Security kernel or utility

Subclass of:

713 - Electrical computers and digital processing systems: support

713150000 - MULTIPLE COMPUTER COMMUNICATION USING CRYPTOGRAPHY

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class / Patent application number    Description    Number of patent applications / Date published
713165000    File protection    137
713167000    Object protection    50
713166000    Security levels    36
Entries
Document    Title    Date
20130031365 INFORMATION PROTECTION SYSTEM AND METHOD - An information protection system includes a mobile terminal and an encryption module. The mobile terminal requests a key sequence by transmitting a message including a Personal Identification Number (PIN) number input by a user, and encrypts or decrypts one or more communication signals, including voice signals and data signals, based on the key sequence when the key sequence is received. The encryption module is connected to the mobile terminal. The encryption module encrypts a security key using the identifier and the PIN number of the mobile terminal, decrypts the encrypted security key when requested by the mobile terminal, and transmits the key sequence generated based on the decrypted security key to the mobile terminal. 01-31-2013
20090193251SECURE REQUEST HANDLING USING A KERNEL LEVEL CACHE - The present invention discloses a system, method, apparatus, and computer usable product code for handling requests. The invention can include a kernel level cache, a request handling service, and a transport layer security service. The kernel level cache can store request handling data. The request handling service can handle secure requests at a transport layer of a kernel when request handling data is present in the kernel level cache. The transport layer security service can handle encryption/decryption operations for the secure requests and request responses at the transport layer.07-30-2009
20110202762METHOD AND APPARATUS FOR CARRYING OUT SECURE ELECTRONIC COMMUNICATION - The present invention provides a system, method and device, for carrying out secure electronic communication over a computer network via a computer susceptible of being virus infected or eavesdropped by means of a personal apparatus comprising processing means, one or more memory devices, one or more interfacing means suitable for exchanging information with the insecure computer, and a communication software having cryptographic capabilities stored in the one or more memory means, wherein the personal apparatus is adapted to establish a secure channel with a remote computer over the computer network, by means of the insecure computer machine.08-18-2011
20090158036 PROTECTED COMPUTING ENVIRONMENT - A method of establishing a protected environment within a computing device including validating a kernel component loaded into a kernel of the computing device, establishing a security state for the kernel based on the validation, creating a secure process and loading a software component into the secure process, periodically checking the security state of the kernel, and notifying the secure process when the security state of the kernel has changed.06-18-2009
20090125716COMPUTER INITIALIZATION FOR SECURE KERNEL - Dynamic Root of Trust for Measurement (DRTM) mechanisms can be initiated, not by CPU-manufacturer-specific instructions, but by the execution of code in System Management Mode (SMM) that can modify the values stored in specific Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM). The SMM code can be verified prior to execution and it can be trusted based on the secure mechanisms used to update such code. The SMM code can restore a known, trusted state of the computing device and can initiate the measuring of subsequently executed code. In such a manner the Trusted Computing Base (TCB) can be limited.05-14-2009
20130073848ENABLING USERS TO SELECT BETWEEN SECURE SERVICE PROVIDERS USING A KEY ESCROW SERVICE - Systems and methods are described herein for enabling users to select from available secure service providers (each having a Trusted Service Manager (“TSM”)) for provisioning applications and services on a secure element installed on a device of the user. The device includes a service provider selector (“SPS”) module that provides a user interface for selecting the secure service provider. In one embodiment, the SPS communicates with a key escrow service that maintains cryptographic keys for the secure element and distributes the keys to the user selected secure service provider. The key escrow service also revokes the keys from deselected secure service providers. In another embodiment, the SPS communicates with a central TSM that provisions applications and service on behalf of the user selected secure service provider. The central TSM serves as a proxy between the secure service providers and the secure element.03-21-2013
20130073849 ANTI-KEYLOGGER COMPUTER NETWORK SYSTEM - An anti-keylogger computer network system includes a servo-side host computer, with a servo software which requires the user to enter confidential data. An application-side host computer is provided and a keyboard is connected to the application-side host computer. The keys on the keyboard are divided into a data key and control key. An application software is installed in the application-side host computer to receive the instructions from the servo software, and to determine when the anti-keylogger function of the keyboard module shall be started and closed. A connection network is provided for connecting the servo-side host computer to the application-side host computer. A Translate Table program is installed in the application-side host computer and a Translate Table translation program is installed in the servo software of servo-side host computer. 03-21-2013
