Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/284)
  • Patent number: 10262141
    Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: April 16, 2019
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 10242177
    Abstract: A system for wireless memory device authentication is provided, wherein a communications device receives a certified public key from a wireless memory device. The communications device validates the public key and sends a challenge to the wireless memory device. The wireless memory device sends a signature to the communications device and the communications device validates the signature in order to authenticate the wireless memory device.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: March 26, 2019
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Jan-Erik Ekberg, Harald Kaaja
  • Patent number: 10225089
    Abstract: Systems and techniques are provided for per-device authentication. A hardware serial number associated with a hardware component of a computing device may be received. The hardware serial number may be converted to a hardware key check. A hardware key associated with a certificate from the computing device may be received. The hardware key may be compared to the hardware key check to obtain a verification of the certificate. The certificate may be verified when the hardware key check matches the hardware key and the certificate may not be verified when the hardware key check does not match the hardware key. A signature associated with the certificate may be verified. Access to the data processing apparatus by the computing device may be permitted when the certificate is verified and the signature is determined to be authentic.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: March 5, 2019
    Assignee: Google LLC
    Inventors: Keun young Park, Rakesh Narayan Iyer, Nicholas Julian Pelly
  • Patent number: 10146703
    Abstract: Techniques for providing encryption of individual data objects in a data storage system include realizing data objects in the form of container files stored in a set of file systems, and encrypting individual ones of the data objects by encrypting the container files realizing the data objects using encryption keys associated with the individual data objects. By independently encrypting the container files that realize individual data objects, the disclosed system provides per-data object encryption. Each data object may be encrypted differently, e.g. using a different encryption key, even when multiple data objects are hosted over the same storage device or over a shared set of storage devices.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: December 4, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Jean-Pierre Bono, Frederic Corniquet, William Davenport, Philippe Armangau, Walter Forrester
  • Patent number: 10126972
    Abstract: Techniques for performing de-duplication for data blocks in a computer storage environment. At least one chunking/hashing unit receives input data from a source and processes it to output data blocks and content addresses for them. In one aspect, the chunking/hashing unit outputs all blocks without checking to see whether any is a duplicate of a block previously stored on the storage environment. In another aspect, each data block is processed by one of a plurality of distributed object addressable storage (OAS) devices that each is selected to process data blocks having content addresses with a particular range. The OAS devices determine whether each received data block is a duplicate of another previously stored on the computer storage environment, and when it is not, stores the data block.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: November 13, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Michael W. Healey, J. Michael Dunbar, Avinash Kallat, Michael Craig Fishman
  • Patent number: 10068109
    Abstract: An apparatus for performing secure operations with a dedicated secure processor is described in one embodiment. The apparatus includes security firmware defining secure operations, a processor configured to execute the security firmware and perform a set of operations limited to the secure operations, and a plurality of secure hardware registers, accessible by the processor and configured to receive instructions to perform the secure operations. An apparatus for performing secure operations with a plurality of security assist hardware circuits is described in another embodiment. The apparatus comprises one or more secure hardware registers configured to receive a command to perform secure operations and one or more security assist hardware circuits configured to perform discrete secure operations using one or more secret data objects.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: September 4, 2018
    Assignee: Micron Technology, Inc.
