Patents by Inventor Brian LaMacchia

Brian LaMacchia has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9424019
    Abstract: A computer system includes one or more field programmable gate arrays as a coprocessor that can be shared among processes and programmed using hardware libraries. Given a set of hardware libraries, an update process periodically updates the libraries and/or adds new libraries. One or more update servers can provide information about libraries available for download, either in response to a request or by notifying systems using such libraries. New available libraries can be presented to a user for selection and download. Requests for updated libraries can arise in several ways, such as through polling for updates, exceptions from applications attempting to use libraries, and upon compilation of application code.
    Type: Grant
    Filed: June 20, 2012
    Date of Patent: August 23, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Edmund B. Nightingale, Brian LaMacchia, Paul Barham
  • Patent number: 9298438
    Abstract: Application code is analyzed to determine if a hardware library could accelerate its execution. In particular, application code can be analyzed to identify calls to application programming interfaces (APIs) or other functions that have a hardware library implementation. The code can be analyzed to identify the frequency of such calls. Information from the hardware library can indicate characteristics of the library, such as its size, power consumption and FPGA resource usage. Information about the execution pattern of the application code also can be useful. This information, along with information about other concurrent processes using the FPGA resources, can be used to select a hardware library to implement functions called in the application code.
    Type: Grant
    Filed: June 20, 2012
    Date of Patent: March 29, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Edmund B. Nightingale, Brian A. LaMacchia
  • Patent number: 9230091
    Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components. Transferred data also can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code.
    Type: Grant
    Filed: June 20, 2012
    Date of Patent: January 5, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Brian A. LaMacchia, Edmund B. Nightingale, Paul Barham
  • Patent number: 9026805
    Abstract: Described herein are techniques for distributed key management (DKM) in cooperation with Trusted Platform Modules (TPMs). The use of TPMs strengthens the storage and processing security surrounding management of distributed keys. DKM-managed secret keys are not persistently stored in clear form. In effect, the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key, once decrypted with a TPM, is available to be used from memory for ordinary cryptographic operations to encrypt and decrypt user data. TPM public keys can be used to determine the set of trusted nodes to which TPM-encrypted secret keys can be distributed.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: May 5, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tolga Acar, Brian LaMacchia, Henry Jerez Morales, Lan Duy Nguyen, David Robinson, Talha Bin Tariq
  • Patent number: 8898480
    Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. Transferred data can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code. This code can be used to change the cryptographic operations performed in the FPGA, including keys, or decryption and encryption algorithms, or both.
    Type: Grant
    Filed: June 20, 2012
    Date of Patent: November 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Brian A. LaMacchia, Edmund B. Nightingale
  • Patent number: 8875258
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Microsoft Corporation
    Inventors: John R. Michener, Niels T. Ferguson, Carl M. Ellison, Josh D. Benaloh, Brian A. LaMacchia
  • Publication number: 20140127994
    Abstract: A resource access system is described herein that solves problems associated with visitor access to resources at a location by using NFC or bump as a fast authentication process to grant persistent visitor rights to a resource, subject to policy conditions such as maintaining the link. The system provides a facility for granting access to NFC/bump-enabled visitors visiting a new location by assigning a persistent link with associated policy. The system provides for a bump/NFC-enabled device to authenticate with a proximate local resource and grant rights to a visiting device. This action proves that the device to be granted rights is physically present at the location of the resource, and does not involve any exchange of codes or user information with the user. Thus, the resource access system provides simplified setup of visitor access to location resources using NFC and similar short-field communication technologies.
    Type: Application
    Filed: November 7, 2012
    Publication date: May 8, 2014
    Applicant: Microsoft Corporation
    Inventors: Edmund Nightingale, Paul Barham, Brian LaMacchia
  • Publication number: 20130346669
    Abstract: A computer system includes one or more field programmable gate arrays as a coprocessor that can be shared among processes and programmed using hardware libraries. Given a set of hardware libraries, an update process periodically updates the libraries and/or adds new libraries. One or more update servers can provide information about libraries available for download, either in response to a request or by notifying systems using such libraries. New available libraries can be presented to a user for selection and download. Requests for updated libraries can arise in several ways, such as through polling for updates, exceptions from applications attempting to use libraries, and upon compilation of application code.
    Type: Application
    Filed: June 20, 2012
    Publication date: December 26, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Edmund B. Nightingale, Brian LaMacchia, Paul Barham
  • Publication number: 20130346759
    Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. Transferred data can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code. This code can be used to change the cryptographic operations performed in the FPGA, including keys, or decryption and encryption algorithms, or both.
    Type: Application
    Filed: June 20, 2012
    Publication date: December 26, 2013
    Applicant: Microsoft Corporation
    Inventors: Brian LaMacchia, Edmund B. Nightingale
  • Publication number: 20130346758
    Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components. Transferred data also can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code.
    Type: Application
    Filed: June 20, 2012
    Publication date: December 26, 2013
    Applicant: Microsoft Corporation
    Inventors: Brian A. LaMacchia, Edmund B. Nightingale, Paul Barham
  • Publication number: 20130346979
    Abstract: Application code is analyzed to determine if a hardware library could accelerate its execution. In particular, application code can be analyzed to identify calls to application programming interfaces (APIs) or other functions that have a hardware library implementation. The code can be analyzed to identify the frequency of such calls. Information from the hardware library can indicate characteristics of the library, such as its size, power consumption and FPGA resource usage. Information about the execution pattern of the application code also can be useful. This information, along with information about other concurrent processes using the FPGA resources, can be used to select a hardware library to implement functions called in the application code.
