Patents by Inventor XIAOYU RUAN

XIAOYU RUAN has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230342459
    Abstract: An apparatus comprising a computer platform, including a central processing unit (CPU) comprising a first security engine to perform security operations at the CPU and a chipset comprising a second security engine to perform security operations at the chipset, wherein the first security engine and the second security engine establish a secure channel session between the CPU and the chipset to secure data transmitted between the CPU and the chipset.
    Type: Application
    Filed: June 22, 2023
    Publication date: October 26, 2023
    Applicant: Intel Corporation
    Inventors: Michael Berger, Xiaoyu Ruan, Purushottam Goel, Mahesh Natu, Bharat Pillilli
  • Publication number: 20230291567
    Abstract: Described herein is a paging technique that can be implemented in any accelerator with attached memory and support for operating on encrypted data when the CPU is not within the trusted compute base (TCB). Memory storing data that is encrypted using hardware physical address (HPA)-based encrypted can be paged out of accelerator device memory by decoupling encryption from the hardware physical address and re-encrypting the data for page-out. Upon page-in, the data is decrypted, the integrity and authenticity of the data is verified, then the data is re-encrypted using HPA-based encryption.
    Type: Application
    Filed: March 11, 2022
    Publication date: September 14, 2023
    Applicant: Intel Corporation
    Inventors: VIDHYA KRISHNAN, SIDDHARTHA CHHABRA, VEDVYAS SHANBHOGUE, XIAOYU RUAN, ADITYA NAVALE, JULIEN CARRENO
  • Patent number: 11741227
    Abstract: An apparatus comprising a computer platform, including a central processing unit (CPU) comprising a first security engine to perform security operations at the CPU and a chipset comprising a second security engine to perform security operations at the chipset, wherein the first security engine and the second security engine establish a secure channel session between the CPU and the chipset to secure data transmitted between the CPU and the chipset.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: August 29, 2023
    Assignee: Intel Corporation
    Inventors: Michael Berger, Xiaoyu Ruan, Purushottam Goel, Mahesh Natu, Bharat Pillilli
  • Patent number: 11734460
    Abstract: Connectionless trusted computing base recovery is described. An example of a system includes one or more processors to process data; hardware including a hardware RoT (root of trust); and firmware including a firmware TCB (trusted computing base), the firmware including the credentials including one or more certificates and one or more keys, wherein the one or more processors are to determine that the firmware TCB is compromised and that the hardware RoT is intact; issue new credentials by the hardware RoT to mutable firmware based on a version number or security version number (SVN) of the firmware; and revoke old versions of the credentials for the firmware.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: August 22, 2023
    Assignee: INTEL CORPORATION
    Inventors: Xiaoyu Ruan, Tsippy Mendelson, Yanai Moyal, Daniel Nemiroff
  • Publication number: 20220321361
    Abstract: Methods and apparatus relating to a Federal Information Processing Standard (FIPS) compliant Device Identifier Composition Engine (DICE) certificate chain architecture for embedded systems are described. In an embodiment, Deterministic Random Bit Generator (DRBG) logic circuitry generates a random number for each layer of a Device Identifier Composition Engine (DICE). The DRBG logic circuitry is a Federal Information Processing Standard (FIPS) approved DRBG logic circuitry. Logic circuitry derives an Elliptic Curve Digital Signature Algorithm (ECDSA) private key for a layer of the DICE based at least in part on one or more operations of a FIPS-approved ECDSA key pair generation logic circuitry. Other embodiments are also disclosed and claimed.
    Type: Application
    Filed: March 30, 2022
    Publication date: October 6, 2022
    Applicant: Intel Corporation
    Inventors: Xiaoyu Ruan, Ned M. Smith, Matthew G. Pirretti
  • Publication number: 20220245252
    Abstract: An apparatus is disclosed. The apparatus comprises one or more processors to receive a request to perform a firmware update at a device, prepare a second trusted compute base (TCB) layer for the firmware update, generate a first compound device identifier (CDI) associated with a first TCB layer to be used by the second TCB layer to attest an operational state of the first TCB layer prior to applying the update and generate a second CDI associated with the first TCB layer to be used by the second TCB layer to attest the operational state of the first layer after the update has been applied and perform the firmware update of the second TCB layer.
    Type: Application
    Filed: April 21, 2022
    Publication date: August 4, 2022
    Applicant: Intel Corporation
    Inventors: Ned M. Smith, Andrew Draper, Xiaoyu Ruan
  • Publication number: 20220179961
    Abstract: Various embodiments provide apparatuses, systems, and methods for establishing, by a data object exchange (DOE entity) of a peripheral component interconnect express (PCIe) device, a first session for communication between a first host entity of a host device and a first PCIe entity of the PCIe device, and a second session for communication between a second host entity of the host device and a second PCIe entity of the PCIe device. The first session may have a first security policy and be a session of a first connection between the PCIe device and the host device. The second session may have a second security policy and be a session of a second connection between the PCIe device and the host device. Other embodiments may be described and claimed.