    Inventors: Kenny T. Coker, David A. Pohm, Stephen P. Van Aken, Michael B. Danielson
  • Patent number: 10025921
    Abstract: In an approach for changing a password. Aspects of an embodiment of the present invention include an approach for changing a password, wherein the approach includes a processor identifies a resource protected by a password. A processor discovers at least one information source containing information relevant to a process for changing the password of the resource. A processor constructs a set of procedures to change the password using the information relevant to the process for changing the password. A processor alters the password of the resource according to the constructed set of procedures.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: July 17, 2018
    Assignee: International Business Machines Corporation
    Inventors: Hisham E. Elshishiny, Mohamed S. Salem, Shady S. M. Samaan, Amr F. Yassin
  • Patent number: 10013364
    Abstract: One embodiment is directed to a technique which secures data on a set of storage drives of a data storage system. The technique involves encrypting data from a first tenant using a first tenant key to form first tenant encrypted data and storing the first tenant encrypted data on the set of storage drives. The technique further involves encrypting data from a second tenant using a second tenant key to form second tenant encrypted data and storing the second tenant encrypted data on the set of storage drives, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys which are different from each other. The technique further involves destroying the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: July 3, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Walter O'Brien, Gregory W. Lazar, Thomas Dibb
  • Patent number: 10013558
    Abstract: A method for securely updating at least one software application on a target system includes providing a removable computer readable medium containing an installation package that is encrypted using at least one private encryption key, which is resident in an administrator access area of the target system. The removable medium is connected or inserted into the target system. An update mechanism is launched by an operator level user on the target machine. The update mechanism's privileges are elevated to an administrator level by a privilege configuration utility associated with the operating system of the target system. The update mechanism determines if the removable medium contains an expected file and if so, attempts to decrypt the encrypted file on the removable medium using the private encryption key from the target system. If the decryption is successful, the installation package on the removable medium is installed on the target system.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: July 3, 2018
    Assignee: Lockheed Martin Corporation
    Inventors: Mark R. Belfield, Joseph M Calcagnino, Lawrence J. Derdzinski
  • Patent number: 10007809
    Abstract: One embodiment provides a document management system comprising a storage system to store one or more encrypted documents, at least a first portion of a first encrypted document encrypted using a first encryption key, and an encryption key manager to manage a set of encryption keys for the documents on the storage system, the encryption key manager further to discard the first encryption key to provide secure removal of the portion of the encrypted document.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: June 26, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Frederick Douglis, Radia Perlman, Philip Shilane, Grant Wallace
  • Patent number: 9973482
    Abstract: A method and system for recording data including content in a recording medium on a computer apparatus. First encrypted data, obtained by encrypting the data using a medium key created for each recording medium, is recorded in a recording medium. Second encrypted data, obtained by encrypting the medium key using a public key, is recorded in the recording medium. A private key corresponding to the public key is not recorded in the recording medium.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: May 15, 2018
    Assignee: International Business Machines Corporation
    Inventors: Norihisa Hoshino, Kohichi Kamijoh, Takahiro Kashiuchi, Naoko Miyamoto, Maho Takara, Naohiko Uramoto, Katsushi Yamashita
  • Patent number: 9961076
    Abstract: A system includes an orchestration server including a processor, the orchestration server to receive authentication factors. A rules engine connects with the orchestration server, the orchestration server to send the authentication factors to the rules engine and to request a decision on authentication from the rules engine. The rules engine to send the decision on authentication to the orchestration server based on the received authentication factors and a rules set.
    Type: Grant
    Filed: May 11, 2015
    Date of Patent: May 1, 2018
    Assignee: GENESYS TELECOMMUNICATIONS LABORATORIES, INC.
    Inventors: Daniel Stoops, James Kraeulter, Cliff Bell
  • Patent number: 9940463
    Abstract: A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: April 10, 2018
    Assignee: Cryptography Research, Inc.
    Inventors: Paul Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 9779268
    Abstract: Utilizing a non-repeating identifier to encrypt data, including: receiving a request to write data to a storage device; selecting a segment-offset pair where the data will be stored, where the selected segment-offset pair is unique to every other segment-offset pair utilized during the lifetime of the storage device; and encrypting the data in dependence upon an identifier of the segment-offset pair.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: October 3, 2017
    Assignee: Pure Storage, Inc.
    Inventors: John Colgrove, Mark L. McAuliffe, Ethan L. Miller, Naveen Neelakantam, Marco Sanvido, Neil A. Vachharajani, Taher Vohra
  • Patent number: 9735968
    Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.
