公开(公告)号：WO2014196963A1

公开(公告)日：2014-12-11

申请号：PCT/US2013/044112

申请日：2013-06-04

Applicant: INTEL CORPORATION ,  LAL, Reshma ,  ZMUDZINSKI, Krystof, C. ,  PAPPACHAN, Pradeep, M. ,  SHELLER, Micah, J.

Inventor： LAL, Reshma ,  ZMUDZINSKI, Krystof, C. ,  PAPPACHAN, Pradeep, M. ,  SHELLER, Micah, J.

IPC: H04L9/00

CPC classification number: H04L63/0428 ,  H04L9/14 ,  H04L9/3223 ,  H04L63/062 ,  H04L63/08 ,  H04L2209/60

Abstract: The present disclosure is directed to an end-to-end secure communication system wherein, in addition to encrypting transmissions between clients, communication-related operations occurring within each client may also be secured. Each client may comprise a secure processing environment to process encrypted communication information received from other clients and locally-captured media information for transmission to other clients. The secure processing environment may include resources to decrypt received encrypted communication information and to process the communication information into media information for presentation by the client. The secure processing environment may also operate in reverse to provide locally recorded audio, image, video, etc. to other clients. Encryption protocols may be employed at various stages of information processing in the client to help ensure that information being transferred between the processing resources cannot be read, copied, altered, etc. In one example implementation, a server may manage interaction between clients, provision encryption keys, etc.

Abstract translation: 本公开涉及一种端到端安全通信系统，其中除了加密客户端之间的传输之外，还可以确保在每个客户端内发生的与通信相关的操作。 每个客户端可以包括用于处理从其他客户端接收的加密通信信息和本地捕获的媒体信息以便传输到其他客户端的安全处理环境。 安全处理环境可以包括用于解密所接收的加密通信信息并将通信信息处理成媒体信息以供客户呈现的资源。 安全处理环境也可以相反地操作，以向其他客户端提供本地记录的音频，图像，视频等。 可以在客户端的信息处理的各个阶段采用加密协议，以帮助确保在处理资源之间传递的信息不能被读取，复制，改变等。在一个示例实现中，服务器可以管理客户端之间的交互，提供加密 钥匙等

公开(公告)号：WO2014196966A1

公开(公告)日：2014-12-11

申请号：PCT/US2013/044158

申请日：2013-06-04

Applicant: INTEL CORPORATION ,  LAL, Reshma ,  MARTIN, Jason ,  SHELLER, Micah J. ,  AMIRFATHI, Michael M. ,  HELDT-SHELLER, Nathan ,  PAPPACHAN, Pradeep M.

Inventor： LAL, Reshma ,  MARTIN, Jason ,  SHELLER, Micah J. ,  AMIRFATHI, Michael M. ,  HELDT-SHELLER, Nathan ,  PAPPACHAN, Pradeep M.

IPC: G06F21/62

CPC classification number: H04N21/64715 ,  G06F21/10 ,  G06F21/72 ,  H04L9/0816 ,  H04L2209/24

Abstract: Technologies for hardening the security of digital information on a client device are described. In some embodiments, the client device includes a secure processing environment such as a secure enclave, which may be used to protect digital information on a client platform. The secure environment(s) may also protect assets which may be used to access the digital information. Using the secure processing environment(s), the described technologies may protect digital information as it is provided to, stored on, accessed on, and/or processed for display by a client device, even if the client device may be infested with malware or subject to attack by another entity.

Abstract translation: 描述了在客户端设备上加强数字信息安全性的技术。 在一些实施例中，客户端设备包括诸如安全飞地之类的安全处理环境，其可以用于保护客户端平台上的数字信息。 安全环境还可以保护可能用于访问数字信息的资产。 使用安全处理环境，所描述的技术可以保护数字信息，因为它被提供给存储，访问和/或处理以供客户端设备显示，即使客户端设备可能被恶意软件或 受另一实体的攻击。