    Type: Application
    Filed: June 20, 2012
    Publication date: December 26, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Edmund B. Nightingale, Brian A. LaMacchia
  • Patent number: 8381279
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Grant
    Filed: February 13, 2009
    Date of Patent: February 19, 2013
    Assignee: Microsoft Corporation
    Inventors: John R. Michener, Niels T Ferguson, Carl M. Ellison, Josh Benaloh, Brian A LaMacchia
  • Patent number: 8355970
    Abstract: Intelligent Trust Management provides a centralized security facility that gives system components a flexible mechanism for implementing security policies. System components such as applications create a request describing an action that needs to be checked against an appropriate security policy. The request is given to a trust system that determines which policy object applies to the request, and may pass request arguments to the policy. The policy objects include executable code that uses any arguments along with dynamically obtained variable information to make a decision. The decision is returned to the system component, which then operates accordingly. Policy objects may maintain state and interface with the user independent of the system component in order to obtain information to make their decisions. Policy objects may call other policy objects and/or mathematically combine the results of other policy objects to make a decision.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: January 15, 2013
    Assignee: Microsoft Corporation
    Inventors: Barbara L. Fox, Brian A. LaMacchia
  • Publication number: 20120173885
    Abstract: Described herein are techniques for distributed key management (DKM) in cooperation with Trusted Platform Modules (TPMs). The use of TPMs strengthens the storage and processing security surrounding management of distributed keys. DKM-managed secret keys are not persistently stored in clear form. In effect, the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key, once decrypted with a TPM, is available to be used from memory for ordinary cryptographic operations to encrypt and decrypt user data. TPM public keys can be used to determine the set of trusted nodes to which TPM-encrypted secret keys can be distributed.
    Type: Application
    Filed: December 30, 2010
    Publication date: July 5, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Tolga Acar, Brian LaMacchia, Henry Jerez Morales, Lan Duy Nguyen, David Robinson, Talha Bin Tariq
  • Publication number: 20120159577
    Abstract: Techniques to allow a security policy language to accommodate anonymous credentials are described. A policy statement in a security policy language can reference an anonymous credential. When the policy statement is evaluated to decide whether to grant access to a resource mediated by the policy statement, the anonymous credential is used. The policy language can be implemented to allow one anonymous credential to delegate access-granting rights to another anonymous credential. Furthermore, an anonymous credential can be re-randomized to avoid linkage between uses of the anonymous credential, which can compromise anonymity.
    Type: Application
    Filed: December 16, 2010
    Publication date: June 21, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Mira Belinkiy, Tolga Acar, Thomas Roeder, Jason Mackay, Brian LaMacchia
  • Patent number: 8190895
    Abstract: AKE with derived ephemeral keys is described. In one aspect, a first party computes a derived ephemeral public-key based on a derived ephemeral secret key and a mathematical group. The derived ephemeral secret key is based on an ephemeral secret key and a long-term secret key. The first party generates a session key for secure exchange of information with a second party. The session key is generated using the derived ephemeral secret key and a second party derived ephemeral public-key key to demonstrate to the second party that the first party possesses the long-term secret key.
    Type: Grant
    Filed: August 18, 2005
    Date of Patent: May 29, 2012
    Assignee: Microsoft Corporation
    Inventors: Kristin E. Lauter, Brian A. LaMacchia, Anton Mityagin
  • Patent number: 8095969
    Abstract: Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implementation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.
    Type: Grant
    Filed: September 8, 2006
    Date of Patent: January 10, 2012
    Assignee: Microsoft Corporation
    Inventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet, Brian A. LaMacchia
  • Patent number: 8024770
    Abstract: Techniques for managing security contexts may be described. An apparatus may comprise a processor and a security management module. The security management module may form a merged security context for multiple concurrent threads, with one of the threads depending on more than one preceding operation from other threads. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 21, 2006
    Date of Patent: September 20, 2011
    Assignee: Microsoft Corporation
    Inventors: Gregory D. Fee, Brian A. LaMacchia, Blair Dillaway
  • Publication number: 20110093423
    Abstract: Intelligent Trust Management provides a centralized security facility that gives system components a flexible mechanism for implementing security policies. System components such as applications create a request describing an action that needs to be checked against an appropriate security policy. The request is given to a trust system that determines which policy object applies to the request, and may pass request arguments to the policy. The policy objects include executable code that uses any arguments along with dynamically obtained variable information to make a decision. The decision is returned to the system component, which then operates accordingly. Policy objects may maintain state and interface with the user independent of the system component in order to obtain information to make their decisions. Policy objects may call other policy objects and/or mathematically combine the results of other policy objects to make a decision.
    Type: Application
    Filed: December 27, 2010
    Publication date: April 21, 2011
    Applicant: Microsoft Corporation
    Inventors: Barbara L. Fox, Brian A. LaMacchia
  • Patent number: 7908482
    Abstract: Key confirmed (KC) authenticated key exchange (AKE) with derived ephemeral keys protocol using a mathematical group is described. In one aspect, a first party, using the mathematical group, determines whether a second party has received information to compute an agreed session key value for exchanging information securely with the first party. At least a subset of the received information is computed using derived ephemeral keys of the first and second parties. The first party generates the agreed session key value only when the second party has demonstrated receipt of the information.
    Type: Grant
    Filed: August 18, 2005
    Date of Patent: March 15, 2011
    Assignee: Microsoft Corporation
    Inventors: Kristin E. Lauter, Brian A. LaMacchia, Anton Mityagin