公开(公告)号：US20180145951A1

公开(公告)日：2018-05-24

申请号：US15356720

申请日：2016-11-21

申请人： Srikanth Varadarajan ,  Reshma Lal ,  Steven B. McGowan ,  Hakan Magnus Eriksson ,  Travis W. Peters

发明人： Srikanth Varadarajan ,  Reshma Lal ,  Steven B. McGowan ,  Hakan Magnus Eriksson ,  Travis W. Peters

IPC分类号： H04L29/06 ,  H04W12/04 ,  H04L9/14 ,  H04W12/02 ,  G06F21/57 ,  G06F13/28 ,  G06F13/40

CPC分类号： G06F13/4068 ,  G06F13/28 ,  G06F21/57 ,  G06F21/85 ,  H04L9/065 ,  H04L63/0464 ,  H04L69/22 ,  H04L2209/127 ,  H04W12/02 ,  H04W12/1208

摘要： In one embodiment, an apparatus includes a wireless controller, which may include a byte stream parser to receive a stream of data from one or more wireless devices and parse the stream of data to identify a first data packet associated with a first channel identifier associated with a trusted application, and a cryptographic engine coupled to the byte stream parser to encrypt a payload portion of the first data packet in response to the identification of the first data packet associated with the first channel identifier. Other embodiments are described and claimed.

公开(公告)号：US20170177293A1

公开(公告)日：2017-06-22

申请号：US14974645

申请日：2015-12-18

申请人： Sudha Krishnakumar ,  Reshma Lal ,  Pradeep M. Pappachan ,  Kar Leong Wong ,  Steven B. McGowan ,  Adeel A. Aslam

发明人： Sudha Krishnakumar ,  Reshma Lal ,  Pradeep M. Pappachan ,  Kar Leong Wong ,  Steven B. McGowan ,  Adeel A. Aslam

IPC分类号： G06F3/16 ,  G06F15/167 ,  H04L9/32 ,  H04L29/06

CPC分类号： G06F3/165 ,  G06F3/162 ,  G06F15/167 ,  H04L9/32 ,  H04L63/126 ,  H04L65/1069 ,  H04L65/4069 ,  H04L65/605

摘要： Technologies for cryptographic protection of I/O audio data include a computing device with a cryptographic engine and an audio controller. A trusted software component may request an untrusted audio driver to establish an audio session with the audio controller that is associated with an audio codec. The trusted software component may verify that a stream identifier associated with the audio session received from the audio driver matches a stream identifier received from the codec. The trusted software may program the cryptographic engine with a DMA channel identifier associated with the codec, and the audio controller may assert the channel identifier in each DMA transaction associated with the audio session. The cryptographic engine cryptographically protects audio data associated with the audio session. The audio controller may lock the controller topology after establishing the audio session, to prevent re-routing of audio during a trusted audio session. Other embodiments are described and claimed.

公开(公告)号：US20170024570A1

公开(公告)日：2017-01-26

申请号：US14974960

申请日：2015-12-18

申请人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

发明人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

IPC分类号： G06F21/60 ,  G06F13/28

CPC分类号： G06F21/602 ,  G06F13/28 ,  G06F21/57

摘要： Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

摘要翻译： 用于可信I / O认证和验证的技术包括具有加密引擎和一个或多个I / O控制器的计算设备。 计算设备收集与由加密引擎保护的受信任的I / O使用相关联的静态附接的硬件I / O组件相关联的硬件认证信息。 计算设备验证硬件认证信息并且响应于验证安全地枚举一个或多个动态附加的硬件组件。 计算设备收集在安全枚举期间加载的可信软件组件的软件认证信息。 计算设备验证软件认证信息。 计算设备可以收集加载在I / O控制器中的固件的固件证明信息，并验证固件证明信息。 计算设备可以收集使用可信I / O使用的可信应用的应用认证信息，并验证应用认证信息。 描述和要求保护其他实施例。

公开(公告)号：US20170118215A1

公开(公告)日：2017-04-27

申请号：US14757659

申请日：2015-12-23

申请人： Srikanth Varadarajan ,  Reshma Lal ,  Josh Triplett

发明人： Srikanth Varadarajan ,  Reshma Lal ,  Josh Triplett

IPC分类号： H04L29/06 ,  G06F17/30 ,  H04L29/08

CPC分类号： H04L63/10 ,  G06F16/9014 ,  H04L63/0236 ,  H04L63/0428 ,  H04L63/083 ,  H04L67/02 ,  H04L67/1097

摘要： Various system configurations and methods for maintaining, accessing, and utilizing secure data of a web browser in a hardware-managed secure data store are disclosed herein. In an example, operations for management of sensitive data such as passwords may be provided with the use of secure enclaves operating in a trusted execution environment. For example, such secure enclaves may be used for sealing and persisting sensitive data associated with a remote service, and transmitting the sensitive data to the remote service, while an unsealed form of the sensitive data is not accessible outside of the trusted execution environment. In further examples, operations for generating a password, storing or updating existing passwords, and replacing web browser input fields with secure data are disclosed.

