-
1.发明申请CRYPTOGRAPHIC DEVICE WITH RESISTANCE TO DIFFERENTIAL POWER ANALYSIS AND OTHER EXTERNAL MONITORING ATTACKS 有权具有抵抗差分功率分析和其他外部监测攻击的结构设备公开(公告)号:US20130173928A1
公开(公告)日:2013-07-04
申请号:US13762703
申请日:2013-02-08
申请人: Paul C. Kocher , Pankaj Rohatgi , Joshua M. Jaffe
发明人: Paul C. Kocher , Pankaj Rohatgi , Joshua M. Jaffe
IPC分类号: G06F12/14
CPC分类号: G06F21/575 , G06F8/71 , G06F9/44505 , G06F12/1408 , G06F21/556 , G06F21/602 , G06F21/755 , G06F21/76 , G06F2212/402 , G06F2221/034 , G06F2221/2107 , G06F2221/2125 , G06F2221/2145 , H04L9/003 , H04L9/0631 , H04L9/085 , H04L9/0861 , H04L9/088 , H04L9/0894 , H04L9/16 , H04L9/3236 , H04L9/3247 , H04L63/0428 , H04L63/0869 , H04L2209/24 , H04L2209/38 , H04L2209/56 , H04L2463/061
摘要: Techniques usable by devices to encrypt and decrypt sensitive data to in a manner that provides security from external monitoring attacks. The encrypting device has access to a base secret cryptographic value (key) that is also known to the decrypting device. The sensitive data are decomposed into segments, and each segment is encrypted with a separate encryption key derived from the base key and a message identifier to create a set of encrypted segments. The encrypting device uses the base secret cryptographic value to create validators that prove that the encrypted segments for this message identifier were created by a device with access to the base key. The decrypting device, upon receiving an encrypted segments and validator(s), uses the validator to verify the message identifier and that the encrypted segment are unmodified, then uses a cryptographic key derived from the base key and message identifier to decrypt the segments.
摘要翻译: 技术可以由设备加密和解密敏感数据,以提供安全性从外部监视攻击。 加密设备可以访问解密设备也是已知的基本密钥加密值(密钥)。 敏感数据被分解为段,并且每个段用来自基本密钥的单独的加密密钥和消息标识符加密,以创建一组加密的段。 加密设备使用基本秘密加密值来创建验证器,证明该消息标识符的加密段由具有访问基本密钥的设备创建。 解密装置在接收到加密的段和验证器时,使用验证器来验证消息标识符,并且加密段未被修改,然后使用从基本密钥和消息标识符导出的加密密钥来解密段。
-
公开(公告)号:US20110138192A1
公开(公告)日:2011-06-09
申请号:US12958570
申请日:2010-12-02
申请人: Paul C. KOCHER , Pankaj Rohatgi , Joshua M. Jaffe
发明人: Paul C. KOCHER , Pankaj Rohatgi , Joshua M. Jaffe
CPC分类号: G06F21/575 , G06F8/71 , G06F9/44505 , G06F12/1408 , G06F21/556 , G06F21/602 , G06F21/755 , G06F21/76 , G06F2212/402 , G06F2221/034 , G06F2221/2107 , G06F2221/2125 , G06F2221/2145 , H04L9/003 , H04L9/0631 , H04L9/085 , H04L9/0861 , H04L9/088 , H04L9/0894 , H04L9/16 , H04L9/3236 , H04L9/3247 , H04L63/0428 , H04L63/0869 , H04L2209/24 , H04L2209/38 , H04L2209/56 , H04L2463/061
摘要: This patent describes techniques usable by devices to encrypt and decrypt sensitive data to in a manner that provides security from external monitoring attacks. The encrypting device has access to a base secret cryptographic value (key) that is also known to the decrypting device. The sensitive data are decomposed into segments, and each segment is encrypted with a separate encryption key derived from the base key and a message identifier to create a set of encrypted segments. The encrypting device uses the base secret cryptographic value to create validators that prove that the encrypted segments for this message identifier were created by a device with access to the base key. The decrypting device, upon receiving an encrypted segments and validator(s), uses the validator to verify the message identifier and that the encrypted segment are unmodified, then uses a cryptographic key derived from the base key and message identifier to decrypt the segments. Derived keys and validators are produced using methods designed to preserve security even if cipher and hashing operations leak information. Embodiments for systems including SoCs, firmware loading, FPGAs and network communications are described.
