公开(公告)号：WO2018048723A1

公开(公告)日：2018-03-15

申请号：PCT/US2017/049666

申请日：2017-08-31

Applicant: THE CHARLES STARK DRAPER LABORATORY, INC.

Inventor： VIGEANT, Richard, L. ,  DE LA SERNA, Antonio, E.

IPC: H03K19/23 ,  G06F21/71

CPC classification number: H03K19/23 ,  G06F11/08 ,  G06F13/28 ,  G06F13/32 ,  G06F21/57 ,  G06F21/71 ,  G06F2211/1097 ,  G07C13/02 ,  H03K19/0813 ,  H03K25/02

Abstract: Systems and methods for trusted integration of untrusted components. An example system includes at least three electrical components and voting (consensus) circuitry. The components have varied hierarchical implementations for providing common output given common input. The voting circuitry is configured to receive, as input, outputs from the components and provide a consensus output that is a majority of the outputs received from the components. Such a diversity of multiple untrusted system components (hardware and/or software) engaged in redundant operation can be integrated to as a consensus-based trusted system with a high degree of fault tolerance to unforeseen environmental interference, cyberattack, supply chain counterfeit, inserted Trojan logic, or component design flaws. The degree of fault tolerance can be increased by increasing the degree of diversity of redundant operational nodes or by increasing the number of diversely implemented operational nodes.

Abstract translation:

用于不可信组件可信集成的系统和方法。 示例系统包括至少三个电子组件和投票（共识）电路。 这些组件具有不同的等级实现，以提供公共输出的共同输出。 表决电路被配置为接收来自组件的输出作为输入，并提供作为从组件接收的输出的大部分的共识输出。 从事冗余操作的多种不可信系统组件（硬件和/或软件）的这种多样性可以集成为基于共识的可信系统，具有高度容错性，以预知不可预见的环境干扰，网络攻击，供应链假冒，插入的木马 逻辑或组件设计缺陷。 通过增加冗余操作节点的多样性程度或增加不同实施的操作节点的数量，可以提高容错的程度。

公开(公告)号：WO01027722A1

公开(公告)日：2001-04-19

申请号：PCT/GB2000/003613

申请日：2000-09-19

IPC: G06F9/445 ,  G06F1/00 ,  G06F21/57

CPC classification number: G06F21/575 ,  G06F21/57 ,  G06F2211/009 ,  G06F2211/1097 ,  G06F2221/2101 ,  G06F2221/2105 ,  G06F2221/2143 ,  G06F2221/2153

Abstract: A computing entity comprises a trusted monitoring component having a first processing means and a first memory means, the trusted monitoring component being a self-contained autonomous data processing unit, and a computer platform having a main processing means and a main memory area, along with a plurality of associated physical and logical resources such as peripheral devices including printers, modems, application programs, operating systems and the like. The computer platform is capable of entering a plurality of different states of operation, each state of operation having a different level of security and trustworthiness. Selected ones of the states comprise trusted states in which a user can enter sensitive confidential information with a high degree of certainty that the computer platform has not been compromised by external influences such as viruses, hackers or hostile attacks. To enter a trusted state, references made automatically to the trusted component, and to exit a trusted state reference must be made to the trusted component. On exiting the trusted state, all references to the trusted state are deleted from the computer platform. On entering the trusted state, the state is entered in a reproducible and known manner, having a reproducible and known configuration which is confirmed by the trusted component.

Abstract translation: 计算实体包括具有第一处理装置和第一存储装置的信任监视组件，所述可信监视组件是独立的自主数据处理单元，以及具有主处理装置和主存储区域的计算机平台，以及 多个关联的物理和逻辑资源，诸如包括打印机，调制解调器，应用程序，操作系统等的外围设备。 计算机平台能够输入多种不同的操作状态，每种操作状态具有不同的安全性和可信度。 所选择的状态包括可信状态，用户可以高度确定地输入敏感的机密信息，使得计算机平台未被诸如病毒，黑客或敌对攻击之类的外部影响所影响。 要进入受信任状态，必须对受信任的组件进行自动对可信组件的引用，并退出可信状态引用。 退出可信状态后，从计算机平台中删除对受信任状态的所有引用。 在进入可信状态时，以可再现和已知的方式输入状态，具有由可信部件确认的可再现和已知配置。

