Patents by Inventor Andrew Leiserson
Andrew Leiserson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11797715Abstract: The technology disclosed herein enables a method to receive an indication of a change to an operating mode of a device from a first operating mode to a second operating mode, and identify a cryptographic item stored at a memory of the device, wherein the cryptographic item corresponds to an identification of the device signed with a digital signature, and wherein the digital signature is based on a private key that is inaccessible to the device. On response to receiving the indication of the change to the operating mode of the device, the method can modify the cryptographic item stored at the memory, and operate the device in the second operating mode based on the modified cryptographic item. The indication of the change to the operating mode of the device can correspond to a detection of a change in a function of the device.Type: GrantFiled: December 17, 2020Date of Patent: October 24, 2023Assignee: Fortanix, Inc.Inventors: Andrew Leiserson, Jethro Gideon Beekman
-
Patent number: 11606279Abstract: An application may perform operations within a first secure enclave of a processing device. The application may provide secure monitoring data, such as secure heartbeat information. The monitoring data and an application identity may be verified at a second secure enclave of the processing device using local attestation operations. A remote attestation signature may be generated at the second secure enclave based on the monitoring data, the application identity, and a node private key. A monitoring message signature may be generated at the first secure enclave based on an application private key and a message payload that includes the monitoring data, the application identity, and the remote attestation signature. A monitoring message that includes the payload and monitoring message signature may be sent from the first secure enclave to a monitoring system, which may verify the message to detect unauthorized changes to the monitoring data or the application identity.Type: GrantFiled: July 10, 2020Date of Patent: March 14, 2023Assignee: Fortanix, Inc.Inventors: Nehal Bandi, Andrew Leiserson
-
Patent number: 11394546Abstract: An encrypted file system key associated with a first secure enclave may be received. A request from a second secure enclave to access a file system associated with the encrypted file system key may be received. In response to receiving the request, the encrypted file system key may be decrypted with a cryptographic key associated with an enclave manager to obtain a file system key. The file system key may be encrypted based on another cryptographic key associated with the second secure enclave to generate a re-encrypted file system key. Furthermore, the re-encrypted file system key may be provided to the second secure enclave.Type: GrantFiled: October 11, 2019Date of Patent: July 19, 2022Assignee: Fortanix, Inc.Inventor: Andrew Leiserson
-
Patent number: 11244077Abstract: A request to provide an application at a secure enclave of a server may be received. A hash value of the application may be generated. Application data that is to be used with the application at the secure enclave of the server may be identified. Another hash value of the application data that is to be used with the application at the secure enclave of the server may be generated. The hash value of the application and the other hash value of the application data may be signed where the signed hash value and other hash are being used to execute the application with the application data at the secure enclave of the server.Type: GrantFiled: January 31, 2020Date of Patent: February 8, 2022Assignee: Fortanix, Inc.Inventors: Nehal Bandi, Andrew Leiserson
-
Publication number: 20220014456Abstract: An application may perform operations within a first secure enclave of a processing device. The application may provide secure monitoring data, such as secure heartbeat information. The monitoring data and an application identity may be verified at a second secure enclave of the processing device using local attestation operations. A remote attestation signature may be generated at the second secure enclave based on the monitoring data, the application identity, and a node private key. A monitoring message signature may be generated at the first secure enclave based on an application private key and a message payload that includes the monitoring data, the application identity, and the remote attestation signature. A monitoring message that includes the payload and monitoring message signature may be sent from the first secure enclave to a monitoring system, which may verify the message to detect unauthorized changes to the monitoring data or the application identity.Type: ApplicationFiled: July 10, 2020Publication date: January 13, 2022Inventors: Nehal Bandi, Andrew Leiserson
-
