公开(公告)号：US11438322B2

公开(公告)日：2022-09-06

申请号：US16264478

申请日：2019-01-31

Applicant: Apple Inc.

Inventor： Wade Benson ,  Marc J. Krochmal ,  Alexander R. Ledwith ,  John Iarocci ,  Jerrold V. Hauck ,  Michael Brouwer ,  Mitchell D. Adler ,  Yannick L. Sierra

IPC: G06F7/04 ,  G06F17/30 ,  H04L9/40 ,  H04W12/041 ,  H04W12/086 ,  H04W12/0431 ,  G06F9/445 ,  H04W12/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/32

Abstract: Some embodiments of the invention provide a method for a trusted (or originator) device to modify the security state of a target device (e.g., unlocking the device) based on a securing ranging operation (e.g., determining a distance, proximity, etc.). The method of some embodiments exchanges messages as a part of a ranging operation in order to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to modify the security state of the target device. In some embodiments, the messages are derived by both devices based on a shared secret and are used to verify the source of ranging signals used for the ranging operation. In some embodiments, the method is performed using multiple different frequency bands.

公开(公告)号：US11228421B1

公开(公告)日：2022-01-18

申请号：US15884263

申请日：2018-01-30

Applicant: Apple Inc.

Inventor： Arthur Mesh ,  Jerrold V. Hauck ,  Pierre-Olivier J. Martel ,  Wade Benson ,  Oren M. Elrad

IPC: G06F21/00 ,  H04L9/00 ,  H04L9/08 ,  G06F21/31 ,  G06F21/56

Abstract: Secure secrets can be used, in one embodiment, to generate a master key. In one embodiment, a first secret value, generated and stored in a first secure element, can be used with a user's credential (e.g., a user's passcode) to generate, through a first key derivation function, a second secret value. A master key can then be generated through a second key derivation function based on the second secret value and a derived or stored secret such as a device's unique identifier.

公开(公告)号：US20210397716A1

公开(公告)日：2021-12-23

申请号：US17092030

申请日：2020-11-06

Applicant: Apple Inc.

Inventor： Xeno S. Kovah ,  Nikolaj Schlej ,  Thomas P. Mensch ,  Wade Benson ,  Jerrold V. Hauck ,  Josh P. de Cesare ,  Austin G. Jennings ,  John J. Dong ,  Robert C. Graham ,  Jacques Fortier

IPC: G06F21/57 ,  G06F21/72 ,  H04L9/32 ,  G06F9/4401 ,  H04L9/08 ,  H04L29/06 ,  G06F21/73

Abstract: Techniques are disclosed relating to securing computing devices during boot. In various embodiments, a secure circuit of a computing device generates for a public key pair and signs, using a private key of the public key pair, configuration settings for an operating system of the computing device. A bootloader of the computing device receives a certificate for the public key pair from a certificate authority and initiates a boot sequence to load the operating system. The boot sequence includes the bootloader verifying the signed configuration settings using a public key included in the certificate and the public key pair. In some embodiments, the secure circuit cryptographically protects the private key based on a passcode of a user, the passcode being usable by the user to authenticate to the computing device.

公开(公告)号：US11194920B2

公开(公告)日：2021-12-07

申请号：US16659146

申请日：2019-10-21

Applicant: Apple Inc.

Inventor： Eric B. Tamura ,  Wade Benson ,  John Garvey

IPC: G06F21/62 ,  G06F21/60 ,  H04L9/14 ,  G06F21/31

Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.

公开(公告)号：US11176237B2

公开(公告)日：2021-11-16

申请号：US15996413

申请日：2018-06-01

Applicant: Apple Inc.

Inventor： Wade Benson ,  Alexander R. Ledwith ,  Marc J. Krochmal ,  John J. Iarocci ,  Jerrold V. Hauck ,  Michael Brouwer ,  Mitchell D. Adler ,  Yannick L. Sierra ,  Libor Sykora

IPC: G06F21/34 ,  G06F21/36 ,  H04W4/80 ,  H04W4/02 ,  H04W12/06 ,  H04W12/63 ,  H04W12/082

Abstract: In some embodiments, a first device performs ranging operations to allow a user to access the first device under one of several user accounts without providing device-access credentials. For example, when a second device is within a first distance of the first device, the first device determines that the second device is associated with a first user account under which a user can access (e.g., can log into) the first device. In response to the determination, the first device enables at least one substitute interaction (e.g., a password-less UI interaction) to allow the first device to be accessed without receiving access credentials through a user interface. In response to detecting an occurrence of the substitute interaction, the user is allowed to access the first device under the first user account. In some embodiments, the substitute interaction occurs while the first device is logged into under a second user account.

公开(公告)号：US20190188397A1

公开(公告)日：2019-06-20

申请号：US16144176

申请日：2018-09-27

Applicant: Apple Inc.

