Patents by Inventor XIAOYU RUAN
XIAOYU RUAN has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230342459
Abstract: An apparatus comprising a computer platform, including a central processing unit (CPU) comprising a first security engine to perform security operations at the CPU and a chipset comprising a second security engine to perform security operations at the chipset, wherein the first security engine and the second security engine establish a secure channel session between the CPU and the chipset to secure data transmitted between the CPU and the chipset.
Type: Application
Filed: June 22, 2023
Publication date: October 26, 2023
Applicant: Intel Corporation
Inventors: Michael Berger, Xiaoyu Ruan, Purushottam Goel, Mahesh Natu, Bharat Pillilli
-
Publication number: 20230291567
Abstract: Described herein is a paging technique that can be implemented in any accelerator with attached memory and support for operating on encrypted data when the CPU is not within the trusted compute base (TCB). Memory storing data that is encrypted using hardware physical address (HPA)-based encryption can be paged out of accelerator device memory by decoupling encryption from the hardware physical address and re-encrypting the data for page-out. Upon page-in, the data is decrypted, the integrity and authenticity of the data is verified, then the data is re-encrypted using HPA-based encryption.
Type: Application
Filed: March 11, 2022
Publication date: September 14, 2023
Applicant: Intel Corporation
Inventors: VIDHYA KRISHNAN, SIDDHARTHA CHHABRA, VEDVYAS SHANBHOGUE, XIAOYU RUAN, ADITYA NAVALE, JULIEN CARRENO
-
Patent number: 11741227
Abstract: An apparatus comprising a computer platform, including a central processing unit (CPU) comprising a first security engine to perform security operations at the CPU and a chipset comprising a second security engine to perform security operations at the chipset, wherein the first security engine and the second security engine establish a secure channel session between the CPU and the chipset to secure data transmitted between the CPU and the chipset.
Type: Grant
Filed: June 22, 2021
Date of Patent: August 29, 2023
Assignee: Intel Corporation
Inventors: Michael Berger, Xiaoyu Ruan, Purushottam Goel, Mahesh Natu, Bharat Pillilli
-
Patent number: 11734460
Abstract: Connectionless trusted computing base recovery is described. An example of a system includes one or more processors to process data; hardware including a hardware RoT (root of trust); and firmware including a firmware TCB (trusted computing base), the firmware including the credentials including one or more certificates and one or more keys, wherein the one or more processors are to determine that the firmware TCB is compromised and that the hardware RoT is intact; issue new credentials by the hardware RoT to mutable firmware based on a version number or security version number (SVN) of the firmware; and revoke old versions of the credentials for the firmware.
Type: Grant
Filed: June 23, 2021
Date of Patent: August 22, 2023
Assignee: INTEL CORPORATION
Inventors: Xiaoyu Ruan, Tsippy Mendelson, Yanai Moyal, Daniel Nemiroff
-
Publication number: 20220321361
Abstract: Methods and apparatus relating to a Federal Information Processing Standard (FIPS) compliant Device Identifier Composition Engine (DICE) certificate chain architecture for embedded systems are described. In an embodiment, Deterministic Random Bit Generator (DRBG) logic circuitry generates a random number for each layer of a Device Identifier Composition Engine (DICE). The DRBG logic circuitry is a Federal Information Processing Standard (FIPS) approved DRBG logic circuitry. Logic circuitry derives an Elliptic Curve Digital Signature Algorithm (ECDSA) private key for a layer of the DICE based at least in part on one or more operations of a FIPS-approved ECDSA key pair generation logic circuitry. Other embodiments are also disclosed and claimed.
Type: Application
Filed: March 30, 2022
Publication date: October 6, 2022
Applicant: Intel Corporation
Inventors: Xiaoyu Ruan, Ned M. Smith, Matthew G. Pirretti
-
Publication number: 20220245252
Abstract: An apparatus is disclosed. The apparatus comprises one or more processors to receive a request to perform a firmware update at a device, prepare a second trusted compute base (TCB) layer for the firmware update, generate a first compound device identifier (CDI) associated with a first TCB layer to be used by the second TCB layer to attest an operational state of the first TCB layer prior to applying the update and generate a second CDI associated with the first TCB layer to be used by the second TCB layer to attest the operational state of the first layer after the update has been applied and perform the firmware update of the second TCB layer.
Type: Application
Filed: April 21, 2022
Publication date: August 4, 2022
Applicant: Intel Corporation
Inventors: Ned M. Smith, Andrew Draper, Xiaoyu Ruan
-
Publication number: 20220179961
Abstract: Various embodiments provide apparatuses, systems, and methods for establishing, by a data object exchange (DOE entity) of a peripheral component interconnect express (PCIe) device, a first session for communication between a first host entity of a host device and a first PCIe entity of the PCIe device, and a second session for communication between a second host entity of the host device and a second PCIe entity of the PCIe device. The first session may have a first security policy and be a session of a first connection between the PCIe device and the host device. The second session may have a second security policy and be a session of a second connection between the PCIe device and the host device. Other embodiments may be described and claimed.