    Type: Grant
    Filed: October 20, 2014
    Date of Patent: August 15, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Ronald Aigner, Dennis J. Mattoon, Stuart H. Schaefer, Merzin Kapadia, Robert Karl Spiger, David R. Wooten, Paul England
  • Patent number: 9602283
    Abstract: The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants' stored data and the storage system. Tenant keys are assigned to tenants. The storage system stores raw data objects backed up for the tenants and fingerprints, corresponding to the data objects, in a single use key encrypted format. Fingerprints are wrapped with a storage system key held by the storage system. A request is received to retrieve data backed up for a tenant. The request includes fingerprints corresponding to the data objects to retrieve, and a tenant key, the fingerprints being in the single use key encrypted format and wrapped with the tenant key. The received fingerprints are unwrapped using the tenant key to retrieve data objects corresponding to the received fingerprints. The data objects are transmitted to the tenant and the tenant key is removed.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: March 21, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Surendar Chandra, Darren Sawyer
  • Patent number: 9576133
    Abstract: A device includes storage hardware to store a secret value and processing hardware coupled to the storage hardware. The processing hardware is to receive an encrypted data segment with a validator and derive a decryption key using the secret value and a plurality of entropy distribution operations. The processing hardware is further to verify, using the received validator, that the encrypted data segment has not been modified. The processing hardware is further to decrypt the encrypted data segment using the decryption key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: February 21, 2017
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 9569623
    Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: February 14, 2017
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 9544142
    Abstract: A method for transmitting digital data to a recipient via a communications network includes providing digital data and digitally signing the digital data using N cryptographic keys. Each of the N cryptographic keys is associated with a same sender of the digital data, and N>1. The recipient receives the digital data and verifies the digital signature using N cryptographic keys associated with the N cryptographic keys used to sign the digital data. In dependence upon verifying the digital signature, the recipient accepts the digital data as being authentic.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: January 10, 2017
    Assignee: Kingston Digital, Inc.
    Inventor: Scott Newman Ashdown
  • Patent number: 9465955
    Abstract: A system includes an application access manager driver and an operating system (OS) kernel module in a kernel-mode address space of an OS. The system also includes application modules, a public application whitelist, a public application whitelist manager, a user/group application whitelist, and a user/group application whitelist manager in a user-mode address space of the OS. A method includes receiving a request to launch an application, calling a “create process” function in the OS kernel module, calling a pre-registered “create process” callback function to the application access manager driver, and determining whether the application is allowed to execute based on whether the application access manager driver identifies the application as an allowable process in either public application whitelist or user/group application whitelist.
    Type: Grant
    Filed: July 16, 2014
    Date of Patent: October 11, 2016
    Assignee: HOPTO INC.
    Inventor: William Tidd
  • Patent number: 9450749
    Abstract: A one-time-pad encryption system where encrypted one-time-pad keys can be distributed to users on physical media or on a computer network from a central server. Each one-time-pad key has a key identification number that facilitates key management. Each encrypted data set includes a header specifying an offset within the one-time-pad key for commencement of decryption so that messages can be decrypted in any order. Before encryption begins, the length of remaining unused key is compared to the length of the data set to be encrypted. Encryption control buttons are added to a word processor and other programs as an addition to the user interface.
    Type: Grant
    Filed: June 15, 2013
    Date of Patent: September 20, 2016
    Inventor: Wolfgang S. Hammersmith
  • Patent number: 9449159
    Abstract: A data security system and method protects stored data from unauthorized access. According to one aspect of the invention, a client computing device communicates periodically with a server. If communication is not established between the client and the server for a selected activation interval and a subsequent grace period, the data is determined to be lost, and programmed security rules are automatically executed. The server with which the client computer device communicates includes one server located inside the firewall of a particular organization, or a mirror server located outside the firewall, and thereby allows for the re-setting of the activation interval when the client is properly outside of the firewall through communication with the mirror server, as well as to provide command and control over a lost or stolen client by pushing updated rules if communication is subsequently attempted with the mirror server.
    Type: Grant
    Filed: May 26, 2009
    Date of Patent: September 20, 2016
    Assignee: Beachhead Solutions, Inc.
    Inventors: David K. Rensin, John W. Hanay, Timothy C. Lavelle, David A. Montellato, James J. Obot, Jeff M. Rubin, Cuong G. Williams, Yuri Yuryev
  • Patent number: 9436849
    Abstract: A method for sharing encrypted data and encryption keys through a system comprised of the following data types, but not limited to: 1) Record and its encryption key, 2) RecordSet and its encryption key, and 3) Entity and its encryption key. A Record is encrypted using an encryption key; furthermore, the Record encryption key is encrypted using a RecordSet encryption key, and finally, both the encrypted Record and its encrypted encryption key are wrapped as a single unit, to avoid the expensive operations of key lookup and general key operation overhead. Access control to the RecordSet encryption keys is provided by a combination of data types, but not limited to: 1) Entity and its encryption key, 2) Ciphers, and 3) Trusted Entity Lists. For each Entity which is authorized to access a RecordSet, an encrypted Cipher, made of both the Entity encryption key and RecordSet encryption key, is added to a Trusted Entity List.
