Patents by Inventor Daniel R. Simon
Daniel R. Simon has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 9819666
  Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.
  Type: Grant
  Filed: March 1, 2016
  Date of Patent: November 14, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: David R. Mowers, John A. Banes, Daniel R. Simon, Paul J. Leach
- Patent number: 9742560
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Grant
  Filed: June 11, 2009
  Date of Patent: August 22, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Publication number: 20170180123
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Application
  Filed: March 8, 2017
  Publication date: June 22, 2017
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Patent number: 9654493
  Abstract: In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against whom a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS.
  Type: Grant
  Filed: May 2, 2016
  Date of Patent: May 16, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
- Patent number: 9628276
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Grant
  Filed: December 8, 2012
  Date of Patent: April 18, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
- Publication number: 20160248801
  Abstract: In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against whom a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS.
  Type: Application
  Filed: May 2, 2016
  Publication date: August 25, 2016
  Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
- Patent number: 9407617
  Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.
  Type: Grant
  Filed: January 6, 2014
  Date of Patent: August 2, 2016
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: David R. Mowers, John A. Banes, Daniel R. Simon, Paul J. Leach
- Publication number: 20160182488
  Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.
  Type: Application
  Filed: March 1, 2016
  Publication date: June 23, 2016
  Inventors: David R. Mowers, John A. Banes, Daniel R. Simon, Paul J. Leach
- Patent number: 9363233
  Abstract: In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against whom a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS.
  Type: Grant
  Filed: June 18, 2012
  Date of Patent: June 7, 2016
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
- Publication number: 20140189823
  Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.
  Type: Application
  Filed: January 6, 2014
  Publication date: July 3, 2014
  Applicant: Microsoft Corporation
  Inventors: David R. Mowers, John A. Banes, Daniel R. Simon, Paul J. Leach
- Patent number: 8681995
  Abstract: Multiple peer domain name system (DNS) servers are included in a multi-master DNS environment. One of the multiple peer DNS servers is a key master peer DNS server that generates one or more keys for a DNS zone serviced by the multiple peer DNS servers. The key master peer DNS server can also generate a signing key descriptor that identifies the set of one or more keys for the DNS zone, and communicate the signing key descriptor to the other ones of the multiple peer DNS servers.
  Type: Grant
  Filed: December 21, 2010
  Date of Patent: March 25, 2014
  Assignee: Microsoft Corporation
  Inventors: Shyam Seshadri, Jeffrey J. Westhead, Vamshi Krishna Kancharla, Daniel R. Simon, Anthony G. Jones, Frank Ronneburg, Guillaume V. Bailey
- Patent number: 8627440
  Abstract: This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.
  Type: Grant
  Filed: December 24, 2009
  Date of Patent: January 7, 2014
  Assignee: Microsoft Corporation
  Inventors: David R. Mowers, Daniel R. Simon, Paul J. Leach, John A. Banes
- Patent number: 8499244
  Abstract: Systems and methodologies for implementing automation-resistant interactive computing services are provided herein. Function invocation mechanisms can be utilized as described herein to facilitate invocation and/or activation of one or more functions of an interactive service upon performance of an interaction falling within a predefined class of interaction with selected multimedia content. The described functionality invocation mechanisms can operate similarly to a traditional captcha image by requiring interaction that is easily understandable and performable by a human user but is prohibitively difficult for an automated program to carry out. Techniques such as masking relationships between user interaction and function invocation and varying elements of the selected multimedia content for respective accesses can be utilized to provide additional resistance to automation. Described invocation mechanisms can additionally be merged with advertising, which can optionally be targeted to a particular user(s).
  Type: Grant
  Filed: July 31, 2008
  Date of Patent: July 30, 2013
  Assignee: Microsoft Corporation
  Inventors: Daniel R. Simon, Xiaofeng Fan
- Strategies for investigating and mitigating vulnerabilities caused by the acquisition of credentials
  Patent number: 8380841
  Abstract: A strategy is described for assessing and mitigating vulnerabilities within a data processing environment. The strategy collects access data that reflects actual log-in behavior exhibited by users in the environment. The strategy also collects rights data that reflects the rights possessed by one or more administrators within the environment. Based on the access data and rights data, the strategy identifies how a user or other entity that gains access to one part of the environment can potentially compromise additional parts of the environment. The strategy can recommend and implement steps aimed at reducing any identified vulnerabilities.
  Type: Grant
  Filed: December 7, 2006
  Date of Patent: February 19, 2013
  Assignee: Microsoft Corporation
  Inventors: John Dunagan, Gregory D. Hartrell, Daniel R. Simon
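The analysis this abstract describes, as an added worked example (editor's illustration, not the patent's own method or code): access data is a table of observed log-ins (user, machine), rights data is a table of administrator rights (user, machine). Compromising a machine is modelled as recovering the credentials of every user logged in there, and holding a user's credentials is modelled as controlling every machine that user administers; alternating those two steps gives the attacker's reach from an initial foothold. The mitigation step tries removing each log-in in turn and reports the one whose elimination shrinks the reach most. Both tables, the host and user names, and the assumption that a logged-in user's credential is always recoverable are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Edge = Tuple[str, str]  # (user, machine)

# Constructed access data: log-ins observed in the environment.
LOGINS: List[Edge] = [
    ("alice", "ws-alice"), ("bob", "ws-bob"), ("carol", "ws-carol"),
    ("helpdesk", "ws-alice"), ("helpdesk", "ws-bob"), ("helpdesk", "ws-carol"),
    ("dba", "sql-01"), ("dba", "ws-carol"),          # DBA logging in to a workstation
    ("domadmin", "dc-01"), ("domadmin", "sql-01"),   # domain admin on a member server
]

# Constructed rights data: (user, machine) where the user is a local administrator.
RIGHTS: List[Edge] = [
    ("alice", "ws-alice"), ("bob", "ws-bob"),
    ("helpdesk", "ws-alice"), ("helpdesk", "ws-bob"), ("helpdesk", "ws-carol"),
    ("dba", "sql-01"), ("dba", "sql-02"),
    ("domadmin", "dc-01"), ("domadmin", "sql-01"), ("domadmin", "sql-02"),
    ("domadmin", "ws-alice"), ("domadmin", "ws-bob"), ("domadmin", "ws-carol"),
]


def reach(start: Iterable[str], logins: List[Edge], rights: List[Edge]) -> Tuple[Set[str], Set[str]]:
    """Machines and credentials an attacker holds after compromising `start`.

    Modelling assumption for this example: every credential logged in on an
    owned machine is harvestable, and a harvested credential grants control of
    every machine where it has admin rights."""
    logins_on: Dict[str, Set[str]] = defaultdict(set)
    admin_of: Dict[str, Set[str]] = defaultdict(set)
    for user, machine in logins:
        logins_on[machine].add(user)
    for user, machine in rights:
        admin_of[user].add(machine)

    owned: Set[str] = set(start)
    creds: Set[str] = set()
    frontier = list(owned)
    while frontier:
        machine = frontier.pop()
        for user in logins_on[machine]:
            if user in creds:
                continue
            creds.add(user)                       # harvest credential
            for target in admin_of[user]:         # use it wherever it is admin
                if target not in owned:
                    owned.add(target)
                    frontier.append(target)
    return owned, creds


def best_login_to_remove(start: Iterable[str], logins: List[Edge], rights: List[Edge]) -> Optional[Tuple[Edge, int]]:
    """Recommend the single log-in whose elimination (e.g. by forbidding that
    account from interactive logon there) most reduces the attacker's reach.
    Returns (login, machines still reachable without it)."""
    start = set(start)
    best: Optional[Tuple[Edge, int]] = None
    for edge in logins:
        trimmed = [e for e in logins if e != edge]
        size = len(reach(start, trimmed, rights)[0])
        if best is None or size < best[1]:
            best = (edge, size)
    return best


if __name__ == "__main__":
    owned, creds = reach({"ws-alice"}, LOGINS, RIGHTS)
    print("from ws-alice the attacker reaches:", sorted(owned))
    print("credentials harvested:", sorted(creds))
    print("remove first:", best_login_to_remove({"ws-alice"}, LOGINS, RIGHTS))
```

Starting from a single workstation, the helpdesk account logged in there is the first hop, the DBA logged in on another workstation is the second, and the domain admin logged in on the SQL server is the third; the recommendation is the helpdesk log-in on the foothold machine, because cutting it leaves the attacker with nothing beyond the machine already compromised.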
- Patent number: 8352741
  Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
  Type: Grant
  Filed: June 11, 2009
  Date of Patent: January 8, 2013
  Assignee: Microsoft Corporation
  Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
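The hierarchical derivation in this abstract (shared by patents 9742560, 9628276 and 8352741 and application 20170180123 above) can be made concrete as a three-level HMAC key tree. The following Python is an added example written for this page; it is not code from the patents or from Microsoft, and the patents do not fix a derivation function. A root key held by the key authority derives one key per permitted pair of enclaves; a host is provisioned only with the enclave-pair keys its own enclave participates in; from those, both ends of a security association derive the same per-host-pair key using nothing but the two host identifiers, which is the "readily ascertainable" derivation information that lets an offload engine recompute it. The root key, enclave names, host names, allowed-pair policy and the choice of HMAC-SHA256 are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed root key for the example; in a deployment it stays with the
# key authority and is never handed to hosts.
ROOT_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Constructed inputs: which enclave each host sits in, and which enclave
# pairs are permitted to form security associations at all.
ENCLAVE_OF = {"web-01": "dmz", "web-02": "dmz", "db-01": "data", "hr-01": "corp"}
ALLOWED_PAIRS = {("dmz", "dmz"), ("data", "dmz"), ("corp", "corp"), ("corp", "data")}

EnclavePair = Tuple[str, str]


def kdf(parent: bytes, label: str, info: bytes) -> bytes:
    """One level of the hierarchy: child = HMAC-SHA256(parent, label || 0x00 || info).
    `info` is public derivation information (enclave or host identifiers), so
    either endpoint, or a hardware offload engine, derives the same key from
    what is visible on the wire. HMAC-SHA256 is an assumption for the example."""
    return hmac.new(parent, label.encode() + b"\x00" + info, hashlib.sha256).digest()


def enclave_pair_key(root: bytes, enc_a: str, enc_b: str) -> bytes:
    """Middle level: one key per unordered pair of enclaves, derived from the root."""
    a, b = sorted((enc_a, enc_b))
    return kdf(root, "enclave-pair", f"{a}|{b}".encode())


def provision(root: bytes, host: str) -> Dict[EnclavePair, bytes]:
    """What the authority distributes to a host: only the enclave-pair keys that
    involve the host's own enclave and that policy allows. Holding nothing else
    is what bounds the host to approximately its minimum needed network reach."""
    mine = ENCLAVE_OF[host]
    held: Dict[EnclavePair, bytes] = {}
    for enc_a, enc_b in ALLOWED_PAIRS:
        if mine in (enc_a, enc_b):
            a, b = sorted((enc_a, enc_b))
            held[(a, b)] = enclave_pair_key(root, a, b)
    return held


def sa_key(held: Dict[EnclavePair, bytes], host_a: str, host_b: str) -> Optional[bytes]:
    """Lowest level: the security-association key for two hosts, derived from
    the enclave-pair key using only the two host identifiers. Returns None when
    the caller was never given the needed enclave-pair key: the association is
    outside its privileges and no local computation can recover the key."""
    a_enc, b_enc = sorted((ENCLAVE_OF[host_a], ENCLAVE_OF[host_b]))
    parent = held.get((a_enc, b_enc))
    if parent is None:
        return None
    a, b = sorted((host_a, host_b))   # both ends sort, so initiator/responder agree
    return kdf(parent, "sa", f"{a}|{b}".encode())


if __name__ == "__main__":
    web = provision(ROOT_KEY, "web-01")
    db = provision(ROOT_KEY, "db-01")
    print("web-01 <-> db-01 agree:", sa_key(web, "web-01", "db-01") == sa_key(db, "db-01", "web-01"))
    print("web-01 -> hr-01 derivable by web-01:", sa_key(web, "web-01", "hr-01") is not None)
```

Compromising a DMZ host yields only the DMZ-internal and DMZ-to-data enclave-pair keys; the corp enclave's keys are not on that host and cannot be derived from what is, which is the privilege-limiting property the abstract describes.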
- Patent number: 8332643
  Abstract: A process for establishing secure mutual trust includes generating a one-time-password. The one-time-password is transferred between the devices in a communication occurring off of the network. Each device generates a set of authenticators by hashing a plurality of sub-strings of the password and the device's authentication certificate with a respective set of nonces. The devices exchange the respective sets of authenticators. Each device then alternates revealing its respective set of nonces and its authentication certificate in a multi-stage process. The devices re-calculate the authenticators based upon the respective set of nonces and authentication certificate revealed by the other device along with the one-time-password sub-strings that it possesses. If each device determines that the authenticators re-calculated by the given device matches the authenticators previously received from the other device, secure mutual trust is established.
  Type: Grant
  Filed: October 19, 2010
  Date of Patent: December 11, 2012
  Assignee: Microsoft Corporation
  Inventors: Harry S. Pyle, Bruce Louis Lieberman, Daniel R. Simon, Guillaume Simonnet, William Dollar
- Patent number: 8301895
  Abstract: Enhanced network data transmission security and individualized data transmission processing can be implemented by intermediaries in a communication path between two endpoint peers individually having the capability to identify and authenticate one or both of the endpoint peers. Communication session establishment, endpoint peer identity processing and authentication and data traffic encryption protocols are modified to allow intermediaries to track the communications between endpoint peers for a particular communication session and obtain information to authenticate the endpoint peers and identify data traffic transmitted between them. Intermediaries can use the identities of one or both of the endpoint peers to enforce identity based rules for processing data traffic between the endpoint peers for a communication session.
  Type: Grant
  Filed: December 2, 2009
  Date of Patent: October 30, 2012
  Assignee: Microsoft Corporation
  Inventors: Brian Swander, Daniel R. Simon, Pascal Menezes
- Patent number: 8289970
  Abstract: Described are embodiments directed to negotiating an encapsulation mode between an initiator and a responder. As part of the negotiation of the security association, an encapsulation mode is negotiated that allows packets to be sent between the initiator and responder without encapsulation. The ability to send packets without encapsulation allows intermediaries, such as a firewall, at the responder to easily inspect the packets and implement additional features such as security filtering.
  Type: Grant
  Filed: July 17, 2009
  Date of Patent: October 16, 2012
  Assignee: Microsoft Corporation
  Inventors: Brian D. Swander, Daniel R. Simon
- Publication number: 20120260336
  Abstract: In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against whom a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS.
  Type: Application
  Filed: June 18, 2012
  Publication date: October 11, 2012
  Applicant: Microsoft Corporation
  Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
- Patent number: 8275989
  Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.
  Type: Grant
  Filed: July 9, 2009
  Date of Patent: September 25, 2012
  Assignee: Microsoft Corporation
  Inventors: Christian Huitema, Paul G. Mayfield, Brian D. Swander, Sara Bitan, Daniel R. Simon