公开(公告)号：US09430664B2

公开(公告)日：2016-08-30

申请号：US13933928

申请日：2013-07-02

Applicant: Microsoft Technology Licensing, LLC

Inventor： Preston Derek Adam ,  Peter J. Novotney ,  Nathan J. Ide ,  Innokentiy Basmov ,  Narendra S. Acharya ,  Octavian T. Ureche ,  Saurav Sinha ,  Gopinathan Kannan ,  Christopher R. Macaulay ,  Michael J. Grass

IPC: G06F21/62 ,  H04L29/06

CPC classification number: G06F21/6218 ,  G06F2221/2143 ,  H04L63/0428

Abstract: An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key.

Abstract translation: 设备上的应用程序可以与组织服务进行通信。 应用程序访问设备上的保护系统，该保护系统使用加密密钥从组织服务加密由应用获得的数据，并且与数据一起包括可用于解密加密数据的解密密钥的指示。 保护系统维护与组织相关联的加密和解密密钥的记录。 该数据可以存储在至少该设备上的各种位置，并且可以至少在该设备上的各种应用程序读取。 如果组织确定存储在设备上的组织的数据在设备上不再可访问（例如，将从设备撤销），则将命令传达到设备以撤销与组织相关联的数据。 响应该命令，保护系统删除解密密钥。

公开(公告)号：US09998438B2

公开(公告)日：2018-06-12

申请号：US14061621

申请日：2013-10-23

Applicant: Microsoft Technology Licensing, LLC

Inventor： Saurav Sinha ,  Gopinathan Kannan ,  Nathan Ide ,  Shawn Corey ,  Tony Ureche

IPC: H04L29/06 ,  G06F21/44 ,  G06F21/57 ,  H04L9/32

CPC classification number: H04L63/08 ,  G06F21/44 ,  G06F21/57 ,  G06F21/575 ,  G06F2221/2111 ,  G06F2221/2115 ,  G06F2221/2133 ,  G06F2221/2143 ,  H04L9/3263 ,  H04L63/0823 ,  H04L63/0876 ,  H04L63/107 ,  H04L63/1483 ,  H04L2209/76

Abstract: In one embodiment, a client device 110 may use an attestation service 140 to verify a secure server 120. The secure server 120 may receive a signed trusted credential 310 from an attestation service 140 validating the secure server 120 as trustworthy to a client device 110 seeking access. The secure server 120 may protect the signed trusted credential 310 in a server secure module 280.

公开(公告)号：US20160321464A1

公开(公告)日：2016-11-03

申请号：US15210112

申请日：2016-07-14

Applicant: Microsoft Technology Licensing, LLC

Inventor： Matthew Z. Tamayo-Rios ,  Saurav Sinha ,  Ruslan Ovechkin ,  Gopinathan Kannan ,  Vijay G. Bharadwaj ,  Christopher R. Macaulay ,  Eric Fleischman ,  Nathan J. Ide ,  Kun Liu

IPC: G06F21/62 ,  H04L29/06 ,  G06F21/44

CPC classification number: G06F21/6218 ,  G06F21/44 ,  G06F21/6245 ,  G06F21/6272 ,  G06F2221/2107 ,  H04L63/0428 ,  H04L63/062 ,  H04L67/1095 ,  H04L67/1097

Abstract: Techniques for secure data synchronization are described. In one or more implementations, a determination is made as to whether enterprise data is stored locally on a first device corresponding to an enterprise device. Based on a determination that the second device is a non-enterprise device, a determination is made as to whether a permission associated with the first device indicates that the first device is permitted to propagate the enterprise data to non-enterprise devices. If the first device lacks permission to propagate the enterprise data to non-enterprise devices, the enterprise data is prevented from being propagated to the second device.