公开(公告)号：WO2014196964A1

公开(公告)日：2014-12-11

申请号：PCT/US2013/044140

申请日：2013-06-04

Applicant: INTEL CORPORATION ,  PAPPACHAN, Pradeep M. ,  LAL, Reshma

Inventor： PAPPACHAN, Pradeep M. ,  LAL, Reshma

IPC: G06F21/30

CPC classification number: H04L9/14 ,  H04L2209/60

Abstract: The present disclosure is directed to application integrity protection via secure interaction and processing. For example, interaction with a user interface in a device may result in input information being generated. Following encryption, the input information may be conveyed to an application executing in a secure processing environment. The encrypted input information may be received, decrypted and processed by the application. An example application may include a secure controller component, a secure model component and a secure view component. The secure controller component may, for example, provide change instructions to the secure model component based on the decrypted input information. The secure model component may then, if necessary, provide a change notification to the secure view component based on the change instructions. The secure view component may then generate output information, which may be encrypted prior to being provided to the user interface for decryption, processing and presentation.

Abstract translation: 本公开涉及通过安全交互和处理的应用完整性保护。 例如，与设备中的用户界面的交互可能导致生成输入信息。 在加密之后，可以将输入信息传送到在安全处理环境中执行的应用。 加密的输入信息可以被应用程序接收，解密和处理。 示例应用可以包括安全控制器组件，安全模型组件和安全视图组件。 例如，安全控制器组件可以基于解密的输入信息向安全模型组件提供改变指令。 然后，如果需要，安全模型组件可以基于改变指令向安全视图组件提供改变通知。 然后，安全视图组件可以生成输出信息，其可以在被提供给用户接口以进行解密，处理和呈现之前被加密。

公开(公告)号：WO2013101084A1

公开(公告)日：2013-07-04

申请号：PCT/US2011/067878

申请日：2011-12-29

Applicant: INTEL CORPORATION ,  PHEGADE, Vinay ,  MARTIN, Jason ,  LAL, Reshma ,  SHELLER, Micah ,  KOHLENBERG, Tobias

Inventor： PHEGADE, Vinay ,  MARTIN, Jason ,  LAL, Reshma ,  SHELLER, Micah ,  KOHLENBERG, Tobias

IPC: G06F21/24 ,  G06F21/20 ,  H04L9/00

CPC classification number: H04L63/062 ,  G06F21/10 ,  G06F21/606 ,  G06F21/84 ,  G06F2221/0797 ,  G09G2358/00 ,  H04L63/0428 ,  H04L63/08 ,  H04L63/1441 ,  H04L67/02

Abstract: A method of enforcing a virtual corporate boundary may include a client device requesting sensitive content from a network site on a server device responsive to a user's interaction with the client device. The server device can determine whether the user and/or client device are permitted to access the sensitive content. A secure element on the client device can establish a session key between the server device and the client device. The server device can render the sensitive content and send it to the client device, which can display the content to the user.

Abstract translation: 实施虚拟公司边界的方法可以包括响应于用户与客户端设备的交互而从服务器设备上的网络站点请求敏感内容的客户端设备。 服务器设备可以确定用户和/或客户端设备是否被允许访问敏感内容。 客户端设备上的安全元素可以在服务器设备和客户端设备之间建立会话密钥。 服务器设备可以呈现敏感内容并将其发送到客户端设备，可以向用户显示内容。

公开(公告)号：WO2014163912A1

公开(公告)日：2014-10-09

申请号：PCT/US2014/018842

申请日：2014-02-27

Applicant: INTEL CORPORATION ,  LAL, Reshma ,  HOEKSTRA, Matthew E.

Inventor： LAL, Reshma ,  HOEKSTRA, Matthew E.

IPC: G06F21/45 ,  H04L9/32

CPC classification number: G06F21/72 ,  G06F21/31 ,  G06F21/57

Abstract: Various embodiments are generally directed to the provision and use of a secure enclave defined within a storage of a computing device by a processor element thereof to store executable instructions of an OTP component implementing logic to generate and use one-time passwords (OTPs) to enable access to services provided by another computing device. An apparatus includes a storage; a first processor element; and first logic to receive a one-time password (OTP) routine, store the OTP routine within a first secure enclave defined by the first processor element within the storage, obtain a measure of the contents of the first secure enclave with the OTP routine stored therein, transmit the first measure to a computing device, and receive an OTP seed. Other embodiments are described and claimed.

