-
Publication number: US11165766B2
Publication date: 2021-11-02
Application number: US16106069
Application date: 2018-08-21
Applicant: International Business Machines Corporation
Inventor: Timothy R. Block, Elaine R. Palmer, Kenneth A. Goldman, William E. Hall, Hugo M. Krawczyk, David D. Sanner, Christopher J. Engel, Peter A. Sandon, Alwood P. Williams, III
IPC: H04L29/06, H04L9/08, G06F9/455, G06F9/4401, G06F9/445
Abstract: A method and computer system for implementing authentication protocol for merging multiple server nodes with trusted platform modules (TPMs) utilizing provisioned node certificates to support concurrent node add and node remove. Each of the multiple server nodes boots an instance of enablement level firmware and extended to a trusted platform module (TPM) on each node as the server nodes are powered up. A hardware secure channel is established between the server nodes for firmware message passing as part of physical configuration of the server nodes to be merged. A shared secret is securely exchanged via the hardware secure channel between the server nodes establishing an initial authentication value shared among all server nodes. All server nodes confirm common security configuration settings and exchange TPM log and platform configuration register (PCR) data to establish common history for future attestation requirements, enabling dynamic changing the server nodes and concurrently adding and removing nodes.
-
Publication number: US09646166B2
Publication date: 2017-05-09
Application number: US13958730
Application date: 2013-08-05
Applicant: International Business Machines Corporation
Inventor: Charles D. Cash, Stanislaw Jarecki, Charanjit S. Jutla, Hugo M. Krawczyk, Marcel C. Rosu, Michael Steiner
CPC classification number: G06F21/6218, G06F17/30864, G06F21/602
Abstract: A method for encrypting a database includes the following step. Keywords in the database are encrypted to obtain encrypted search tags for the keywords. A table of reverse indices is generated for the encrypted search tags. A table of cross keyword indices is generated. A method for searching in an encrypted database includes the following steps. A search is formulated as a conjunct of two or more atomic search queries. One of the conjuncts is selected as a primary atomic search query. Search capabilities are generated for a secondary atomic search query using the primary atomic search query and the secondary atomic search query. Such methods mask query data and the actual composition of the database to reduce computation complexity and privacy leakage.
-
Publication number: US20200067912A1
Publication date: 2020-02-27
Application number: US16106069
Application date: 2018-08-21
Applicant: International Business Machines Corporation
Inventor: Timothy R. Block, Elaine R. Palmer, Kenneth A. Goldman, William E. Hall, Hugo M. Krawczyk, David D. Sanner, Christopher J. Engel, Peter A. Sandon, Alwood P. Williams, III
IPC: H04L29/06, H04L9/08, G06F9/445, G06F9/455, G06F9/4401
Abstract: A method and computer system for implementing authentication protocol for merging multiple server nodes with trusted platform modules (TPMs) utilizing provisioned node certificates to support concurrent node add and node remove. Each of the multiple server nodes boots an instance of enablement level firmware and extended to a trusted platform module (TPM) on each node as the server nodes are powered up. A hardware secure channel is established between the server nodes for firmware message passing as part of physical configuration of the server nodes to be merged. A shared secret is securely exchanged via the hardware secure channel between the server nodes establishing an initial authentication value shared among all server nodes. All server nodes confirm common security configuration settings and exchange TPM log and platform configuration register (PCR) data to establish common history for future attestation requirements, enabling dynamic changing the server nodes and concurrently adding and removing nodes.
-
Publication number: US20200067699A1
Publication date: 2020-02-27
Application number: US16112224
Application date: 2018-08-24
Applicant: International Business Machines Corporation
Inventor: Jason K. Resch, Hugo M. Krawczyk, Mark D. Seaborn
Abstract: A computing device including a processor, memory, and instructions, interfaces with a key management system (KMS) that provides encryption keys using an Oblivious Pseudorandom Function (OPRF). The device obtains, based on a type of encryption key being requested, a public key of a public-private key pair. The device creates an Oblivious Key Access Request (OKAR), including a blinded value associated with a requested encryption key. The OKAR is transmitted to the KMS, and a response is received. The response includes a blinded OPRF output, which yields an OPRF output as a result of being subjected to an unblinding operation. The OPRF output is validated using the public key, either directly or via a challenge, and in response to a positive validation, the OPRF output is used as a final key, or an intermediary key used to derive the final key.
-
Publication number: US09742557B2
Publication date: 2017-08-22
Application number: US15429590
Application date: 2017-02-10
Applicant: International Business Machines Corporation
Inventor: Camit Hazay, Ashish Jagmohan, Demijan Klinc, Hugo M. Krawczyk, Tal Rabin
CPC classification number: H04L9/0637, G06F2221/2107, H04L9/0618, H04L9/0819, H04L9/32, H04L63/0428, H04L69/04, H04L2209/24, H04L2209/30
Abstract: A method, system and computer program product are disclosed for compressing encrypted data, wherein the data is encrypted by using a block encryption algorithm in a chained mode of operation, and the encrypted data is comprised of a set of N encrypted blocks, C1 ... CN. In one embodiment, the method comprises leaving block CN uncompressed, and compressing all of the blocks C1 ... CN in a defined sequence using a Slepian-Wolf code. In an embodiment, the data is encrypted using an encryption key K, and the compressing includes compressing all of the blocks C1 ... CN without using the encryption key. In one embodiment, the compressing includes outputting the blocks C1 ... CN as a set of compressed blocks CmprC1 ... CmprCN-1, and the method further comprises decrypting CN to generate a reconstructed block X̃n, and decrypting and decompressing the set of compressed blocks using X̃n.