Abstract translation: 描述了用于安全数据同步的技术。 在一个或多个实现中，确定企业数据是否本地存储在对应于企业设备的第一设备上。 基于第二设备是非企业设备的确定，确定与第一设备相关联的许可证是否允许第一设备将企业数据传播到非企业设备。 如果第一设备没有将企业数据传播到非企业设备的权限，则防止企业数据被传播到第二设备。

公开(公告)号：US11451405B2

公开(公告)日：2022-09-20

申请号：US16276538

申请日：2019-02-14

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： Brian Scott Lounsberry ,  Saurav Sinha ,  Chuanxin Fang ,  Ashok Chandrasekaran

IPC: H04L9/32 ,  H04L9/08 ,  G06F9/455

Abstract: Various methods and systems are provided for providing on-demand emergency management. On-demand emergency management includes emergency management operations (e.g., certificate update operations or managed-secrets rollover operations) for accelerated deployment and expedited installation of certificates or secrets. In operation, a host secret manager on a host machine communicates with client secret managers on virtual machines running the host machine, to provide expedited installation of secrets on the virtual machines. During the certificate update operations, the host secret manager communicates the certificate update secret package having a new secret state to a client secret manager that installs the new certificate state on the virtual machine. And, during managed-secrets rollover operations, based on accessing a managed-secrets rollover secret package having a notification-based new secret state, the host secret manager polls a dSMS service, and communicates with a client secret manager, such that client secret manager installs the new secret on the virtual machine.

公开(公告)号：US10121018B2

公开(公告)日：2018-11-06

申请号：US15210112

申请日：2016-07-14

Applicant: Microsoft Technology Licensing, LLC

Inventor： Matthew Z. Tamayo-Rios ,  Saurav Sinha ,  Ruslan Ovechkin ,  Gopinathan Kannan ,  Vijay G. Bharadwaj ,  Christopher R. Macaulay ,  Eric Fleischman ,  Nathan J. Ide ,  Kun Liu

IPC: H04L29/06 ,  G06F21/62 ,  G06F21/44 ,  H04L29/08

Abstract: Techniques for secure data synchronization are described. In one or more implementations, a determination is made as to whether enterprise data is stored locally on a first device corresponding to an enterprise device. Based on a determination that the second device is a non-enterprise device, a determination is made as to whether a permission associated with the first device indicates that the first device is permitted to propagate the enterprise data to non-enterprise devices. If the first device lacks permission to propagate the enterprise data to non-enterprise devices, the enterprise data is prevented from being propagated to the second device.

公开(公告)号：US09853812B2

公开(公告)日：2017-12-26

申请号：US14489288

申请日：2014-09-17

Applicant: Microsoft Technology Licensing, LLC

Inventor： Yogesh A. Mehta ,  Innokentiy Basmov ,  Octavian T. Ureche ,  Peter J. Novotney ,  Preston Derek Adam ,  Mugdha Lakhani ,  Saurav Sinha ,  Narendra S. Acharya ,  Karanbir Singh

IPC: H04L9/08 ,  G06F21/62 ,  G06F21/60 ,  H04L9/30 ,  H04L29/06 ,  H04W12/02 ,  H04W12/08

CPC classification number: H04L9/0894 ,  G06F21/604 ,  G06F21/62 ,  G06F21/6209 ,  G06F21/6218 ,  H04L9/08 ,  H04L9/0897 ,  H04L9/30 ,  H04L63/0442 ,  H04W12/02 ,  H04W12/08

Abstract: Content on a device is encrypted and protected based on a data protection key corresponding to a particular identity of the user of the device. The protected content can then be stored to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user's devices. A data protection key that is used to retrieve the plaintext content from the protected content is maintained by the user's device. This data protection key can be securely transferred to other of the user's devices, allowing any of the user's devices to access the protected content.

