Patent application number | Description | Published |
20130191897 | Field Provisioning a Device to a Secure Enclave - This invention includes apparatus, systems, and methods to add a new device to a secure enclave, without requiring the new device to enter close proximity to the security entity and protected area. A new device is able to gain access to the secure enclave by first obtaining a temporary credential from an existing device in the field. The new device presents the temporary credential to the security entity which authenticates, provisions, and if appropriate fully associates the new devices to the secure enclave. The invention also includes a process for creating and distributing the temporary credentials to existing devices in the field including using secure connections to transmit electronic version of the temporary credentials and methods to securely distribute physical copies of the credentials. This invention enables rapid deployment of new devices, or replenishment of lost or damaged devices in the field without compromising the security of the device or the secure enclave. The invention also reduces the resources required, provides a solution that is available at any time, and reduces the technical skill required to add a device to a secure enclave. | 07-25-2013 |
20130340067 | Multi-Wrapped Virtual Private Network - The invention includes a system for transmitting multi-wrapped VPN enabled-data across a communication network from a device to another destination device within a remote protected network. The device comprises a software stack, hardware layer, application-layer VPN software, link-layer VPN software, and user-based application software. Next, the device is coupled to a communication network. Next, the system includes a link-layer VPN aggregator and an application-layer VPN aggregator. Finally, the system includes a protected network that includes the destination device. The invention includes embodiments for configuring a device to transmit multi-wrapped VPN enabled-data and processes for transmitting multi-wrapped VPN enabled-data across a communication network from a device to another destination device within a remote protected network. Finally, the invention includes inverse processes so the destination device can transmit data back through the communication network and to the device. | 12-19-2013 |
20140053255 | Secure Non-Geospatially Derived Device Presence Information - This invention includes a system and method to enable a device to determine the presence information of another device over a secure communication network. First, the device and a presence server establish a secure connection. Next, while the initial secure connection with the presence server is established, the device generates a randomly created token and provides it to the presence server. The token is used as a shared-secret by the device and the presence server to secure future presence communications over a non-secure connection. Next, without the need to again enter a password or establish a secure connection with the presence server, the device uses the shared-secret to sign, encrypt and convey presence information to the presence server over an arbitrary connection. Finally, the presence server may share the first device's presence information with another device. | 02-20-2014 |
20140108785 | Certificate Authority Server Protection - This invention includes a solution to enable a digital authentication solution comprising a network. Next, a first device is coupled to the network. The first device may include an authentication key generator that is able to generate both public and private keys in electronic formats. Next, the first device is coupled to a certificate authority gateway. The certificate authority gateway includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. Next, the certificate authority gateway is coupled to a certificate authority server. The certificate authority server includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. The certificate authority server is also contained in a secure area such as a locked room, or a safe. The secure area includes features that allow the non-electronically formatted public key to be passed across the boundary of the secure area. Finally, a second device is coupled to the network. | 04-17-2014 |
20140112472 | Geospatial Cryptography - The invention includes methods for cryptographically authenticating access between devices when the devices are within a geospatial boundary comprising the first step of keeping track of the physical position of the devices using both low and, or high fidelity geospatial positioning techniques. Next, a first device determines whether any nearby mobile devices have entered the geospatial boundary. Next, the first device determines if any of the mobile devices are peers eligible for cryptographic authentication. After the first device authenticates that the other device within the geospatial boundary is a trusted peer, the devices may perform various data and, or dynamic policy operations. | 04-24-2014 |
20140143538 | Data Security and Integrity by Remote Attestation - This invention includes apparatus, systems, and methods to ensure the security and integrity of data stored, processed, and transmitted across compute devices. The invention includes a system comprising at least one of said devices, application software installed on said devices and coupled to the device's hardware and software stack to execute data encryption and remote attestation, and said devices coupled with an attestation server through a communication network. The invention includes a process to configure said devices for data encryption and remote attestation and performing an initial inventory and content scan of the device's hardware and software stack with results transmitted across a communication network to the attestation server. The invention includes periodic inventory and content scans of the device's hardware and software stack with results transmitted again to the attestation server via the communication network. The attestation server stores said results in a database for comparison to subsequent results sent by devices. The attestation server notes any differences in the most recent results and sends an alert to the device if the device is configured differently based on the previous scan, or configured the same if no differences were noted. | 05-22-2014 |
20140195793 | Remotely Establishing Device Platform Integrity - This invention includes apparatus, systems, and methods for repairing a corrupted device still in the field by sending the corrupted device a known-good configuration derived from the majority group of devices in the field. First, an initial inventory and content scan of the device's hardware and software stack is taken. The attestation server uses the collection of results to determine a statistically known-good configuration for each type of device. The attestation server groups the known good devices by devices and ideally all of the devices of the same type are configured mostly the same. The attestation server sends an alert to the device that the device is configured differently than the plurality of existing devices. Finally, the attestation server will request a known-good configuration from one of the devices in the plurality of existing devices to repair the corrupted device in the field. | 07-10-2014 |
20140281526 | Secure Network Storage - This invention includes apparatus, systems, and methods to secure data in a remote storage device where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising securing an authenticated communication between the end-point device and a synchronized storage server via a communication network. The synchronized storage server sends the end-point device a notification including the root folder list. The end-point device compares the sent root folder list to a previously stored root folder list in the end-point devices' memory. If the end-point device detects either a new root folder on the synchronized storage server, a change in an existing folder, or deleted content in a folder the end-point device will determine that a change is required to the stored data. Next the end-point device will synchronize with the synchronized storage server and create a new storage list. Finally, the synchronized storage server will send the end-point device a new encrypted folder encryption key which includes the encrypted file contents along with identifying information such as the server name and revision information. | 09-18-2014 |