公开(公告)号：US11764954B2

公开(公告)日：2023-09-19

申请号：US16730931

申请日：2019-12-30

Applicant: Apple Inc.

Inventor： Wade Benson ,  Libor Sykora ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  H04L9/32 ,  H04L9/00 ,  G06F21/32 ,  H04L9/14 ,  G06F21/74 ,  G06F21/72 ,  G06F21/78 ,  H04L9/40 ,  G06F13/28 ,  G06F13/40 ,  G06F21/79

CPC classification number: H04L9/0861 ,  G06F21/32 ,  G06F21/72 ,  G06F21/74 ,  G06F21/78 ,  H04L9/006 ,  H04L9/0877 ,  H04L9/14 ,  H04L9/3231 ,  H04L9/3234 ,  H04L9/3239 ,  H04L9/3247 ,  H04L9/3249 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/0861 ,  G06F13/28 ,  G06F13/4063 ,  G06F21/79 ,  H04L2209/12 ,  H04L2209/127 ,  H04L2463/081

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

公开(公告)号：US11250118B2

公开(公告)日：2022-02-15

申请号：US16388831

申请日：2019-04-18

Applicant: Apple Inc.

Inventor： Alexander R. Ledwith ,  Wade Benson ,  Marc J. Krochmal ,  John J. Iarocci ,  Jerrold V. Hauck ,  Michael Brouwer ,  Mitchell D. Adler ,  Yannick L. Sierra ,  Libor Sykora ,  Jiri Margaritov

IPC: G06F21/34 ,  G06F1/16 ,  H04W12/63

Abstract: In some embodiments, a first device performs ranging operations to allow a user to perform one or more operations on the first device without providing device-access credentials. For example, when a second device is within a first distance of the first device, the first device determines that the second device is associated with a first user account that is authorized to perform operations on the first device. In response to the determination, the first device enables at least one substitute interaction (e.g., a password-less UI interaction) to allow the operations to be performed on the first device to be accessed without receiving access credentials through a user interface. In response to detecting an occurrence of the substitute interaction, the operation is authorized on the first device.

公开(公告)号：US10558589B1

公开(公告)日：2020-02-11

申请号：US15721636

申请日：2017-09-29

Applicant: Apple Inc.

Inventor： Josh P. de Cesare ,  Wade Benson ,  Fabrice L. Gautier ,  Kaiehu Kaahaaina

IPC: G06F12/14 ,  G06F21/62 ,  G06F21/60

Abstract: Techniques are disclosed concerning secure access to data in a computing device. In one embodiment, a computing device includes a communication interface, a memory, a memory controller, and a security processor. The communication interface may communicate with a different computing device. The security processor may generate a host key in response to a successful authentication of the different computing device, and then encrypt a memory key using the host key. The security processor may also send the encrypted memory key to the memory controller, and send the host key to the different computing device. The host key may be included by the different computing device in a subsequent memory request to access data in the memory. The memory controller may, in response to the subsequent memory request, use the included host key to decrypt the encrypted memory key and use the decrypted memory key to access the data.

公开(公告)号：US10546293B2

公开(公告)日：2020-01-28

申请号：US14475375

申请日：2014-09-02

Applicant: Apple Inc.

Inventor： Ahmer A. Khan ,  Jerrold V. Hauck ,  George R. Dicker ,  Jeffrey C. Lee ,  Mitchell D Adler ,  Wade Benson

IPC: G06Q20/38 ,  G06Q20/32

Abstract: A system for provisioning credentials onto an electronic device is provided. The system may include a payment network subsystem, a service provider subsystem, and one or more user devices that can be used to perform mobile transactions at a merchant terminal. The user device may communicate with the service provider subsystem in order to obtained commerce credentials from the payment network subsystem. The user device may include a secure element and a corresponding trusted processor. The trusted processor may generate a random authorization number and inject that number into the secure element. Mobile payments should only be completed if the random authorization number on the secure element matches the random authorization number at the trusted processor. The trusted processor may be configured to efface the previous random authorization number and generate a new random authorization number when detecting a potential change in ownership at the user device.

公开(公告)号：US10484172B2

公开(公告)日：2019-11-19

申请号：US15173647

申请日：2016-06-04

Applicant: Apple Inc.