    Type: Application
    Filed: January 14, 2022
    Publication date: June 9, 2022
    Inventors: Jiewen YAO, David HARRIMAN, Xiaoyu RUAN, Mahesh NATU
  • Publication number: 20220138286
    Abstract: Systems, apparatuses and methods may provide for encryption based technology. Data may be encrypted locally with a graphics processor with encryption engines. The graphics processor components may be verified with a root-of-trust and based on collection of claims. The graphics processor may further be able to modify encrypted data from a non-pageable format to a pageable format. The graphics processor may further process data associated with a virtual machine based on a key that is known by the virtual machine and the graphics processor.
    Type: Application
    Filed: December 23, 2020
    Publication date: May 5, 2022
    Applicant: Intel Corporation
    Inventors: David Zage, Scott Janus, Ned M. Smith, Vidhya Krishnan, Siddhartha Chhabra, Rajesh Poornachandran, Tomer Levy, Julien Carreno, Ankur Shah, Ronald Silvas, Aravindh Anantaraman, David Puffer, Vedvyas Shanbhogue, David Cowperthwaite, Aditya Navale, Omer Ben-Shalom, Alex Nayshtut, Xiaoyu Ruan
  • Publication number: 20220109558
    Abstract: In one example an apparatus comprises verification circuitry to store an object image in a computer readable memory external to an XMSS verifier circuitry and verify the object image by repeating operations to receive, in a local memory of the XMSS verifier circuitry, a fixed-sized block of data from the object image and process the fixed-sized block of data to compute the signature verification. Other examples may be described.
    Type: Application
    Filed: December 15, 2021
    Publication date: April 7, 2022
    Applicant: Intel Corporation
    Inventors: Vikram Suresh, Santosh Ghosh, Shalini Sharma, Eduard Lecha, Manoj Sastry, Xiaoyu Ruan, Sanu Mathew
  • Publication number: 20210328779
    Abstract: The disclosure provides method, system and apparatus to provide authentication between one or more endpoints during an initial and subsequent boot cycles. In an exemplary application, an asymmetric-key cryptography is used only once to set up a persistent seed between the host and the device. After the initial setup, symmetric-key cryptography may be used with the agreed seed for authentication and session key establishment. The device wraps the persistent seed with device secrets and stores it on the host, hence secure NVM is not required on the device. The disclosed embodiments are particularly advantageous over the art of record as they provide authentications speeds of over 20,000 times faster than asymmetric-key cryptography.
    Type: Application
    Filed: June 25, 2021
    Publication date: October 21, 2021
    Applicant: Intel Corporation
    Inventor: Xiaoyu Ruan
  • Publication number: 20210319139
    Abstract: Connectionless trusted computing base recovery is described. An example of a system includes one or more processors to process data; hardware including a hardware RoT (root of trust); and firmware including a firmware TCB (trusted computing base), the firmware including the credentials including one or more certificates and one or more keys, wherein the one or more processors are to determine that the firmware TCB is compromised and that the hardware RoT is intact; issue new credentials by the hardware RoT to mutable firmware based on a version number or security version number (SVN) of the firmware; and revoke old versions of the credentials for the firmware.
    Type: Application
    Filed: June 23, 2021
    Publication date: October 14, 2021
    Applicant: Intel Corporation
    Inventors: Xiaoyu Ruan, Tsippy Mendelson, Yanai Moyal, Daniel Nemiroff
  • Publication number: 20210312044
    Abstract: An apparatus comprising a computer platform, including a central processing unit (CPU) comprising a first security engine to perform security operations at the CPU and a chipset comprising a second security engine to perform security operations at the chipset, wherein the first security engine and the second security engine establish a secure channel session between the CPU and the chipset to secure data transmitted between the CPU and the chipset.