公开(公告)号：US20170024584A1

公开(公告)日：2017-01-26

申请号：US14979002

申请日：2015-12-22

申请人： Siddhartha Chhabra ,  Gideon Gerzon ,  Reshma Lal ,  Bin Xing ,  Pradeep M. Pappachan ,  Steven B. McGowan

发明人： Siddhartha Chhabra ,  Gideon Gerzon ,  Reshma Lal ,  Bin Xing ,  Pradeep M. Pappachan ,  Steven B. McGowan

IPC分类号： G06F21/72 ,  H04L9/32 ,  H04L9/08

CPC分类号： G06F21/72 ,  G06F21/57 ,  H04L9/0822 ,  H04L9/0861 ,  H04L9/3242

摘要： Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes, an invoking secure enclave using secure enclave support of a processor. The invoking enclave configures channel programming information, including a channel key, and invokes a processor instruction with the channel programming information as a parameter. The processor generates wrapped programming information including an encrypted channel key and a message authentication code. The encrypted channel key is protected with a key known only to the processor. The invoking enclave provides the wrapped programming information to untrusted software, which invokes a processor instruction with the wrapped programming information as a parameter. The processor unwraps and verifies the wrapped programming information and then programs the cryptographic engine. The processor generates an authenticated response that may be verified by the invoking enclave. Other embodiments are described and claimed.

摘要翻译： 用于加密引擎的安全编程的技术包括具有密码引擎和一个或多个I / O控制器的计算设备。 计算设备使用处理器的安全飞地支持来建立调用安全飞地。 调用飞地配置信道编程信息，包括信道密钥，并且以通道编程信息为参数来调用处理器指令。 处理器产生包括加密的信道密钥和消息认证码的包装节目信息。 加密的通道密钥由仅对处理器已知的密钥进行保护。 调用的包层将包装的编程信息提供给不受信任的软件，该软件以包装的编程信息作为参数调用处理器指令。 处理器解封装并验证封装的编程信息，然后对加密引擎进行编程。 处理器生成可以通过调用飞地验证的认证响应。 描述和要求保护其他实施例。

公开(公告)号：US20170024568A1

公开(公告)日：2017-01-26

申请号：US14974874

申请日：2015-12-18

申请人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Reouven Elbaz

发明人： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Reouven Elbaz

IPC分类号： G06F21/60 ,  G06F13/28 ,  G06F17/30

CPC分类号： G06F21/602 ,  G06F13/28 ,  G06F17/30371 ,  G06F21/606 ,  G06F21/64 ,  G06F2221/031

摘要： Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/0 data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.

摘要翻译： 用于I / O数据的真实性保证的技术包括具有加密引擎和一个或多个I / O控制器的计算设备。 计算设备的元数据生成器对I / O数据执行认证加密操作以产生加密的I / O数据和认证标签。 元数据生成器将加密的I / O数据存储在DMA缓冲器中，认证标签存储在认证标签队列中。 元数据消费者从DMA缓冲器解密加密的I / O数据，并使用来自认证标签队列的认证标签来确定加密的I / O数据是否是真实的。 对于输入，元数据生成器可以体现为加密引擎，并且元数据消费者可以被实现为可信软件组件。 对于输出，元数据生成器可以被实现为可信软件组件，并且元数据消费者可以被体现为密码引擎。 描述和要求保护其他实施例。

公开(公告)号：US20140189356A1

公开(公告)日：2014-07-03

申请号：US13976023

申请日：2011-12-29

申请人： Vinay Phegade ,  Jason Martin ,  Reshma Lal ,  Micah Sheller ,  Tobias Kohlenberg

发明人： Vinay Phegade ,  Jason Martin ,  Reshma Lal ,  Micah Sheller ,  Tobias Kohlenberg

IPC分类号： H04L29/06

CPC分类号： H04L63/062 ,  G06F21/10 ,  G06F21/606 ,  G06F21/84 ,  G06F2221/0797 ,  G09G2358/00 ,  H04L63/0428 ,  H04L63/08 ,  H04L63/1441 ,  H04L67/02

摘要： A method of enforcing a virtual corporate boundary may include a client device requesting sensitive content from a network site on a server device responsive to a user's interaction with the client device. The server device can determine whether the user and/or client device are permitted to access the sensitive content. A secure element on the client device can establish a session key between the server device and the client device. The server device can render the sensitive content and send it to the client device, which can display the content to the user.