摘要翻译: 本专利描述了可以通过设备加密和解密敏感数据的技术,以提供来自外部监视攻击的安全性的方式。 加密设备可以访问解密设备也是已知的基本密钥加密值(密钥)。 敏感数据被分解为段,并且每个段用来自基本密钥的单独的加密密钥和消息标识符加密,以创建一组加密的段。 加密设备使用基本秘密加密值来创建验证器,证明该消息标识符的加密段由具有访问基本密钥的设备创建。 解密装置在接收到加密的段和验证器时,使用验证器来验证消息标识符,并且加密段未被修改,然后使用从基本密钥和消息标识符导出的加密密钥来解密段。 派生密钥和验证器使用旨在保护安全性的方法生成,即使加密和散列操作泄漏信息。 描述了包括SoC,固件加载,FPGA和网络通信的系统的实施例。
-
公开(公告)号:US08386800B2
公开(公告)日:2013-02-26
申请号:US12958570
申请日:2010-12-02
申请人: Paul C. Kocher , Pankaj Rohatgi , Joshua M. Jaffe
发明人: Paul C. Kocher , Pankaj Rohatgi , Joshua M. Jaffe
CPC分类号: G06F21/575 , G06F8/71 , G06F9/44505 , G06F12/1408 , G06F21/556 , G06F21/602 , G06F21/755 , G06F21/76 , G06F2212/402 , G06F2221/034 , G06F2221/2107 , G06F2221/2125 , G06F2221/2145 , H04L9/003 , H04L9/0631 , H04L9/085 , H04L9/0861 , H04L9/088 , H04L9/0894 , H04L9/16 , H04L9/3236 , H04L9/3247 , H04L63/0428 , H04L63/0869 , H04L2209/24 , H04L2209/38 , H04L2209/56 , H04L2463/061
摘要: This patent describes techniques usable by devices to encrypt and decrypt sensitive data to in a manner that provides security from external monitoring attacks. The encrypting device has access to a base secret cryptographic value (key) that is also known to the decrypting device. The sensitive data are decomposed into segments, and each segment is encrypted with a separate encryption key derived from the base key and a message identifier to create a set of encrypted segments. The encrypting device uses the base secret cryptographic value to create validators that prove that the encrypted segments for this message identifier were created by a device with access to the base key. The decrypting device, upon receiving an encrypted segments and validator(s), uses the validator to verify the message identifier and that the encrypted segment are unmodified, then uses a cryptographic key derived from the base key and message identifier to decrypt the segments. Derived keys and validators are produced using methods designed to preserve security even if cipher and hashing operations leak information. Embodiments for systems including SoCs, firmware loading, FPGAs and network communications are described.
摘要翻译: 本专利描述了可以通过设备加密和解密敏感数据的技术,以提供来自外部监视攻击的安全性的方式。 加密设备可以访问解密设备也是已知的基本密钥加密值(密钥)。 敏感数据被分解为段,并且每个段用来自基本密钥的单独的加密密钥和消息标识符加密,以创建一组加密的段。 加密设备使用基本秘密加密值来创建验证器,证明该消息标识符的加密段由具有访问基本密钥的设备创建。 解密装置在接收到加密的段和验证器时,使用验证器来验证消息标识符,并且加密段未被修改,然后使用从基本密钥和消息标识符导出的加密密钥来解密段。 派生密钥和验证器使用旨在保护安全性的方法生成,即使加密和散列操作泄漏信息。 描述了包括SoC,固件加载,FPGA和网络通信的系统的实施例。
-
公开(公告)号:US08606724B2
公开(公告)日:2013-12-10
申请号:US12266198
申请日:2008-11-06
申请人: Pau-Chen Cheng , John Andrew Clark , Yow Tzu Lim , Pankaj Rohatgi
发明人: Pau-Chen Cheng , John Andrew Clark , Yow Tzu Lim , Pankaj Rohatgi
CPC分类号: G06N99/005
摘要: A method for constructing a classifier which maps an input vector to one of a plurality of pre-defined classes, the method steps includes receiving a set of training examples as input, wherein each training example is an exemplary input vector belonging to one of the pre-defined classes, learning a plurality of functions, wherein each function maps the exemplary input vectors to a numerical value, and determining a class for the input vector by combining numerical outputs of the functions determined for the input vector.