-
Publication number: US20150039885A1
Publication date: 2015-02-05
Application number: US13958739
Application date: 2013-08-05
Applicant: International Business Machines Corporation
Inventor: Charles D. Cash, Stanislaw Jarecki, Charanjit S. Jutla, Hugo M. Krawczyk, Marcel C. Rosu, Michael Steiner
IPC: G06F21/62
CPC classification number: G06F21/6227, G06F21/335, G06F2221/2141, G06F2221/2149, H04L9/0894, H04L63/0428, H04L63/0435, H04L63/168
Abstract: A method comprises receiving a first cryptographic token for one search term and a second cryptographic token is generated using the one search term and at least another search term. A first search is conducted using the first cryptographic token to generate a first result set, and the second cryptographic token is used for computing a subset of results of the first result set.
-
Publication number: US10924267B2
Publication date: 2021-02-16
Application number: US16112224
Application date: 2018-08-24
Applicant: International Business Machines Corporation
Inventor: Jason K. Resch, Hugo M. Krawczyk, Mark D. Seaborn
Abstract: A computing device including a processor, memory, and instructions, interfaces with a key management system (KMS) that provides encryption keys using an Oblivious Pseudorandom Function (OPRF). The device obtains, based on a type of encryption key being requested, a public key of a public-private key pair. The device creates an Oblivious Key Access Request (OKAR), including a blinded value associated with a requested encryption key. The OKAR is transmitted to the KMS, and a response is received. The response includes a blinded OPRF output, which yields an OPRF output as a result of being subjected to an unblinding operation. The OPRF output is validated using the public key, either directly or via a challenge, and in response to a positive validation, the OPRF output is used as a final key, or an intermediary key used to derive the final key.
-
Publication number: US10700859B2
Publication date: 2020-06-30
Application number: US15943142
Application date: 2018-04-02
Applicant: International Business Machines Corporation
Inventor: Jason K. Resch, Hugo M. Krawczyk
Abstract: A computing device includes an interface configured to interface and communicate with a communication system, a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory that is configured to execute the operational instructions to perform various operations. The computing device processes an input value in accordance with a Threshold Partially-Oblivious Pseudorandom Function (TP-OPRF) blinding operation to generate a blinded input. The computing device then selects a threshold number of shareholder computing devices that are associated with a Key Management System (KMS) service and transmits the blinded input to them. The computing device then receives at least a threshold number of blinded output components from at least some of the shareholder computing devices and processes them to generate a blinded output. The computing device then processes the blinded output in accordance with a TP-OPRF unblinding operation to generate a key.
-
Publication number: US20190296896A1
Publication date: 2019-09-26
Application number: US15926651
Application date: 2018-03-20
Applicant: International Business Machines Corporation
Inventor: Jason K. Resch, Hugo M. Krawczyk, Mark D. Seaborn
Abstract: A computing device includes an interface configured to interface and communicate with a communication system, a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory that is configured to execute the operational instructions to perform various operations. The computing device processes an input value associated with a key based on a blinding key in accordance with an Oblivious Pseudorandom Function (OPRF) blinding operation to generate a blinded value and transmits it to another computing device (e.g., that is associated with a Key Management System (KMS) service). The computing device then receives a blinded key that is based on processing of the blinded value based on an OPRF using an OPRF secret. The computing device processes the blinded key based on the blinding key in accordance with the OPRF unblinding operation to generate the key (e.g., to be used for secure information access).
-
Publication number: US09584323B2
Publication date: 2017-02-28
Application number: US14993577
Application date: 2016-01-12
Applicant: International Business Machines Corporation
Inventor: Camit Hazay, Ashish Jagmohan, Demijan Klinc, Hugo M. Krawczyk, Tal Rabin
CPC classification number: H04L9/0637, G06F2221/2107, H04L9/0618, H04L9/0819, H04L9/32, H04L63/0428, H04L69/04, H04L2209/24, H04L2209/30
Abstract: A method, system and computer program product are disclosed for compressing encrypted data, wherein the data is encrypted by using a block encryption algorithm in a chained mode of operation, and the encrypted data is comprised of a set of N encrypted blocks, C1 ... CN. In one embodiment, the method comprises leaving block CN uncompressed, and compressing all of the blocks C1 ... CN in a defined sequence using a Slepian-Wolf code. In an embodiment, the data is encrypted using an encryption key K, and the compressing includes compressing all of the blocks C1 ... CN without using the encryption key. In one embodiment, the compressing includes outputting the blocks C1 ... CN as a set of compressed blocks CmprC1 ... CmprCN-1, and the method further comprises decrypting CN to generate a reconstructed block X̃n, and decrypting and decompressing the set of compressed blocks using X̃n.