Key Recovery Patents:
The following patents were related to the proposed US Key Escrow requirements (AKA "clipper chip"). IBM wanted to have a solution that, if mandated, could offer customers better protections. Fortunately these algorithms were never needed. My favorite was the second, which was my variation of multi-party Diffie-Hellman.
US5796830 INTEROPERABLE CRYPTOGRAPHIC KEY RECOVERY SYSTEM
US5907618 METHOD AND APPARATUS FOR VERIFIABLY PROVIDING KEY RECOVERY INFORMATION IN A CRYPTOGRAPHIC SYSTEM
US5937066 TWO-PHASE CRYPTOGRAPHIC KEY RECOVERY SYSTEM
US6058188 METHOD AND APPARATUS FOR INTEROPERABLE VALIDATION OF KEY RECOVERY INFORMATION IN A CRYPTOGRAPHIC SYSTEM
US6535607 METHOD AND APPARATUS FOR PROVIDING INTEROPERABILITY BETWEEN KEY RECOVERY AND NON-KEY RECOVERY SYSTEMS
Crypto Patents:
The next few patents were related to IBM's candidate for the AES competition. While our entry didn't win, I still think the concept of different rounds is important.
US6185304 METHOD AND APPARATUS FOR A SYMMETRIC BLOCK CIPHER USING MULTIPLE STAGES
US6189095 SYMMETRIC BLOCK CIPHER USING MULTIPLE STAGES WITH MODIFIED TYPE-1 AND TYPE-3 FEISTEL NETWORKS
US6192129 METHOD AND APPARATUS FOR ADVANCED BYTE-ORIENTED SYMMETRIC KEY BLOCK CIPHER WITH VARIABLE LENGTH KEY AND BLOCK
US6243470 METHOD AND APPARATUS FOR ADVANCED SYMMETRIC KEY BLOCK CIPHER WITH VARIABLE LENGTH KEY AND BLOCK
TPM-related Patents:
US6311270 METHOD AND APPARATUS FOR SECURING COMMUNICATION UTILIZING A SECURITY PROCESSOR
US7315950 METHOD OF SECURELY SHARING INFORMATION OVER PUBLIC NETWORKS USING UNTRUSTED SERVICE PROVIDERS AND TIGHTLY CONTROLLING CLIENT ACCESSIBILITY
US7805765 EXECUTION VALIDATION USING HEADER CONTAINING VALIDATION DATA
US8055912 METHOD AND SYSTEM FOR BOOTSTRAPPING A TRUSTED SERVER HAVING REDUNDANT TRUSTED PLATFORM MODULES
US20020166055A1 SECURE PIN ENTRY INTO A SECURITY CHIP
US20030188179A1 ENCRYPTED FILE SYSTEM USING TCPA
US20030229802A1 COMPUTER SYSTEM APPARATUS AND METHOD FOR IMPROVED ASSURANCE OF AUTHENTICATION
US20080025212A1 METHOD AND APPARATUS FOR REMOTELY ACCESSING RESOURCES OVER AN INSECURE NETWORK
Processor Security Patents:
The last two are the most interesting. Hardware Based Mandatory Access Control extends a CPU to label all processes and all data (in memory and registers) with mandatory access control labels. A policy engine then looks at each instruction to apply the policy during execution. It's horribly expensive (the labels double memory usage), but it's able to implement any security policy in hardware, including integrity, secrecy, capability, taint flow, and so on. The last is a novel take on embedding a "security processor" in a CPU as a new "ultravisor" context. This monitor is very small, and proven correct, and it deals with just the minimal functions necessary to provide memory isolation even in the presence of malicious operating systems and hypervisors.
US8135937 LOGICAL PARTITION MEMORY
US8301863 RECURSIVE LOGICAL PARTITION REAL MEMORY MAP
US8850557 PROCESSOR AND DATA PROCESSING METHOD WITH NON-HIERARCHICAL COMPUTER SECURITY ENHANCEMENTS FOR CONTEXT STATES
US9075644 SECURE RECURSIVE VIRTUALIZATION
US9996709 SECURE COMPUTER ARCHITECTURE
US10802990 HARDWARE BASED MANDATORY ACCESS CONTROL
US20200218799A1 SYSTEM AND METHOD FOR SUPPORTING SECURE OBJECTS USING A MEMORY ACCESS CONTROL MONITOR
Industrial Controller Security:
The three firewall-related patents cover a novel highly secure boundary application proxy gateway suitable for remote access into critical infrastructure sites, such as power plant control rooms. Current proxies are large monolithic applications that run on a dual-homed host and provide little assurance of isolation. The patents provide strict isolation between untrusted outside and inside containers, with a small provably secure monitor process connecting the two at the application level.
US10210333 SECURE INDUSTRIAL CONTROL PLATFORM
US20190238512A1 FIREWALL RULE CREATION INTEGRATED WITH APPLICATION DEVELOPMENT
US20190238513A1 DATA DIODES IMPLEMENTED WITH CONTAINERIZED FIREWALLS
US20190238514A1 CONTAINER BASED APPLICATION PROXY FIREWALL
US10489597 BLOCKCHAIN VERIFICATION OF NETWORK SECURITY SERVICE
US10706179 SECURE PROVISIONING OF SECRETS INTO MPSOC DEVICES USING UNTRUSTED THIRD-PARTY SYSTEMS
Miscellaneous:
US10528740 SECURELY BOOTING A SERVICE PROCESSOR AND MONITORING SERVICE PROCESSOR INTEGRITY
US10754323 METHODS AND SYSTEMS FOR IMPLEMENTING DISTRIBUTED LEDGER MANUFACTURING HISTORY
US20040059704A1 SELF-MANAGING COMPUTING SYSTEM
US20070169195A1 SYSTEM AND METHOD OF DYNAMICALLY WEIGHTED ANALYSIS FOR INTRUSION DECISION-MAKING
US10228924 APPLICATION DEPLOYMENT AND MONITORING IN A CLOUD ENVIRONMENT TO SATISFY INTEGRITY AND GEO-FENCING CONSTRAINTS
US20130291067A1 IDENTIFICATION OF UNAUTHORIZED OR MISCONFIGURED WIRELESS ACCESS POINT USING DISTRIBUTED ENDPOINTS
US20190364048A1 SERVICE PROCESSOR AND SYSTEM WITH SECURE BOOTING AND MONITORING OF SERVICE PROCESSOR INTEGRITY
US20200067941A1 VERIFICATION OF GEOLOCATION OF DEVICES IN A CLOUD DATA CENTER