公开(公告)号：US20170024570A1

公开(公告)日：2017-01-26

申请号：US14974960

申请日：2015-12-18

申请人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

发明人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

IPC分类号： G06F21/60 ,  G06F13/28

CPC分类号： G06F21/602 ,  G06F13/28 ,  G06F21/57

摘要： Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

摘要翻译： 用于可信I / O认证和验证的技术包括具有加密引擎和一个或多个I / O控制器的计算设备。 计算设备收集与由加密引擎保护的受信任的I / O使用相关联的静态附接的硬件I / O组件相关联的硬件认证信息。 计算设备验证硬件认证信息并且响应于验证安全地枚举一个或多个动态附加的硬件组件。 计算设备收集在安全枚举期间加载的可信软件组件的软件认证信息。 计算设备验证软件认证信息。 计算设备可以收集加载在I / O控制器中的固件的固件证明信息，并验证固件证明信息。 计算设备可以收集使用可信I / O使用的可信应用的应用认证信息，并验证应用认证信息。 描述和要求保护其他实施例。

公开(公告)号：US20170024584A1

公开(公告)日：2017-01-26

申请号：US14979002

申请日：2015-12-22

申请人： Siddhartha Chhabra ,  Gideon Gerzon ,  Reshma Lal ,  Bin Xing ,  Pradeep M. Pappachan ,  Steven B. McGowan

发明人： Siddhartha Chhabra ,  Gideon Gerzon ,  Reshma Lal ,  Bin Xing ,  Pradeep M. Pappachan ,  Steven B. McGowan

IPC分类号： G06F21/72 ,  H04L9/32 ,  H04L9/08

CPC分类号： G06F21/72 ,  G06F21/57 ,  H04L9/0822 ,  H04L9/0861 ,  H04L9/3242

摘要： Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes, an invoking secure enclave using secure enclave support of a processor. The invoking enclave configures channel programming information, including a channel key, and invokes a processor instruction with the channel programming information as a parameter. The processor generates wrapped programming information including an encrypted channel key and a message authentication code. The encrypted channel key is protected with a key known only to the processor. The invoking enclave provides the wrapped programming information to untrusted software, which invokes a processor instruction with the wrapped programming information as a parameter. The processor unwraps and verifies the wrapped programming information and then programs the cryptographic engine. The processor generates an authenticated response that may be verified by the invoking enclave. Other embodiments are described and claimed.

摘要翻译： 用于加密引擎的安全编程的技术包括具有密码引擎和一个或多个I / O控制器的计算设备。 计算设备使用处理器的安全飞地支持来建立调用安全飞地。 调用飞地配置信道编程信息，包括信道密钥，并且以通道编程信息为参数来调用处理器指令。 处理器产生包括加密的信道密钥和消息认证码的包装节目信息。 加密的通道密钥由仅对处理器已知的密钥进行保护。 调用的包层将包装的编程信息提供给不受信任的软件，该软件以包装的编程信息作为参数调用处理器指令。 处理器解封装并验证封装的编程信息，然后对加密引擎进行编程。 处理器生成可以通过调用飞地验证的认证响应。 描述和要求保护其他实施例。

公开(公告)号：US20170024568A1

公开(公告)日：2017-01-26

申请号：US14974874

申请日：2015-12-18

申请人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Reouven Elbaz

发明人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Reouven Elbaz

IPC分类号： G06F21/60 ,  G06F13/28 ,  G06F17/30

CPC分类号： G06F21/602 ,  G06F13/28 ,  G06F17/30371 ,  G06F21/606 ,  G06F21/64 ,  G06F2221/031

摘要： Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/0 data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.

摘要翻译： 用于I / O数据的真实性保证的技术包括具有加密引擎和一个或多个I / O控制器的计算设备。 计算设备的元数据生成器对I / O数据执行认证加密操作以产生加密的I / O数据和认证标签。 元数据生成器将加密的I / O数据存储在DMA缓冲器中，认证标签存储在认证标签队列中。 元数据消费者从DMA缓冲器解密加密的I / O数据，并使用来自认证标签队列的认证标签来确定加密的I / O数据是否是真实的。 对于输入，元数据生成器可以体现为加密引擎，并且元数据消费者可以被实现为可信软件组件。 对于输出，元数据生成器可以被实现为可信软件组件，并且元数据消费者可以被体现为密码引擎。 描述和要求保护其他实施例。

公开(公告)号：US20170177293A1

公开(公告)日：2017-06-22

申请号：US14974645

申请日：2015-12-18

申请人： Sudha Krishnakumar ,  Reshma Lal ,  Pradeep M. Pappachan ,  Kar Leong Wong ,  Steven B. McGowan ,  Adeel A. Aslam

发明人： Sudha Krishnakumar ,  Reshma Lal ,  Pradeep M. Pappachan ,  Kar Leong Wong ,  Steven B. McGowan ,  Adeel A. Aslam

IPC分类号： G06F3/16 ,  G06F15/167 ,  H04L9/32 ,  H04L29/06

CPC分类号： G06F3/165 ,  G06F3/162 ,  G06F15/167 ,  H04L9/32 ,  H04L63/126 ,  H04L65/1069 ,  H04L65/4069 ,  H04L65/605

摘要： Technologies for cryptographic protection of I/O audio data include a computing device with a cryptographic engine and an audio controller. A trusted software component may request an untrusted audio driver to establish an audio session with the audio controller that is associated with an audio codec. The trusted software component may verify that a stream identifier associated with the audio session received from the audio driver matches a stream identifier received from the codec. The trusted software may program the cryptographic engine with a DMA channel identifier associated with the codec, and the audio controller may assert the channel identifier in each DMA transaction associated with the audio session. The cryptographic engine cryptographically protects audio data associated with the audio session. The audio controller may lock the controller topology after establishing the audio session, to prevent re-routing of audio during a trusted audio session. Other embodiments are described and claimed.