公开(公告)号：WO00073904A1

公开(公告)日：2000-12-07

申请号：PCT/GB2000/002003

申请日：2000-05-25

IPC: G06F1/00 ,  G06F11/00 ,  G06F12/14 ,  G06F21/56 ,  G06F21/57 ,  G06F21/64

CPC classification number: G06F21/567 ,  G06F21/566 ,  G06F21/57 ,  G06F21/64 ,  G06F2207/7219 ,  G06F2211/009 ,  G06F2211/1097

Abstract: A method of security monitoring of data files in a computer platform is carried out by a trusted component having a processor and trusted memory area. The method comprises creating one or a plurality of data files in an untrusted memory area of said computing platform, for each created data file, periodically generating a digest data by applying a hash function to each data file, storing the digest data in a trusted memory area and for each file periodically comparing a current digest data of the file with a previously generated digest data of the file. Any differences between a previous and a current digest data indicate that a file in the untrusted memory area has been corrupted.

Abstract translation: 由计算机平台中的数据文件进行安全监控的方法由具有处理器和可信存储器区域的可信部件执行。 该方法包括在每个创建的数据文件的所述计算平台的不受信任的存储器区域中创建一个或多个数据文件，通过对每个数据文件应用散列函数来周期性地生成摘要数据，将摘要数据存储在可信存储器 区域，并且对于每个文件，周期性地将文件的当前摘要数据与先前生成的文件的摘要数据进行比较。 之前和当前摘要数据之间的任何差异表明不可信内存区域中的文件已损坏。

公开(公告)号：WO98058306A1

公开(公告)日：1998-12-23

申请号：PCT/US1998/012686

申请日：1998-06-17

IPC: G06F1/00 ,  G06F12/14 ,  G06F21/00 ,  G06Q20/00 ,  G07F7/00

CPC classification number: G07F17/0014 ,  G06F12/1408 ,  G06F21/10 ,  G06F21/125 ,  G06F21/565 ,  G06F2211/007 ,  G06F2211/008 ,  G06F2211/1097 ,  G06F2221/0786 ,  G06F2221/2137 ,  G06Q20/12 ,  G06Q20/38215 ,  G06Q30/0607

Abstract: A method and system for facilitating digital commerce using a secure digital commerce system is provided. The secure digital commerce system is arranged according to a client/server architecture and includes a modularized DCS client and DCS server. The DCS client and the DCS server are incorporated into an online purchasing system, such as a virtual store, to perform the purchase and online delivery of electronic content. The DCS client includes a set of components which include a secured copy of the merchandise and various components needed to license and purchase the merchandise and to unsecure and process (e.g., execute) the licensed merchandise. The DCS client communicates with the DCS server to download the components onto a customer's computer system and to license and purchase a requested item of merchandise. The DCS server, which includes a content supplier server, a licensing and purchasing broker, and a payment processing function, supplies merchandise-specific components and licenses the requested item of merchandise by generating an electronic certificate. The eletronic certificate contains license parameters that are specific to the requested merchandise and an indicated purchasing option. Once a valid eletronic license certificate for the requested merchandise is received by the DCS client, the merchandise is made available to the customer for use in accordance with the licensing parameters contained in the electronic license certificate.

Abstract translation: 提供了一种使用安全数字商务系统促进数字商务的方法和系统。 安全数字商务系统根据客户端/服务器架构进行安排，并包括模块化的DCS客户端和DCS服务器。 DCS客户端和DCS服务器被并入到诸如虚拟商店的在线采购系统中，以执行电子内容的购买和在线传送。 DCS客户端包括一组组件，其包括商品的安全副本和许可和购买商品所需的各种组件，并且不安全地（例如执行）许可的商品。 DCS客户端与DCS服务器进行通信，将组件下载到客户的计算机系统上，并许可并购买所请求的商品。 包括内容供应商服务器，许可和采购经纪人以及支付处理功能的DCS服务器通过生成电子证书来提供商品特定组件并许可所请求的商品。 电子证书包含特定于所请求商品的许可证参数和指定的购买选项。 一旦由DCS客户接收到所请求商品的有效电子许可证书，则根据电子许可证书中包含的许可参数，商品可供客户使用。

