Patent application number | Description | Published |
20120110644 | GLOBALLY VALID MEASURED OPERATING SYSTEM LAUNCH WITH HIBERNATION SUPPORT - An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations. | 05-03-2012 |
20130013928 | Secure Credential Unlock Using Trusted Execution Environments - Computing devices utilizing trusted execution environments as virtual smart cards are designed to support expected credential recovery operations when a user credential, e.g., personal identification number (PIN), password, etc., has been forgotten or is unknown. A computing device generates a cryptographic key that is protected with a PIN unlock key (PUK) provided by an administrative entity. If the user PIN cannot be input to the computing device, the PUK can be input to unlock the locked cryptographic key and thereby provide access to protected data. A computing device can also, or alternatively, generate a group of challenges and formulate responses thereto. The formulated responses are each used to secure a computing device cryptographic key. If the user PIN cannot be input to the computing device, an entity may request a challenge. The computing device issues a challenge from the set of generated challenges. Upon receiving a valid response back, the computing device can unlock the secured computing device cryptographic key associated with the issued challenge and subsequently provide access to protected data. | 01-10-2013 |
20120226895 | PROTECTING OPERATING SYSTEM CONFIGURATION VALUES - In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken. | 09-06-2012 |
20120257759 | ONE-TIME RECOVERY CREDENTIALS FOR ENCRYPTED DATA ACCESS - A key recovery request for a device is received at a key recovery service and a particular one-time recovery credential in a sequence of multiple one-time recovery credentials is identified. In the sequence of multiple one-time recovery credentials, previous one-time recovery credentials in the sequence are indeterminable given subsequent one-time recovery credentials in the sequence. A recovery key associated with the device is also identified. The particular one-time recovery credential in the sequence is generated based on the recovery key, and is returned in response to the key recovery request. The particular one-time recovery credential can then be used by the device to decrypt encrypted data stored on a storage media of the device. | 10-11-2012 |
20120294445 | CREDENTIAL STORAGE STRUCTURE WITH ENCRYPTED PASSWORD - In accordance with one or more aspects, a storage structure including both an encrypted credential and an encrypted password is obtained. A key can be obtained from a key distribution service and the encrypted password decrypted, based on the key, to obtain a password. The encrypted credential is decrypted, based on the password to obtain the credential. Both devices able to obtain the key from the key distribution service, and devices otherwise able to obtain the password, are able to obtain the credential by decrypting the encrypted credential. | 11-22-2012 |
20130054946 | DIGITAL SIGNING AUTHORITY DEPENDENT PLATFORM SECRET - In accordance with one or more aspects, a representation of a configuration of a firmware environment of a device is generated. A secret of the device is obtained, and a platform secret is generated based on both the firmware environment configuration representation and the secret of the device. One or more keys can be generated based on the platform secret. | 02-28-2013 |
20130054977 | ENCRYPTED CHUNK-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE - To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, an encrypted chunks map is accessed. The encrypted chunks map identifies whether, for each chunk of sectors of a storage volume, the sectors in the chunk are unencrypted. In response to a request to write content to a sector, the encrypted chunks map is checked to determine whether a chunk that includes the sector is unencrypted. If the chunk that includes the sector is unencrypted, then the sectors in the chunk are encrypted, and the content is encrypted and written to the sector. If the chunk that includes the sector is encrypted or not in use, then the content is encrypted and written to the sector. | 02-28-2013 |
20130054979 | SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE - To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned. | 02-28-2013 |
20130212383 | Revocation Information for Revocable Items - Techniques for providing revocation information for revocable items are described. In implementations, a revocation service is employed to manage revocation information for various revocable items. For example, the revocation service can maintain a revoked list that includes revoked revocable items, such as revoked digital certificates, revoked files (e.g., files that are considered to be unsafe), unsafe network resources (e.g., a website that is determined to be unsafe), and so on. In implementations, the revocation service can communicate a revoked list to a client device to enable the client device to maintain an updated list of revocation information. | 08-15-2013 |
20140108814 | CRYPTOGRAPHIC KEY MANAGEMENT - Cryptographic key management techniques are described. In one or more implementations, an access control rule is read that includes a Boolean expression having a plurality of atoms. The cryptographic keys that correspond to each of the plurality of atoms in the access control rule are requested. One or more cryptographic operations are then performed on data using one or more of the cryptographic keys. | 04-17-2014 |