Inventor： Libor Sykora ,  Wade Benson ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  H04L9/32 ,  H04L9/00 ,  G06F21/32 ,  H04L9/14 ,  G06F21/74 ,  G06F21/72 ,  G06F21/78 ,  H04L29/06 ,  G06F13/28 ,  G06F13/40 ,  G06F21/79

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

公开(公告)号：US10452859B2

公开(公告)日：2019-10-22

申请号：US15275289

申请日：2016-09-23

Applicant: Apple Inc.

Inventor： Eric B. Tamura ,  Wade Benson ,  John Garvey

IPC: G06F21/62 ,  G06F21/60 ,  H04L9/14 ,  G06F21/31

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

公开(公告)号：US10320563B2

公开(公告)日：2019-06-11

申请号：US15274816

申请日：2016-09-23

Applicant: Apple Inc.

Inventor： Kumar Saurav ,  Jerrold V. Hauck ,  Yannick L. Sierra ,  Charles E. Gray ,  Robert Yepez ,  Samuel Gosselin ,  Petr Kostka ,  Wade Benson

IPC: H04L9/08 ,  G06F21/60 ,  G06F21/74

Abstract: A device may include a secure processor and a secure memory coupled to the secure processor. The secure memory may be inaccessible to other device systems. The secure processor may store some keys and/or entropy values in the secure memory and other keys and/or entropy values outside the secure memory. The keys and/or entropy values stored outside the secure memory may be encrypted using information stored inside the secure memory.

公开(公告)号：US12113784B2

公开(公告)日：2024-10-08

申请号：US18107982

申请日：2023-02-09

Applicant: Apple Inc.

Inventor： Wade Benson ,  Marc J. Krochmal ,  Alexander R. Ledwith ,  John Iarocci ,  Jerrold V. Hauck ,  Michael Brouwer ,  Mitchell D. Adler ,  Yannick L Sierra

IPC: H04L9/08 ,  G06F9/445 ,  H04L9/14 ,  H04L9/32 ,  H04L9/40 ,  H04W12/041 ,  H04W12/0431 ,  H04W12/06 ,  H04W12/086

CPC classification number: H04L63/08 ,  G06F9/44505 ,  H04L9/0822 ,  H04L9/085 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/3226 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/083 ,  H04L63/107 ,  H04L63/108 ,  H04L63/1466 ,  H04W12/041 ,  H04W12/0431 ,  H04W12/06 ,  H04W12/086 ,  H04L2209/80

Abstract: Some embodiments of the invention provide a method for a trusted (or originator) device to modify the security state of a target device (e.g., unlocking the device) based on a securing ranging operation (e.g., determining a distance, proximity, etc.). The method of some embodiments exchanges messages as a part of a ranging operation in order to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to modify the security state of the target device. In some embodiments, the messages are derived by both devices based on a shared secret and are used to verify the source of ranging signals used for the ranging operation. In some embodiments, the method is performed using multiple different frequency bands.

公开(公告)号：US20240160766A1

公开(公告)日：2024-05-16

申请号：US18474146

申请日：2023-09-25

Applicant: Apple Inc.

Inventor： Eric B. Tamura ,  Wade Benson ,  John Garvey

IPC: G06F21/62 ,  G06F21/31 ,  G06F21/60 ,  H04L9/14

CPC classification number: G06F21/6218 ,  G06F21/31 ,  G06F21/602 ,  H04L9/14

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

公开(公告)号：US20220303137A1

公开(公告)日：2022-09-22

申请号：US17655147

申请日：2022-03-16

Applicant: APPLE INC.

Inventor： Kyle C. Brogle ,  Wade Benson ,  Sean P. Devlin ,  Lucie Kucerova ,  Thomas P. Mensch ,  Yannick L. Sierra ,  Tomislav Suchan

IPC: H04L9/32 ,  H04W12/03 ,  G06F21/44

Abstract: Embodiments described herein provided techniques to enable peripherals configured to provide secure functionality. A secure circuit on a peripheral device can be paired with a secure circuit on a host device outside of a factory environment without compromising security by verifying silicon keys that are embedded within the secure circuit during manufacturing.