摘要翻译： 执行虚拟公司边界的方法可以包括响应于用户与客户端设备的交互而从服务器设备上的网络站点请求敏感内容的客户端设备。 服务器设备可以确定用户和/或客户端设备是否被允许访问敏感内容。 客户端设备上的安全元素可以在服务器设备和客户端设备之间建立会话密钥。 服务器设备可以呈现敏感内容并将其发送到客户端设备，可以向用户显示内容。

公开(公告)号：US10171500B2

公开(公告)日：2019-01-01

申请号：US13730465

申请日：2012-12-28

申请人： Reshma Lal ,  Bin Cedric Xing

发明人： Reshma Lal ,  Bin Cedric Xing

IPC分类号： H04L29/06 ,  H04L29/08

摘要： Embodiments of a system, apparatus, and method of platform security are describe. In some embodiments, a system comprises a manageability engine to detect if a software agent of the platform is removed and a software agent enclave, wherein the software agent enclave and manageability engine each include a specific session key to be used for communications between the software agent enclave and the manageability engine.

公开(公告)号：US20170026181A1

公开(公告)日：2017-01-26

申请号：US14974948

申请日：2015-12-18

申请人： Siddhartha Chhabra ,  Reshma Lal ,  Ravi L. Sahita ,  Reouven Elbaz ,  Bin Xing

发明人： Siddhartha Chhabra ,  Reshma Lal ,  Ravi L. Sahita ,  Reouven Elbaz ,  Bin Xing

IPC分类号： H04L9/32 ,  G06F9/455 ,  G06F21/53 ,  G06F13/28

CPC分类号： H04L9/3234 ,  G06F9/45558 ,  G06F13/28 ,  G06F21/53 ,  G06F2009/45579 ,  G06F2009/45587 ,  G06F2221/2149 ,  H04L2209/127 ,  H04L2209/26

摘要： Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes one or more trusted execution environments (TEEs). A TEE generates a request to program the cryptographic engine with respect to a DMA channel. The computing device may verify a signed manifest that indicates the TEEs permitted to program DMA channels and, if verified, determine whether the TEE is permitted to program the requested DMA channel. The computing device may record the TEE for a request to protect the DMA channel and may determine whether the programming TEE matches the recorded TEE for a request to unprotect a DMA channel. The computing device may allow the request to unprotect the DMA channel if the programming TEE matches the recorded TEE. Other embodiments are described and claimed.

摘要翻译： 用于加密引擎的安全编程的技术包括具有密码引擎和一个或多个I / O控制器的计算设备。 计算设备建立一个或多个可信执行环境（TEE）。 TEE生成关于DMA通道对加密引擎进行编程的请求。 计算设备可以验证指示允许编程DMA通道的TEE的签名清单，并且如果被验证，则确定是否允许TEE对所请求的DMA通道进行编程。 计算设备可以记录TEE以保护DMA通道的请求，并且可以确定编程TEE是否与用于取消保护DMA通道的请求的记录的TEE匹配。 如果编程TEE与记录的TEE匹配，则计算设备可以允许请求取消对DMA通道的保护。 描述和要求保护其他实施例。

公开(公告)号：US20140173756A1

公开(公告)日：2014-06-19

申请号：US13719907

申请日：2012-12-19

申请人： Siddhartha Chhabra ,  Reshma Lal

发明人： Siddhartha Chhabra ,  Reshma Lal

IPC分类号： G06F21/10

CPC分类号： G06F21/10 ,  H04L9/0825 ,  H04L9/32 ,  H04L63/08

摘要： Embodiments of an invention for platform-hardened digital rights management key provisioning are disclosed. In one embodiment, a processor includes an execution unit to execute one or more instructions to create a secure enclave in which to run an application to receive digital rights management information from a provisioning server in response to authentication of the application by a verification server.

摘要翻译： 公开了用于平台硬化的数字版权管理密钥提供的发明的实施例。 在一个实施例中，处理器包括执行单元，用于执行一个或多个指令以创建安全空间，其中响应于验证服务器对应用的认证，运行应用以从供应服务器接收数字版权管理信息。