-
Publication No.: US11228421B1
Publication date: 2022-01-18
Application No.: US15884263
Filing date: 2018-01-30
Applicant: Apple Inc.
Inventor: Arthur Mesh, Jerrold V. Hauck, Pierre-Olivier J. Martel, Wade Benson, Oren M. Elrad
Abstract: Secure secrets can be used, in one embodiment, to generate a master key. In one embodiment, a first secret value, generated and stored in a first secure element, can be used with a user's credential (e.g., a user's passcode) to generate, through a first key derivation function, a second secret value. A master key can then be generated through a second key derivation function based on the second secret value and a derived or stored secret such as a device's unique identifier.
-
Publication No.: US10965474B1
Publication date: 2021-03-30
Application No.: US15953326
Filing date: 2018-04-13
Applicant: Apple Inc.
Inventor: Wade Benson, Arthur Mesh
Abstract: Some embodiments of the invention provide a method for authenticating a security device (e.g., a smart card or other highly secured device) to modify a security state (e.g., unlocking, decrypting, etc.) at a target device (e.g., laptop computers, mobile phones, tablets, etc.). In some embodiments, the security device does not have a volatile storage for storing volatile parameters for the particular device to use to perform the authentication process. The method of some embodiments sends an encrypted challenge to the security device, in which the encrypted challenge can only be decrypted by the security device. The method receives a response and modifies accessibility for the target device when the response is a valid response. The method of some embodiments determines that a response is valid based on the decrypted contents of the response and/or based on a period of time between the issuance of the challenge and the received response.
-
Publication No.: US11455432B1
Publication date: 2022-09-27
Application No.: US16895933
Filing date: 2020-06-08
Applicant: Apple Inc.
Inventor: Pierre Olivier Martel, Arthur Mesh, Wade Benson
Abstract: Embodiments described herein enable multi-user storage volume encryption via a secure enclave processor. One embodiment provides for a computing device comprising a first processor to execute a first operating system having one or more user accounts; a second processor to execute a second operating system, the second processor to receive a first encrypted key from the first processor and decrypt a volume encryption key via a key encryption key derived from the first encrypted key, the first encrypted key derived via the secure enclave without user-provided entropy; and a non-volatile memory controller to access encrypted data within non-volatile memory using the volume encryption key.
-
Publication No.: US10691837B1
Publication date: 2020-06-23
Application No.: US15832887
Filing date: 2017-12-06
Applicant: Apple Inc.
Inventor: Pierre Olivier Martel, Arthur Mesh, Wade Benson
Abstract: Embodiments described herein enable multi-user storage volume encryption via a secure enclave processor. One embodiment provides for a computing device comprising a first processor to execute a first operating system having one or more user accounts; a second processor to execute a second operating system, the second processor including a secure enclave, the secure enclave to receive a first encrypted key from the first processor and decrypt a volume encryption key via a key encryption key derived from the first encrypted key, the first encrypted key derived via the secure enclave without user-provided entropy; and a non-volatile memory controller to access encrypted data within non-volatile memory using the volume encryption key.
-
Publication No.: US11531758B2
Publication date: 2022-12-20
Application No.: US17122771
Filing date: 2020-12-15
Applicant: Apple Inc.
Inventor: Pierre Oliver Martel, Arthur Mesh, Wade Benson
Abstract: Embodiments described herein provide for a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides for an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.
-
Publication No.: US20210141902A1
Publication date: 2021-05-13
Application No.: US17122771
Filing date: 2020-12-15
Applicant: Apple Inc.
Inventor: Pierre Oliver Martel, Arthur Mesh, Wade Benson
Abstract: Embodiments described herein provide for a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides for an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.
-