METHOD AND DEVICE FOR SECURELY SHARING IMAGES ACROSS UNTRUSTED CHANNELS
    1.
    Invention application
    Status: under examination, published

    Publication number: WO2013039476A1

    Publication date: 2013-03-21

    Application number: PCT/US2011/051261

    Filing date: 2011-09-12

    Abstract: A method and device for securely sharing images across untrusted channels includes downloading an encrypted image from a remote server to a computing device. The encrypted image may be encrypted at the time of uploading by another user. The current user of the computing device is authenticated using a facial recognition procedure. If the current user is authenticated and is determined to be authorized to view the decrypted image, the encrypted image is decrypted and displayed to the user. If the user becomes unauthenticated (e.g., the user leaves the computing device or another user replaces the current user), the encrypted image is displayed in place of the decrypted image such that the decrypted image is displayed only for authorized persons physically present at the computing device.

    PRESERVING IMAGE PRIVACY WHEN MANIPULATED BY CLOUD SERVICES
    3.
    Invention application
    Status: under examination, published

    Publication number: WO2013089758A1

    Publication date: 2013-06-20

    Application number: PCT/US2011/065284

    Filing date: 2011-12-15

    Abstract: An apparatus and method for preserving image privacy when manipulated by cloud services includes middleware for receiving an original image and splitting the original image into two sub-images, where the RGB pixel values of the sub-images have a bit value that is less than the RGB pixel values of the original image. The sub-images are encrypted by adding a keystream to the RGB pixel values of the sub-images. The sub-image data is transmitted to a cloud service such as a social network or photo-sharing site, which manipulates the images by resizing, cropping, filtering, or the like. The sub-image data is received by the middleware and is successfully decrypted irrespective of the manipulations performed by the cloud services. In an alternative embodiment, the blocks of the original image are permutated when encrypted, and then reverse-permutated when decrypted.

    ESTABLISHING, AT LEAST IN PART, SECURE COMMUNICATION CHANNEL BETWEEN NODES SO AS TO PERMIT INSPECTION, AT LEAST IN PART, OF ENCRYPTED COMMUNICATION CARRIED OUT, AT LEAST IN PART, BETWEEN THE NODES
    5.
    Invention application
    Status: under examination, published

    Publication number: WO2011094096A3

    Publication date: 2011-12-01

    Application number: PCT/US2011021627

    Filing date: 2011-01-19

    Abstract: An embodiment may include circuitry to establish, at least in part, a secure communication channel between, at least in part, a client in a first domain and a server in a second domain. The channel may include first and second domain sessions in the first and second domains. The circuitry may generate first and second domain session keys that may encrypt, at least in part, respectively, the first and second domain sessions. The first domain session key may be generated based upon a first domain key assigned to the first domain and a first data set associated with the first domain session. The second domain session key may be generated based upon a second domain key assigned to the second domain and a second data set associated with the second domain session.

    DETECTION OF NETWORK ENVIRONMENT
    6.
    Invention application
    Status: under examination, published

    Publication number: WO2008005697A1

    Publication date: 2008-01-10

    Application number: PCT/US2007/071835

    Filing date: 2007-06-20

    Abstract: A method and apparatus for detection of network environment to aid policy selection for network access control. An embodiment of a method includes receiving a request to connect a device to a network and, if a security policy is received for the connection of the device, applying the policy for the device. If a security policy for the connection of the device is not received, the domain of the device is determined by determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain, which allows selection of an appropriate domain / environment specific policy.

    END-POINT BASED TAMPER RESISTANT CONGESTION MANAGEMENT
    7.
    Invention application
    Status: under examination, published

    Publication number: WO2008005696A1

    Publication date: 2008-01-10

    Application number: PCT/US2007/071834

    Filing date: 2007-06-21

    CPC classification number: H04L47/10 H04L47/14 H04L47/20 H04L47/31 H04L47/32

    Abstract: In an embodiment, a method is provided. The method of this embodiment provides monitoring flow statistics on a system to identify one or more non-compliant traffic flows on the system, each of the one or more non-compliant traffic flows having packets; assigning a tag to each of the one or more non-compliant traffic flows, each of the tags corresponding to one of at least one congestion management policy; and applying one of the tags to each of the packets associated with any of the non-compliant traffic flows.

    MITIGATING UNAUTHORIZED ACCESS TO DATA TRAFFIC
    8.
    Invention application
    Status: under examination, published

    Publication number: WO2014039665A1

    Publication date: 2014-03-13

    Application number: PCT/US2013/058239

    Filing date: 2013-09-05

    Abstract: One particular example implementation of an apparatus for mitigating unauthorized access to data traffic comprises: an operating system stack to allocate unprotected kernel transfer buffers; a hypervisor to allocate protected memory data buffers, where data is to be stored in the protected memory data buffers before being copied to the unprotected kernel transfer buffers; and an encoder module to encrypt the data stored in the protected memory data buffers, where the unprotected kernel transfer buffers receive a copy of the encrypted data.

    MEDIA ENCRYPTION BASED ON BIOMETRIC DATA
    9.
    Invention application
    Status: under examination, published

    Publication number: WO2014022062A1

    Publication date: 2014-02-06

    Application number: PCT/US2013/049701

    Filing date: 2013-07-09

    Abstract: Embodiments of techniques and systems for biometric-data-based media encryption are described. In embodiments, an encryption key may be created for a recipient user based at least in part on biometric data of the recipient user. This encryption key may be maintained on a key maintenance component and used by a sharing user to encrypt a media file for access by the recipient user. One or more access policies associated with the recipient user may be encrypted in the encrypted media file as well. In embodiments, the media file may be encrypted for use by multiple recipient users. When a recipient user desires to access the encrypted media file, a decryption key may be generated in real time based on contemporaneously captured biometric data and used to provide access to the encrypted media file. Other embodiments may be described and claimed.

    TURING TEST BASED USER AUTHENTICATION AND USER PRESENCE VERIFICATION SYSTEM, DEVICE, AND METHOD
    10.
    Invention application
    Status: under examination, published

    Publication number: WO2013100898A1

    Publication date: 2013-07-04

    Application number: PCT/US2011/067367

    Filing date: 2011-12-27

    CPC classification number: G06F21/32 G06K9/00288 G06K9/00899

    Abstract: A password-less method for authenticating a user includes capturing one or more images of a face of the user and comparing the one or more images with a previously collected face template. Randomly selected colored light and randomized blinking patterns are used to capture the images of the user. Such captured images are compared to previously collected face templates, thereby thwarting spoof attacks. A secret image, known only to the user and the device, is moved from one area of the display to another randomly selected area, using the movements of the user's head or face, thereby providing a Turing based challenge. Protected audio video path (PAVP) enabled devices and components are used to protect the challenge from malware attacks.