Type: Application
Filed: January 14, 2022
Publication date: June 9, 2022
Inventors: Jiewen YAO, David HARRIMAN, Xiaoyu RUAN, Mahesh NATU
-
Publication number: 20220138286
Abstract: Systems, apparatuses and methods may provide for encryption based technology. Data may be encrypted locally with a graphics processor with encryption engines. The graphics processor components may be verified with a root-of-trust and based on collection of claims. The graphics processor may further be able to modify encrypted data from a non-pageable format to a pageable format. The graphics processor may further process data associated with a virtual machine based on a key that is known by the virtual machine and the graphics processor.
Type: Application
Filed: December 23, 2020
Publication date: May 5, 2022
Applicant: Intel Corporation
Inventors: David Zage, Scott Janus, Ned M. Smith, Vidhya Krishnan, Siddhartha Chhabra, Rajesh Poornachandran, Tomer Levy, Julien Carreno, Ankur Shah, Ronald Silvas, Aravindh Anantaraman, David Puffer, Vedvyas Shanbhogue, David Cowperthwaite, Aditya Navale, Omer Ben-Shalom, Alex Nayshtut, Xiaoyu Ruan
-
Publication number: 20220109558
Abstract: In one example an apparatus comprises verification circuitry to store an object image in a computer readable memory external to an XMSS verifier circuitry and verify the object image by repeating operations to receive, in a local memory of the XMSS verifier circuitry, a fixed-sized block of data from the object image and process the fixed-sized block of data to compute the signature verification. Other examples may be described.
Type: Application
Filed: December 15, 2021
Publication date: April 7, 2022
Applicant: Intel Corporation
Inventors: Vikram Suresh, Santosh Ghosh, Shalini Sharma, Eduard Lecha, Manoj Sastry, Xiaoyu Ruan, Sanu Mathew
-
Publication number: 20210328779
Abstract: The disclosure provides method, system and apparatus to provide authentication between one or more endpoints during an initial and subsequent boot cycles. In an exemplary application, an asymmetric-key cryptography is used only once to set up a persistent seed between the host and the device. After the initial setup, symmetric-key cryptography may be used with the agreed seed for authentication and session key establishment. The device wraps the persistent seed with device secrets and stores it on the host, hence secure NVM is not required on the device. The disclosed embodiments are particularly advantageous over the art of record as they provide authentication speeds of over 20,000 times faster than asymmetric-key cryptography.
Type: Application
Filed: June 25, 2021
Publication date: October 21, 2021
Applicant: Intel Corporation
Inventor: Xiaoyu Ruan
-
Publication number: 20210319139
Abstract: Connectionless trusted computing base recovery is described. An example of a system includes one or more processors to process data; hardware including a hardware RoT (root of trust); and firmware including a firmware TCB (trusted computing base), the firmware including the credentials including one or more certificates and one or more keys, wherein the one or more processors are to determine that the firmware TCB is compromised and that the hardware RoT is intact; issue new credentials by the hardware RoT to mutable firmware based on a version number or security version number (SVN) of the firmware; and revoke old versions of the credentials for the firmware.
Type: Application
Filed: June 23, 2021
Publication date: October 14, 2021
Applicant: Intel Corporation
Inventors: Xiaoyu Ruan, Tsippy Mendelson, Yanai Moyal, Daniel Nemiroff
-
Publication number: 20210312044
Abstract: An apparatus comprising a computer platform, including a central processing unit (CPU) comprising a first security engine to perform security operations at the CPU and a chipset comprising a second security engine to perform security operations at the chipset, wherein the first security engine and the second security engine establish a secure channel session between the CPU and the chipset to secure data transmitted between the CPU and the chipset.
Type: Application
Filed: June 22, 2021
Publication date: October 7, 2021
Applicant: Intel Corporation
Inventors: Michael Berger, Xiaoyu Ruan, Purushottam Goel, Mahesh Natu, Bharat Pillilli
-
Patent number: 11030317
Abstract: Embodiments described herein enable independently recoverable security for processor and peripheral communication, enabling a processor without native non-volatile memory to generate and recover credentials in response to a firmware update. The processor and peripheral can each have credentials burned into secure fuses. The processor can derive a shared secret from the secure fuses using security attributes that are based on the security version number of firmware within the processor and the peripherals to which the processor is to securely communicate. The processor and peripherals can generate ephemeral session keys from the shared secret and nonces. The ephemeral session keys can be used to secure communications between the processor and the peripherals.
Type: Grant
Filed: March 28, 2019
Date of Patent: June 8, 2021
Assignee: INTEL CORPORATION
Inventors: Xiaoyu Ruan, William A. Stevens, Jr., David Novick
-
Patent number: 10938563
Abstract: Technologies for provisioning cryptographic keys include hardcoding identical cryptographic key components of a Rivest-Shamir-Adleman (RSA) public-private key pair to each compute device of a plurality of compute devices. A unique cryptographic exponent that forms a valid RSA public-private key pair with cryptographic key components hardcoded into each compute device is provided to each compute device so that each compute device has a unique public key. The public key of each compute device may be used to provision unique secrets to the corresponding compute device.