公开(公告)号：US11750591B2

公开(公告)日：2023-09-05

申请号：US17004929

申请日：2020-08-27

Applicant: Microsoft Technology Licensing, LLC

Inventor： Saurav Sinha ,  Victor Warren Heller

IPC: H04L9/40 ,  G06F21/73 ,  H04L9/32 ,  G06F21/72 ,  H04L9/08 ,  H04L9/00 ,  G06F21/57 ,  G06F21/33

CPC classification number: H04L63/0823 ,  G06F21/33 ,  G06F21/57 ,  G06F21/72 ,  G06F21/73 ,  H04L9/006 ,  H04L9/0825 ,  H04L9/0897 ,  H04L9/321 ,  H04L9/3265 ,  H04L63/0407 ,  H04L63/0435 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/062 ,  H04L2209/42

Abstract: A computing device sends a request for an attestation certificate to an attestation service along with information regarding the hardware and/or software of the device. The attestation service processes the request and verifies the information received from the device. After verifying the information, the attestation service selects a public/private key pair from a collection of reusable public/private key pairs and generates an attestation certificate for the device and public key of the public/private key pair. This attestation certificate is digitally signed by the attestation service and returned to the device. The private key of the selected public/private key pair is also encrypted to a trusted secure component of the device, ensuring that the key cannot be stolen by malware and re-used on another device, and is returned to the device. The device uses this attestation certificate to access relying parties, and optionally generates additional public/private key pairs and attestation certificates.

公开(公告)号：US11301575B2

公开(公告)日：2022-04-12

申请号：US16153623

申请日：2018-10-05

Applicant: Microsoft Technology Licensing, LLC

Inventor： Matthew Z. Tamayo-Rios ,  Saurav Sinha ,  Ruslan Ovechkin ,  Gopinathan Kannan ,  Vijay G. Bharadwaj ,  Christopher R. Macaulay ,  Eric Fleischman ,  Nathan J. Ide ,  Kun Liu

IPC: G06F21/00 ,  G06F21/62 ,  G06F21/44 ,  H04L29/06 ,  H04L67/1097 ,  H04L67/1095

Abstract: Techniques for secure data synchronization are described. In one or more implementations, a determination is made as to whether enterprise data is stored locally on a first device corresponding to an enterprise device. Based on a determination that the second device is a non-enterprise device, a determination is made as to whether a permission associated with the first device indicates that the first device is permitted to propagate the enterprise data to non-enterprise devices. If the first device lacks permission to propagate the enterprise data to non-enterprise devices, the enterprise data is prevented from being propagated to the second device.

公开(公告)号：US10819696B2

公开(公告)日：2020-10-27

申请号：US15649085

申请日：2017-07-13

Applicant: Microsoft Technology Licensing, LLC

Inventor： Saurav Sinha ,  Victor Warren Heller

IPC: H04L29/06 ,  G06F21/73 ,  H04L9/32 ,  G06F21/72 ,  H04L9/08 ,  H04L9/00 ,  G06F21/57 ,  G06F21/33

Abstract: A computing device sends a request for an attestation certificate to an attestation service along with information regarding the hardware and/or software of the device. The attestation service processes the request and verifies the information received from the device. After verifying the information, the attestation service selects a public/private key pair from a collection of reusable public/private key pairs and generates an attestation certificate for the device and public key of the public/private key pair. This attestation certificate is digitally signed by the attestation service and returned to the device. The private key of the selected public/private key pair is also encrypted to a trusted secure component of the device, ensuring that the key cannot be stolen by malware and re-used on another device, and is returned to the device. The device uses this attestation certificate to access relying parties, and optionally generates additional public/private key pairs and attestation certificates.

公开(公告)号：US10078747B2

公开(公告)日：2018-09-18

申请号：US14748222

申请日：2015-06-23

Applicant: Microsoft Technology Licensing, LLC

Inventor： Tony Ureche ,  Saurav Sinha ,  Pranav Kukreja ,  Ibrahim Mohammad Ismail ,  Jonathan Schwartz ,  Nathan Ide ,  Yashar Bahman

IPC: G06F7/04 ,  G06F21/45 ,  G06F21/31 ,  H04L9/32 ,  H04L29/06

CPC classification number: G06F21/45 ,  G06F21/31 ,  H04L9/3228 ,  H04L63/08

Abstract: In one embodiment, a user device may reestablish access to a user resource while forgoing use of a user credential during a system reboot. The user device may receive the user credential from a user during an initial login to access the user resource. The user device may create an ephemeral entropy to access the user resource. The user device may access the user resource using the ephemeral entropy.