Abstract: A method and apparatus are disclosed in a data processing system for establishing virtual endorsement credentials. The data processing system includes a hardware trusted platform module (TPM). Logical partitions are generated in the system. A different virtual TPM is generated for each one of the logical partitions. For each one of the logical partitions, the virtual TPM that was generated for the logical partition then dynamically generates a virtual endorsement key, which is stored only within a corresponding virtual TPM. Using the virtual endorsement key, each virtual TPM also generates a virtual endorsement credential for use by the logical partition that includes the virtual TPM. The virtual endorsement credential is generated within the data processing system without the data processing system or its devices accessing a trusted third party that is external to the data processing system.

Abstract: A method, computer program, and system for paging platform configuration registers in and out of a trusted platform module. In a trusted computing platform, an unlimited number of platform configuration registers can be obtained through paging. The trust platform module encrypts and decrypts platform configuration registers for storage outside the trusted platform module.

Abstract: A method for a plurality of key cache managers for a plurality of localities to share cryptographic key storage resources of a security chip, includes: loading an application key into the key storage; and saving a restoration data for the application key by a key cache manager, where the restoration data can be used by the key cache manager to re-load the application key into the key storage if the application key is evicted from the key storage by another key cache manager. The method allows each of a plurality of key cache managers to recognize that its key had been removed from the security chip and to restore its key. The method also allows each key cache manager to evict or destroy any key currently loaded on the security chip without affecting the functionality of other localities.

Abstract: A computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the computer system is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset.

Abstract: An apparatus, system and method of secure communications from a human interface device are provided. The apparatus, system, and method receive input data and calculate encrypted data from the input data using a secure credential. In one embodiment the apparatus, system, and method request and receive a single instance credential and calculate the encrypted data using the secure credential and the single instance credential. The encrypted data may be a secure authorization that may be valid for one use. Communication of the encrypted data through networks and communicating devices is secure. The encrypted data may not be decrypted even if intercepted without the secure credential. The apparatus, system, and method enable secure communications from the human interface device.

Abstract: An update utility requests a signature verification of the utility's signature along with a request to unlock the flash memory stored in the utility. A trusted platform module (“TPM”) performs a signature verification of the utility using a previously stored public key. Upon verification of the signature, the TPM unlocks the flash memory to permit update of the utility. Upon completion of the update, the flash utility issues a lock request to the TPM to relock the flash memory.

Abstract: A method and system for enabling security attestation for a computing device during a return from an S4 sleep state. When the computing device enters into the S4 state following a successful boot up, the attestation log is appended to the TPM tick count and the log is signed (with a security signature). When the device is awaken from S4 state, the BIOS obtains and verifies the log created during the previous boot. The CRTM maintains a set of virtual PCRs and references these virtual PCRs against the log. If the values do not match, the return from S4 state fails and the device is rebooted.

Abstract: Access to secure data through a portable computing system is provided only when a timer within the system is running. The timer is reset with the portable system connected to a base system, either directly, as by a cable, or indirectly, as through a telephone network. In an initialization process, the portable and base systems exchange data, such as public cryptographic keys, which are later used to confirm that the portable system is connected to the same base system. In one embodiment, the initialization process also includes storing a password transmitted from the portable system within the base system, with this password later being required within the reset process.

Abstract: A computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the computer system is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset.

Abstract: A Trusted Computing Platform Alliance (TCPA) endorsement certificate is provided by comparing a trusted platform module (TPM) public key transmitted by an owner of the computing device to which the TPM belongs to a copy of the key as originally stored in a remote database prior to vending the device. If a match is found the certificate is created using the public key, and then sent to the owner of the computing device.

Abstract: A method and system for configuring an operating system in a computer system including language selection during bootup rather than at manufacture. A first aspect of the method and system comprises providing a plurality of operating system images in the computer system, each of the plurality of operating system images being based upon a particular language, selecting one of the plurality of operating system images based on the language supported by the computer system and loading the selected operating system image into the computer system. A second aspect of the method and system comprises providing a language-independent operating system image in the computer system, determining a language supported by the computer system, loading the language-independent operating system image into the computer system, and associating the language supported by the computer system with the language-independent operating system image.

