公开(公告)号：US10691837B1

公开(公告)日：2020-06-23

申请号：US15832887

申请日：2017-12-06

Applicant: Apple Inc.

Inventor： Pierre Olivier Martel ,  Arthur Mesh ,  Wade Benson

IPC: G06F21/78 ,  G06F21/72 ,  H04L9/08 ,  H04L9/14

Abstract: Embodiments described herein enable multi-user storage volume encryption via a secure enclave processor. One embodiment provides for a computing device comprising a first processor to execute a first operating system having one or more user accounts; a second processor to execute a second operating system, the second processor including a secure enclave, the secure enclave to receive a first encrypted key from the first processor and decrypt a volume encryption key via a key encryption key derived from the first encrypted key, the first encrypted key derived via the secure enclave without user-provided entropy; and a non-volatile memory controller to access encrypted data within non-volatile memory using the volume encryption key.

公开(公告)号：US20200186337A1

公开(公告)日：2020-06-11

申请号：US16730931

申请日：2019-12-30

Applicant: Apple Inc.

Inventor： Wade Benson ,  Libor Sykora ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06 ,  G06F21/78 ,  G06F21/72 ,  G06F21/74 ,  H04L9/14 ,  G06F21/32 ,  H04L9/00

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

公开(公告)号：US10523431B2

公开(公告)日：2019-12-31

申请号：US16133645

申请日：2018-09-17

Applicant: Apple Inc.

Inventor： Wade Benson ,  Libor Sykora ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/00 ,  G06F21/32 ,  H04L9/14 ,  G06F21/74 ,  G06F21/72 ,  G06F21/78 ,  G06F13/28 ,  G06F13/40 ,  G06F21/79

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

公开(公告)号：US20190296905A1

公开(公告)日：2019-09-26

申请号：US16436328

申请日：2019-06-10

Applicant: Apple Inc.

Inventor： Kumar Saurav ,  Jerrold V. Hauck ,  Yannick L. Sierra ,  Charles E. Gray ,  Roberto G. Yepez ,  Samuel Gosselin ,  Petr Kostka ,  Wade Benson

IPC: H04L9/08 ,  G06F21/60 ,  G06F21/74

Abstract: A device may include a secure processor and a secure memory coupled to the secure processor. The secure memory may be inaccessible to other device systems. The secure processor may store some keys and/or entropy values in the secure memory and other keys and/or entropy values outside the secure memory. The keys and/or entropy values stored outside the secure memory may be encrypted using information stored inside the secure memory.

公开(公告)号：US20170373844A1

公开(公告)日：2017-12-28

申请号：US15173647

申请日：2016-06-04

Applicant: Apple Inc.

Inventor： Libor Sykora ,  Wade Benson ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  G06F21/32 ,  H04L9/32

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

公开(公告)号：US20170359169A1

公开(公告)日：2017-12-14

申请号：US15497203

申请日：2017-04-26

Applicant: Apple Inc.

Inventor： Wade Benson ,  Marc J. Krochmal ,  Alexander R. Ledwith ,  John Iarocci ,  Jerrold V. Hauck ,  Michael Brouwer ,  Mitchell D. Adler ,  Yannick L. Sierra

IPC: H04L9/08 ,  H04L9/14 ,  H04W12/08 ,  H04L9/32 ,  H04L29/06 ,  H04W12/06

CPC classification number: G06F9/44505 ,  H04L9/0822 ,  H04L9/085 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/3226 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/08 ,  H04L63/083 ,  H04L63/107 ,  H04L63/108 ,  H04L63/1466 ,  H04L2209/80 ,  H04W12/04 ,  H04W12/06 ,  H04W12/08

Abstract: Some embodiments of the invention provide a method for a trusted (or originator) device to modify the security state of a target device (e.g., unlocking the device) based on a securing ranging operation (e.g., determining a distance, proximity, etc.). The method of some embodiments exchanges messages as a part of a ranging operation in order to to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to modify the security state of the target device. In some embodiments, the messages are derived by both devices based on a shared secret and are used to verify the source of ranging signals used for the ranging operation. In some embodiments, the method is performed using multiple different frequency bands.

公开(公告)号：US20170357830A1

公开(公告)日：2017-12-14

申请号：US15275273

申请日：2016-09-23

Applicant: Apple Inc.

