公开(公告)号：US08880897B2

公开(公告)日：2014-11-04

申请号：US13725957

申请日：2012-12-21

Applicant: Apple Inc.

Inventor： Peter Kiehtreiber ,  Michael Brouwer

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/50 ,  G06F21/64

CPC classification number: G06F21/50 ,  G06F21/54 ,  H04L9/3239 ,  H04L9/3247 ,  H04L2209/38

Abstract: The present invention discloses a method for quickly and easily authenticating large computer program. The system operates by first sealing the computer program with digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array and then the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing with an associated hash value in the authenticated hash value array. If the hash values do not match, then execution may be halted.

Abstract translation: 本发明公开了一种快速轻松地认证大型计算机程序的方法。 该系统通过以数字签名方式首先密封计算机程序来运行。 具体地说，将计算机程序划分为一组页面，并为每个页面计算哈希值。 哈希值集合形成一个哈希值数组，然后用数字签名封装哈希值数组。 然后将计算机程序与哈希值数组和数字签名一起分发。 为了对计算机程序进行认证，接收者首先使用数字签名和公钥验证散列值数组的真实性。 一旦哈希值数组已被认证，接收者就可以通过计算要加载的页面的散列值，然后与经鉴别的散列值数组中相关的散列值进行比较来验证计算机程序的每一页面的真实性。 如果哈希值不匹配，则执行可能会停止。

公开(公告)号：US20130111216A1

公开(公告)日：2013-05-02

申请号：US13725957

申请日：2012-12-21

Applicant: Apple Inc.

Inventor： Peter Kiehtreiber ,  Michael Brouwer

IPC: G06F21/50

CPC classification number: G06F21/50 ,  G06F21/54 ,  H04L9/3239 ,  H04L9/3247 ,  H04L2209/38

Abstract: The present invention discloses a method for quickly and easily authenticating large computer program. The system operates by first sealing the computer program with digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array and then the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing with an associated hash value in the authenticated hash value array. If the hash values do not match, then execution may be halted.

Abstract translation: 本发明公开了一种快速轻松地认证大型计算机程序的方法。 该系统通过以数字签名方式首先密封计算机程序来运行。 具体地说，将计算机程序划分为一组页面，并为每个页面计算哈希值。 哈希值集合形成一个哈希值数组，然后用数字签名封装哈希值数组。 然后将计算机程序与哈希值数组和数字签名一起分发。 为了对计算机程序进行认证，接收者首先使用数字签名和公钥验证散列值数组的真实性。 一旦哈希值数组已被认证，接收者就可以通过计算要加载的页面的散列值，然后与经鉴别的散列值数组中相关的散列值进行比较来验证计算机程序的每一页面的真实性。 如果哈希值不匹配，则执行可能会停止。

公开(公告)号：US20240039714A1

公开(公告)日：2024-02-01

申请号：US18447083

申请日：2023-08-09

Applicant: Apple Inc.

Inventor： Wade Benson ,  Libor Sykora ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  H04L9/32 ,  H04L9/00 ,  G06F21/32 ,  H04L9/14 ,  G06F21/74 ,  G06F21/72 ,  G06F21/78 ,  H04L9/40

CPC classification number: H04L9/0861 ,  H04L9/3268 ,  H04L9/006 ,  H04L9/3249 ,  G06F21/32 ,  H04L9/3239 ,  H04L9/14 ,  G06F21/74 ,  H04L9/0877 ,  H04L9/3231 ,  H04L9/3234 ,  G06F21/72 ,  G06F21/78 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/0861 ,  H04L9/3247 ,  H04L9/3263 ,  H04L2209/127 ,  G06F13/28

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

公开(公告)号：US10771545B2

公开(公告)日：2020-09-08

申请号：US16184952

申请日：2018-11-08

Applicant: Apple Inc.

Inventor： Mitchell D. Adler ,  Michael Brouwer ,  Dallas De Atley

IPC: H04L29/06 ,  H04L29/08 ,  H04L12/18 ,  G06F16/27 ,  H04L9/12 ,  H04L9/32 ,  G06F16/178 ,  H04L12/44 ,  H04W84/18 ,  G06F17/30

Abstract: Some embodiments provide non-transitory machine-readable medium that stores a program which when executed by at least one processing unit of a device synchronizes a set of keychains stored on the device with a set of other devices. The device and the set of other devices are communicatively coupled to one another through a peer-to-peer (P2P) network. The program receives a modification to a keychain in the set of keychains stored on the device. The program generates an update request for each device in the set of other devices in order to synchronize the set of keychains stored on device with the set of other devices. The program transmits through the P2P network the set of update requests to the set of other devices over a set of separate, secure communication channels.

