Abstract: A computer system includes one or more field programmable gate arrays as a coprocessor that can be shared among processes and programmed using hardware libraries. Given a set of hardware libraries, an update process periodically updates the libraries and/or adds new libraries. One or more update servers can provide information about libraries available for download, either in response to a request or by notifying systems using such libraries. New available libraries can be presented to a user for selection and download. Requests for updated libraries can arise in several ways, such as through polling for updates, exceptions from applications attempting to use libraries, and upon compilation of application code.

Abstract: Application code is analyzed to determine if a hardware library could accelerate its execution. In particular, application code can be analyzed to identify calls to application programming interfaces (APIs) or other functions that have a hardware library implementation. The code can be analyzed to identify the frequency of such calls. Information from the hardware library can indicate characteristics of the library, such as its size, power consumption and FPGA resource usage. Information about the execution pattern of the application code also can be useful. This information, along with information about other concurrent processes using the FPGA resources, can be used to select a hardware library to implement functions called in the application code.

Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components. Transferred data also can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code.

Abstract: Described herein are techniques for distributed key management (DKM) in cooperation with Trusted Platform Modules (TPMs). The use of TPMs strengthens the storage and processing security surrounding management of distributed keys. DKM-managed secret keys are not persistently stored in clear form. In effect, the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key, once decrypted with a TPM, is available to be used from memory for ordinary cryptographic operations to encrypt and decrypt user data. TPM public keys can be used to determine the set of trusted nodes to which TPM-encrypted secret keys can be distributed.

Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. Transferred data can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code. This code can be used to change the cryptographic operations performed in the FPGA, including keys, or decryption and encryption algorithms, or both.

Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.

Abstract: A resource access system is described herein that solves problems associated with visitor access to resources at a location by using NFC or bump as a fast authentication process to grant persistent visitor rights to a resource, subject to policy conditions such as maintaining the link. The system provides a facility for granting access to NFC/bump-enabled visitors visiting a new location by assigning a persistent link with associated policy. The system provides for a bump/NFC-enabled device to authenticate with a proximate local resource and grant rights to a visiting device. This action proves that the device to be granted rights is physically present at the location of the resource, and does not involve any exchange of codes or user information with the user. Thus, the resource access system provides simplified setup of visitor access to location resources using NFC and similar short-field communication technologies.

Abstract: A computer system includes one or more field programmable gate arrays as a coprocessor that can be shared among processes and programmed using hardware libraries. Given a set of hardware libraries, an update process periodically updates the libraries and/or adds new libraries. One or more update servers can provide information about libraries available for download, either in response to a request or by notifying systems using such libraries. New available libraries can be presented to a user for selection and download. Requests for updated libraries can arise in several ways, such as through polling for updates, exceptions from applications attempting to use libraries, and upon compilation of application code.

Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. Transferred data can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code. This code can be used to change the cryptographic operations performed in the FPGA, including keys, or decryption and encryption algorithms, or both.

Abstract: Application code is analyzed to determine if a hardware library could accelerate its execution. In particular, application code can be analyzed to identify calls to application programming interfaces (APIs) or other functions that have a hardware library implementation. The code can be analyzed to identify the frequency of such calls. Information from the hardware library can indicate characteristics of the library, such as its size, power consumption and FPGA resource usage. Information about the execution pattern of the application code also can be useful. This information, along with information about other concurrent processes using the FPGA resources, can be used to select a hardware library to implement functions called in the application code.

Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components. Transferred data also can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code.

Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.

Abstract: Intelligent Trust Management provides a centralized security facility that gives system components a flexible mechanism for implementing security policies. System components such as applications create a request describing an action that needs to be checked against an appropriate security policy. The request is given to a trust system that determines which policy object applies to the request, and may pass request arguments to the policy. The policy objects include executable code that uses any arguments along with dynamically obtained variable information to make a decision. The decision is returned to the system component, which then operates accordingly. Policy objects may maintain state and interface with the user independent of the system component in order to obtain information to make their decisions. Policy objects may call other policy objects and/or mathematically combine the results of other policy objects to make a decision.

Abstract: Described herein are techniques for distributed key management (DKM) in cooperation with Trusted Platform Modules (TPMs). The use of TPMs strengthens the storage and processing security surrounding management of distributed keys. DKM-managed secret keys are not persistently stored in clear form. In effect, the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key, once decrypted with a TPM, is available to be used from memory for ordinary cryptographic operations to encrypt and decrypt user data. TPM public keys can be used to determine the set of trusted nodes to which TPM-encrypted secret keys can be distributed.

Abstract: Techniques to allow a security policy language to accommodate anonymous credentials are described. A policy statement in a security policy language can reference an anonymous credential. When the policy statement is evaluated to decide whether to grant access to a resource mediated by the policy statement, the anonymous credential is used. The policy language can be implemented to allow one anonymous credential to delegate access-granting rights to another anonymous credential. Furthermore, an anonymous credential can be re-randomized to avoid linkage between uses of the anonymous credential, which can compromise anonymity.

Abstract: AKE with derived ephemeral keys is described. In one aspect, a first party computes a derived ephemeral public-key based on a derived ephemeral secret key and a mathematical group. The derived ephemeral secret key is based on an ephemeral secret key and a long-term secret key. The first party generates a session key for secure exchange of information with a second party. The session key is generated using the derived ephemeral secret key and a second party derived ephemeral public-key key to demonstrate to the second party that the first party possesses the long-term secret key.

Abstract: Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implementation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.

Abstract: Techniques for managing security contexts may be described. An apparatus may comprise a processor and a security management module. The security management module may form a merged security context for multiple concurrent threads, with one of the threads depending on more than one preceding operation from other threads. Other embodiments are described and claimed.

Abstract: Intelligent Trust Management provides a centralized security facility that gives system components a flexible mechanism for implementing security policies. System components such as applications create a request describing an action that needs to be checked against an appropriate security policy. The request is given to a trust system that determines which policy object applies to the request, and may pass request arguments to the policy. The policy objects include executable code that uses any arguments along with dynamically obtained variable information to make a decision. The decision is returned to the system component, which then operates accordingly. Policy objects may maintain state and interface with the user independent of the system component in order to obtain information to make their decisions. Policy objects may call other policy objects and/or mathematically combine the results of other policy objects to make a decision.

Abstract: Key confirmed (KC) authenticated key exchange (AKE) with derived ephemeral keys protocol using a mathematical group is described. In one aspect, a first party, using the mathematical group, determines whether a second party has received information to compute an agreed session key value for exchanging information securely with the first party. At least a subset of the received information is computed using derived ephemeral keys of the first and second parties. The first party generates the agreed session key value only when the second party has demonstrated receipt of the information.