公开(公告)号：US20070005992A1

公开(公告)日：2007-01-04

申请号：US11173851

申请日：2005-06-30

申请人： Travis Schluessler ,  David Durham ,  George Cox ,  Karanvir Grewal

发明人： Travis Schluessler ,  David Durham ,  George Cox ,  Karanvir Grewal

IPC分类号： H04L9/00 ,  G06F12/14 ,  H04L9/32 ,  G06F11/30

CPC分类号： G06F21/54 ,  H04L9/004 ,  H04L9/3236 ,  H04L63/123 ,  H04L63/126 ,  H04L63/20 ,  H04L2209/60

摘要： A measurement engine performs active platform observation. A program includes an integrity manifest to indicate an integrity check value for a section of the program's source code. The measurement engine computes a comparison value on the program's image in memory and determines if the comparison value matches the expected integrity check value. If the values do not match, the program's image is determined to be modified, and appropriate remedial action can be triggered. The integrity manifest can include a secure signature to verify the validity of the integrity manifest.

摘要翻译： 测量引擎执行主动平台观察。 程序包括一个完整性清单，用于指示程序源代码的一部分的完整性检查值。 测量引擎计算内存中程序映像的比较值，并确定比较值是否与预期的完整性校验值相匹配。 如果值不匹配，则确定程序的图像被修改，并且可以触发适当的补救动作。 完整性清单可以包括安全签名以验证完整性清单的有效性。

公开(公告)号：US20070005572A1

公开(公告)日：2007-01-04

申请号：US11170491

申请日：2005-06-29

申请人： Travis Schluessler ,  Priya Rajagopal ,  Ray Steinberger ,  Tisson Mathew ,  Arun Preetham ,  Ravi Sahita ,  David Durham ,  Karanvir Grewal

发明人： Travis Schluessler ,  Priya Rajagopal ,  Ray Steinberger ,  Tisson Mathew ,  Arun Preetham ,  Ravi Sahita ,  David Durham ,  Karanvir Grewal

IPC分类号： G06F17/30

CPC分类号： G06F9/546 ,  G06F9/541 ,  G06F2209/548 ,  Y10S707/99931 ,  Y10S707/99933

摘要： According to some embodiments, a system provides a resource service module, a resource data record repository, and a provider module. The resource service module exposes an interface, receives an invocation of the interface from a system management module, and requests managed resource data associated with a manageable resource based on the invocation. The resource data record repository includes a resource data record indicating a memory location of a managed host in which the managed resource data is stored, and the provider module receives the request and to retrieve the managed resource data from the memory location of the managed host.

摘要翻译： 根据一些实施例，系统提供资源服务模块，资源数据记录库和提供者模块。 资源服务模块公开接口，从系统管理模块接收对接口的调用，并且基于该调用请求与可管理资源相关联的被管理的资源数据。 资源数据记录存储库包括指示被管理的主机的存储器位置的资源数据记录，其中管理的资源数据被存储在其中，并且提供者模块接收该请求并从被管理的主机的存储器位置检索被管理的资源数据。

公开(公告)号：US08375430B2

公开(公告)日：2013-02-12

申请号：US11475751

申请日：2006-06-27

申请人： Karanvir Grewal ,  Kapil Sood ,  Travis Schluessler ,  Hormuzd M. Khosravi

发明人： Karanvir Grewal ,  Kapil Sood ,  Travis Schluessler ,  Hormuzd M. Khosravi

IPC分类号： G06F7/04 ,  G06F15/16 ,  G06F17/30 ,  H04L29/06

CPC分类号： H04L9/3234 ,  H04L9/3271 ,  H04L63/162 ,  H04W12/06

摘要： Secure re-authentication of host devices roaming between different connection and/or access points within a network controlled by the same administrative domain is described. Platform overhead associated with exchanging information for authentication and/or validation on each new connection during mobility is reduced by enabling prior authenticated network access to influence subsequent network access.

摘要翻译： 描述在由相同管理域控制的网络内的不同连接和/或接入点之间漫游的主机设备的安全重新认证。 通过使先前的经过身份验证的网络访问来影响后续网络访问，减少了在移动性期间在每个新连接上交换用于认证和/或验证的信息的平台开销。

公开(公告)号：US20080022354A1

公开(公告)日：2008-01-24

申请号：US11475751

申请日：2006-06-27

申请人： Karanvir Grewal ,  Kapil Sood ,  Travis Schluessler ,  Hormuzd M. Khosravi

发明人： Karanvir Grewal ,  Kapil Sood ,  Travis Schluessler ,  Hormuzd M. Khosravi

IPC分类号： H04L9/00

CPC分类号： H04L9/3234 ,  H04L9/3271 ,  H04L63/162 ,  H04W12/06

摘要： Secure re-authentication of host devices roaming between different connection and/or access points within a network controlled by the same administrative domain is described. Platform overhead associated with exchanging information for authentication and/or validation on each new connection during mobility is reduced by enabling prior authenticated network access to influence subsequent network access.

