公开(公告)号：WO2014105129A1

公开(公告)日：2014-07-03

申请号：PCT/US2013/046187

申请日：2013-06-17

Applicant: INTEL CORPORATION ,  GOTZE, Kevin C. ,  LI, Jiangtao ,  LOVINO, Gregory M.

Inventor： GOTZE, Kevin C. ,  LI, Jiangtao ,  LOVINO, Gregory M.

IPC: H04L9/30 ,  H04L9/14 ,  H04L9/08

CPC classification number: G06F21/73 ,  G06F21/44 ,  G09C1/00 ,  H04L9/0861 ,  H04L9/0866 ,  H04L9/3278

Abstract: Embodiments of an invention for fuse attestation to secure the provisioning of secret keys during integrated circuit manufacturing are disclosed. In one embodiment, an apparatus includes a storage location, a physically unclonable function (PUF) circuit, a PUF key generator, an encryption unit, and a plurality of fuses. The storage location is to store a configuration fuse value. The PUF circuit is to provide a PUF value. The PUF key generator is to generate a PUF key based on the PUF value. The encryption unit is to encrypt the configuration fuse value using the PUF key. The PUF key and the configuration fuse value are to be provided to a key server. The key server is to determine that the configuration fuse value indicates that the apparatus is a production component, and, in response, provide a fuse key to be stored in the plurality of fuses.

Abstract translation: 公开了用于在集成电路制造期间确保秘密密钥供应的熔丝证明的发明的实施例。 在一个实施例中，一种装置包括存储位置，物理上不可克隆功能（PUF）电路，PUF密钥发生器，加密单元和多个保险丝。 存储位置是存储配置熔丝值。 PUF电路提供PUF值。 PUF密钥生成器基于PUF值生成PUF密钥。 加密单元使用PUF密钥加密配置熔丝值。 PUF键和配置保险丝值将提供给密钥服务器。 密钥服务器是确定配置熔丝值表示该设备是生产部件，并且作为响应，提供要存储在多个保险丝中的熔丝钥匙。

公开(公告)号：WO2015047385A1

公开(公告)日：2015-04-02

申请号：PCT/US2013/062598

申请日：2013-09-30

Applicant: INTEL CORPORATION

Inventor： LI, Jiangtao ,  WALKER, Jesse

IPC: G06F21/30 ,  G06F21/46

CPC classification number: H04L9/0866 ,  G06F21/60

Abstract: In an embodiment, an apparatus includes a processor including a first core. The first core includes multi-biometric logic to output first biometric data w i (i =1 to n , n ≥ 2), each w i determined based on a corresponding one of first biometric input M i ( i =1 to n , n ≥ 2) received during a first time period. The apparatus also includes setup logic to transform a cryptographic key k via a transformation that uses the first biometric data w i where transformation of the cryptographic key k results in output of helper data h i ( i =1 to n ). Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，一种装置包括包括第一核的处理器。 第一核心包括用于输出第一生物特征数据wi（i = 1至n，n≥2）的多生物统计学逻辑，每个wi基于第一生物特征输入M i（i = 1至n，n≥2 ）在第一时间段内收到。 该设备还包括设置逻辑，用于通过使用第一生物特征数据w i的变换来加密密钥k，其中加密密钥k的变换导致辅助数据h i（i = 1至n）的输出。 描述和要求保护其他实施例。

公开(公告)号：WO2014112999A1

公开(公告)日：2014-07-24

申请号：PCT/US2013/021765

申请日：2013-01-16

Applicant: INTEL CORPORATION ,  LI, Jiangtao ,  KOEBERL, Patrick ,  MATHEW, Sanu K. ,  WU, Wei

Inventor： LI, Jiangtao ,  KOEBERL, Patrick ,  MATHEW, Sanu K. ,  WU, Wei

IPC: G06F17/00 ,  G06F9/06 ,  G06F13/14

CPC classification number: H03K19/17768 ,  G06F21/72 ,  H04L9/3247 ,  H04L9/3278

Abstract: A physically unclonable function (PUF) includes a plurality of PUF elements to generate an N-bit PUF signature. For each bit in the N-bit PUF signature, a PUF group of K number of individual PUF elements indicating a single-bit PUF value is used to generate a group bit. The group bits are more repeatable than the individual PUF elements. The value K may be selected such that (K+1)/2 is an odd number.