公开(公告)号：WO9825372A2

公开(公告)日：1998-06-11

申请号：PCT/IL9700380

申请日：1997-11-20

Applicant: VOLTAIRE ADVANCED DATA SECURIT

Inventor： DIAMANT EREZ ,  PRESCHER AMIR

IPC: G06F12/14 ,  G06F1/00 ,  G06F13/00 ,  G06F21/00 ,  G06F21/24 ,  H04L29/06 ,  H04L

CPC classification number: G06F21/606 ,  G06F21/55 ,  G06F21/554 ,  G06F21/80 ,  G06F21/83 ,  G06F21/84 ,  G06F2207/7219 ,  G06F2211/1097 ,  H04L29/06 ,  H04L63/04 ,  H04L63/1408

Abstract: Communication apparatus including a public network, a secured network, a plurality of public nodes connected to the public network and a plurality of secured nodes connected to the secured network and to the public network. The nodes including means for communicating therebetween over the networks, wherein each secured node includes a communication controller, a computer system and a secured storage area. A secured node divides a confidential message into at least two segments and transmits the segments via the networks wherein at least a selected one of the segments is transmitted via at least one of the secured networks. The communication controller is also operative to disconnect the secured storage area from the computer station and the public network when the communication between the computer station and the public network is in progress.

Abstract translation: 包括公共网络，安全网络，连接到公共网络的多个公共节点以及连接到安全网络和公共网络的多个安全节点的通信设备。 所述节点包括用于在网络之间进行通信的装置，其中每个安全节点包括通信控制器，计算机系统和安全存储区域。 安全节点将机密消息划分成至少两个段，并且经由网络发送段，其中经由安全网络中的至少一个来传送段中的至少一个。 当计算机站和公共网络之间的通信正在进行时，通信控制器还可操作以将安全存储区域与计算机站和公共网络断开连接。

公开(公告)号：WO0142889A2

公开(公告)日：2001-06-14

申请号：PCT/US0042678

申请日：2000-12-07

Applicant: MICROSOFT CORP

Inventor： ENGLAND PAUL

IPC: G06F1/00 ,  G06F9/445 ,  G06F21/00 ,  G06F21/22

CPC classification number: G06F21/33 ,  G06F9/4416 ,  G06F21/121 ,  G06F2211/1097

Abstract: Each software component loaded for a verified operating system on a client computer must satisfy a set of boot rules for a boot certificate. A verified operating system identifier is created from the boot certificate. The boot certificate is published and signed by a boot authority that attests to the validity of the operating system booted under the boot certificate. Each software component for the operating system is associated with a component certificate published and signed by the same boot authority that signed the boot certificate. The boot rules determine the validity of the software component based on the contents of the component and boot certificates. The client computer transmits the verified operating system identity and the boot certificate to a server computer, such as a content provider, and the content provider determines whether to trust the verified operating system with its content. Downloaded data is secured on permanent storage through a key derived from the verified operating system identifier. The boot certificate, component certificates, and secured content define the boot domain.

Abstract translation: 为客户端计算机上的经过验证的操作系统加载的每个软件组件必须满足一组引导证书的引导规则。 从引导证书创建验证的操作系统标识符。 引导证书由引导权限发布和签名，该引导证书证明在引导证书下启动的操作系统的有效性。 用于操作系统的每个软件组件与由签名引导证书的相同引导权限发布和签名的组件证书相关联。 引导规则基于组件和引导证书的内容来确定软件组件的有效性。 客户端计算机将验证的操作系统身份和引导证书发送到诸如内容提供商的服务器计算机，并且内容提供商确定是否以其内容信任已验证的操作系统。 下载的数据通过从验证的操作系统标识符导出的密钥保护在永久存储上。 启动证书，组件证书和安全内容定义了引导域。

公开(公告)号：WO00048062A1

公开(公告)日：2000-08-17

申请号：PCT/GB2000/000504

申请日：2000-02-15

IPC: G06F9/06 ,  G06F1/00 ,  G06F12/14 ,  G06F21/34 ,  G06F21/57 ,  G06F21/60 ,  G06F21/64 ,  G06F21/85

CPC classification number: G06F21/85 ,  G06F21/34 ,  G06F21/57 ,  G06F21/606 ,  G06F21/64 ,  G06F2207/7219 ,  G06F2211/008 ,  G06F2211/009 ,  G06F2211/1097 ,  G06F2221/2103

