，在不脱离本实施例的情况下，许多替代，修改和变化是可能的。

公开(公告)号：US08281135B2

公开(公告)日：2012-10-02

申请号：US13324032

申请日：2011-12-13

申请人： Ned Smith

发明人： Ned Smith

IPC分类号： H04L9/32 ,  H04L29/06 ,  H04L9/00 ,  H04L9/08 ,  G06F11/30 ,  G06F17/30 ,  G06F7/04 ,  H04N7/167 ,  H04K1/00

CPC分类号： G06F21/6218

摘要： A method, system, and computer-readable storage medium containing instructions for controlling access to data stored on a plurality of storage devices associated with a first platform. The method includes authenticating a user to access the first platform, wherein the first platform includes first and second storage devices, chipset encryption hardware, and a memory. Data stored on the storage devices are encrypted, with first data on the first storage device being encrypted by the chipset encryption hardware and second data stored on the second storage device being encrypted by another encryption mechanism. The data are decrypted and the user is allowed to access the first data and the second data.

摘要翻译： 一种包含用于控制对存储在与第一平台相关联的多个存储设备上的数据的访问的指令的方法，系统和计算机可读存储介质。 该方法包括认证用户访问第一平台，其中第一平台包括第一和第二存储设备，芯片组加密硬件和存储器。 存储在存储设备上的数据被加密，第一存储设备上的第一数据由芯片组加密硬件加密，并且存储在第二存储设备上的第二数据被另一加密机制加密。 数据被解密，并且允许用户访问第一数据和第二数据。

公开(公告)号：US20100169640A1

公开(公告)日：2010-07-01

申请号：US12319065

申请日：2008-12-30

申请人： Ned Smith ,  Purushottam Goel

发明人： Ned Smith ,  Purushottam Goel

IPC分类号： H04L9/00

CPC分类号： G06F21/335 ,  G06F21/31 ,  G06F21/33 ,  G06F21/41 ,  G06F21/575 ,  G06F21/72 ,  G06F21/80 ,  G06F2221/034 ,  G06F2221/2103 ,  G09G2358/00 ,  H04L9/0822 ,  H04L9/083 ,  H04L9/3213 ,  H04L63/0807 ,  H04L63/0815

摘要： A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.

摘要翻译： 可管理性引擎（ME）在预引导认证期间从用户接收认证响应，并向用户注册密钥分配中心（KDC），指示用户已成功认证到PC。 KDC以密钥加密密钥（KEK）的形式向ME提供单点登录凭证。 PC随后可以使用KEK来获取用于建立对企业服务器的安全访问的证书。