公开(公告)号：US20140359305A1

公开(公告)日：2014-12-04

申请号：US14126859

申请日：2013-06-04

申请人： Pradeep M. Pappachan ,  Reshma Lal

发明人： Pradeep M. Pappachan ,  Reshma Lal

IPC分类号： H04L9/14

CPC分类号： H04L9/14 ,  H04L2209/60

摘要： The present disclosure is directed to application integrity protection via secure interaction and processing. For example, interaction with a user interface in a device may result in input information being generated. Following encryption, the input information may be conveyed to an application executing in a secure processing environment. The encrypted input information may be received, decrypted and processed by the application. An example application may include a secure controller component, a secure model component and a secure view component. The secure controller component may, for example, provide change instructions to the secure model component based on the decrypted input information. The secure model component may then, if necessary, provide a change notification to the secure view component based on the change instructions. The secure view component may then generate output information, which may be encrypted prior to being provided to the user interface for decryption, processing and presentation.

摘要翻译： 本公开涉及通过安全交互和处理的应用完整性保护。 例如，与设备中的用户界面的交互可能导致生成输入信息。 在加密之后，可以将输入信息传送到在安全处理环境中执行的应用。 加密的输入信息可以被应用程序接收，解密和处理。 示例应用可以包括安全控制器组件，安全模型组件和安全视图组件。 例如，安全控制器组件可以基于解密的输入信息向安全模型组件提供改变指令。 然后，如果需要，安全模型组件可以基于改变指令向安全视图组件提供改变通知。 然后，安全视图组件可以生成输出信息，其可以在被提供给用户接口以进行解密，处理和呈现之前被加密。

公开(公告)号：US20150304736A1

公开(公告)日：2015-10-22

申请号：US14127542

申请日：2013-06-04

申请人： Reshma Lal ,  Jason Martin ,  Micah J. Sheller ,  Michael M. Amirfathi ,  Nathan Heldt-Sheller ,  Pradeep M. Pappachan

发明人： Reshma Lal ,  Jason Martin ,  Micah J. Sheller ,  Michael M. Amirfathi ,  Nathan Heldt-Sheller ,  Pradeep M. Pappachan

IPC分类号： H04N21/647 ,  H04L9/08

CPC分类号： H04N21/64715 ,  G06F21/10 ,  G06F21/72 ,  H04L9/0816 ,  H04L2209/24

摘要： Technologies for hardening the security of digital information on a client device are described. In some embodiments, the client device includes a secure processing environment such as a secure enclave, which may be used to protect digital information on a client platform. The secure environment(s) may also protect assets which may be used to access the digital information. Using the secure processing environment(s), the described technologies may protect digital information as it is provided to, stored on, accessed on, and/or processed for display by a client device, even if the client device may be infested with malware or subject to attack by another entity.

摘要翻译： 描述了在客户端设备上加强数字信息安全性的技术。 在一些实施例中，客户端设备包括诸如安全飞地之类的安全处理环境，其可以用于保护客户端平台上的数字信息。 安全环境还可以保护可能用于访问数字信息的资产。 使用安全处理环境，所描述的技术可以保护数字信息，因为它被提供给存储，访问和/或处理以供客户端设备显示，即使客户端设备可能被恶意软件或 受另一实体的攻击。

公开(公告)号：US20150143118A1

公开(公告)日：2015-05-21

申请号：US14127533

申请日：2013-06-04

申请人： Micah J. Sheller ,  Reshma Lal ,  Pradeep M. Pappachan ,  Krystof C. Zmudzinski

发明人： Micah J. Sheller ,  Reshma Lal ,  Pradeep M. Pappachan ,  Krystof C. Zmudzinski

IPC分类号： H04L29/06 ,  H04L9/32

CPC分类号： H04L63/0428 ,  H04L9/14 ,  H04L9/3223 ,  H04L63/062 ,  H04L63/08 ,  H04L2209/60

摘要： The present disclosure is directed to an end-to-end secure communication system wherein, in addition to encrypting transmissions between clients, communication-related operations occurring within each client may also be secured. Each client may comprise a secure processing environment to process encrypted communication information received from other clients and locally-captured media information for transmission to other clients. The secure processing environment may include resources to decrypt received encrypted communication information and to process the communication information into media information for presentation by the client. The secure processing environment may also operate in reverse to provide locally recorded audio, image, video, etc. to other clients. Encryption protocols may be employed at various stages of information processing in the client to help ensure that information being transferred between the processing resources cannot be read, copied, altered, etc. In one example implementation, a server may manage interaction between clients, provision encryption keys, etc.

摘要翻译： 本公开涉及一种端到端安全通信系统，其中除了加密客户端之间的传输之外，还可以确保在每个客户端内发生的与通信相关的操作。 每个客户端可以包括用于处理从其他客户端接收的加密通信信息和本地捕获的媒体信息以便传输到其他客户端的安全处理环境。 安全处理环境可以包括用于解密所接收的加密通信信息并将通信信息处理成媒体信息以供客户呈现的资源。 安全处理环境也可以相反地操作，以向其他客户端提供本地记录的音频，图像，视频等。 可以在客户端的信息处理的各个阶段采用加密协议，以帮助确保在处理资源之间传递的信息不能被读取，复制，改变等。在一个示例实现中，服务器可以管理客户端之间的交互，提供加密 钥匙等