Abstract: A computing apparatus comprises a plurality of hardware modules (102, 104, 106) and a shared communication infrastructure (110) by which the modules can communicate with each other in the usual way. In order to increase the level of trust and security in the apparatus, a trusted hardware module (120) is also provided and is connected to the other modules by respective communication paths (122a; 122b; 122c), distinct from the communication infrastructure, by which each of those modules can communicate directly with the trusted module but cannot communicate directly with any other of the modules. The trusted module can therefore have secure communications, for example of "unsafe" data, with each of the other modules without any of the remaining modules eavesdropping, and the trusted module can route unsafe data between any pair of the other modules, or decline to provide such routing, for example in dependance on policy stored in the trusted module.

Abstract translation: 计算设备包括多个硬件模块（102,104,106）和共享通信基础设施（110），通过该共享通信基础设施（110），模块可以以通常的方式彼此通信。 为了增加设备中的信任和安全级别，还提供可信硬件模块（120），并且通过与通信基础设施不同的相应通信路径（122a; 122b; 122c），通过与通信基础设施不同的通信路径 这些模块中的每一个可以与可信任模块直接通信，但是不能与任何其他模块直接通信。 因此，可信模块可以具有诸如“不安全”数据的安全通信，其中每个其他模块没有任何剩余的模块窃听，并且可信模块可以在任何一对其他模块之间路由不安全数据，或者拒绝 提供这样的路由，例如依赖于存储在可信模块中的策略。

公开(公告)号：WO99047989A1

公开(公告)日：1999-09-23

申请号：PCT/US1999/005218

申请日：1999-03-10

IPC: G06F21/32 ,  G06F21/57 ,  G06F1/00

CPC classification number: G06F21/575 ,  G06F21/32 ,  G06F2211/1097

Abstract: The present invention is a system and a method for the use of a biometric feature as a key to grant access to a computer. The computer comprises a processor connected to a biometric sensor and a resource for operating the biometric sensor. The processor has a nonenabled state and an enabled state. In the nonenabled state the processor cannot execute applications loaded into memory from a hard drive. In the enabled state the processor can execute such applications. A user gains access to the computer and enables the processor by having a biometric feature input onto the computer using the biometric sensor. The resource that operates the biometric sensor then compares data representing the biometric feature to enrolled user data contained within the resource. If the data representing the biometric feature matches the enrolled user data then the resource switches the processor from the nonenabled state to the enabled state. If there is not a match then the processor remains in the nonenabled state.

Abstract translation: 本发明是一种用于使用生物特征作为密钥来授予对计算机的访问的系统和方法。 计算机包括连接到生物测定传感器的处理器和用于操作生物测定传感器的资源。 处理器具有非启用状态和使能状态。 在非启用状态下，处理器无法从硬盘驱动器执行加载到内存中的应用程序。 在启用状态下，处理器可以执行这样的应用程序。 用户通过使用生物特征传感器将生物特征输入到计算机上来获得对计算机的访问并使处理器能够实现。 操作生物识别传感器的资源然后将表示生物特征的数据与资源中包含的已登记用户数据进行比较。 如果表示生物特征的数据与登记的用户数据匹配，则资源将处理器从未使能状态切换到启用状态。 如果没有匹配，则处理器保持在非启用状态。

公开(公告)号：WO98036517A1

公开(公告)日：1998-08-20

申请号：PCT/US1998/002536

申请日：1998-02-10

IPC: G06F12/14 ,  G06F1/00 ,  G06F9/38 ,  G06F21/56 ,  G06F21/57 ,  G06F21/72 ,  H04K1/00 ,  G06F11/34

CPC classification number: G06F21/57 ,  G06F9/3879 ,  G06F21/567 ,  G06F21/72 ,  G06F2207/7219 ,  G06F2211/1097

Abstract: A security enhanced computer system arrangement includes a coprocessor (10) and a multiprocessor logic controller (38) inserted into the architecture of a conventional computer system. The coprocessor and multiprocessor logic controller is interposed between the CPU of the conventional computer system to intercept and replace control signals that are passed over certain of the critical control signal lines associated with the CPU. The CPU is released by allowing control signals to again pass between it and the computer system. Isolating the CPU control signal from the remainder of the computer system, allows a multiprocessor logic controller (38) to interrupt the normal computer system operation at any time and permit the coprocessor to check digital signatures of any firmware or software in the computer system. The multiprocessor logic controller arrangement thereby isolates the CPU of the conventional computer system from the remainder of the conventional computer system, permitting separate control over the CPU and separate control over the remainder of the computer system.