    Type: Grant
    Filed: November 21, 2014
    Date of Patent: September 6, 2016
    Inventors: Sze Yuen Wong, Wai Pong Leung
  • Patent number: 9396341
    Abstract: The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants' stored data and the storage system. The tenants' data is broken down into many smaller raw data items. Fingerprints are generated for the raw data and compared to fingerprints of raw data previously stored on the storage system. The raw data and fingerprint are encrypted with a single use key (SUK) by the storage system. The SUK encrypted fingerprint is wrapped with a storage system key and stored with other fingerprints. The SUK encrypted fingerprint is also returned to the tenants and wrapped with a tenant key. The use of tenant key wraps allows the tenant data to be protected and confidential to each tenant but allows the raw data to be shared by all tenants.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: July 19, 2016
    Assignee: EMC Corporation
    Inventors: Surendar Chandra, Darren Sawyer
  • Patent number: 9369448
    Abstract: Disclosed are various embodiments for facilitating network security parameter distribution and generation in a converged network incorporating multiple heterogeneous link layer networking technologies. Embodiments are provided for connecting network devices through multiple heterogeneous link layer networking technologies using a converged network password. Embodiments are provided for connecting network devices through multiple heterogeneous link layer networking technologies using a pairing event protocol, such as, for example, a push button protocol.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: June 14, 2016
    Assignee: BROADCOM CORPORATION
    Inventors: Philippe Klein, Avi Kliger
  • Patent number: 9286241
    Abstract: A microcontroller includes on-chip key storage slots stored in a non-volatile memory, wherein selecting which key is to be used is restricted to software, wherein a predetermined key storage slot stores a Key Encrypt Key (KEK), and a register flag is provided for determining whether the predetermined key storage slot stores a key for encrypting/decrypting data or the KEK for encrypting/decrypting a key.
    Type: Grant
    Filed: February 20, 2013
    Date of Patent: March 15, 2016
    Assignee: MICROCHIP TECHNOLOGY INCORPORATED
    Inventor: Michael Simmons
  • Patent number: 9251154
    Abstract: A method and system for determining priority is provided. The method includes generating a list defining specified data objects stored within a back-up/archived data storage system and applying importance levels to the specified data objects. Reliability urgency levels for the storage devices are determined and in response groups of data objects of the specified data objects are generated. Required reliability levels for each group of data objects are determined and associated erasure encoding rates are calculated. Fragment sets for the groups of data objects are generated and numbers of parity objects required for the fragment sets are determined. An erasure code algorithm is executed with respect to the groups of data objects and in response parity objects are computed on demand.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventors: Ramamohan Chennamsetty, Blaine H. Dolph, Sandeep R. Patil, Riyazahamad M. Shiraguppi, Gandhi Sivakumar
  • Patent number: 9225717
    Abstract: Methods and apparatus are provided for signing data transactions using one-time authentication passcodes. User authentication passcodes are generated by generating a time-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated time-based user authentication passcode is used for authentication of the user; and generating an event-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated event-based user authentication passcode is used to sign one or more data transactions. The generation of an event-based user authentication passcode can be performed on-demand. The generation of the event-based user authentication passcode can optionally be performed substantially simultaneously with the generation of the time-based user authentication passcode.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: December 29, 2015
    Assignee: EMC Corporation
    Inventors: John Brainard, Nikolaos Triandopoulos, Marten van Dijk, Ari Juels
  • Patent number: 9191375
    Abstract: A method for performing access management to facilitate a user to access applications in a single sign-on enabled enterprise solution is provided. A challenge token and a response token are transmitted between a server and a client. The challenge token and response token comprises one-way hashed data. The response token is verified at the server and the client to authenticate the user. Further, a request for service token is transmitted between the server and the client. The request for service token is encrypted at the client and decrypted at the server using a unique session key negotiated between the server and client. A service token is generated and transmitted between the server and the client. The service token is encrypted and decrypted at the server using a secret key to verify the service token. Based on the verification, the requested applications are rendered on client based user interface.
