Patents by Inventor Howard C. Herbert

Howard C. Herbert has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 6760441
    Abstract: The present invention is a method, apparatus, and system to generate a key hierarchy for use in an isolated execution environment of a protected platform. In order to bind secrets to particular code operating in isolated execution, a key hierarchy comprising a series of symmetric keys for a standard symmetric cipher is utilized. The protected platform includes a processor that is configured in one of a normal execution mode and an isolated execution mode. A key storage stores an initial key that is unique for the platform. A cipher key creator located in the protected platform creates the hierarchy of keys based upon the initial key. The cipher key creator creates a series of symmetric cipher keys to protect the secrets of loaded software code.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: July 6, 2004
    Assignee: Intel Corporation
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar, Millind Mittal
  • Patent number: 6754815
    Abstract: The present invention provides a method, apparatus, and system for invoking a reset process in response to a processor being individually reset. The reset processor operates within a platform in an isolated execution mode and is associated with an isolated area of memory. An initialization process is invoked for an initializing processor. The initialization process determines whether or not a cleanup flag is set. If the cleanup flag is set, the isolated area of memory is scrubbed. In one embodiment, when a last processor operating in the platform is reset, it is reset without clearing the cleanup flag. Subsequently, an initializing processor invokes the initialization process. The initialization process determines that the cleanup flag is set. The initialization process invokes the execution of a processor nub loader. If the cleanup flag is set, the processor nub loader scrubs the isolated area of memory and invokes a controlled close for the initializing processor.
    Type: Grant
    Filed: July 18, 2000
    Date of Patent: June 22, 2004
    Assignee: Intel Corporation
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar, Millind Mittal
  • Publication number: 20040078590
    Abstract: The present invention provides a method, apparatus, and system for controlling memory accesses to multiple memory zones in an isolated execution environment. A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.
    Type: Application
    Filed: October 10, 2003
    Publication date: April 22, 2004
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar, Millind Mittal
  • Patent number: 6708274
    Abstract: A method and system for maintaining integrity and confidentiality of pages paged to an external storage unit from a physically secure environment. An outgoing page is selected to be exported from a physically secure environment to an insecure environment. An integrity check value is generated and stored for the outgoing page. In one embodiment, this takes the form of taking a one-way hash of the page using a well-known one-way hash function. The outgoing page is then encrypted using a cryptographically strong encryption algorithm. Among the algorithms that might be used in one embodiment of the invention are IDEA and DES. The encrypted outgoing page is then exported to the external storage. By virtue of the encryption and integrity check, the security of the data on the outgoing page is maintained in the insecure environment.
    Type: Grant
    Filed: April 30, 1998
    Date of Patent: March 16, 2004
    Assignee: Intel Corporation
    Inventors: Howard C. Herbert, Derek L. Davis
  • Patent number: 6678825
    Abstract: The present invention provides a method, apparatus, and system for controlling memory accesses to multiple isolated memory areas in an isolated execution environment. A page manager is used to distribute a plurality of pages to a plurality of different areas of a memory, respectively. The memory is divided into non-isolated areas and isolated areas. The page manager is located in an isolated area of memory. Further, a memory ownership page table describes each page of memory and is also located in an isolated area of memory. The page manager assigns an isolated attribute to a page if the page is distributed to an isolated area of memory. On the other hand, the page manager assigns a non-isolated attribute to a page if the page is distributed to a non-isolated area of memory. The memory ownership page table records the attribute for each page. In one embodiment, a processor having a normal execution mode and an isolated execution mode generates an access transaction.
    Type: Grant
    Filed: July 18, 2000
    Date of Patent: January 13, 2004
    Assignee: Intel Corporation
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar, Millind Mittal
  • Patent number: 6633963
    Abstract: A processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that stores configuration settings. The configuration settings include a plurality of subsystem memory range settings defining memory zones. The access transaction also includes access information. A multi-memory zone access checking circuit, coupled to the configuration storage, checks the access transaction using at least one of the configuration settings and the access information. The multi-memory zone access checking circuit generates an access grant signal if the access transaction is valid.
    Type: Grant
    Filed: July 18, 2000
    Date of Patent: October 14, 2003
    Assignee: Intel Corporation
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar, Millind Mittal
  • Patent number: 6629244
    Abstract: A cryptographic device comprising a processing logic and memory associated with the processing logic. The memory is loaded with a first segment of code to control execution of cryptographic functions and hash functions, and a second segment of code to perform cryptographic functions on behalf of a third party having no physical control of hardware employing the cryptographic device.
    Type: Grant
    Filed: November 16, 2001
    Date of Patent: September 30, 2003
    Assignee: Intel Corporation
    Inventors: Derek L. Davis, Howard C. Herbert
  • Patent number: 6507904
    Abstract: A technique is provided to execute isolated instructions according to an embodiment of the present invention. An execution unit executes an isolated instruction in a processor operating in a platform. The processor is configured in one of a normal execution mode and an isolated execution mode. A parameter storage containing at least one parameter to support execution of the isolated instruction when the processor is configured in the isolated execution mode.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: January 14, 2003
    Assignee: Intel Corporation
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar, Millind Mittal
  • Publication number: 20020144121
    Abstract: A signature key is generated in a secure platform. The secure platform has a processor configured in one of a normal execution mode and an isolated execution mode. A file checker is loaded into an isolated memory area accessible to the processor in the isolated execution mode. In isolated execution mode, a file checker performs a scan operation on the original file and produces a result. A signature associated with the scanned file is generated based on the result and using the signature key. The signature indicates file integrity.