20090271620TECHNIQUES FOR SECURE DATA MANAGEMENT IN A DISTRIBUTED ENVIRONMENT - Techniques for secure data management in a distributed environment are provided. A secure server includes a modified operating system that just allows a kernel application to access a secure hard drive of the secure server. The hard drive comes prepackaged with a service public and private key pair for encryption and decryption services with other secure servers of a network. The hard drive also comes prepackaged with trust certificates to authenticate the other secure servers for secure socket layer (SSL) communications with one another, and the hard drive comes with a data encryption key, which is used to encrypt storage of the secure server. The kernel application is used during data restores, data backups, and/or data versioning operations to ensure secure data management for a distributed network of users.10-29-2009
20090271619External storage apparatus and method of preventing information leakage - Proposed is an apparatus and method of preventing the leakage of information from an external storage apparatus even when such external storage apparatus is stolen or accessed from an unauthorized host computer. This external storage apparatus accessible from a host computer or another external storage apparatus via a network encrypts or decrypts data written from a host computer to be stored in the storage area, sends a request for existence confirmation to the host computer or the other external storage apparatus every predetermined period of time, and zeroizes an encryption key to be used in the encryption calculation for encrypting or decrypting data to be performed by the encryption calculation unit based on the result of a response from the host computer or the other external storage apparatus in reply to the request.10-29-2009
20120226903SECURE PLATFORM VOUCHER SERVICE FOR SOFTWARE COMPONENTS WITHIN AN EXECUTION ENVIRONMENT - Apparatuses, articles, methods, and systems for secure platform voucher service for software within an execution environment. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by authenticated, authorized and verified software components. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy to receive verification for any component. The verification or voucher helps assure to the remote entity that no malware running in the platform or on the network will have access to provisioned material. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the software component.09-06-2012
20090031128TRANSPARENT AWARE DATA TRANSFORMATION AT FILE SYSTEM LEVEL FOR EFFICIENT ENCRYPTION AND INTEGRITY VALIDATION OF NETWORK FILES - A mechanism for enabling efficient encryption and integrity validation of network files. When a request to read a file stored in a local network file system is received, the local network file system examines cryptographic attributes associated with the file to determine if the file is encrypted or integrity-verified. If the cryptographic attributes indicate the file is encrypted, the local network file system omits the encryption of the file by the local network file system prior to passing the file to the remote network file system. If the cryptographic attributes indicate the file is integrity-verified, the local network file system omits the integrity-verification of the file by the local network file system prior to passing the file to the remote network file system. The local network file system then transmits the file to the remote network file system.01-29-2009
20090249065SYSTEM AND METHOD OF AUTHORIZING EXECUTION OF SOFTWARE CODE BASED ON AT LEAST ONE INSTALLED PROFILE - Embodiments include systems and methods for authorizing software code to be executed or access capabilities in secure operating environments. Profiles may be issued by trusted entities to extend trust to other entities to allow those other entities to provide or control execution of applications in a secure operating environment such as on particular computing devices. The profiles allow entities to add software code to the device without reauthorizing each distribution by a trusted authority such as testing, quality assurance, or to limited groups of devices controlled or authorized by the other entities.10-01-2009
20090006847Filtering kernel-mode network communications - Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.01-01-2009
20080294892METHOD AND SYSTEM FOR A KERNEL LOCK VALIDATOR - An embodiment relates generally to a method of preventing resource access conflicts in a software component. The method includes intercepting a lock operation in the software component and testing an associated lock type of the lock operation against a set of rules. The method also includes determining an action based on the associated lock type conflicting one of the rules of the set of rules.11-27-2008
20110035586 SYSTEM AND METHOD FOR SECURING A COMPUTER COMPRISING A MICROKERNEL - A method of securing a computer comprising a microkernel and a system for interfacing with at least one virtualized operating system are presented. The microkernel includes a clock drive, a scheduler and an inter-process communication manager. The system for interfacing forms at least one virtual machine associated with each operating system and allows execution of the latter without modification. The method includes, at the level of the system for interfacing, the steps of: intercepting any communication between a means external to the operating system and the operating system; verifying that predefined rules of access to said external means are validated by said communication; transmitting the communication to the recipient if the rules are validated. 02-10-2011
