Abstract:
A method and system to provide an effective, scalable and yet low-cost solution for Confidentiality, Integrity and Replay protection for sensitive information stored in a memory and prevent an attacker from observing and/or modifying the state of the system. In one embodiment of the invention, the system has strong hardware protection for its memory contents via XTS-tweak mode of encryption where the tweak is derived based on “Global and Local Counters”. This scheme offers to enable die-area efficient Replay protection for any sized memory by allowing multiple counter levels and facilitates using small counter-sizes to derive the “tweak” used in the XTS encryption without sacrificing cryptographic strength.
Abstract:
Systems, apparatuses, and methods for seamlessly protecting memory regions to protect against hardware-based attacks are disclosed. In one embodiment, an apparatus includes a decoder, control logic, and cryptographic logic. The decoder is to decode a transaction between a processor and memory-mapped input/output space. The control logic is to redirect the transaction from the memory-mapped input/output space to a system memory. The cryptographic logic is to operate on data for the transaction.
Abstract:
Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform is to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed.
Abstract:
In general, in one aspect, the disclosure describes a processor that includes a cryptographic engine and first and second registers. The cryptographic engine is to encrypt data to be written to memory, to decrypt data read from memory, and to generate read integrity check values (ICVs) and write ICVs for memory accesses. The cryptographic engine is also to create a cumulative read ICV and a cumulative write ICV by XORing the generated read ICV and the generated write ICV with a current read MAC and a current write ICV respectively, and to validate data integrity by comparing the cumulative read ICV and the cumulative write ICV. The first and second registers are to store the cumulative read and write ICVs respectively at the processor. Other embodiments are described and claimed.
Abstract:
A processor includes a memory encryption engine that provides replay and confidentiality protections to a memory region. The memory encryption engine performs low-overhead parallelized tree walks along a counter tree structure. The memory encryption engine, upon receiving an incoming read request for the protected memory region, performs a dependency check operation to identify dependency between the incoming read request and an in-process request and to remove the dependency when the in-process request is a read request that is not currently suspended.
Abstract:
A method, device, and system are disclosed. In one embodiment, the method includes receiving measured health information from a client on a key distribution server. Once the measured health information is received, the server is capable of validating the measured health information to see if it is authentic. The server is also capable of sending a session key to the client when the measured health information is validated. When the client receives the session key, the client is capable of initiating an encrypted and authenticated connection with an application server in the domain using the session key.
Abstract:
A method and apparatus to define multiple zones in a data packet for inclusion in processing by security operations of a security protocol. In one embodiment, each defined zone has an associated list of security operations to which the zone is subjected. In another embodiment, the list of security operations for a zone includes parameters to be passed when performing the security operations on the zone.
Abstract:
Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key.