-
公开(公告)号:US09419794B2
公开(公告)日:2016-08-16
申请号:US14493458
申请日:2014-09-23
Applicant: Apple Inc.
Inventor: R. Stephen Polzin , Fabrice L. Gautier , Mitchell D. Adler , Conrad Sauerwald , Michael L. H. Brouwer
CPC classification number: H04L9/0861 , G06F21/72 , G09C1/00 , H04L9/0822 , H04L9/0897 , H04L2209/24
Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.
Abstract translation: SOC实现安全飞地处理器(SEP)。 SEP可以包括处理器和一个或多个安全外设。 SEP可以与SOC的其余部分隔离(例如SOC中的一个或多个中央处理单元(CPU),或SOC中的应用处理器(AP))。 对SEP的访问可以由硬件严格控制。 例如,描述了CPU / AP仅能访问SEP中的邮箱位置的机制。 CPU / AP可以向邮箱写入消息,SEP可以读取并响应。 在一些实施例中,SEP可以包括以下一个或多个:使用包装密钥的安全密钥管理,引导和/或电源管理的SEP控制以及存储器中的单独的信任区域。
-
公开(公告)号:US09202061B1
公开(公告)日:2015-12-01
申请号:US14696622
申请日:2015-04-27
Applicant: Apple Inc.
Inventor: R. Stephen Polzin , Fabrice L. Gautier , Mitchell D. Adler , Timothy R. Paaske , Michael J. Smith
IPC: G06F15/177 , G06F9/24 , G06F1/24 , G06F7/04 , H04N7/16 , G06F21/57 , G06F21/60 , G06F12/14 , G06F9/44 , G06F9/445 , G06F21/00
CPC classification number: G06F21/575 , G06F1/24 , G06F9/24 , G06F9/4401 , G06F9/44505 , G06F12/14 , G06F15/167 , G06F21/00 , G06F21/572 , G06F21/60 , G06F21/74 , G06F21/76 , G06F21/81
Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.
-
公开(公告)号:US09197700B2
公开(公告)日:2015-11-24
申请号:US13839050
申请日:2013-03-15
Applicant: Apple Inc.
Inventor: Michael Brouwer , Dallas B. De Atley , Mitchell D. Adler
CPC classification number: H04L63/061 , G06F17/30174 , G06F17/30575 , H04L9/12 , H04L9/3247 , H04L12/185 , H04L12/44 , H04L63/062 , H04L63/065 , H04L63/068 , H04L63/104 , H04L67/104 , H04L67/1042 , H04L67/1095 , H04L2209/122 , H04W84/18
Abstract: Some embodiments provide non-transitory machine-readable medium that stores a program which when executed by at least one processing unit of a device synchronizes a set of keychains stored on the device with a set of other devices. The device and the set of other devices are communicatively coupled to one another through a peer-to-peer (P2P) network. The program receives a modification to a keychain in the set of keychains stored on the device. The program generates an update request for each device in the set of other devices in order to synchronize the set of keychains stored on device with the set of other devices. The program transmits through the P2P network the set of update requests to the set of other devices over a set of separate, secure communication channels.
Abstract translation: 一些实施例提供了一种非暂时机器可读介质,其存储当设备的至少一个处理单元执行时将存储在设备上的一组密钥链与一组其他设备同步的程序。 设备和其他设备的集合通过对等(P2P)网络彼此通信地耦合。 该程序接收对存储在设备上的一组钥匙串中的钥匙串的修改。 该程序为该组其他设备中的每个设备生成更新请求,以便将存储在设备上的一组密钥链与该组其他设备同步。 该程序通过一组独立的安全通信信道通过P2P网络将该组更新请求发送到其他设备的集合。
-
公开(公告)号:US20140093084A1
公开(公告)日:2014-04-03
申请号:US13767847
申请日:2013-02-14
Applicant: APPLE INC.
Inventor: Dallas B. De Atley , Jerrold V. Hauck , Mitchell D. Adler
IPC: H04L9/08
CPC classification number: H04L9/0894 , G06F21/00 , G06F21/33 , G06F21/445 , G06F21/606 , G06F21/6245 , G06F21/64 , H04L9/0861 , H04L63/0428 , H04L63/0442 , H04L63/06 , H04L63/062 , H04L63/08 , H04L63/101
Abstract: A method of restoring confidential information items of a first device to a second device by using a set of servers. The method generates a public and private key pair and ties the private key to the hash of executable code of the servers at the time of generating the public and private keys. The method receives the encrypted confidential information items in a secure object which is encrypted with a user-specific key and the public key. The method only provides the confidential information to the second device when the second device provides the same user-specific key as the key that encrypts the secure object and the hash of the executable code of the servers at the time of accessing the private key to decrypt the secure object matches the hash of the executable code running on the servers at the time of generating the private key.
Abstract translation: 一种通过使用一组服务器将第一设备的机密信息项恢复到第二设备的方法。 该方法生成公钥和私钥对,并在生成公钥和私钥时将私钥与服务器的可执行代码的哈希值相关联。 该方法在用用户特定的密钥和公钥加密的安全对象中接收加密的机密信息项。 当第二设备提供与加密安全对象的密钥相同的用户特定密钥时,该方法仅向第二设备提供机密信息,并且在访问私钥以解密时提供服务器的可执行代码的散列 安全对象匹配在生成私钥时在服务器上运行的可执行代码的散列。
-
公开(公告)号:US20230385427A1
公开(公告)日:2023-11-30
申请号:US18301860
申请日:2023-04-17
Applicant: Apple Inc.