Abstract translation: 物理上不可克隆的功能（PUF）包括多个PUF元件以产生N位PUF签名。 对于N位PUF签名中的每个比特，使用指示单位PUF值的K个个体PUF元素的PUF组来生成组比特。 组位比PUF单个元件更可重复。 可以选择值K使得（K + 1）/ 2是奇数。

公开(公告)号：WO2013100903A1

公开(公告)日：2013-07-04

申请号：PCT/US2011/067384

申请日：2011-12-27

Applicant: INTEL CORPORATION ,  LI, Jiangtao ,  BRICKELL, Ernie ,  WISEMAN, Willard Monten

Inventor： LI, Jiangtao ,  BRICKELL, Ernie ,  WISEMAN, Willard Monten

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/0816 ,  H04L9/3066 ,  H04L9/3252 ,  H04L2209/127

Abstract: A method and system computes a basepoint for use in a signing operation of a direct anonymous attestation scheme. The method and system includes computing a basepoint at a host computing device and verifying the base point at a trusted platform module (TPM) device.

Abstract translation: 方法和系统计算用于直接匿名证明方案的签名操作的基点。 该方法和系统包括在主计算设备处计算基点并验证可信平台模块（TPM）设备处的基点。

公开(公告)号：WO2013101085A1

公开(公告)日：2013-07-04

申请号：PCT/US2011/067881

申请日：2011-12-29

Applicant: INTEL CORPORATION ,  LI, Jiangtao ,  RAJAN, Anand ,  MAES, Roel ,  MATHEW, Sanu, K. ,  KRISHNAMURTHY, Ram, K. ,  BRICKELL, Ernie

Inventor： LI, Jiangtao ,  RAJAN, Anand ,  MAES, Roel ,  MATHEW, Sanu, K. ,  KRISHNAMURTHY, Ram, K. ,  BRICKELL, Ernie

IPC: H04L9/14

CPC classification number: H04L9/0891 ,  G09C1/00 ,  H04L9/0822 ,  H04L9/0861 ,  H04L9/0866 ,  H04L9/0894 ,  H04L2209/12

Abstract: Some implementations disclosed herein provide techniques and arrangements for provisioning keys to integrated circuits/processors. A processor may include physically unclonable functions component, which may generate a unique hardware key based at least on at least one physical characteristic of the processor. The hardware key may be employed in encrypting a key such as a secret key. The encrypted key may be stored in a memory of the processor. The encrypted key may be validated. The integrity of the key may be protected by communicatively isolating at least one component of the processor.

Abstract translation: 本文公开的一些实施例提供了用于向集成电路/处理器供应密钥的技术和布置。 处理器可以包括物理上不可克隆的功能组件，其可以至少基于处理器的至少一个物理特性来生成唯一的硬件密钥。 硬件密钥可用于加密诸如秘密密钥的密钥。 加密密钥可以存储在处理器的存储器中。 可以验证加密的密钥。 可以通过通信地隔离处理器的至少一个组件来保护密钥的完整性。

公开(公告)号：WO2012074720A1

公开(公告)日：2012-06-07

申请号：PCT/US2011/060345

申请日：2011-11-11

Applicant: INTEL CORPORATION ,  BRICKELL, Ernie F. ,  GUERON, Shay ,  LI, Jiangtao ,  ROZAS, Carlos V. ,  NEMIROFF, Daniel ,  SCARLATA, Vincent R. ,  SAVAGAONKAR, Uday R. ,  JOHNSON, Simon P.

Inventor： BRICKELL, Ernie F. ,  GUERON, Shay ,  LI, Jiangtao ,  ROZAS, Carlos V. ,  NEMIROFF, Daniel ,  SCARLATA, Vincent R. ,  SAVAGAONKAR, Uday R. ,  JOHNSON, Simon P.

IPC: H04L9/08 ,  H04L9/14

CPC classification number: H04L9/0816 ,  G06F21/572 ,  G06F21/73

Abstract: Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.

Abstract translation: 用于在平台中提供安全性的键控材料可以安全地在线和离线地配置到远程平台中的设备。 密钥材料的安全配置基于安装在平台中的固件的修订版本。

公开(公告)号：EP2647156A1

公开(公告)日：2013-10-09

申请号：EP11844100.5

申请日：2011-11-11

Applicant: Intel Corporation

Inventor： BRICKELL, Ernie F. ,  GUERON, Shay ,  LI, Jiangtao ,  ROZAS, Carlos V. ,  NEMIROFF, Daniel ,  SCARLATA, Vincent R. ,  SAVAGAONKAR, Uday R. ,  JOHNSON, Simon P.

IPC: H04L9/08 ,  H04L9/14

CPC classification number: H04L9/0816 ,  G06F21/572 ,  G06F21/73

Abstract: Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.