20110296175SYSTEMS AND METHODS FOR SOFTWARE LICENSE DISTRIBUTION USING ASYMMETRIC KEY CRYPTOGRAPHY - Methods and computer readable media for distributing a software license based on asymmetric cryptography via a network. An application publisher generates an asymmetric key-pair having an encryption key and a decryption key. The publisher assembles a software application embedded with the decryption key and releases the software application on an application storefront while keeping the encryption key as secret. A user of a device downloads the software application via a public network. To activate the software application in the device, the user sends a request for a license key to the publisher (or a distribution service provider) via the network. Upon validation of the request, the license key encrypted using the encryption key is sent to the device to thereby activate the software application in the device. Based on the cryptographic technique, the user may surrender the license key to get back the credit for the surrendered license key.12-01-2011
20100169642 Remote virtual medical diagnostic imaging viewer - A medical image and data application service provider system provides a way of remotely viewing and manipulating medical images and data for diagnostic and visualization purposes by users unconstrained by geography. Medical images and data are stored on one or more servers running application service provider software along with meta-data such as access control information, origin of information and references to related data. A set of medical data consisting of related information is sent as an encrypted stream to a viewing station running client software in a secure execution environment that is logically independent of the viewing station's operating system. 07-01-2010
20100115273SYSTEM AND METHOD FOR FINDING KERNEL MEMORY LEAKS - The invention provides a system and method for tracking memory information associated with dynamically loaded kernel modules with the help of a tracking system. The tracking system defines its own kernel memory allocation functions. Whenever, a dynamic kernel module is loaded/unloaded into/from the kernel space, these newly defined functions are called in response to kernel memory allocation/de-allocation requests from the kernel module. The newly defined functions are responsible for allocating and de-allocating kernel memory, as well as, keeping track of information relating to the kernel memory allocations/de-allocations. The tracked information may be used to identify the source of kernel memory leaks.05-06-2010
20090063857METHOD AND SYSTEM FOR PROVIDING A TRUSTED PLATFORM MODULE IN A HYPERVISOR ENVIRONMENT - A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPM's within the reserved partition such that each logical TPM is uniquely associated with a logical partition.03-05-2009
20120131335Collaborative Agent Encryption And Decryption - A method for securely transmitting data from a sender computer system to a receiver computer system comprises receiving a cleartext message by a first intelligent agent environment; splitting said message into a plurality of message fragments; creating an intelligent agent for each message fragment; generating a key for each message fragment; encrypting each said message fragment to produce a respective encrypted message fragment; and transmitting each intelligent agent with said respective encrypted message fragment as a data payload. The method may further comprise receiving each intelligent agent with its respective encrypted message fragment as a data payload by a second intelligent agent environment at the receiver computer system; locating each of a set of agents; decrypting each encrypted respective message fragment to produce a respective cleartext message fragment; and collaborating by the set of agents to recombine cleartext message fragments to form a cleartext message.05-24-2012
20100146267Systems and methods for providing secure platform services - Systems and methods for providing secure platform services using an information handling system, and which may be implemented to sequester or otherwise isolate sensitive cryptographic processes, as well as the keys used during such decryption and encryption processes. The systems and methods may be implemented as a set of secure services that are available to an operating system or to a Hypervisor executing on an information handling system, and the processing environment may be provided as a closed environment, thus preventing malicious code from infiltrating the processing environment. Dedicated and secure memory space may be employed to prevent key detection through memory scans.06-10-2010
20090013179Controlling With Rights Objects Delivery Of Broadcast Encryption Content For A Network Cluster From A Content Server Outside The Cluster - Methods, systems, and products are disclosed for delivering broadcast encryption content. Embodiments of the present invention typically include receiving in a cluster broadcast encryption content; receiving in a cluster a rights object defining device-oriented digital rights for broadcast encryption content; and administering the broadcast encryption content on one or more network devices in the cluster in dependence upon the digital rights. In some embodiments, administering the broadcast encryption content on one or more network devices in the cluster in dependence upon the digital rights include mapping the device-oriented digital rights to digital rights supported in the cluster, excluding device-oriented rights not supported in the cluster. In some embodiments, mapping the device-oriented digital rights to digital rights supported in the cluster includes supporting in the cluster only those device-oriented digital rights having direct analogs in the cluster.01-08-2009
20090089579 Secure Policy Differentiation by Secure Kernel Design - A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a “key ring” containing keys corresponding to trusted software vendors. The secure kernel uses vendor keys to verify that a given application was signed by an approved vendor. To make it possible for users to execute software from independent software developers, an administrative user may disable the above-described vendor key-checking as an option. 04-02-2009