20150033039 | SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE - To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned. | 01-29-2015 |
20150082048 | KEYING INFRASTRUCTURE - A keying infrastructure may generate and/or manage cryptographic keys. The cryptographic keys may include identity keys, encryption keys, and a variety of other types of keys. The cryptographic keys may be derived or created with a key derivation function (KDF) or other one-way function. The cryptographic keys may include keys that are accessible to a boot loader, keys that are accessible to particular components of a Trusted Execution Environment (TrEE), and so on. In some examples, a key may be derived from a preceding key in a sequence of keys. The preceding key may be deleted when the key is derived. | 03-19-2015 |
20080224825 | Method and Device For Operating a Multifunctional Near-Field Communication Device Supporting Several Data Formats - The present invention relates to the field of power saving battery-operated radio frequency identification (RFID) and near field communication (NFC) devices and provides a method to operate a multifunctional NFC/RFID device that supports two or more data formats according to respective protocols of respective standards. The method of the invention comprises obtaining context information about the context of said multifunctional near-field communication device, and selecting an operation mode for the multifunctional near-field communication device for communicating with external devices on the basis of said obtained context information. In the method, said selected operation mode defines proportionality values for communicating according to said two or more supported data formats according to respective protocols of respective standards. Said operation mode is used for switching operation of said multifunctional near-field communication device between said two or more supported data formats according to respective protocols of respective standards based on the proportionality values. | 09-18-2008 |
20080254780 | Automated Application-Selective Processing of Information Obtained Through Wireless Data Communication Links - The present invention provides a method for automated application-selective processing of data by a portable processor based terminal device and the portable processor based terminal device enabled to perform the aforementioned method. The data is receivable wirelessly from an external counterpart data provision entity. One or more content data is extracted from the wirelessly received data. Then it is checked whether an application, which is currently carried out on the portable processor based terminal device, is applicable or compatible with the one or more content data, and in case a content data is applicable with the current running application, the content data is supplied to the application, which processes the supplied content data accordingly. | 10-16-2008 |
20090075592 | METHOD AND DEVICE FOR CONTROLLING AND PROVIDING INDICATIONS OF COMMUNICATION EVENTS - The present invention relates to the field of contact-less transactions, in particular to the field of near field communication and more particularly to smart card transactions over radio frequency identification interface. The present invention relates also to a method and system for providing a user of a mobile terminal with additional information and control over various transaction processes and at the same time additional visibility to various transaction service providers by providing indications of near field communication events on a near field communication device, with the steps of detecting a near field communication event, obtaining at least one indication of near field communication events in accordance with said detected near field communication event, and providing said at least one obtained indication. | 03-19-2009 |
20090313689 | Method, Device, And System For Network-Based Remote Control Over Contactless Secure Storages - A typical system environment comprises a terminal device, a secure storage subsystem, and an interconnectivity component. The terminal device has a network connectivity subsystem enabled for data connectivity with a wireless communications network. The secure storage subsystem has a secure storage memory for securely storing contents and is enabled for local RF connectivity through a local RF communication subsystem. The secure storage subsystem is operable as a contactless smartcard in accordance with any contactless technology. The interconnectivity component is adapted to enable communication of the secure storage subsystem through the network connectivity subsystem with the network. The interconnectivity component is further configured to detect that messages received from the network are destined for the secure storage subsystem and is configured to supply those identified messages to the secure storage subsystem. The messages enable exercising control over the secure storage subsystem in that the messages comprise one or more instructions to be processed by a secure memory controller of the secure storage subsystem. | 12-17-2009 |