Type: Grant
Filed: June 30, 2017
Date of Patent: March 2, 2021
Assignee: INTEL CORPORATION
Inventors: Xiaoyu Ruan, Vincent Von Bokern, Daniel Nemiroff
-
Patent number: 10862680
Abstract: In embodiments, an apparatus for microcontroller (µC) or system-on-chip (SoC) computing includes a set of fuses disposed in a µC or a SoC to store a seed value and M pairs of loop counter values (LCVs) with which to locally generate M private keys from the seed value on the microcontroller or SoC, where M is a positive integer, each private key to decrypt data encrypted with a pre-defined public key cryptosystem, wherein each private key includes two prime numbers p and q (p,q), the LCVs being a number of iterations of a key derivation function (KDF) needed to respectively obtain p and q from the seed value; and a key decoder, disposed in the (µC) or the SoC, and coupled to the set of fuses, to read the seed value and the M pairs of LCVs, and, for each of the M private keys to: respectively generate (p,q) from the seed value by respectively iterating the KDF by the LCVs for that key.
Type: Grant
Filed: September 26, 2018
Date of Patent: December 8, 2020
Assignee: Intel Corporation
Inventors: Daniel Nemiroff, Xiaoyu Ruan, William Stevens, Jr.
-
Patent number: 10853472
Abstract: In one embodiment, an apparatus includes a non-volatile storage to store a seed value and a signature that is based on an iterative execution of a function for a predetermined number of intervals. The apparatus may further include the security processor coupled to the non-volatile storage, where the security processor is to independently recover a credential for an updated version of the firmware based at least in part on the seed value and a security version number for the updated version of the firmware. Other embodiments are described and claimed.
Type: Grant
Filed: June 28, 2018
Date of Patent: December 1, 2020
Assignee: Intel Corporation
Inventors: Xiaoyu Ruan, William A. Stevens, Jr.
-
Publication number: 20190220602
Abstract: Embodiments described herein enable independently recoverable security for processor and peripheral communication, enabling a processor without native non-volatile memory to generate and recover credentials in response to a firmware update. The processor and peripheral can each have credentials burned into secure fuses. The processor can derive a shared secret from the secure fuses using security attributes that are based on the security version number of firmware within the processor and the peripherals to which the processor is to securely communicate. The processor and peripherals can generate ephemeral session keys from the shared secret and nonces. The ephemeral session keys can be used to secure communications between the processor and the peripherals.
Type: Application
Filed: March 28, 2019
Publication date: July 18, 2019
Applicant: Intel Corporation
Inventors: Xiaoyu Ruan, William A. Stevens, JR., David Novick
-
Publication number: 20190042725
Abstract: In one embodiment, an apparatus includes a non-volatile storage to store a seed value and a signature that is based on an iterative execution of a function for a predetermined number of intervals. The apparatus may further include the security processor coupled to the non-volatile storage, where the security processor is to independently recover a credential for an updated version of the firmware based at least in part on the seed value and a security version number for the updated version of the firmware. Other embodiments are described and claimed.
Type: Application
Filed: June 28, 2018
Publication date: February 7, 2019
Inventors: Xiaoyu Ruan, William A. Stevens, JR.
-
Publication number: 20190044716
Abstract: In embodiments, an apparatus for microcontroller (µC) or system-on-chip (SoC) computing includes a set of fuses disposed in a µC or a SoC to store a seed value and M pairs of loop counter values (LCVs) with which to locally generate M private keys from the seed value on the microcontroller or SoC, where M is a positive integer, each private key to decrypt data encrypted with a pre-defined public key cryptosystem, wherein each private key includes two prime numbers p and q (p,q), the LCVs being a number of iterations of a key derivation function (KDF) needed to respectively obtain p and q from the seed value; and a key decoder, disposed in the (µC) or the SoC, and coupled to the set of fuses, to read the seed value and the M pairs of LCVs, and, for each of the M private keys to: respectively generate (p,q) from the seed value by respectively iterating the KDF by the LCVs for that key.
Type: Application
Filed: September 26, 2018
Publication date: February 7, 2019
Inventors: Daniel Nemiroff, Xiaoyu Ruan, William Stevens, JR.
-
Publication number: 20190007209
Abstract: Technologies for provisioning cryptographic keys include hardcoding identical cryptographic key components of a Rivest-Shamir-Adleman (RSA) public-private key pair to each compute device of a plurality of compute devices. A unique cryptographic exponent that forms a valid RSA public-private key pair with cryptographic key components hardcoded into each compute device is provided to each compute device so that each compute device has a unique public key. The public key of each compute device may be used to provision unique secrets to the corresponding compute device.
Type: Application
Filed: June 30, 2017
Publication date: January 3, 2019
Inventors: Xiaoyu Ruan, Vincent Von Bokern, Daniel Nemiroff