摘要翻译: 一种用于构建将输入向量映射到多个预定义类之一的分类器的方法,所述方法步骤包括接收一组训练样本作为输入,其中每个训练样本是属于所述预定义类别之一的示例性输入向量 学习多个功能,其中每个功能将示例性输入向量映射到数值,并且通过组合为输入向量确定的函数的数字输出来确定输入向量的类。
-
公开(公告)号:US08087090B2
公开(公告)日:2011-12-27
申请号:US12131206
申请日:2008-06-02
申请人: Pau-Chen Cheng , Shai Halevi , Trent Ray Jaeger , Paul Ashley Karger , Ronald Perez , Pankaj Rohatgi , Angela Marie Schuett , Michael Steiner , Grant M. Wagner
发明人: Pau-Chen Cheng , Shai Halevi , Trent Ray Jaeger , Paul Ashley Karger , Ronald Perez , Pankaj Rohatgi , Angela Marie Schuett , Michael Steiner , Grant M. Wagner
CPC分类号: G06N7/023 , G06F21/577 , G06F21/604 , G06F21/6218 , H04L63/105
摘要: An access control system and method includes a risk index module which computes a risk index for a dimension contributing to risk. A boundary range defined for a parameter representing each risk index such that the parameter above the range is unacceptable, below the range is acceptable and in the range is acceptable with mitigation measures. A mitigation module determines the mitigation measures which reduce the parameter within the range by mapping the effectiveness of performing the mitigation measures to determine a residual risk after a mitigation measure has been implemented.
摘要翻译: 访问控制系统和方法包括风险指数模块,其计算用于风险的维度的风险指数。 为表示每个风险指数的参数定义的边界范围,使得高于该范围的参数是不可接受的,低于该范围是可接受的,并且在该范围内可以用缓解措施来接受。 缓解模块通过绘制执行缓解措施的有效性来确定缓解措施实施后的剩余风险,确定减少范围内的参数的缓解措施。
-
公开(公告)号:US20090064343A1
公开(公告)日:2009-03-05
申请号:US12130308
申请日:2008-05-30
申请人: Weifeng Chen , Alexandre V. Evfimievski , Zhen Liu , Ralf Rantzau , Anton Viktorovich Riabov , Pankaj Rohatgi , Angela Marie Schuett , Ramakrishnan Srikant , Grant Wagner
发明人: Weifeng Chen , Alexandre V. Evfimievski , Zhen Liu , Ralf Rantzau , Anton Viktorovich Riabov , Pankaj Rohatgi , Angela Marie Schuett , Ramakrishnan Srikant , Grant Wagner
IPC分类号: G06F21/24
CPC分类号: H04L63/105
摘要: A method for protecting information in a distributed stream processing system, including: assigning a principal label to a processing component; assigning a first channel label to a first communication channel that is input to the processing component; comparing the principal label to the first channel label to determine if the processing component can read data attributes of the first channel label; and reading the data attributes of the first channel label when the principal label is equal to or has precedence over the first channel label, wherein the principal label includes a read label and a write label and at least one of a selection label, an addition label or a suppression label.
摘要翻译: 一种用于保护分布式流处理系统中的信息的方法,包括:将主标签分配给处理组件; 将第一信道标签分配给被输入到所述处理部件的第一通信信道; 将主标签与第一通道标签进行比较,以确定处理组件是否可以读取第一通道标签的数据属性; 以及当所述主标签等于或优先于所述第一信道标签时,读取所述第一信道标签的数据属性,其中所述主标签包括读标签和写标签,以及选择标签,添加标签中的至少一个 或抑制标签。
-
7.发明授权Method, apparatus and system for resistance to side channel attacks on random number generators 失效对随机数发生器进行侧向通道攻击的方法,装置和系统公开(公告)号:US07496616B2
公开(公告)日:2009-02-24
申请号:US10987640
申请日:2004-11-12
申请人: Suresh Narayana Chari , Vincenzo Valentino Diluoffo , Paul Ashley Karger , Elaine Rivette Palmer , Tal Rabin , Josyula Ramachandra Rao , Pankaj Rohatgi , Helmut Scherzer , Michael Steiner , David Claude Toll
发明人: Suresh Narayana Chari , Vincenzo Valentino Diluoffo , Paul Ashley Karger , Elaine Rivette Palmer , Tal Rabin , Josyula Ramachandra Rao , Pankaj Rohatgi , Helmut Scherzer , Michael Steiner , David Claude Toll
IPC分类号: G06F1/02
CPC分类号: G06F7/582 , H04L9/003 , H04L9/0662
摘要: A random number generator (RNG) resistant to side channel attacks includes an activation pseudo random number generator (APRNG) having an activation output connected to an activation seed input to provide a next seed to the activation seed input. A second random number generator includes a second seed input, which receives the next seed and a random data output, which outputs random data in accordance with the next seed. An input seed memory is connected to the activation seed input and a feedback connection from the activation output so that the next seed is stored in the input seed memory to be used by the APRNG as the activation seed input at a next startup cycle.