公开(公告)号：US20200186337A1

公开(公告)日：2020-06-11

申请号：US16730931

申请日：2019-12-30

Applicant: Apple Inc.

Inventor： Wade Benson ,  Libor Sykora ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06 ,  G06F21/78 ,  G06F21/72 ,  G06F21/74 ,  H04L9/14 ,  G06F21/32 ,  H04L9/00

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

公开(公告)号：US10523431B2

公开(公告)日：2019-12-31

申请号：US16133645

申请日：2018-09-17

Applicant: Apple Inc.

Inventor： Wade Benson ,  Libor Sykora ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/00 ,  G06F21/32 ,  H04L9/14 ,  G06F21/74 ,  G06F21/72 ,  G06F21/78 ,  G06F13/28 ,  G06F13/40 ,  G06F21/79

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

公开(公告)号：US10229282B2

公开(公告)日：2019-03-12

申请号：US15275284

申请日：2016-09-23

Applicant: Apple Inc.

Inventor： Yannick L. Sierra ,  Abhradeep Guha Thakurta ,  Umesh S. Vaishampayan ,  John C. Hurley ,  Keaton F. Mowery ,  Michael Brouwer

IPC: G06F21/62 ,  H04L9/06 ,  H04L29/06 ,  H04L9/08

Abstract: The system described may implement a 1-bit protocol for differential privacy for a set of client devices that transmit information to a server. Implementations of the system may leverage specialized instruction sets or engines built into the hardware or firmware of a client device to improve the efficiency of the protocol. For example, a client device may utilize these cryptographic functions to randomize information sent to the server. In one embodiment, the client device may use cryptographic functions such as hashes including SHA or block ciphers including AES. Accordingly, the system provides an efficient mechanism for implementing differential privacy.

公开(公告)号：US10198182B2

公开(公告)日：2019-02-05

申请号：US14872013

申请日：2015-09-30

Applicant: Apple Inc.

Inventor： Mitchell D. Adler ,  Michael Brouwer ,  Andrew R. Whalley ,  John C. Hurley ,  Richard F. Murphy ,  David P. Finkelstein

IPC: G06F3/06 ,  H04L9/32 ,  H04L29/08 ,  H04W4/08

Abstract: Some embodiments provide a method for a first device to synchronize a set of data items with a second device. The method receives a request to synchronize the set of data items stored on the first device with the second device. The method determines a subset of the synchronization data items stored on the first device that belong to at least one synchronization sub-group in which the second device participates. Participation in at least one of the synchronization sub-groups is defined based on membership in at least one verification sub-group. The first and second devices are part of a set of related devices with several different verification sub-groups. The method sends only the subset of the synchronization data items that belong to at least one synchronization sub-group in which the second device participates to the second device using a secure channel.

公开(公告)号：US20170373844A1

公开(公告)日：2017-12-28

申请号：US15173647

申请日：2016-06-04

Applicant: Apple Inc.

Inventor： Libor Sykora ,  Wade Benson ,  Vratislav Kuzela ,  Michael Brouwer ,  Andrew R. Whalley ,  Jerrold V. Hauck ,  David Finkelstein ,  Thomas Mensch

IPC: H04L9/08 ,  G06F21/32 ,  H04L9/32

Abstract: Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

公开(公告)号：US20170359169A1

公开(公告)日：2017-12-14

申请号：US15497203

申请日：2017-04-26

Applicant: Apple Inc.

Inventor： Wade Benson ,  Marc J. Krochmal ,  Alexander R. Ledwith ,  John Iarocci ,  Jerrold V. Hauck ,  Michael Brouwer ,  Mitchell D. Adler ,  Yannick L. Sierra

IPC: H04L9/08 ,  H04L9/14 ,  H04W12/08 ,  H04L9/32 ,  H04L29/06 ,  H04W12/06

CPC classification number: G06F9/44505 ,  H04L9/0822 ,  H04L9/085 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/3226 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/08 ,  H04L63/083 ,  H04L63/107 ,  H04L63/108 ,  H04L63/1466 ,  H04L2209/80 ,  H04W12/04 ,  H04W12/06 ,  H04W12/08

Abstract: Some embodiments of the invention provide a method for a trusted (or originator) device to modify the security state of a target device (e.g., unlocking the device) based on a securing ranging operation (e.g., determining a distance, proximity, etc.). The method of some embodiments exchanges messages as a part of a ranging operation in order to to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to modify the security state of the target device. In some embodiments, the messages are derived by both devices based on a shared secret and are used to verify the source of ranging signals used for the ranging operation. In some embodiments, the method is performed using multiple different frequency bands.