20100281255Launching A Secure Kernel In A Multiprocessor System - In one embodiment of the present invention, a method includes verifying a master processor of a system; validating a trusted agent with the master processor if the master processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.11-04-2010
20080244265MOBILITY DEVICE MANAGEMENT SERVER - A mobility device management server (MDMS) for use as part of a mobility device platform allowing for secure mobile computing is provided. In an illustrative implementation, an exemplary mobility device platform (MDP) comprises a mobility device (MD) operable to communicate with at least one computing environment through a communications interface and wherein the MD is operable to process and store secure web services, a communications network operable to communicate data and computing applications using web services, and a MDMS operable to generate, process, store, communicate and encrypt web services to the MD. Further, the MDMS is operable to perform one or more mobility device management functions to provide encryption keys to cooperating MDs and to authenticate and verify cooperating MDs requesting web services from the MDMS. The MDMS further may operate to perform metering functions and may operate to support intermittent connections between itself and cooperating MDs.10-02-2008
20090265549PREVENTING UNAUTHORIZED DISTRIBUTION OF MEDIA CONTENT WITHIN A GLOBAL NETWORK - One embodiment of the invention is a method for providing media content while preventing its unauthorized distribution. The method includes transmitting from a client to an administrative node a request for delivery of an instance of media content (IMC); determining which content source (CS) of a plurality of CSs to provide delivery of the IMC, provided the client is authorized to receive the IMC; transmitting to the client an access key and a location of the IMC; transmitting from the client to the CS a second request and the access key; in response to receiving the second request and the access key, transferring the IMC from the CS to the client; transmitting from the client to the administrative node an indicator indicating a successful transfer of the IMC; and generating a transaction applicable to the client and associated with the transfer of the IMC to the client.10-22-2009
20090177883 METHOD AND DEVICE FOR ONLINE SECURE LOGGING-ON - The invention discloses a method for an online secure logging-on, comprising the steps of: determining a correlation between at least one of processes and a logging-on operation; sorting the at least one of processes to two classes, that is, processes related to the logging-on operation and processes unrelated to the logging-on operation; running at least one of the processes related to the logging-on operation, when the logging-on operation is performed and a number of the processes related to the logging-on operation is one or more; and suspending at least one of the processes unrelated to the logging-on operation, when the logging-on operation is performed and a number of the processes unrelated to the logging-on operation is one or more. The scheme of the present invention utilizes a real-time protection, needs less monitoring on the operating system and is easy to guarantee the stability. Since most processes of the operating system are suspended, the protection is more reliable. Corresponding to the method, the present invention also provides a device for an online secure logging-on. 07-09-2009
20090259845System and method for execution of a secured environment initialization instruction - A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.10-15-2009
20090094455 Frequency Managed Performance - A computer or other electronic device may use a security module to securely control a system or processor clock to set a predetermined performance level. In an exemplary embodiment, the performance level may be high, medium, or low, supporting a range of application performance requirements. Changes to the performance level may be authorized by a third party presenting cryptographic rights to alter the performance level. Alternatively, postpaid or pre-paid value may be accumulated at a rate corresponding to the predetermined performance level set by the security module. 04-09-2009
20090249064 SYSTEM AND METHOD OF AUTHORIZING EXECUTION OF SOFTWARE CODE BASED ON A TRUSTED CACHE - Embodiments include systems and methods for authorizing software code to be executed on a device based on a trusted cache. When receiving a request to execute software, this software may be checked for a digital signature by at least one trusted authority. Accordingly, a digest value indicative of at least a portion of the software module may be determined. A cache stored in trusted space of the device is then accessed for a matching digest value. If an entry is found, the device may allow execution of the software module; if an entry is not found, then the device may continue with the cryptographic operations for verifying the software's digital signature, or may be configured to block execution of the software. 10-01-2009