摘要翻译: 具有抗侧向信道攻击的随机数发生器(RNG)包括具有连接到激活种子输入的激活输出的激活伪随机数生成器(APRNG),以向激活种子输入提供下一种子。 第二随机数生成器包括第二种子输入,其接收下一个种子和随机数据输出,其根据下一种子输出随机数据。 输入种子存储器连接到激活种子输入和来自激活输出的反馈连接,使得下一种子存储在输入种子存储器中,以供APRNG使用,作为下一个启动周期的激活种子输入。
-
公开(公告)号:US07142670B2
公开(公告)日:2006-11-28
申请号:US09943720
申请日:2001-08-31
CPC分类号: G06F21/556 , H04L9/002 , H04L2209/043 , H04L2209/08
摘要: Methods, apparatus and computer software and hardware products providing method, apparatus and system solutions for implementing table lookups in a side-channel attack resistant manner. Embodiments are provided for devices and situations where there is limited amount of RAM memory available or restrictions on memory addressing. The solutions solve problems associated with look up tables with large indices, as well as problems associated with looking up large sized tables or a collection of tables of large cumulative size, in limited devices, in an efficient side-channel attack resistant manner. These solutions provide defenses against both first-order side channel attacks as well as higher-order side channel attacks. One aspect of the present invention is the creation of one or more random tables which are used possibly in conjunction with other tables to perform a table lookup. This denies an adversary information about the table lookup from the side channel and thereby imparting side-channel resistance to the table lookup operation. Another aspect of the present invention is the use of a combination of some operations such as Table Split, Table Mask and Table Aggregate, to achieve this side-channel resistance within the limited amounts of available RAM and limited memory addressing capabilities of the device performing table lookups.
-
公开(公告)号:US20060161982A1
公开(公告)日:2006-07-20
申请号:US11037695
申请日:2005-01-18
申请人: Suresh Chari , Pau-Chen Cheng , Josyula Rao , Pankaj Rohatgi , Michael Steiner
发明人: Suresh Chari , Pau-Chen Cheng , Josyula Rao , Pankaj Rohatgi , Michael Steiner
IPC分类号: G06F12/14
CPC分类号: G06F21/554 , G06F21/53
摘要: An intrusion detection system (IDS), method of protecting computers against intrusions and program product therefor. The IDS determines which applications are to run in native environment (NE) and places the remaining applications in a sandbox. Some of the applications in sandboxes may be placed in a personalized virtual environment (PVE) in the sandbox. Upon detecting an attempted attack, a dynamic honeypot may be started for an application in a sandbox and not in a PVE. A virtualized copy of system resources may be created for each application in a sandbox and provided to the corresponding application in the respective sandbox.
摘要翻译: 入侵检测系统(IDS),防止计算机入侵的方法和程序产品。 IDS确定在本地环境(NE)中运行哪些应用程序,并将剩余的应用程序放在沙箱中。 砂箱中的一些应用程序可能会放置在沙箱中的个性化虚拟环境(PVE)中。 在检测到尝试的攻击时,可以为沙箱而不是PVE中的应用启动动态蜜罐。 可以为沙箱中的每个应用程序创建系统资源的虚拟副本,并提供给相应沙箱中的相应应用程序。
-
10.发明申请公开(公告)号:US20060104443A1
公开(公告)日:2006-05-18
申请号:US10987640
申请日:2004-11-12
申请人: Suresh Chari , Vincenzo Diluoffo , Paul Karger , Elaine Palmer , Tal Rabin , Josyula Rao , Pankaj Rohatgi , Helmut Scherzer , Michael Steiner , David Toll
发明人: Suresh Chari , Vincenzo Diluoffo , Paul Karger , Elaine Palmer , Tal Rabin , Josyula Rao , Pankaj Rohatgi , Helmut Scherzer , Michael Steiner , David Toll
IPC分类号: H04L9/00
CPC分类号: G06F7/582 , H04L9/003 , H04L9/0662
摘要: A random number generator (RNG) resistant to side channel attacks includes an activation pseudo random number generator (APRNG) having an activation output connected to an activation seed input to provide a next seed to the activation seed input. A second random number generator includes a second seed input, which receives the next seed and a random data output, which outputs random data in accordance with the next seed. An input seed memory is connected to the activation seed input and a feedback connection from the activation output so that the next seed is stored in the input seed memory to be used by the APRNG as the activation seed input at a next startup cycle.
-
-
-
-
-
-
-
-
-
搜索结果
40 条记录 (耗时 0.044 秒)
