Patents by Inventor Brian D. Swander
Brian D. Swander has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 9742560
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Grant
  Filed: June 11, 2009
  Date of Patent: August 22, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Publication number: 20170180123
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Application
  Filed: March 8, 2017
  Publication date: June 22, 2017
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Patent number: 9628276
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Grant
  Filed: December 8, 2012
  Date of Patent: April 18, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Patent number: 8689315
  Abstract: A method and system are provided for adding, removing, and managing a plurality of network policy filters in a network device. Filters are installed in a framework and designated as active or disabled. Each filter has a priority. When a new filter is to be installed into the framework, it is compared to installed filters to determine if a conflict exists. If no conflict exists, the new filter is added as an active filter. If a conflict exists, a higher priority conflicting filter is added as active and a lower priority filter is added as inactive.
  Type: Grant
  Filed: July 31, 2008
  Date of Patent: April 1, 2014
  Assignee: Microsoft Corporation
  Inventors: Brian D. Swander, Avnish Kumar Chhabra, Paul G. Mayfield
- Patent number: 8572722
  Abstract: A system and method for failure recognition is disclosed. The technology initially establishes a security association (SA) between a client and a first server on a network. In addition, an active reference count of a number of connections in the SA between the client and the first server is maintained. The SA is evaluated when the active reference count returns less than two connections within the SA between the client and the first server.
  Type: Grant
  Filed: January 3, 2012
  Date of Patent: October 29, 2013
  Assignee: Microsoft Corporation
  Inventor: Brian D. Swander
- Patent number: 8352741
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Grant
  Filed: June 11, 2009
  Date of Patent: January 8, 2013
  Assignee: Microsoft Corporation
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Patent number: 8289970
  Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries, such as a firewall, at the responder to easily inspect the packets and implement additional features such as security filtering.
  Type: Grant
  Filed: July 17, 2009
  Date of Patent: October 16, 2012
  Assignee: Microsoft Corporation
  Inventors: Brian D. Swander, Daniel R. Simon
- Patent number: 8275989
  Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode, thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.
  Type: Grant
  Filed: July 9, 2009
  Date of Patent: September 25, 2012
  Assignee: Microsoft Corporation
  Inventors: Christian Huitema, Paul G. Mayfield, Brian D. Swander, Sara Bitan, Daniel R. Simon
- Publication number: 20120110319
  Abstract: A system and method for failure recognition is disclosed. The technology initially establishes a security association (SA) between a client and a first server on a network. In addition, an active reference count of a number of connections in the SA between the client and the first server is maintained. The SA is evaluated when the active reference count returns less than two connections within the SA between the client and the first server.
  Type: Application
  Filed: January 3, 2012
  Publication date: May 3, 2012
  Applicant: MICROSOFT CORPORATION
  Inventor: Brian D. Swander
- Patent number: 8091126
  Abstract: A system and method for failure recognition is disclosed. The technology initially establishes a security association (SA) between a client and a first server on a network. In addition, an active reference count of a number of connections in the SA between the client and the first server is maintained. The SA is evaluated when the active reference count returns less than two connections within the SA between the client and the first server.
  Type: Grant
  Filed: August 18, 2006
  Date of Patent: January 3, 2012
  Assignee: Microsoft Corporation
  Inventor: Brian D. Swander
- Publication number: 20110013634
  Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries, such as a firewall, at the responder to easily inspect the packets and implement additional features such as security filtering.
  Type: Application
  Filed: July 17, 2009
  Publication date: January 20, 2011
  Applicant: Microsoft Corporation
  Inventors: Brian D. Swander, Daniel R. Simon
- Patent number: 7856655
  Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).
  Type: Grant
  Filed: June 30, 2004
  Date of Patent: December 21, 2010
  Assignee: Microsoft Corporation
  Inventors: Brian D. Swander, Bernard D. Aboba
- Publication number: 20100318800
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Application
  Filed: June 11, 2009
  Publication date: December 16, 2010
  Applicant: Microsoft Corporation
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Publication number: 20100318799
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Application
  Filed: June 11, 2009
  Publication date: December 16, 2010
  Applicant: Microsoft Corporation
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Publication number: 20100228962
  Abstract: Some embodiments are directed to processing packet data sent according to a security protocol between a first computer and a second computer via a forwarding device. The forwarding device performs a portion of the processing, and forwards the packet data to a third computer, connected to the forwarding device, for other processing. The third computer may support non-standard extensions to the security protocol, such as extensions used in authorizing and establishing a connection over the secure protocol. The packet data may be subject to policies, such as firewall policies or security policies, that may be detected by the third computer. The third computer sends the results of its processing, such as a cryptographic key, or a detected access control policy, to the forwarding device.
  Type: Application
  Filed: March 9, 2009
  Publication date: September 9, 2010
  Applicant: Microsoft Corporation
  Inventors: Daniel R. Simon, Pascal Menezes, Brian D. Swander
- Patent number: 7761708
  Abstract: A method and system are disclosed for managing and implementing a plurality of network policies in a network device. Each of the plurality of policies is defined by one or more filters. The filters are installed in a policy engine. A layer identifies the network policy to be applied to a packet by sending a request to the policy engine. The policy engine then returns the policy to the requesting layer. The method and system may be used to implement a programmable, host-based, distributed, authenticating firewall that enables security and other policies to be applied at several protocol layers.
  Type: Grant
  Filed: February 1, 2007
  Date of Patent: July 20, 2010
  Assignee: Microsoft Corporation
  Inventors: Brian D. Swander, William H. Dixon
- Publication number: 20090276828
  Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode, thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.
  Type: Application
  Filed: July 9, 2009
  Publication date: November 5, 2009
  Applicant: Microsoft Corporation
  Inventors: Brian D. Swander, Sara Bitan, Christian Huitema, Paul G. Mayfield, Daniel R. Simon
- Patent number: 7574603
  Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode, thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.
  Type: Grant
  Filed: November 14, 2003
  Date of Patent: August 11, 2009
  Assignee: Microsoft Corporation
  Inventors: Brian D. Swander, Sara Bitan, Christian Huitema, Paul G. Mayfield, Daniel R. Simon
- Patent number: 7536719
  Abstract: The invention provides a method for preventing a denial-of-service attack on a responder during a security protocol key negotiation. The responder receives key negotiation requests designating a source port and source IP address. The responder only maintains state when a key negotiation request is received from an initiating computer with a valid, non-spoofed, source IP address. The responder further limits the number of in-process key negotiations for which the responder maintains state. If a key negotiation request is received from a valid source IP address and the responder has at least one established security association for that source IP address, the responder limits the number of ongoing key negotiations to a maximum number on a per port address basis for that source IP address.
  Type: Grant
  Filed: January 7, 2003
  Date of Patent: May 19, 2009
  Assignee: Microsoft Corporation
  Inventor: Brian D. Swander
- Patent number: 7509673
  Abstract: A method and system are provided for implementing a firewall architecture in a network device. The firewall architecture includes a plurality of network layers, a first firewall engine, and one or more callout modules. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet. The callouts provide additional functionality such as intrusion detection, logging, and parental control features.
  Type: Grant
  Filed: June 6, 2003
  Date of Patent: March 24, 2009
  Assignee: Microsoft Corporation
  Inventors: Brian D. Swander, Paul G. Mayfield