20090249066Method for Safe Operation and A System Thereof - The present invention relating to computer security field provides a method for safe operation and a system thereof. The method includes: loading the compressed kernel of a safe operating system to a memory of a computer, decompressing the driver of a security device to the memory of the computer; a security master process inquiring the security device and determining whether the security device is legitimate, and if so, the safe operating system creates a security sub-process with which the safe operating system performing information interaction with the security device; verifying whether a user is legitimate, if so, permitting the safe operating system to run properly; otherwise, performing exception handling. The system includes an operating system storage device, a security device and a computer. The presented invention provides a solution that a kernel program of a safe operating system is cooperated with a security device by starting the safe operating system. In the whole process of the computer operation, the kernel of the safe operating system works with the security device, and the security device completes the verification of the user ID and the processing of file data encryption/decryption, which assures the security of the computer operation.10-01-2009
20100191961METHOD AND SYSTEM ACHIEVING INDIVIDUALIZED PROTECTED SPACE IN AN OPERATING SYSTEM - Aspects for achieving individualized protected space in an operating system are provided. The aspects include performing on demand hardware instantiation via an ACE (an adaptive computing engine), and utilizing the hardware for monitoring predetermined software programming to protect an operating system.07-29-2010
20120272059SYSTEM AND METHOD FOR SECURE EXCHANGE OF INFORMATION IN A COMPUTER SYSTEM - A system and method for secure exchange of information in a computing system is described. In one embodiment, the method includes receiving a request to switch to a safe mode from a target application. Encryption/decryption keystring is generated based on the request. The target application is responded with the decryption keystring. A key-stroke is encrypted using the encryption keystring. The encrypted key-stroke is stored in a keyboard buffer. The target application retrieves the encrypted key-stroke and decrypts the encrypted key-stroke using the decryption keystring.10-25-2012
20100262823Launching A Secure Kernel In A Multiprocessor System - In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.10-14-2010
20100161976SYSTEM AND METHOD FOR HANDLING CROSS-PLATFORM SYSTEM CALL WITH SHARED PAGE CACHE IN HYBRID SYSTEM - A system and associated method for handling a cross-platform system call with a shared page cache in a hybrid system. The hybrid system comprises a first computer system and a second computer system. Each computer system has a respective copy of the shared page cache, and validates an entry in the respective copy of the shared page cache for pages available in the respective computer system. The cross-platform system call is invoked by a first kernel to provide a kernel service to a user application in the first computer system. The cross-platform system call has a parameter referring to raw data in the first computer system. The cross-platform system call is converted to be executed in the second computer system and the raw data is copied to the second computer system only when a page fault for the raw data occurs while executing the cross-platform system call.06-24-2010
20080294893DEVICE AND METHOD FOR SECURITY RECONFIGURATION - A security reconfigurable device is adapted for use in an integrated wireless network integrating at least two wireless networks, and includes a plurality of security modules and a control unit. The security modules are used to respectively realize security mechanisms related to the wireless networks. According to security requirements, the control unit selects one of the security modules for operation. The security reconfigurable device can reduce time and cost for updating the security mechanisms. A method for security reconfiguration is also disclosed.11-27-2008
20100180114PROCESSING PACKET STREAMS - Systems and methods are disclosed that include a data-bus, system memory, a first processor arranged to receive an input stream, and a second processor programmed to apply one or more security algorithms to secure packets of the input stream to generate at least partially security-processed packets.07-15-2010
20100161975PROCESSING SYSTEM WITH APPLICATION SECURITY AND METHODS FOR USE THEREWITH - A processing system includes an interface for receiving application data at the processing system corresponding to an application, the application data including authentication data. A one-time programmable memory stores at least one application key. A processing module executes an operating system that includes a security routine to authenticate the application data based on the authentication data and the at least one application key. The security routine permits the execution of the application by the processing module when the authentication data is authenticated, and prevents the execution of the application by the processing system when the authentication data is not authenticated.06-24-2010
20110093699COMMUNICATION BETWEEN KEY MANAGER AND STORAGE SUBSYSTEM KERNEL VIA MANAGEMENT CONSOLE - System, computer program product, and method embodiments for communication between a kernel operational on a storage subsystem and a key manager (KM) through a hardware management console (HMC) to provide encryption support are provided. In one embodiment, an event request is initiated by the kernel to the KM to execute an event flow. Pursuant to a communication request by the kernel to the HMC, a socket of the HMC is opened along a communication path between the KM and the kernel according to an event flow type selected by the KM for the event flow. Pursuant to a data request by the kernel to the KM, data including a data payload is sent by the KM to the kernel, the data payload corresponding to the selected event flow type.04-21-2011
20110154030Methods and apparatus for restoration of an anti-theft platform - Embodiments of methods for restoration of an anti-theft platform are generally described herein. Other embodiments may be described and claimed.06-23-2011