    Type: Grant
    Filed: January 13, 2011
    Date of Patent: November 17, 2015
    Assignee: Infosys Limited
    Inventors: Jasdeep Singh Kaler, Preethi Thoppil, Sujit Kumar Mahapatra
  • Patent number: 9191200
    Abstract: The security level of a communications terminal can be changed during operation. A key loading device can reconstitute a key encryption key from plural split portions. The split portions can be loaded into the key loading device via various interfaces. The reconstituted key encryption key can be used to unwrap wrapped keys stored in the key loading device.
    Type: Grant
    Filed: October 7, 2010
    Date of Patent: November 17, 2015
    Assignee: L-3 Communications Corp.
    Inventors: Michael D. Adams, Jared M. Jacobson
  • Patent number: 9172683
    Abstract: In a Digital Rights Management (DRM) system, cryptographic keys for decrypting distributed assets (such as audio or video media) are distributed using an offline (e.g., non-Internet) method for distribution of the key generation process, with an implicit authorization to use the distributed key generation process. This is used to update an asset key for use by a client such as a media player when a key formula for generating the key for decrypting an asset has been compromised, such as by hackers.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: October 27, 2015
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Gianpaolo Fasoli, Nicholas Sullivan
  • Patent number: 9100374
    Abstract: The present invention discloses a method for managing remote upgrading keys in an information security apparatus. A remote source apparatus generates key disabling data according to a divulged remote upgrading key and sends the key disabling data to the information security apparatus, and the information security apparatus performs the disabling operation on the divulged remote upgrading key according to the received key disabling data. Using the method disclosed in the present invention can prevent the information security apparatus from being maliciously attacked by malicious attackers by using the divulged remote upgrading key and through the remote upgrading process.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: August 4, 2015
    Assignee: Beijing Senselock Software Technology Co., Ltd.
    Inventors: Jiping Sun, Yong Han
  • Patent number: 9054871
    Abstract: A device, including one or more Communication Physical Unclonable Function (CPUF) and key storage devices, the CPUF devices each including: a coherent Electromagnetic (EM) radiation source; a spatial light modulator (SLM) connected to the coherent EM radiation source; a volumetric scattering medium connected to the SLM; a detector connected to the volumetric scattering medium; and one or more processors or circuits connected to the detector and one or more processors or circuits connected to the SLM. A communication protocol is also provided.
    Type: Grant
    Filed: February 21, 2013
    Date of Patent: June 9, 2015
    Assignees: California Institute of Technology, London School of Hygiene & Tropical Medicine
    Inventors: Roarke Horstmeyer, Benjamin Judkewitz, Changhuei Yang, Ivo M. Vellekoop
  • Patent number: 8997245
    Abstract: Systems and techniques for managing software licensing are described. When a computing system service request is made, the request is intercepted and software information that may be more or less continuously updated in a managed computing environment is examined to determine the effect of the service request on software usage by the system. The software usage represented by the service request is evaluated based on licensing information to determine license usage by the system and changes in license usage based on the service request, and license usage information is determined based on the software usage and the licensing information. The license usage information may be used in connection with a system of rules to govern actions such as reporting licensing usage or allowing or preventing the use of software based on whether use of the software will violate licensing requirements.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: March 31, 2015
    Assignee: International Business Machines Corporation
    Inventors: Han Chen, Minkyong Kim, Hui Lei, Jonathan P. Munson, Suraj Subramanian
  • Patent number: 8990569
    Abstract: A device receives an encrypted key generating value from a first device and decrypts the encrypted key generating value. A temporary session key associated with the first device is generated based on the key generating value. A secure session invitation message is received from the first device. A master session key is generated and encrypted using the temporary session key associated with the first device. The encrypted master session key is transmitted to the first device.
    Type: Grant
    Filed: December 3, 2008
    Date of Patent: March 24, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Thomas W. Haynes, Steven R. Rados
  • Patent number: 8958555
    Abstract: In one exemplary embodiment of the invention, a method for computing a resultant and a free term of a scaled inverse of a first polynomial $v(x)$ modulo a second polynomial $f_n(x)$, including: receiving the first polynomial $v(x)$ modulo the second polynomial $f_n(x)$, where the second polynomial is of a form $f_n(x) = x^n \pm 1$, where $n = 2^k$ and $k$ is an integer greater than 0; computing lowest two coefficients of a third polynomial $g(z)$ that is a function of the first polynomial and the second polynomial, where $g(z) = \prod_{i=0}^{n-1} (v(\rho_i) - z)$, where $\rho_0, \rho_1, \ldots, \rho_{n-1}$ are roots of the second polynomial $f_n(x)$ over a field; outputting the lowest coefficient of $g(z)$ as the resultant; and outputting the second lowest coefficient of $g(z)$ divided by $n$ as the free term of the scaled inverse of the first polynomial $v(x)$ modulo the second polynomial $f_n(x)$.