Patent number: 11095684Abstract: A network service may be identified. One or more attributes of the network service may be determined. An attribute manifest for the network service may be generated based on the determined one or more attributes of the network service. Furthermore, the attribute manifest may be transmitted based on the determined one or more attributes to the network service.Type: GrantFiled: January 7, 2019Date of Patent: August 17, 2021Assignee: Fortanix, Inc.Inventors: Ambuj Kumar, Andrew Leiserson
-
Publication number: 20210240857Abstract: A request to provide an application at a secure enclave of a server may be received. A hash value of the application may be generated. Application data that is to be used with the application at the secure enclave of the server may be identified. Another hash value of the application data that is to be used with the application at the secure enclave of the server may be generated. The hash value of the application and the other hash value of the application data may be signed where the signed hash value and other hash are being used to execute the application with the application data at the secure enclave of the server.Type: ApplicationFiled: January 31, 2020Publication date: August 5, 2021Inventors: Nehal Bandi, Andrew Leiserson
-
Patent number: 11057368Abstract: A request to issue a digital certificate may be received. A hash value corresponding to an application that has provided the request for the digital certificate may be identified. A determination may be made as to whether the hash value corresponding to the application matches with a known hash value. In response to determining that the hash value corresponding to the application matches with the known hash value the digital certificate may be issued to the application.Type: GrantFiled: July 19, 2018Date of Patent: July 6, 2021Assignee: Fortanix, Inc.Inventors: Andrew Leiserson, Jethro Gideon Beekman, Manas Agarwal
-
Publication number: 20210141942Abstract: The technology disclosed herein enables a method to receive an indication of a change to an operating mode of a device from a first operating mode to a second operating mode, and identify a cryptographic item stored at a memory of the device, wherein the cryptographic item corresponds to an identification of the device signed with a digital signature, and wherein the digital signature is based on a private key that is inaccessible to the device. On response to receiving the indication of the change to the operating mode of the device, the method can modify the cryptographic item stored at the memory, and operate the device in the second operating mode based on the modified cryptographic item. The indication of the change to the operating mode of the device can correspond to a detection of a change in a function of the device.Type: ApplicationFiled: December 17, 2020Publication date: May 13, 2021Inventors: Andrew Leiserson, Jethro Gideon Beekman
-
Publication number: 20210111886Abstract: An encrypted file system key associated with a first secure enclave may be received. A request from a second secure enclave to access a file system associated with the encrypted file system key may be received. In response to receiving the request, the encrypted file system key may be decrypted with a cryptographic key associated with an enclave manager to obtain a file system key. The file system key may be encrypted based on another cryptographic key associated with the second secure enclave to generate a re-encrypted file system key. Furthermore, the re-encrypted file system key may be provided to the second secure enclave.Type: ApplicationFiled: October 11, 2019Publication date: April 15, 2021Inventor: Andrew Leiserson
-
Patent number: 10911538Abstract: Authentication information at a first portion of encrypted data may be identified. A cryptographic key may be derived based on a combination of an identification of the first portion of the received encrypted data and a master key. Additional authentication information may be generated based on a combination of the derived cryptographic key and another portion of the received encrypted data. The encrypted data may be verified by comparing the authentication information at the first portion of the received encrypted data with the generated additional authentication information. In response to verifying the received encrypted data, a second cryptographic key may be derived based on a combination of an identification of the another portion of the encrypted data and the master key. The other portion of the received encrypted data may be decrypted by using the second cryptographic key.Type: GrantFiled: April 11, 2017Date of Patent: February 2, 2021Assignee: Fortanix, Inc.Inventors: Ambuj Kumar, Anand Kashyap, Jethro Gideon Beekman, Faisal Faruqui, Andrew Leiserson
-
Patent number: 10878418Abstract: A payment reader and a POS terminal may communicate over a wireless connection. The methods and systems include receiving, from POS terminal, a request for establishing a network connection with the payment card reader. The server determines whether the payment card reader is associated with the POS terminal or a payment application thereon. If the payment card reader is not associated with the POS terminal or the payment application thereon, the server determines the probability of the request being fraudulent.Type: GrantFiled: February 15, 2018Date of Patent: December 29, 2020Assignee: Square, Inc.Inventors: Shane Hamilton, Andrew Leiserson, Todd Aument
