-
Publication No.: US20210144004A1
Publication date: 2021-05-13
Application No.: US16679422
Filing date: 2019-11-11
Inventors: Michael W. Gray, Narayana Aditya Madineni, Matthew Green, Simon D. McMahon, Leigh S. McLean, Stephen J. McKenzie, Luvita Burgess, Peter T. Waltenberg
Abstract: Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.
-
Publication No.: US11153299B2
Publication date: 2021-10-19
Application No.: US16297830
Filing date: 2019-03-11
Inventors: Michael W. Gray, Narayana A. Madineni, Simon D. McMahon, Leigh S. McLean, Luvita Burgess, Stephen J. McKenzie, Matthew Green, Peter T. Waltenberg
Abstract: A method, computer system, and computer program product for secure transport of data is provided. The present invention may include defining a trust relationship based on a secret. The present invention may also include associating a trusted transport key identity (TTKI) based on the defined trust relationship. The present invention may then include receiving a trusted transport key (TTK), wherein the TTK is digitally signed and encrypted with the TTKI. The present invention may further include verifying the digitally signed TTK. The present invention may also include enveloping the secret with the TTK.
-
Publication No.: US20200145215A1
Publication date: 2020-05-07
Application No.: US16180595
Filing date: 2018-11-05
Inventors: Simon McMahon, Narayana Madineni, Michael W. Gray, Leigh McLean, Matthew Green, Luvita Burgess, Stephen J. McKenzie, Peter Waltenberg
Abstract: Secure password lock and recovery is provided. A user password is received to access a secure resource protected by a data processing system. It is determined whether a match exists between a retrieved user password verification string corresponding to a valid user password from a storage of a software token and a generated user password verification string corresponding to the user password. In response to determining that a match does not exist between the retrieved user password verification string and the generated user password verification string, it is determined whether a defined number of user password authentication attempts has been exceeded. In response to determining that the defined number of user password authentication attempts has been exceeded, the retrieved user password verification string is set to a preestablished sequence of values, locking the valid user password on the storage of the software token. Access to the secure resource is denied.
-
Publication No.: US12010143B2
Publication date: 2024-06-11
Application No.: US17445842
Filing date: 2021-08-25
CPC classification: H04L63/166, H04L63/0435, H04L63/20, H04L67/06
Abstract: Establishing a transfer mode between devices for large bulk records over a TLS protocol by fragmenting an encrypted bulk record into a set of pre-defined block sizes for convenient transfer. The pre-defined block sizes are specifically sized to indicate a beginning and an end of the transfer of the associated blocks making up the large bulk record. A middle box is unaware of the association between the blocks and permits transfer according to the maximum transmission unit of the Transport Layer Security (TLS) protocol. The fragmented bulk record is reconstructed and decrypted for use after the transfer.
-
Publication No.: US11206135B2
Publication date: 2021-12-21
Application No.: US16679422
Filing date: 2019-11-11
Inventors: Michael W. Gray, Narayana Aditya Madineni, Matthew Green, Simon D. McMahon, Leigh S. McLean, Stephen J. McKenzie, Luvita Burgess, Peter T. Waltenberg
Abstract: Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.
-
Publication No.: US10560476B2
Publication date: 2020-02-11
Application No.: US15439365
Filing date: 2017-02-22
Abstract: A computer program product for secure data storage. The present invention may include completing a registration process by sending, by the client device, a connection request to the server. The present invention may include generating, by the server, an authentication session identification (ID). The present invention may include sending, by the server, a stored salt and the generated authentication session ID to the client device. The present invention may include sending, by the server, the generated authentication session ID, the server encryption key and user data to the third-party device. The present invention may include sending, by the client device, the generated authentication session ID and user data to the third-party device. The present invention may include generating, by the third-party device, a decryption key. The present invention may include determining that the user data received from the client device and the decrypted user data received from the server are authenticated.
-
Publication No.: US11985239B2
Publication date: 2024-05-14
Application No.: US17503049
Filing date: 2021-10-15
Inventors: Michael W. Gray, Narayana Aditya Madineni, Matthew Green, Simon D. McMahon, Leigh S. McLean, Stephen J. McKenzie, Luvita Burgess, Peter T. Waltenberg
CPC classification: H04L9/3073, H04L9/0891, H04L9/302, H04L9/3265, H04L63/166
Abstract: Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.
-
Publication No.: US11720471B2
Publication date: 2023-08-08
Application No.: US17397261
Filing date: 2021-08-09
CPC classification: G06F11/3433, G06F8/4434, G06F8/72, G06F11/3037, G06F11/3688, G06F11/3692
Abstract: A computer system determines stack usage. An intercept function is executed to store a stack marker in a stack, wherein the intercept function is invoked when a program enters or exits each function of a plurality of functions of the program. A plurality of stack markers are identified in the stack and a memory address is determined for each stack marker during execution of the program to obtain a plurality of memory addresses. The plurality of memory addresses are analyzed to identify a particular memory address associated with the greatest stack depth. A stack usage of the program is determined based on the greatest stack depth. Embodiments of the present invention further include a method and program product for determining stack usage in substantially the same manner described above.
-
Publication No.: US11271968B2
Publication date: 2022-03-08
Application No.: US16809234
Filing date: 2020-03-04
IPC classification: H04L29/06
Abstract: Provided is a method, a computer program product, and a system for providing request messages with zero round trip time in a Transport Layer Security (TLS) session. The method includes establishing a TLS session between a server and a client by performing a TLS handshake between the server and the client. The method further includes generating a session ticket associated with the client. The method also includes transmitting the session ticket to the client and receiving an early request message from the client during the TLS session. The early request message includes a request message that is to be sent to the client upon resuming the TLS session with the client. The method further includes associating the early request message with the session ticket and processing the early request message. The data related to the early request message can be sent upon resumption of the TLS session.
-
Publication No.: US10812267B2
Publication date: 2020-10-20
Application No.: US16180595
Filing date: 2018-11-05
Inventors: Simon McMahon, Narayana Madineni, Michael W. Gray, Leigh McLean, Matthew Green, Luvita Burgess, Stephen J. McKenzie, Peter Waltenberg
Abstract: Secure password lock and recovery is provided. A user password is received to access a secure resource protected by a data processing system. It is determined whether a match exists between a retrieved user password verification string corresponding to a valid user password from a storage of a software token and a generated user password verification string corresponding to the user password. In response to determining that a match does not exist between the retrieved user password verification string and the generated user password verification string, it is determined whether a defined number of user password authentication attempts has been exceeded. In response to determining that the defined number of user password authentication attempts has been exceeded, the retrieved user password verification string is set to a preestablished sequence of values, locking the valid user password on the storage of the software token. Access to the secure resource is denied.