Abstract translation: 各种实施例通常涉及提供和使用通过其处理器元件在计算设备的存储器内定义的安全空间，以存储实现逻辑的OTP组件的可执行指令，以生成和使用一次性密码（OTP）来实现 访问由另一计算设备提供的服务。 一种装置包括存储装置; 第一处理器元件; 以及接收一次密码（OTP）例程的第一逻辑，将OTP例程存储在由存储器内的第一处理器元件定义的第一安全空间内，获得存储有OTP例程的第一安全飞地的内容的度量 在其中将第一测量发送到计算设备，并且接收OTP种子。 描述和要求保护其他实施例。

公开(公告)号：WO2017069915A1

公开(公告)日：2017-04-27

申请号：PCT/US2016/053509

申请日：2016-09-23

Applicant: INTEL CORPORATION ,  LAL, Reshma

Inventor： LAL, Reshma ,  VARADARAJAN, Srikanth ,  TRIPLETT, Josh

IPC: H04L9/08 ,  H04L9/32

CPC classification number: H04L63/10 ,  G06F17/30949 ,  H04L63/0236 ,  H04L63/0428 ,  H04L63/083 ,  H04L67/02 ,  H04L67/1097

Abstract: Various system configurations and methods for maintaining, accessing, and utilizing secure data of a web browser in a hardware-managed secure data store are disclosed herein. In an example, operations for management of sensitive data such as passwords may be provided with the use of secure enclaves operating in a trusted execution environment. For example, such secure enclaves may be used for sealing and persisting sensitive data associated with a remote service, and transmitting the sensitive data to the remote service, while an unsealed form of the sensitive data is not accessible outside of the trusted execution environment. In further examples, operations for generating a password, storing or updating existing passwords, and replacing web browser input fields with secure data are disclosed.

Abstract translation: 本文公开了用于维护，访问和利用硬件管理的安全数据存储中的网页浏览器的安全数据的各种系统配置和方法。 在一个示例中，可以通过使用在可信执行环境中操作的安全区来提供用于管理敏感数据（例如密码）的操作。 例如，这样的安全区域可以用于密封和保持与远程服务相关联的敏感数据，并且将敏感数据传输到远程服务，而未密封形式的敏感数据在可信执行环境之外不可访问。 在进一步的示例中，公开了用于生成密码，存储或更新现有密码以及用安全数据替换web浏览器输入字段的操作。

公开(公告)号：WO2015094176A1

公开(公告)日：2015-06-25

申请号：PCT/US2013/075598

申请日：2013-12-17

Applicant: INTEL CORPORATION ,  XING, Bin Cedric ,  LAL, Reshma

Inventor： XING, Bin Cedric ,  LAL, Reshma

IPC: G06F12/14 ,  G06F21/00

CPC classification number: G06F12/1408 ,  G06F3/0622 ,  G06F3/0632 ,  G06F3/0673 ,  G06F9/4406 ,  G06F9/4411 ,  G06F12/0802 ,  G06F12/1009 ,  G06F12/1466 ,  G06F21/53 ,  G06F21/575 ,  G06F21/6218 ,  G06F2212/1052 ,  G06F2212/60

Abstract: Various embodiments are generally directed to techniques to load and run secure enclaves for use by kernel mode applications. An apparatus to provide kernel mode access to a secure enclave includes a kernel mode secure enclave driver to provide user mode support for a kernel mode application and to initialize a secure enclave on behalf of the kernel mode application and a user mode secure enclave manager to process an instruction from the kernel mode application to the secure enclave.

Abstract translation: 各种实施例通常涉及加载和运行安全包层以供内核模式应用使用的技术。 向安全飞地提供内核模式访问的装置包括内核模式安全飞行驱动程序，以为内核模式应用程序提供用户模式支持，并代表内核模式应用程序初始化安全飞地，以及用户模式安全飞地管理程序来处理 从内核模式应用程序到安全飞地的指令。

公开(公告)号：WO2014099028A1

公开(公告)日：2014-06-26

申请号：PCT/US2013/048513

申请日：2013-06-28

Applicant: INTEL CORPORATION ,  CHHABRA, Siddhartha ,  LAL, Reshma

Inventor： CHHABRA, Siddhartha ,  LAL, Reshma

IPC: G06F21/62

CPC classification number: G06F21/10 ,  H04L9/0825 ,  H04L9/32 ,  H04L63/08

Abstract: Embodiments of an invention for platform-hardened digital rights management key provisioning are disclosed. In one embodiment, a processor includes an execution unit to execute one or more instructions to create a secure enclave in which to run an application to receive digital rights management information from a provisioning server in response to authentication of the application by a verification server.