    Type: Application
    Filed: June 22, 2021
    Publication date: October 7, 2021
    Applicant: Intel Corporation
    Inventors: Michael Berger, Xiaoyu Ruan, Purushottam Goel, Mahesh Natu, Bharat Pillilli
  • Patent number: 11030317
    Abstract: Embodiments described herein enable independently recoverable security for processor and peripheral communication, enabling a processor without native non-volatile memory to generate and recover credentials in response to a firmware update. The processor and peripheral can each have credentials burned into secure fuses. The processor can derive a shared secret from the secure fuses using security attributes that are based on the security version number of firmware within the processor and the peripherals to which the processor is to security communicate. The processor and peripherals can generate ephemeral session keys from the shared secret and nonces. The ephemeral session keys can be used to secure communications between the processor and the peripherals.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: June 8, 2021
    Assignee: INTEL CORPORATION
    Inventors: Xiaoyu Ruan, William A. Stevens, Jr., David Novick
  • Patent number: 10938563
    Abstract: Technologies for provisioning cryptographic keys include hardcoding identical cryptographic key components of a Rivest-Shamir-Adleman (RSA) public-private key pair to each compute device of a plurality of compute devices. A unique cryptographic exponent that forms a valid RSA public-private key pair with cryptographic key components hardcoded into each compute device is provided to each compute device so that each compute device has a unique public key. The public key of each compute device may be used to provision unique secrets to the corresponding compute device.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: March 2, 2021
    Assignee: INTEL CORPORATION
    Inventors: Xiaoyu Ruan, Vincent Von Bokern, Daniel Nemiroff
  • Patent number: 10862680
    Abstract: In embodiments, an apparatus for microcontroller (?C) or system-on-chip (SoC) computing includes a set of fuses disposed in a ?C or a SoC to store a seed value and M pairs of loop counter values (LCVs) with which to locally generate M private keys from the seed value on the microcontroller or SoC, where M is a positive integer, each private key to decrypt data encrypted with a pre-defined public key cryptosystem, wherein each private key includes two prime numbers p and q (p,q), the LCVs being a number of iterations of a key derivation function (KDF) needed to respectively obtain p and q from the seed value; and a key decoder, disposed in the (?C) or the SoC, and coupled to the set of fuses, to read the seed value and the M pairs of LCVs, and, for each of the M private keys to: respectively generate (p,q) from the seed value by respectively iterating the KDF by the LCVs for that key.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: December 8, 2020
    Assignee: Intel Corporation
    Inventors: Daniel Nemiroff, Xiaoyu Ruan, William Stevens, Jr.
  • Patent number: 10853472
    Abstract: In one embodiment, an apparatus includes a non-volatile storage to store a seed value and a signature that is based on an iterative execution of a function for a predetermined number of intervals. The apparatus may further include the security processor coupled to the non-volatile storage, where the security processor is to independently recover a credential for an updated version of the firmware based at least in part on the seed value and a security version number for the updated version of the firmware. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: December 1, 2020
    Assignee: Intel Corporation
    Inventors: Xiaoyu Ruan, William A. Stevens, Jr.
  • Publication number: 20190220602
    Abstract: Embodiments described herein enable independently recoverable security for processor and peripheral communication, enabling a processor without native non-volatile memory to generate and recover credentials in response to a firmware update. The processor and peripheral can each have credentials burned into secure fuses. The processor can derive a shared secret from the secure fuses using security attributes that are based on the security version number of firmware within the processor and the peripherals to which the processor is to security communicate. The processor and peripherals can generate ephemeral session keys from the shared secret and nonces. The ephemeral session keys can be used to secure communications between the processor and the peripherals.
    Type: Application
    Filed: March 28, 2019
    Publication date: July 18, 2019
    Applicant: Intel Corporation
    Inventors: Xiaoyu Ruan, William A. Stevens, JR., David Novick
  • Publication number: 20190044716
    Abstract: In embodiments, an apparatus for microcontroller (?C) or system-on-chip (SoC) computing includes a set of fuses disposed in a ?C or a SoC to store a seed value and M pairs of loop counter values (LCVs) with which to locally generate M private keys from the seed value on the microcontroller or SoC, where M is a positive integer, each private key to decrypt data encrypted with a pre-defined public key cryptosystem, wherein each private key includes two prime numbers p and q (p,q), the LCVs being a number of iterations of a key derivation function (KDF) needed to respectively obtain p and q from the seed value; and a key decoder, disposed in the (?C) or the SoC, and coupled to the set of fuses, to read the seed value and the M pairs of LCVs, and, for each of the M private keys to: respectively generate (p,q) from the seed value by respectively iterating the KDF by the LCVs for that key.
    Type: Application
    Filed: September 26, 2018
    Publication date: February 7, 2019
    Inventors: Daniel Nemiroff, Xiaoyu Ruan, William Stevens, JR.
  • Publication number: 20190042725
    Abstract: In one embodiment, an apparatus includes a non-volatile storage to store a seed value and a signature that is based on an iterative execution of a function for a predetermined number of intervals. The apparatus may further include the security processor coupled to the non-volatile storage, where the security processor is to independently recover a credential for an updated version of the firmware based at least in part on the seed value and a security version number for the updated version of the firmware. Other embodiments are described and claimed.
    Type: Application
    Filed: June 28, 2018
    Publication date: February 7, 2019
    Inventors: Xiaoyu Ruan, William A. Stevens, JR.
  • Publication number: 20190007209
    Abstract: Technologies for provisioning cryptographic keys include hardcoding identical cryptographic key components of a Rivest-Shamir-Adleman (RSA) public-private key pair to each compute device of a plurality of compute devices. A unique cryptographic exponent that forms a valid RSA public-private key pair with cryptographic key components hardcoded into each compute device is provided to each compute device so that each compute device has a unique public key. The public key of each compute device may be used to provision unique secrets to the corresponding compute device.
    Type: Application
    Filed: June 30, 2017
    Publication date: January 3, 2019
    Inventors: Xiaoyu Ruan, Vincent Von Bokern, Daniel Nemiroff