摘要翻译： 描述在由相同管理域控制的网络内的不同连接和/或接入点之间漫游的主机设备的安全重新认证。 通过使先前的经过身份验证的网络访问来影响后续网络访问，减少了在移动性期间在每个新连接上交换用于认证和/或验证的信息的平台开销。

公开(公告)号：US07739724B2

公开(公告)日：2010-06-15

申请号：US11174205

申请日：2005-06-30

申请人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

发明人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

IPC分类号： G06F21/00

CPC分类号： H04L63/10 ,  G06F2221/2141 ,  H04L9/3234 ,  H04L9/3247 ,  H04L9/3263 ,  H04L63/0209 ,  H04L63/08 ,  H04L63/20

摘要： Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

公开(公告)号：US20090119510A1

公开(公告)日：2009-05-07

申请号：US11935783

申请日：2007-11-06

申请人： Men Long ,  Jesse Walker ,  David Durham ,  Marc Millier ,  Karanvir Grewal ,  Prashant Dewan ,  Uday Savagaonkar ,  Steven D. Williams

发明人： Men Long ,  Jesse Walker ,  David Durham ,  Marc Millier ,  Karanvir Grewal ,  Prashant Dewan ,  Uday Savagaonkar ,  Steven D. Williams

IPC分类号： H04L9/32

CPC分类号： H04L63/0428 ,  H04L9/0631 ,  H04L9/3242 ,  H04L63/08 ,  H04L63/1466 ,  H04L63/168 ,  H04L2209/12 ,  H04L2209/38

摘要： End-to-end security between clients and a server, and traffic visibility to intermediate network devices, achieved through combined mode, single pass encryption and authentication using two keys is disclosed. In various embodiments, a combined encryption-authentication unit includes a cipher unit and an authentication unit coupled in parallel to the cipher unit, and generates an authentication tag using an authentication key in parallel with the generation of the cipher text using an encryption key, where the authentication and encryption key have different key values. In various embodiments, the cipher unit operates in AES counter mode, and the authentication unit operates in parallel, in AES-GMAC mode Using a two key, single pass combined mode algorithm preserves network performance using a limited number of HW gates, while allowing an intermediate device access to the encryption key for deciphering the data, without providing that device the ability to compromise data integrity, which is preserved between the end to end devices.

摘要翻译： 公开了客户机与服务器之间的端到端安全性，以及通过组合模式，单程加密和使用两个密钥的认证实现的对中间网络设备的流量可见性。 在各种实施例中，组合加密认证单元包括与密码单元并行耦合的密码单元和认证单元，并且使用加密密钥与密文生成并行地使用认证密钥生成认证标签，其中 认证和加密密钥具有不同的密钥值。 在各种实施例中，密码单元以AES计数器模式运行，并且认证单元以AES-GMAC模式并行操作。使用双键单通组合模式算法使用有限数量的HW门保留网络性能，同时允许 中间设备访问用于解密数据的加密密钥，而不提供该设备损害数据完整性的能力，这在端到端设备之间保留。

公开(公告)号：US20100162356A1

公开(公告)日：2010-06-24

申请号：US12714979

申请日：2010-03-01

申请人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

发明人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

IPC分类号： G06F17/30

CPC分类号： H04L63/0227

摘要： A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

摘要翻译： 一种方法，其包括从耦合到网络的平台上的访问请求者发起网络访问请求，所述网络访问请求发送到网络的策略决策点。 该方法还包括在策略决策点和平台上的策略执行点之间的通信链路上建立安全通信信道。 通过另一个通信链路建立另一个安全通信信道。 另一个通信链路至少在平台上驻留的策略执行点和可管理引擎之间。 可管理性引擎经由另一个安全通信信道转发与访问请求者相关联的姿势信息。 然后，姿势信息经由策略执行点和策略决策点之间的安全通信信道被转发到策略决策点。 策略决策点基于姿势信息与一个或多个网络管理策略的比较来指示访问请求者可以获得哪些访问到网络。

公开(公告)号：US20100107224A1

公开(公告)日：2010-04-29

申请号：US12655024

申请日：2009-12-22

申请人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

发明人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

IPC分类号： G06F17/00

CPC分类号： H04L63/10 ,  G06F2221/2141 ,  H04L9/3234 ,  H04L9/3247 ,  H04L9/3263 ,  H04L63/0209 ,  H04L63/08 ,  H04L63/20

摘要： Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

摘要翻译： 允许固件代理在主机平台上作为防篡改代理操作的体系结构和技术，可在主机平台上用作受信任的策略执行点（PEP），即使主机操作系统受到威胁也可执行策略。 PEP可用于在主机平台上打开访问控制和/或修复通道。 固件代理还可以根据授权的企业PDP实体在主机平台上作为本地策略决策点（PDP），通过在主机信任代理不响应时提供策略，并且当主机信任时可以用作被动代理 代理功能。

公开(公告)号：US20060227773A1

公开(公告)日：2006-10-12

申请号：US11096843

申请日：2005-03-30

申请人： Karanvir Grewal ,  David Durham

发明人： Karanvir Grewal ,  David Durham

IPC分类号： H04L9/00 ,  H04L12/56

CPC分类号： H04L63/123

摘要： Provided are a techniques for storing information in a packet. A data integrity operation is performed over one portion of the packet to calculate an integrity check value using a secret key. The data transformation operation is performed over another selectable portion of the packet to store the integrity check value in the other portion of the packet, without increasing a size of the packet. Other embodiments are described and claimed.

公开(公告)号：US08671439B2

公开(公告)日：2014-03-11

申请号：US12460736

申请日：2009-07-23

申请人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

发明人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

IPC分类号： G06F21/00

CPC分类号： H04L63/10 ,  G06F2221/2141 ,  H04L9/3234 ,  H04L9/3247 ,  H04L9/3263 ,  H04L63/0209 ,  H04L63/08 ,  H04L63/20

摘要： Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

摘要翻译： 允许固件代理在主机平台上作为防篡改代理操作的体系结构和技术，可在主机平台上用作受信任的策略执行点（PEP），即使主机操作系统受到威胁也可执行策略。 PEP可用于在主机平台上打开访问控制和/或修复通道。 固件代理还可以根据授权的企业PDP实体在主机平台上作为本地策略决策点（PDP），通过在主机信任代理不响应时提供策略，并且当主机信任时可以用作被动代理 代理功能。