Abstract translation: 一种安全增强的计算机系统装置包括一个协处理器（10）和一个插入常规计算机系统架构中的多处理器逻辑控制器（38）。 协处理器和多处理器逻辑控制器被插入在常规计算机系统的CPU之间，以拦截和替换在与CPU相关联的某些关键控制信号线上传递的控制信号。 通过允许控制信号在它和计算机系统之间再次通过来释放CPU。 从计算机系统的其余部分隔离CPU控制信号，允许多处理器逻辑控制器（38）随时中断正常的计算机系统操作，并允许协处理器检查计算机系统中任何固件或软件的数字签名。 因此，多处理器逻辑控制器装置将常规计算机系统的CPU与常规计算机系统的其余部分隔离，允许对CPU的单独控制和对计算机系统的其余部分的单独控制。

公开(公告)号：WO1996013002A1

公开(公告)日：1996-05-02

申请号：PCT/US1994012222

申请日：1994-10-24

Applicant: TREND MICRO DEVICES, INC.

Inventor： TREND MICRO DEVICES, INC. ,  CHANG, Steve, Ming-Jang

IPC: G06F09/445

CPC classification number: G06F21/64 ,  G06F9/4416 ,  G06F21/572 ,  G06F21/575 ,  G06F21/805 ,  G06F2211/007 ,  G06F2211/1097 ,  H04L29/06 ,  H04L67/42

Abstract: A method and apparatus for preboot file and information transfer between workstations (13) and other workstations (15) or workstations (13) and servers (11) on local area networks. During a workstation boot sequence, the various components of the workstation and network operating system are loaded and executed. Since all control of the workstation after the boot sequence is passed to the workstation operating system, any mangement tasks performed after boot must be performed by application programs (23) running on the workstation. The present invention overcomes problems created by using such application programs to perform management tasks by providing a hardware component (27), for example a ROM or PROM (61) containing appropriate programming placed in the usually unused boot ROM socket of a LAN card installed in the individual workstations (13), or a chip including a PROM or ROM (61) built onto the motherboard or system board of the individual workstations. The program in the PROM (61) is set up so that, at system start-up (31), prior to loading of the workstation operating system software during the boot sequence, it performs certain operating system functions (35) by using the basic input/output system (BIOS) of the workstation to enable the workstation to communicate with a server on the network and make the necessary resource of the workstation available to a server management application (11c) running on the server via the network. This process, controlled by a system administrator (15), allows a variety of preboot functions to take place in the workstation.

Abstract translation: 一种用于在局域网上的工作站（13）和其他工作站（15）或工作站（13）和服务器（11）之间预引导文件和信息传输的方法和装置。 在工作站引导顺序期间，加载和执行工作站和网络操作系统的各种组件。 由于启动顺序后工作站的所有控制都传递到工作站操作系统，所以在引导之后执行的任何管理任务必须由在工作站上运行的应用程序（23）执行。 本发明克服了使用这样的应用程序通过提供硬件组件（27）所产生的问题，该硬件组件（27）例如包含适当编程的ROM或PROM（61），其中所述适当的编程放置在安装在其中的LAN卡的通常未使用的引导ROM插槽中 单个工作站（13），或包括建立在各个工作站的主板或系统板上的PROM或ROM（61）的芯片。 PROM（61）中的程序被设置为使得在系统启动（31）期间，在引导顺序期间加载工作站操作系统软件之前，它通过使用基本操作系统执行某些操作系统功能（35） 工作站的输入/输出系统（BIOS），以使工作站能够与网络上的服务器进行通信，并使工作站的必要资源可用于经由网络在服务器上运行的服务器管理应用程序（11c）。 由系统管理员（15）控制的此过程允许在工作站中进行各种预引导功能。