Secure Credential Unlock Using Trusted Execution Environments
    2.
    Patent application
    Secure Credential Unlock Using Trusted Execution Environments (in force)

    Publication No.: US20130013928A1

    Publication date: 2013-01-10

    Application No.: US13176735

    Filing date: 2011-07-05

    IPC classification: G06F21/00

    Abstract: Computing devices utilizing trusted execution environments as virtual smart cards are designed to support expected credential recovery operations when a user credential, e.g., personal identification number (PIN), password, etc., has been forgotten or is unknown. A computing device generates a cryptographic key that is protected with a PIN unlock key (PUK) provided by an administrative entity. If the user PIN cannot be input to the computing device, the PUK can be input to unlock the locked cryptographic key and thereby provide access to protected data. A computing device can also, or alternatively, generate a group of challenges and formulate responses thereto. The formulated responses are each used to secure a computing device cryptographic key. If the user PIN cannot be input to the computing device, an entity may request a challenge. The computing device issues a challenge from the set of generated challenges. Upon receiving a valid response back, the computing device can unlock the secured computing device cryptographic key associated with the issued challenge and subsequently provide access to protected data.

    REGULATING ACCESS USING INFORMATION REGARDING A HOST MACHINE OF A PORTABLE STORAGE DRIVE
    5.
    Patent application
    REGULATING ACCESS USING INFORMATION REGARDING A HOST MACHINE OF A PORTABLE STORAGE DRIVE (in force)

    Publication No.: US20130145440A1

    Publication date: 2013-06-06

    Application No.: US13327013

    Filing date: 2011-12-15

    IPC classification: H04L9/32 G06F21/20

    Abstract: Described herein are techniques for regulating access to a remote resource using two-factor authentication based on information regarding a host machine of a portable storage drive that stores an operating system that is booted by the host machine. The information regarding the host machine of a portable storage drive may be used as a second factor in a two-factor authentication. Such information regarding the host machine may include, in some embodiments, information retrieved from a secure storage of the host machine, such as from a cryptoprocessor of the host machine. The information may include an identifier for the host machine or may be a user credential pre-provisioned to the host machine to be used in two-factor authentication.

    REGULATING ACCESS USING INFORMATION REGARDING A HOST MACHINE OF A PORTABLE STORAGE DRIVE
    6.
    Patent application
    REGULATING ACCESS USING INFORMATION REGARDING A HOST MACHINE OF A PORTABLE STORAGE DRIVE (in force)

    Publication No.: US20130145139A1

    Publication date: 2013-06-06

    Application No.: US13309204

    Filing date: 2011-12-01

    Abstract: Described herein are techniques for regulating access to a portable storage drive, that stores an operating system securely, using information regarding a host machine. In accordance with some of the techniques described herein, when a portable storage drive that stores an operating system securely is to be accessed by a host machine, information regarding the host machine, such as information regarding the hardware of the host machine, may be retrieved and evaluated to determine whether to grant access to the host machine. When the host machine is granted access, the host machine may access secured data stored on the portable storage drive in any suitable manner. In some cases, accessing the secured data may include decrypting the secured data and transferring decrypted data to another storage of the host machine. The decrypted information may include an operating system that is booted by the host machine.