-
Patent number: 10872175Abstract: An indication of a change to an operating mode of a device may be received. A cryptographic item stored at a memory of the device may be identified. In response to receiving the indication of the change to the operating mode of the device, the cryptographic item stored at the memory may be modified. The device may operate in the changed operating mode based on the modified cryptographic item.Type: GrantFiled: December 6, 2018Date of Patent: December 22, 2020Assignee: Fortanix, Inc.Inventors: Andrew Leiserson, Jethro Gideon Beekman
-
Patent number: 10810136Abstract: An input data may be received. Memory pages may be identified where each of the memory pages includes one or more cache lines. A first index table that includes cache lines may be generated from the memory pages based on the input data. Subsequently, an output data may be provided based on a particular cache line from the cache lines of the first index table.Type: GrantFiled: June 12, 2018Date of Patent: October 20, 2020Assignee: Fortanix, Inc.Inventors: Andrew Leiserson, Jethro Gideon Beekman
-
Patent number: 10803461Abstract: A payment reader and a POS terminal may communicate over a wireless connection. An original state of the payment reader can be used to determine a behavioral model, wherein the behavioral model defines an expected behavior of the payment entity. The system and method include detecting a change in the original state of the payment entity, wherein the change in the original state is triggered by another payment entity not authorized by the merchant; comparing the change of the original state with a threshold deviation defined by the behavioral model; and if the change of state is not within the threshold deviation, performing one or more actions to revert the payment entity to the original state.Type: GrantFiled: September 30, 2016Date of Patent: October 13, 2020Assignee: Square, Inc.Inventors: Shane Hamilton, Todd Aument, Andrew Leiserson
-
Publication number: 20200220898Abstract: A network service may be identified. One or more attributes of the network service may be determined. An attribute manifest for the network service may be generated based on the determined one or more attributes of the network service. Furthermore, the attribute manifest may be transmitted based on the determined one or more attributes to the network service.Type: ApplicationFiled: January 7, 2019Publication date: July 9, 2020Inventors: Ambuj Kumar, Andrew Leiserson
-
Patent number: 10686769Abstract: A first connection between a first network server and a second network server may be established where the first connection is based on a connection key stored at a secure location of the first network server. A request for one or more cryptographic keys may be transmitted from the first network server to the second network server. The first network server may receive the one or more cryptographic keys from the second network server over the first connection. The one or more cryptographic keys from the second server may be stored at the secure location of the first network server that is storing the connection key used to establish the first connection.Type: GrantFiled: August 7, 2017Date of Patent: June 16, 2020Assignee: FORTANIX, INC.Inventors: Anand Kashyap, Andrew Leiserson, Jeffrey Seyfried, Jethro Gideon Beekman
-
Publication number: 20200184114Abstract: An indication of a change to an operating mode of a device may be received. A cryptographic item stored at a memory of the device may be identified. In response to receiving the indication of the change to the operating mode of the device, the cryptographic item stored at the memory may be modified. The device may operate in the changed operating mode based on the modified cryptographic item.Type: ApplicationFiled: December 6, 2018Publication date: June 11, 2020Inventors: Andrew Leiserson, Jethro Gideon Beekman
-
Publication number: 20200028842Abstract: A request to issue a digital certificate may be received. A hash value corresponding to an application that has provided the request for the digital certificate may be identified. A determination may be made as to whether the hash value corresponding to the application matches with a known hash value. In response to determining that the hash value corresponding to the application matches with the known hash value the digital certificate may be issued to the application.Type: ApplicationFiled: July 19, 2018Publication date: January 23, 2020Inventors: Andrew Leiserson, Jethro Gideon Beekman, Manas Agarwal
-
Publication number: 20190377692Abstract: An input data may be received. Memory pages may be identified where each of the memory pages includes one or more cache lines. A first index table that includes cache lines may be generated from the memory pages based on the input data. Subsequently, an output data may be provided based on a particular cache line from the cache lines of the first index table.Type: ApplicationFiled: June 12, 2018Publication date: December 12, 2019Inventors: Andrew Leiserson, Jethro Gideon Beekman