Abstract: A network includes a plurality of wall plates, each of the wall plates couples a network resource such as a computer or a network attached device to the network and includes an RFID circuit to detect proximate devices having an RFID tag. The proximate devices can be network attached devices or non network attached devices such as desks, phones, and artwork. Logic is included within each wall plate which includes wall plate physical location information. The logic is designed to respond to a broadcast signal. In so doing, the physical location of any resource can be determined. The physical location of all known resources are provided to an inventory application in the network, thereby allowing network administrators and users to remotely determine the physical location (room, floor, building, etc.) of any and all known resources attached to the network. Likewise, local computer users are able to identify the network resources located in their vicinity.

Abstract: A motherboard for a computer system is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the motherboard is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset on the motherboard.

Abstract: A wireless communication network comprising: (1) a plurality of mobile devices each configured to receive a beacon being broadcasted within the network and determine based on information transmitted within the beacon whether the mobile device is supported within the network; and (2) one or more access devices configured to broadcast the beacon within the network. Each of the mobile devices has a transmitting mechanism for communicating with the one or more access device. However, only those mobile devices that are supported by the network respond to the receipt of the beacon. Thus, no transmission occurs from the mobile devices until the device is identified as being supported by the network. These mobile devices instantiating a communication path with the one or more access devices and request an authentication from the one or more access devices. In this manner, a handshake mechanism is established between the access devices and the mobile devices that are supported by the network.

Abstract: Apparatus and method provides dynamic load balancing of network bandwidth between access points in an 802.11 wireless LAN. The access point generates and monitors average bandwidth utilization of client devices connected to said access point. The average bandwidth utilization for each client device is aggregated and selected clients are forced to roam to other access points if the aggregate bandwidth is equal or exceeds a threshold.

Abstract: A method and system for providing automatic notification of an end of lease of a computer system and its location within a computer network is disclosed. The computer network includes a server computer system and multiple client computer systems. A message is initially sent from the server computer system to all the client computer systems to inquire the lease status of each of the client computer systems. At each of the client computer systems, a determination is made as to whether or not a current date falls within a predetermined amount of days from the end of lease date for the client computer system. If the current date falls within the predetermined amount of days from the end of lease date for the client computer system, the physical location of the client computer system is obtained from a storage device located at an Ethernet wall plate to which the client computer system is attached.

Abstract: A method for authentication in a computer system includes registering a biometric template in the computer system, thereafter, verifying the authenticity of the registered biometric template and then comparing the biometric template with a biometric image of a user if the biometric template is authentic. If the user's biometric image matches the biometric template, the computer system will continue to boot.

Abstract: A method, system and computer program product for securing decrypted files in a shared environment. A filter driver in a kernel space may be configured to control service requests to encrypted files stored in a shared area, e.g., a shared directory on a disk unit, accessible by multiple users. The filter driver may receive a service request to open an encrypted document in the shared area issued from an authorized user. Upon receiving the encrypted data, the filter driver may decrypt the encrypted data. The filter driver may subsequently store the decrypted data in a file in a non-shared area, e.g., a non-shared directory. The non-shared area may be accessible only by the authorized user that requested access to the encrypted file. By storing the decrypted data in a file in the non-shared area, a file once decrypted may be protected in a file sharing environment.

Abstract: A data processing system and method are disclosed for maintaining a secure data block within the system. A block of data is established within the system. The block of data is associated with a particular user and a particular application. A hardware master key pair is established for the system. The hardware master key pair includes a master private key and a master public key. The hardware master key pair is associated with the system for which it was established so that the master private key is known to only that system. The block of data is encrypted utilizing the master public key. The master private key is required to decrypt the encrypted block of data. This data processing system is the only system capable of decrypting the encrypted block of data.

Abstract: A remote mobile unit (MU) including a radio device is provided with an ability to communicate through a LAN by remote association with an access point (AP) that is out of range for communication with the radio device of the remote MU. The remote MU transmits a quest frames that is received and retransmitted by one or more intermediate MUs until a connection is made with the AP. Each of the intermediate MUs adds an identifying address to the request, forming a path that is used in both directions to transmit a response from the AP to the remote MU and to transmit data between the AP and the MU.