    Type: Grant
    Filed: June 19, 2013
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Craig B. Gentry, Shai Halevi
  • Patent number: 8959333
    Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.
    Type: Grant
    Filed: May 29, 2007
    Date of Patent: February 17, 2015
    Assignee: Nokia Siemens Networks GmbH & Co. KG
    Inventors: Rainer Falk, Florian Kohlmayer
  • Patent number: 8954740
    Abstract: A server receives identifying information of a user of a client device and data encrypted with a public key of a group, where the encrypted data includes an encrypted session key for secure content. The server determines whether the user is a member of the group using the identifying information of the user. If the user is a member of the group, the server decrypts the encrypted session key using a private key of the group, and causes the client device to obtain a session key to access the secure content.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Symantec Corporation
    Inventors: Vincent E. Moscaritolo, Damon Cokenias, David Finkelstein
  • Patent number: 8949609
    Abstract: The user device includes: a recording unit which stores system parameters as respective parameters given in advance, a disclosure public key, a user public key, a user private key, a member certificate, and an attribute certificate; an input/output unit which receives input of the document from the user and an attribute the user intends to disclose; a cryptograph generating module which generates a cryptograph based on the inputted document, the attribute to be disclosed, and each of the parameters; a signature text generating module which generates a zero-knowledge signature text from the generated cryptograph; and a signature output module which outputs the cryptograph and the zero-knowledge signature text as the signature data. The user public key and the attribute certificate are generated by using a same power.
    Type: Grant
    Filed: July 6, 2010
    Date of Patent: February 3, 2015
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 8929555
    Abstract: Data encryption systems and methods. The system includes a storage device storing data and an encryption/decryption module. The encryption/decryption module randomly generates a device key seed according to the occurrence time of a specific operation or the interval between two specific operations on the storage device, and applies the device key seed to data encryption.
    Type: Grant
    Filed: November 23, 2004
    Date of Patent: January 6, 2015
    Assignee: Transpacific IP I Ltd.
    Inventor: Bo-Er Wei
  • Patent number: 8924719
    Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an unencrypted message decryption key. The recipient then decrypts the message using the unencrypted message decryption key.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: December 30, 2014
    Assignee: Axway Inc.
    Inventor: David Jevans
  • Patent number: 8912879
    Abstract: A security system may include a plurality of electronic devices, each having a unique identification (ID) associated therewith and configured to generate a temporary security code based upon the unique ID. The system may further include at least one mobile wireless communications device including a first Near-Field Communication (NFC) circuit, and a mobile controller configured to receive the temporary security code from a given electronic device from among the plurality of electronic devices. The system may also include an access control device associated with a personnel access position and including a second NFC sensor and a security controller. The security controller may be configured to receive the temporary security code from the first NFC sensor via NFC communications, selectively grant personnel access based upon the received temporary security code, and determine the unique ID associated with the given electronic device.