Abstract translation: 公开了用于平台硬化的数字版权管理密钥提供的发明的实施例。 在一个实施例中，处理器包括执行单元，用于执行一个或多个指令以创建安全空间，其中响应于验证服务器对应用的认证，运行应用以从供应服务器接收数字版权管理信息。

公开(公告)号：WO2014084908A1

公开(公告)日：2014-06-05

申请号：PCT/US2013/047257

申请日：2013-06-24

Applicant: INTEL CORPORATION ,  CHHABRA, Siddhartha ,  LAL, Reshma ,  MARTIN, Jason ,  NEMIROFF, Daniel

Inventor： CHHABRA, Siddhartha ,  LAL, Reshma ,  MARTIN, Jason ,  NEMIROFF, Daniel

IPC: G06F21/71 ,  G06F21/00

CPC classification number: G06F21/50 ,  G06F21/54 ,  G06F21/71

Abstract: Embodiments of an invention for virtualizing a hardware monotonic counter are disclosed. In one embodiment, an apparatus includes a hardware monotonic counter, virtualization logic, a first non-volatile storage location, and a second non-volatile storage location. The virtualization logic is to create a virtual monotonic counter from the hardware monotonic counter. The first non-volatile storage location is to store an indicator that the count of the hardware monotonic counter has changed. The second non-volatile storage location is to store an indicator that the count of the virtual monotonic counter has changed.

Abstract translation: 公开了用于虚拟化硬件单调计数器的发明的实施例。 在一个实施例中，装置包括硬件单调计数器，虚拟化逻辑，第一非易失性存储位置和第二非易失性存储位置。 虚拟化逻辑是从硬件单调计数器创建一个虚拟单调计数器。 第一个非易失性存储位置是存储硬件单调计数器的计数改变的指示符。 第二非易失性存储位置是存储虚拟单调计数器的计数改变的指示符。

公开(公告)号：WO2015094277A1

公开(公告)日：2015-06-25

申请号：PCT/US2013/076525

申请日：2013-12-19

Applicant: INTEL CORPORATION ,  SMITH, Ned M. ,  HELDT-SHELLER, Nathan ,  LAL, Reshma ,  SHELLER, Micah J. ,  HOEKSTRA, Matthew E.

Inventor： SMITH, Ned M. ,  HELDT-SHELLER, Nathan ,  LAL, Reshma ,  SHELLER, Micah J. ,  HOEKSTRA, Matthew E.

IPC: G06F21/10

CPC classification number: H04L63/10 ,  G06F21/10 ,  G06F2221/0708 ,  H04L67/42

Abstract: Technologies for supporting and implementing multiple digital rights management protocols on a client device are described. In some embodiments, the technologies include a client device having an architectural enclave which may function to identify one of a plurality of digital rights management protocols for protecting digital information to be received from a content provider or a sensor. The architectural enclave select a preexisting secure information processing environment (SIPE) to process said digital information, if a preexisting SIPE supporting the DRM protocol is present on the client. If a preexisting SIPE supporting the DRM protocol is not present on the client, the architectural enclave may general a new SIPE that supports the DRM protocol on the client. Transmission of the digital information may then be directed to the selected preexisting SIPE or the new SIPE, as appropriate.

Abstract translation: 描述了在客户端设备上支持和实现多个数字版权管理协议的技术。 在一些实施例中，这些技术包括具有架构区域的客户端设备，其可以用于识别用于保护要从内容提供商或传感器接收的数字信息的多个数字版权管理协议中的一个。 如果在客户端上存在支持DRM协议的预先存在的SIPE，那么建筑飞地选择预先存在的安全信息处理环境（SIPE）来处理所述数字信息。 如果客户端上不存在支持DRM协议的预先存在的SIPE，那么该架构可以通用一个支持客户端DRM协议的新SIPE。 然后可以适当地将数字信息的传输指向所选择的预先存在的SIPE或新的SIPE。