Inventor： Wade Benson ,  Michael J. Smith ,  Joshua P. de Cesare

IPC: G06F21/62 ,  G06F21/12 ,  G06F21/57 ,  G06F21/60 ,  G06F21/72 ,  G06F21/78 ,  H04L9/08

CPC classification number: G06F21/6209 ,  G06F21/12 ,  G06F21/575 ,  G06F21/602 ,  G06F21/72 ,  G06F21/74 ,  G06F21/78 ,  G06F21/81 ,  H04L9/088

Abstract: Techniques are disclosed relating to data storage. In various embodiments, a computing device includes first and second processors and memory having stored therein a first encrypted operating system executable by the first processor and a second encrypted operating system executable by the second processor. The computing device also includes a secure circuit configured to receive, via a first mailbox mechanism of the secure circuit, a first request from the first processor for a first cryptographic key usable to decrypt the first operating system. The secure circuit is further configured to receive, via a second mailbox mechanism of the secure circuit, a second request from the second processor for a second cryptographic key usable to decrypt the second operating system, and to provide the first and second cryptographic keys.

公开(公告)号：US09558363B2

公开(公告)日：2017-01-31

申请号：US14503244

申请日：2014-09-30

Applicant: Apple Inc.

Inventor： Andrew Roger Whalley ,  Wade Benson ,  Conrad Sauerwald

IPC: G06F21/00 ,  G06F21/62

CPC classification number: G06F21/6209 ,  G06F21/6218 ,  G06F21/6245 ,  G06F2221/2111 ,  H04L63/062 ,  H04W12/02 ,  H04W12/04 ,  H04W12/08

Abstract: In some implementations, encrypted data (e.g., application data, keychain data, stored passwords, etc.) stored on a mobile device can be accessed (e.g., decrypted, made available) based on the context of the mobile device. The context can include the current device state (e.g., locked, unlocked, after first unlock, etc.). The context can include the current device settings (e.g., passcode enabled/disabled). The context can include data that has been received by the mobile device (e.g., fingerprint scan, passcode entered, location information, encryption key received, time information).

Abstract translation: 在一些实现中，可以基于移动设备的上下文来访问（例如，解密，使得可用）存储在移动设备上的加密数据（例如，应用数据，钥匙串数据，存储的密码等）。 上下文可以包括当前设备状态（例如，锁定，解锁，在首次解锁之后等等）。 上下文可以包括当前设备设置（例如，启用/禁用密码）。 上下文可以包括已经由移动设备接收的数据（例如，指纹扫描，输入的密码，位置信息，接收的加密密钥，时间信息）。

公开(公告)号：US20250097018A1

公开(公告)日：2025-03-20

申请号：US18542176

申请日：2023-12-15

Applicant: Apple Inc.

Inventor： Thomas P. Mensch ,  Elad Efrat ,  David Tamagno ,  Armaiti Ardeshiricham ,  Wade Benson ,  Yannick L. Sierra

IPC: H04L9/08

Abstract: Techniques are disclosed relating to cryptographic key exchanges. In some embodiments, a first device belonging to a first device group receives a request to perform a key exchange to establish a shared secret with a second device belonging to a second device group. The first device verifies a key authorization data structure issued by a key authority, the key authorization data structure including a first public key of a first participant authority authorized to identify members of the first device group and a second public key of a second participant authority authorized to identify members of the second device group. In response to the verifying being successful, the first device performs the requested exchange using a public key pair attested to by the first participant authority as belonging to a member in the first device group.

公开(公告)号：US20240039714A1

公开(公告)日：2024-02-01

申请号：US18447083

申请日：2023-08-09

Applicant: Apple Inc.

Inventor： Wade Benson ,  Libor Sykora ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  H04L9/32 ,  H04L9/00 ,  G06F21/32 ,  H04L9/14 ,  G06F21/74 ,  G06F21/72 ,  G06F21/78 ,  H04L9/40

CPC classification number: H04L9/0861 ,  H04L9/3268 ,  H04L9/006 ,  H04L9/3249 ,  G06F21/32 ,  H04L9/3239 ,  H04L9/14 ,  G06F21/74 ,  H04L9/0877 ,  H04L9/3231 ,  H04L9/3234 ,  G06F21/72 ,  G06F21/78 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/0861 ,  H04L9/3247 ,  H04L9/3263 ,  H04L2209/127 ,  G06F13/28

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

公开(公告)号：US11455432B1

公开(公告)日：2022-09-27

申请号：US16895933

申请日：2020-06-08

Applicant: Apple Inc.

Inventor： Pierre Olivier Martel ,  Arthur Mesh ,  Wade Benson

IPC: G06F21/78 ,  G06F21/72 ,  H04L9/08 ,  H04L9/14

Abstract: Embodiments described herein enable multi-user storage volume encryption via a secure enclave processor. One embodiment provides for a computing device comprising a first processor to execute a first operating system having one or more user accounts; a second processor to execute a second operating system, the second processor to receive a first encrypted key from the first processor and decrypt a volume encryption key via a key encryption key derived from the first encrypted key, the first encrypted key derived via the secure enclave without user-provided entropy; and a non-volatile memory controller to access encrypted data within non-volatile memory using the volume encryption key.