Inventor: Timothy R. Paaske , Mitchell D. Adler , Conrad Sauerwald , Fabrice L. Gautier , Shu-Yi Yu
CPC classification number: G06F21/602 , G06F21/71 , H04L9/30 , H04L9/0877 , G09C1/00 , H04L9/3231 , H04L9/0866 , G06F21/6218 , G06F21/32
Abstract: In an embodiment, a system is provided in which the private key is managed in hardware and is not visible to software. The system may provide hardware support for public key generation, digital signature generation, encryption/decryption, and large random prime number generation without revealing the private key to software. The private key may thus be more secure than software-based versions. In an embodiment, the private key and the hardware that has access to the private key may be integrated onto the same semiconductor substrate as an integrated circuit (e.g. a system on a chip (SOC)). The private key may not be available outside of the integrated circuit, and thus a nefarious third party faces high hurdles in attempting to obtain the private key.
-
Patent Agency Ranking
公开(公告)号:US11057210B1
公开(公告)日:2021-07-06
申请号:US16550836
申请日:2019-08-26
Applicant: Apple Inc.
Inventor: Yannick L. Sierra , Mitchell D. Adler
Abstract: A user device can segment a secret (e.g., a data recovery key) into a master segment and a shared segment such that possession of both segments is necessary and sufficient to reconstruct the secret. The user device can provide the master segment to a server system. The user device can further segment the shared segment to generate a set of M shares such that any subset of the shares that includes at least a threshold number t of the shares can be used to reconstruct the shared segment, while fewer than t shares provide no information about the shared segment. The M shares can be distributed to shareholder devices. To reconstruct the secret, a recovery device can obtain the master segment and at least t of the M shares, then reconstruct the secret.
-
公开(公告)号:US10771545B2
公开(公告)日:2020-09-08
申请号:US16184952
申请日:2018-11-08
Applicant: Apple Inc.
Inventor: Mitchell D. Adler , Michael Brouwer , Dallas De Atley
IPC: H04L29/06 , H04L29/08 , H04L12/18 , G06F16/27 , H04L9/12 , H04L9/32 , G06F16/178 , H04L12/44 , H04W84/18 , G06F17/30
Abstract: Some embodiments provide non-transitory machine-readable medium that stores a program which when executed by at least one processing unit of a device synchronizes a set of keychains stored on the device with a set of other devices. The device and the set of other devices are communicatively coupled to one another through a peer-to-peer (P2P) network. The program receives a modification to a keychain in the set of keychains stored on the device. The program generates an update request for each device in the set of other devices in order to synchronize the set of keychains stored on device with the set of other devices. The program transmits through the P2P network the set of update requests to the set of other devices over a set of separate, secure communication channels.
-
公开(公告)号:US10708049B2
公开(公告)日:2020-07-07
申请号:US16186426
申请日:2018-11-09
Applicant: Apple Inc.
Inventor: Dallas B. De Atley , Jerrold V. Hauck , Mitchell D. Adler
IPC: H04L9/08 , G06F21/62 , G06F21/33 , G06F21/44 , G06F21/60 , H04L29/06 , G06F21/00 , G06F21/64 , H04L9/12
Abstract: A method of restoring confidential information items of a first device to a second device by using a set of servers. The method generates a public and private key pair and ties the private key to the hash of executable code of the servers at the time of generating the public and private keys. The method receives the encrypted confidential information items in a secure object which is encrypted with a user-specific key and the public key. The method only provides the confidential information to the second device when the second device provides the same user-specific key as the key that encrypts the secure object and the hash of the executable code of the servers at the time of accessing the private key to decrypt the secure object matches the hash of the executable code running on the servers at the time of generating the private key.
-
公开(公告)号:US10198182B2
公开(公告)日:2019-02-05
申请号:US14872013
申请日:2015-09-30
Applicant: Apple Inc.
Inventor: Mitchell D. Adler , Michael Brouwer , Andrew R. Whalley , John C. Hurley , Richard F. Murphy , David P. Finkelstein
Abstract: Some embodiments provide a method for a first device to synchronize a set of data items with a second device. The method receives a request to synchronize the set of data items stored on the first device with the second device. The method determines a subset of the synchronization data items stored on the first device that belong to at least one synchronization sub-group in which the second device participates. Participation in at least one of the synchronization sub-groups is defined based on membership in at least one verification sub-group. The first and second devices are part of a set of related devices with several different verification sub-groups. The method sends only the subset of the synchronization data items that belong to at least one synchronization sub-group in which the second device participates to the second device using a secure channel.
-
公开(公告)号:US10013567B2
公开(公告)日:2018-07-03
申请号:US14866782
申请日:2015-09-25
Applicant: Apple Inc.
Inventor: Per Love Hornquist Astrand , Paul A. Seligman , Van Hong , Mitchell D. Adler
CPC classification number: G06F21/6209 , H04L9/0825 , H04L9/0894 , H04L9/14 , H04L63/06 , H04L63/10
Abstract: The embodiments set forth techniques for implementing a cloud service that enables cloud data to be shared between different users in a secure manner. One embodiment involves a sharing manager and a sharing client, where the sharing manager is configured to manage various data components stored within a storage system managed by the cloud service. These data components can include user accounts, share objects (for sharing data between users—and, in some cases, public users not known to the sharing manager)—as well as various “wrapping objects” that enable data to be logically separated in an organized manner within the storage system. According to this approach, the sharing client is configured to interface with the sharing manager in order to carry out various encryption/decryption techniques that enable the cloud data to be securely shared between the users.
-
-
-
-
-
-
-
-
-
Search Results
84
records
(took 0.022 seconds)