    Type: Application
    Filed: March 30, 2001
    Publication date: October 3, 2002
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar
  • Publication number: 20020144140
    Abstract: A file is sent to a remote signing authority via a network. The signing authority checks the file and provides a signature indicating file integrity of the file. The signature returned from the signing authority via the network is verified.
    Type: Application
    Filed: March 30, 2001
    Publication date: October 3, 2002
    Inventors: Carl M. Ellison, Roger A. Golliver, Howard C. Herbert, Derrick C. Lin, Francis X. McKeen, Gilbert Neiger, Ken Reneris, James A. Sutton, Shreekant S. Thakkar
  • Publication number: 20020099946
    Abstract: A method and system for maintaining integrity and confidentiality of pages paged to an external storage unit from a physically secure environment An outgoing page is selected to be exported from a physically secure environment to an insecure environment An integrity check value is generated and stored for the outgoing page. In one embodiment, this takes the form of taking a one-way hash of the page using a well-known one-way hash function. The outgoing page is then encrypted using a cryptographically strong encryption algorithm. Among the algorithms that might be used in one embodiment of the invention are IDEA and DES. The encrypted outgoing page is then exported to the external storage. By virtue of the encryption and integrity check, the security of the data on the outgoing page is maintained in the insecure environment.
    Type: Application
    Filed: April 30, 1998
    Publication date: July 25, 2002
    Inventors: HOWARD C. HERBERT, DEREK L. DAVIS
  • Patent number: 6389537
    Abstract: A cryptographic device comprising a processing logic and memory associated with the processing logic. The memory is loaded with a first segment of code to control execution of cryptographic functions and hash functions, and a second segment of code to perform cryptographic functions on behalf of a third party having no physical control of hardware employing the cryptographic device.
    Type: Grant
    Filed: April 23, 1999
    Date of Patent: May 14, 2002
    Assignee: Intel Corporation
    Inventors: Derek L. Davis, Howard C. Herbert
  • Publication number: 20020040436
    Abstract: A cryptographic device comprising a processing logic and memory associated with the processing logic. The memory is loaded with a first segment of code to control execution of cryptographic functions and hash functions, and a second segment of code to perform cryptographic functions on behalf of a third party having no physical control of hardware employing the cryptographic device.
    Type: Application
    Filed: November 16, 2001
    Publication date: April 4, 2002
    Inventors: Derek L. Davis, Howard C. Herbert
  • Patent number: 6199053
    Abstract: A method and apparatus for encoding a purpose into a digital signature, where purpose and digital signature bound into an extended digital signature. The extended digital signature capability binds a purpose description identifying the purpose for the digital signature so that when affixed to a digital signature, the digital signature cannot be employed for improper purposes. A hash function is used to generate a hash value from the purpose description. The hash value is used in a digital signature function to bind the purpose to a digital signature. The extended digital signature can be verified for validity by comparing it to a hash value. In an electronic transaction, the extended digital signature can allow a purpose to be bound with the digital signature so that improper or unauthorized transactions are detected and disallowed.
    Type: Grant
    Filed: April 8, 1999
    Date of Patent: March 6, 2001
    Assignee: Intel Corporation
    Inventors: Howard C. Herbert, Derek L. Davis
  • Patent number: 6023509
    Abstract: A method and apparatus for encoding a purpose into a digital signature, where purpose and digital signature bound into an extended digital signature. The extended digital signature capability binds a purpose description identifying the purpose for the digital signature so that when affixed to a digital signature, the digital signature cannot be employed for improper purposes. A hash function is used to generate a hash value from the purpose description. The hash value is used in a digital signature function to bind the purpose to a digital signature. The extended digital signature can be verified for validity by comparing it to a hash value. In an electronic transaction, the extended digital signature can allow a purpose to be bound with the digital signature so that improper or unauthorized transactions are detected and disallowed.
    Type: Grant
    Filed: September 30, 1996
    Date of Patent: February 8, 2000
    Assignee: Intel Corporation
    Inventors: Howard C. Herbert, Derek L. Davis
  • Patent number: 5757919
    Abstract: A method and system for maintaining integrity and confidentiality of pages paged to an external storage unit from a physically secure environment. An outgoing page is selected to be exported from a physically secure environment to an insecure environment. An integrity check value is generated and stored for the outgoing page. In one embodiment, this takes the form of taking a one-way hash of the page using a well-known one-way hash function. The outgoing page is then encrypted using a cryptographically strong encryption algorithm. Among the algorithms that might be used in one embodiment of the invention are IDEA and DES. The encrypted outgoing page is then exported to the external storage. By virtue of the encryption and integrity check, the security of the data on the outgoing page is maintained in the insecure environment.
    Type: Grant
    Filed: December 12, 1996
    Date of Patent: May 26, 1998
    Assignee: Intel Corporation
    Inventors: Howard C. Herbert, Derek L. Davis