Abstract translation: 用于在平台中提供安全性的键控材料可以在线和离线安全地配置到远程平台中的设备。 密钥材料的安全配置基于安装在平台中的固件的修订版本。

公开(公告)号：WO2016077017A2

公开(公告)日：2016-05-19

申请号：PCT/US2015/055508

申请日：2015-10-14

Applicant: INTEL CORPORATION

Inventor： SARANGDHAR, Nitin V. ,  NEMIROFF, Daniel ,  SMITH, Ned M. ,  BRICKELL, Ernie ,  LI, Jiangtao

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/3234 ,  G06F21/57 ,  G06F21/64 ,  H04L9/0861 ,  H04L9/0866 ,  H04L9/14 ,  H04L9/3263 ,  H04L2209/127

Abstract: This application is directed to trusted platform module certification and attestation utilizing an anonymous key system. In general, TPM certification and TPM attestation may be supported in a device utilizing integrated TPM through the use of anonymous key system (AKS) certification. An example device may comprise at least combined AKS and TPM resources that load AKS and TPM firmware (FW) into a runtime environment that may further include at least an operating system (OS) encryption module, an AKS service module and a TPM Certification and Attestation (CA) module. For TPM certification, the CA module may interact with the other modules in the runtime environment to generate a TPM certificate, signed by an AKS certificate, that may be transmitted to a certification platform for validation. For TPM attestation, the CA module may cause TPM credentials to be provided to the attestation platform for validation along with the TPM and/or AKS certificates.

Abstract translation: 该应用程序针对使用匿名密钥系统的可信平台模块认证和认证。 一般来说，通过使用匿名密钥系统（AKS）认证，可以在使用集成TPM的设备中支持TPM认证和TPM认证。 一个示例设备可以包括将AKS和TPM固件（FW）加载到可以进一步包括至少一个操作系统（OS）加密模块，AKS服务模块和TPM认证和认证的运行时环境中的至少组合的AKS和TPM资源 （CA）模块。 对于TPM认证，CA模块可以与运行时环境中的其他模块进行交互，以生成由AKS证书签名的TPM证书，该证书可能被传送到认证平台进行验证。 对于TPM认证，CA模块可能会将TPM凭据与TPM和/或AKS证书一起提供给认证平台进行验证。

公开(公告)号：WO2014200496A1

公开(公告)日：2014-12-18

申请号：PCT/US2013/045690

申请日：2013-06-13

Applicant: INTEL CORPORATION ,  NEGI, Anusya ,  JOHNSON, Erik ,  LI, Jiangtao

Inventor： NEGI, Anusya ,  JOHNSON, Erik ,  LI, Jiangtao

IPC: H04L9/30

CPC classification number: H04L9/3268 ,  H04L9/0841

Abstract: Technologies for securely pairing a first computing device with a second computing device include the first computing device to generate a session message key based on a key exchange with the second computing device. The first computing device receives a message including a hardware key certificate, 5 a cryptographically-signed communication, and a message authentication code from the second computing device. The cryptographically-signed communication is signed with a private hardware key of the second computing device. The first computing device validates the message authentication code, the certificate, and the signature received from the second computing device. After validation, the first computing device 10 identifies a user of the second computing device based on user-identifying data received from the second computing device.

Abstract translation: 用于将第一计算设备与第二计算设备安全地配对的技术包括：第一计算设备，用于基于与第二计算设备的密钥交换来生成会话消息密钥。 第一计算设备从第二计算设备接收包括硬件密钥证书，密码签名的通信和消息认证码的消息。 密码签名的通信使用第二计算设备的专用硬件密钥进行签名。 第一计算设备验证从第二计算设备接收的消息认证码，证书和签名。 在验证之后，第一计算设备10基于从第二计算设备接收的用户识别数据来识别第二计算设备的用户。

公开(公告)号：WO2014105310A1

公开(公告)日：2014-07-03

申请号：PCT/US2013/071346

申请日：2013-11-21

Applicant: INTEL CORPORATION ,  KOEBERL, Patrick ,  LI, Jiangtao

Inventor： KOEBERL, Patrick ,  LI, Jiangtao

IPC: G06F21/30

CPC classification number: G06F21/70 ,  G06F21/44 ,  G06F21/73

Abstract: At least one machine accessible medium having instructions stored thereon for authenticating a hardware device is provided. When executed by a processor, the instructions cause the processor to receive two or more device keys from a physically unclonable function (PUF) on the hardware device, generate a device identifier from the two or more device keys, obtain a device certificate from the hardware device, perform a verification of the device identifier, and provide a result of the device identifier verification. In a more specific embodiment, the instructions cause the processor to perform a verification of a digital signature in the device certificate and to provide a result of the digital signature verification. The hardware device may be rejected if at least one of the device identifier verification and the digital signature verification fails.

Abstract translation: 提供了至少一个具有存储在其上用于认证硬件设备的指令的机器可访问介质。 当处理器执行时，指令使处理器从硬件设备上的物理不可克隆功能（PUF）接收两个或多个设备密钥，从两个或多个设备密钥生成设备标识符，从硬件获得设备证书 设备，执行设备标识符的验证，并提供设备标识符验证的结果。 在更具体的实施例中，指令使处理器执行设备证书中的数字签名的验证并提供数字签名验证的结果。 如果设备标识符验证和数字签名验证中的至少一个失败，则硬件设备可能被拒绝。