    Type: Grant
    Filed: September 23, 2010
    Date of Patent: December 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Steven Henry Fyke, Jason Tyler Griffin
  • Patent number: 8914635
    Abstract: A method is disclosed for establishing a secure communication session using composite key cryptography. The method comprises generating a first plurality of secret keys all of which are known only to a first communicating party and each one of which is shared with exactly one of a plurality of stewards, and generating a second plurality of secret keys all of which are known only to a second communicating party and each one of which is shared with exactly one of the plurality of stewards. The first and second communicating parties each send information to the other through different stewards, each communication leg being encrypted using a secret key known only to the respective communicating party and steward. These communications are usable to distribute cryptographic seeds to the communicating parties for use in generating a temporary session key that can be used to encrypt direct communications between the parties.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: December 16, 2014
    Assignee: Grey Heron Technologies, LLC
    Inventor: David L. Parrish
  • Patent number: 8910252
    Abstract: Embodiments of the present invention disclose a peer enrollment method, a route updating method, a communication system, and relevant devices to improve security of a peer-to-peer (P2P) network. The peer enrollment method includes: receiving an enrollment request from a peer, where the enrollment request carries identity information of the peer; verifying the identity information of the peer, and if the verification succeeds, obtaining peer location information of the peer and generating a peer credential according to the peer location information; and sending the peer credential carrying the peer location information to the peer so that the peer joins the P2P network according to the peer credential. Embodiments of the present invention further provide a route updating method, a communication system, and relevant devices. Embodiments of the present invention may improve security of the P2P network effectively.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: December 9, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yingjie Gu, Xingfeng Jiang, Haibin Song
  • Patent number: 8908870
    Abstract: Methods and systems for transferring information to a device include assigning a unique identifier to a device and generating a unique key for the device. The device is located at a first site, and the unique identifier is sent from the device to a second site. The unique key is obtained at the second site, and it is used for encrypting information at the second site. The encrypted information is sent from the second site to the device, where it can then be decrypted.
    Type: Grant
    Filed: April 4, 2008
    Date of Patent: December 9, 2014
    Assignee: Infineon Technologies AG
    Inventors: Jurijus Cizas, Shrinath Eswarahally, Peter Laackmann, Berndt Gammel, Mark Stafford, Joerg Borchert
  • Patent number: 8908871
    Abstract: The AAA server generates and delivers a new HA-RK before expiry of the old HA-RK, thus eliminating the time gap between expiry of the old HA-RK and obtaining of the new HA-RK and making the MIP registration seamless. In the system, if the remaining lifetime of the old HA-RK is less than or equal to the lifecycle of the MSK in the EAP process, a new HA-RK is delivered; otherwise, no new HA-RK needs to be delivered. If both a new HA-RK and an old HA-RK are valid on the network entity at a time, then only the old HA-RK applies and the new HA-RK is not active until expiry of the old HA-RK. Alternatively, both the new HA-RK and the old HA-RK are active concurrently, and are differentiated by an SPI.
    Type: Grant
    Filed: July 15, 2009
    Date of Patent: December 9, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Wenliang Liang, Jianjun Wu, Xianhui He
  • Patent number: 8904193
    Abstract: A method for operating a security device includes a microcontroller, a protected memory area, in which at least one item of protection-worthy information is stored, and a unit, the microcontroller being connected to the protected memory area via the unit, the at least one item of protection-worthy information being accessed by the microcontroller via the unit when the method is carried out.
    Type: Grant
    Filed: November 22, 2010
    Date of Patent: December 2, 2014
    Assignee: Robert Bosch GmbH
    Inventors: Markus Ihle, Robert Szerwinski, Oliver Bubeck, Jan Hayek, Jamshid Shokrollahi
  • Patent number: 8885832
    Abstract: A distributed peer-to-peer document archive system provides version-control, security, access control, linking among stored documents and remote access to documents usually associated with centralized storage systems while still providing the simplicity, personalization and robustness to network outages associated with personal and peer-to-peer storage systems. A “keyring” is an encrypted repository that allows a user to recover and access a user's entire digital archive with a single master key. After the key is created, it does not need to be updated, and can be stored in a safe, safety-deposit box or other secure location. In the event the user's computer is stolen or destroyed, the user need only install the system on a new machine and import the master key. The system will then use that key to browse nearby servers to find and decrypt all files necessary to recreate the full digital archive in its most recent state.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: November 11, 2014
    Assignee: Ricoh Company, Ltd.
    Inventors: Bradley J. Rhodes, Stephen R Savitzky, Kurt Piersol
  • Patent number: 8874896
    Abstract: This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: October 28, 2014
    Assignee: Intertrust Technologies Corporation
    Inventors: Gilles Boccon-Gibod, Gary Ellison
  • Patent number: 8874916
    Abstract: Systems and methods may provide introducing a first root of trust on a platform to a second root of trust on the same platform. In one example, the method may include using an authenticated code module to transfer a first encryption key from a first root of trust on a platform to a second root of trust on the platform, receiving a challenge response from the first root of trust at the second root of trust, and using the first encryption key to verify the challenge response.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: October 28, 2014
    Assignee: Intel Corporation
    Inventors: Ned Smith, Sharon Smith, Willard Wiseman