20110161666DIGITAL CONTENT RETRIEVAL UTILIZING DISPERSED STORAGE - A method begins by a processing module obtaining a unique retrieval matrix based on an identity of the playback device and sending a request for retrieval of a set of encoded broadcast data slices to a dispersed storage network (DSN) memory, wherein the request includes the unique retrieval matrix and identity of the set of encoded broadcast data slices. The method continues with the processing module receiving a subset of the set of encoded broadcast data slices from the DSN memory, wherein the subset of the set of encoded broadcast data slices is based on the unique retrieval matrix. The method continues with the processing module storing the subset of the sets of encoded broadcast data slices.06-30-2011
20110093700METHOD AND APPARATUS FOR SECURE EXECUTION USING A SECURE MEMORY PARTITION - A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.04-21-2011
20110167259SOFTWARE LICENSE ENFORCEMENT - Systems and methods for performing software license enforcement are provided. According to one embodiment, file or operating system activity relating to a code module are intercepted by a kernel mode driver of a computer system. The kernel mode driver causes a cryptographic hash value of the code module to be authenticated with reference to a local whitelist containing cryptographic hash values of approved code modules known not to contain malicious code. The local whitelist also contains licensing control information. If the cryptographic hash value matches a cryptographic hash value of an approved code module, then (i) authority to execute the code module is further validated if the licensing control information so indicates by performing a license check regarding the code module; and (ii) the code module is allowed to be loaded and executed within the computer system if the authority is affirmed by the license check.07-07-2011
20090132816PC on USB drive or cell phone - Disclosed are virtual, personal computers implemented on USB drive, cell phone platforms, or other small portable computing platform. Exemplary personal computers include a nanokernel or minikernel configured to boot when connected to a host computer. A memory is provided for storing the nanokernel or minikernel, along with encrypted data, secure keys and certificates, and one or more software applications. The nanokernel or minikernel is configured to allow selected stored software applications to run on the host computer and execute on the user data stored in the memory when the computing apparatus is connected to the host computer and booted. The nanokernel or minikernel is also configured to prevent any other application from executing on user data stored in the memory. The TPM provides the mechanism to seal and authenticate the compute environment of the host computer its components and/or the USB drive et al itself. The contents of the virtual, personal computer are meant to execute on the host computer, but have persistent, encrypted storage on the USB drive, cell phone platforms, or other small portable computing platform which may have additional biometric identification.05-21-2009
20120084560REBOOT CONTROLLER TO PREVENT UNAUTHORIZED REBOOT - A method, computer program product and system of preventing the unauthorized rebooting of a server having a change record, reboot password and valid reboot key. The method includes authenticating that rebooting is authorized by the change record; responsive to entering a reboot password, authenticating that a valid reboot password has been entered; and responsive to entering a reboot key, authenticating by a computer processor that a valid reboot key has been entered.04-05-2012
20120260089SYSTEM AND METHOD FOR SECURING DATA TRANSACTION - A secure messaging channel is necessary especially when the message involves confidential transactions, for example a bank transaction which involves funds transfer and other additional information. The present disclosure describes securing a message. The method of securing a message comprises providing a personal identification number by the user, wherein the personal identification number is associated to a unique number of a user. The unique number can be a mobile number. The correct personal identification number invokes the one-time password generator. The one-time password generator accesses a metadata which comprises a value stored. The value stored in the metadata is retrieved to generate a dynamic key. The dynamic key is converted to a symmetric encryption key to encrypt the data. The dynamic key can also be converted to a symmetric decryption key to decrypt the data.10-11-2012
20080301440Updateable Secure Kernel Extensions - A method, computer program product, and data processing system for providing an updateable encrypted operating kernel are disclosed. In a preferred embodiment, secure initialization hardware decrypts a minimal secure kernel containing sensitive portions of data and/or code into a portion of the processor-accessible memory space, from which the kernel is executed. Most system software functions are not directly supported by the secure kernel but are provided by dynamically loaded kernel extensions that are encrypted with a public key so that they can only be decrypted with a private key possessed by the secure kernel. The public/private key pair is processor-specific. Before passing control to a kernel extension the secure kernel deletes a subset of its sensitive portions, retaining only those sensitive portions needed to perform the task(s) delegated to the kernel extension. Which sensitive portions are retained is determined by a cryptographic key with which the kernel extension is signed.12-04-2008