Inventor： Wade Benson ,  Conrad Sauerwald ,  Mitchell D. Adler ,  Michael Brouwer ,  Timothee Geoghegan ,  Andrew R. Whalley ,  David P. Finkelstein ,  Yannick L. Sierra

IPC: G06F21/72 ,  G06F21/32 ,  G06F12/14 ,  H04L9/08 ,  H04L9/14

Abstract: Techniques are disclosed relating to securely storing data in a computing device. In one embodiment, a computing device includes a secure circuit configured to maintain key bags for a plurality of users, each associated with a respective one of the plurality of users and including a first set of keys usable to decrypt a second set of encrypted keys for decrypting data associated with the respective user. The secure circuit is configured to receive an indication that an encrypted file of a first of the plurality of users is to be accessed and use a key in a key bag associated with the first user to decrypt an encrypted key of the second set of encrypted keys. The secure circuit is further configured to convey the decrypted key to a memory controller configured to decrypt the encrypted file upon retrieval from a memory.

公开(公告)号：US20170357523A1

公开(公告)日：2017-12-14

申请号：US15275203

申请日：2016-09-23

Applicant: Apple Inc.

Inventor： Wade Benson ,  Marc J. Krochmal ,  Alexander R. Ledwith ,  John Iarocci ,  Jerrold V. Hauck ,  Michael Brouwer ,  Mitchell D. Adler ,  Yannick L. Sierra

IPC: G06F9/445 ,  H04W12/04 ,  H04W12/06 ,  H04L29/06

CPC classification number: G06F9/44505 ,  H04L9/0822 ,  H04L9/085 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/3226 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/08 ,  H04L63/083 ,  H04L63/107 ,  H04L63/108 ,  H04L63/1466 ,  H04L2209/80 ,  H04W12/04 ,  H04W12/06 ,  H04W12/08

Abstract: Some embodiments of the invention provide a method for a trusted (or originator) device to modify the security state of a target device (e.g., unlocking the device) based on a securing ranging operation (e.g., determining a distance, proximity, etc.). The method of some embodiments exchanges messages as a part of a ranging operation in order to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to modify the security state of the target device. In some embodiments, the messages are derived by both devices based on a shared secret and are used to verify the source of ranging signals used for the ranging operation. In some embodiments, the method is performed using multiple different frequency bands.

公开(公告)号：US20250094602A1

公开(公告)日：2025-03-20

申请号：US18541961

申请日：2023-12-15

Applicant: Apple Inc.

Inventor： Thomas P. Mensch ,  Elad Efrat ,  David Tamagno ,  Armaiti Ardeshiricham ,  Wade Benson ,  Yannick L. Sierra

IPC: G06F21/60 ,  G06F21/72

Abstract: Techniques are disclosed relating to cryptographic key exchanges. In some embodiments, a computing device includes a cryptographic circuit coupled to a secure memory inaccessible to a processor of the computing device. Program instructions executing on the computing device can request performance of a key exchange to establish a shared secret with another device. The cryptographic circuit is configured to perform the key exchange including deriving the shared secret using private key material maintained in the secure memory. In some embodiments, the key exchange includes verifying a key authorization data structure issued by a key authority including a first public key of a first participant authority and a second public key of a second participant authority. In response to the verifying being successful, the exchange uses a public key pair attested to by the first participant authority as belonging to a member in the first device group.

公开(公告)号：US12008087B2

公开(公告)日：2024-06-11

申请号：US17505318

申请日：2021-10-19

Applicant: Apple Inc.

Inventor： Alan M. Dunn ,  Anish C. Trivedi ,  Ronnie G. Misra ,  Wade Benson ,  Anand Dalal

IPC: H04L29/06 ,  G06F1/3234 ,  G06F21/31 ,  G06F21/60 ,  G06F21/62 ,  G06F21/64 ,  H04L9/32

CPC classification number: G06F21/31 ,  G06F1/3234 ,  G06F21/602 ,  G06F21/62 ,  G06F21/64 ,  H04L9/3242 ,  H04L9/3252

Abstract: Techniques are disclosed relating to maintaining device security associated with reduced power modes. In some embodiments, a computing device receives a request to place the computing device in a reduced power mode in which a first memory of the computing device is powered off. Based on the request, the computing device offloads a memory page from the first memory to a second memory such that the offloading includes encrypting the memory page. Based on a request to resume from the reduced power mode, the computing device restores the memory page from the second memory to the first memory such that the restoring includes decrypting the encrypted memory page. After initiating the restoring, the computing device presents a user authentication prompt asking for a user credential.