20120265987COMMUNICATION BETWEEN KEY MANAGER AND STORAGE SUBSYSTEM KERNEL VIA MANAGEMENT CONSOLE - System, computer program product, and method embodiments for communication between a kernel operational on a storage subsystem and a key manager (KM) through a hardware management console (HMC) to provide encryption support are provided. In one embodiment, an event request is initiated by the kernel to the KM to execute an event flow. Pursuant to a communication request by the kernel to the HMC, a socket of the HMC is opened along a communication path between the KM and the kernel according to an event flow type selected by the KM for the event flow. Pursuant to a data request by the kernel to the KM, data including a data payload is sent by the KM to the kernel, the data payload corresponding to the selected event flow type.10-18-2012
20110047376METHOD AND APPARATUS FOR SECURE EXECUTION USING A SECURE MEMORY PARTITION - A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.02-24-2011
20120102321SECRET INFORMATION DISTRIBUTION SYSTEM, SECRET INFORMATION DISTRIBUTION METHOD AND PROGRAM - Secret information is encoded/distributed into distributed information according to access structure, a random number sequence corresponding to number of pieces into which the secret information is distributed is generated by randomly selecting polynomial coefficients, the coefficients are encoded/distributed into random number information according to access structure, a hash function whose hash values correspond to the random number sequence is generated, keys for which the hash function applies are selected so as to individually set data for checking whether restored secret information is being manipulated as number of pieces of check data corresponding to number of pieces into which the secret information is distributed, the distributed information is read, the secret information is restored; the random number information is read, the random number sequence is restored, the check data is read, and the restored secret information is judged as not being manipulated when the read check data satisfies the hash function.04-26-2012
20130019095Data services outsourcing verification (inventors: Cohen, Alexander J., Bellevue, WA, US; Jung, Edward K. Y., Bellevue, WA, US; Levien, Royce A., Lexington, MA, US; Lord, Robert W., Seattle, WA, US; Malamud, Mark A., Seattle, WA, US; Mangione-Smith, William Henry, Kirkland, WA, US; Rinaldo, JR., John D., Bellevue, WA, US; Tegreene, Clarence T., Bellevue, WA, US) - A method and system for verifying outsource data and providing a certification system includes but is not limited to a method including receiving one or more deposits of one or more data elements in connection with an outsourcing transaction from or on behalf of a third party, verifying an identification of the third party, maintaining a transaction log to provide a validation record acknowledging receipt of the one or more deposits, and performing a cryptographic action against one or more aspects of the outsourcing transaction to provide a certified version of the transaction log to confirm the outsourcing transaction.01-17-2013
20110246767SECURE VIRTUAL MACHINE MEMORY - Apparatus, systems, and methods may operate to allocate encrypted memory locations to store encrypted information, the information to be encrypted and decrypted using a single hypervisor. Further activity may include permitting access to a designated number of the encrypted memory locations to a single application executed by an associated virtual machine (VM) subject to the hypervisor, and denying access to the designated number of the encrypted memory locations to any other application executed by the associated VM, or any other VM. In some embodiments, the operational state of the associated VM may be restored using the encrypted information. Additional apparatus, systems, and methods are disclosed.10-06-2011
20130103941METHOD FOR UPDATING DATA IN A SECURITY MODULE - A method for updating operating data in a security module associated to a user unit for processing digital data broadcast in a transport stream, said unit being connected to a conditional access system transmitting, in said transport stream, to the security module a first stream comprising management messages includes: broadcasting a second stream of operating data patch messages, adding to the first stream of management messages, a trigger message to direct the security module to a conditional access system transmitting a second stream transporting suitable operating data patch messages if a current version of the operating data in the security module requires an update, updating the operating data of the concerned security module with the operating data patch messages from the second stream, directing the security module towards the conditional access system transmitting another stream based on an identifier of the conditional access system in the security module.04-25-2013
20130124860Method for the Cryptographic Protection of an Application - A method is provided for cryptographic protection of an application associated with an application owner and executed in an external data processing center having a security module that stores private cryptographic material of the application owner. A first secure channel between the security module and application owner and a second secure channel between the application owner and the application are used for transmitting a cryptographic key. The cryptographic key is automatically made available to the secure module and the application via the secure channels, without the data processing center service operator being able to access said key. The application can authenticate itself using the key so that the cryptographic material can be transmitted to the application via a channel protected by the cryptographic key. The application data can be encrypted using the cryptographic material such that the application data cannot be accessed by the data processing center service operator.05-16-2013
20090132815Systems and methods for secure transaction management and electronic rights protection - The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node. These techniques may be used to support an all-electronic information distribution, for example, utilizing the “electronic highway.”05-21-2009
20130151848CRYPTOGRAPHIC CERTIFICATION OF SECURE HOSTED EXECUTION ENVIRONMENTS - Implementations for providing a persistent secure execution environment with a hosted computer are described. A host operating system of a computing system provides an encrypted checkpoint to a persistence module that executes in a secure execution environment of a hardware-protected memory area initialized by a security-enabled processor. The encrypted checkpoint is derived at least partly from another secure execution environment that is cryptographically certifiable as including another hardware-protected memory area established in an activation state to refrain from executing software not trusted by the client system.06-13-2013
20130151849DEVICE, METHOD, AND SYSTEM FOR PROCESSING COMMUNICATIONS FOR SECURE OPERATION OF INDUSTRIAL CONTROL SYSTEM FIELD DEVICES - A device, method, and system for processing communications for secure operation of industrial control system field devices, includes: a processing device to be placed in-line between a Master Telemetry Unit (MTU) and a field device. A software verified microkernel includes instructions for the processing device to provide a secure partitioning of memory between a communication network interface address space, a security cell address space, and a field device interface address space. The security cell address space includes instructions to: receive communication messages from the MTU via the communication network interface address space; authenticate a user identification of each communication message; verify that an operation requested in each message is authorized for the user identification; and send each communication message having an authenticated user identification and a verified operation to the field network interface address space for communication with the field device.06-13-2013
20100318794System and Method for Providing Security Aboard a Moving Platform - A system for providing network security on a vehicle information system and methods for manufacturing and using same. The security system comprises an all-in-one security system that facilitates security system functions for the vehicle information system. Exemplary security system functions include secure storage of keys used to encrypt and/or decrypt system data, security-related application programming interfaces, a security log file, and/or private data. The security system likewise can utilize antivirus software, anti-spyware software, an application firewall, and/or a network firewall. As desired, the security system can include an intrusion prevention system and/or an intrusion detection system. If the information system includes a wireless distribution system, the security system can include an intrusion prevention (and/or detection) system that is suitable for use with wireless network systems. Thereby, the security system advantageously can provide a defense in depth approach by adding multiple layers of security to the information system.12-16-2010
20100318793Permission-Based Dynamically Tunable Operating System Kernel - A server includes a central processing unit and electronic memory communicatively coupled to the central processing unit. The memory stores a dynamically tunable operating system kernel that includes at least one tunable implemented as a plurality of states. Each application managed by the operating system is assigned to one of these states according to a permission level association with the application. Each state defines a range of automated tuning of the tunable that is authorized to applications assigned to the state.12-16-2010
20130159707Host Device and Method for Super-Distribution of Content Protected with a Localized Content Encryption Key - In one embodiment, a host device creates a super-distribution token by encrypting a content encryption key with a super-distribution key and stores the super-distribution token and encrypted content retrieved from a source storage device in a target storage device. In another embodiment, a host device provides a super-distribution token to a server, wherein the server is configured to generate an activation token from the super-distribution token, receive the activation token from the server, retrieve a content encryption key from the activation token, and decrypt encrypted content received from a storage device using the content encryption key retrieved from the activation token.06-20-2013
20130191634Resource Restriction Systems and Methods - Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related to resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource restriction agent grants or denies the system call based on the access data.07-25-2013
20130212384ENABLING USERS TO SELECT BETWEEN SECURE SERVICE PROVIDERS USING A KEY ESCROW SERVICE - Systems and methods are described herein for enabling users to select from available secure service providers (each having a Trusted Service Manager (“TSM”)) for provisioning applications and services on a secure element installed on a device of the user. The device includes a service provider selector (“SPS”) module that provides a user interface for selecting the secure service provider. In one embodiment, the SPS communicates with a key escrow service that maintains cryptographic keys for the secure element and distributes the keys to the user selected secure service provider. The key escrow service also revokes the keys from deselected secure service providers. In another embodiment, the SPS communicates with a central TSM that provisions applications and service on behalf of the user selected secure service provider. The central TSM serves as a proxy between the secure service providers and the secure element.08-15-2013
