Patents by Inventor Dayi Zhou
Dayi Zhou has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11361086Abstract: Methods and systems are disclosed for activating data encryption at rest in a storage device server in a cloud storage. In particular, an encryption orchestrator orchestrates activation processes through encryption controllers that controls policies and privileges to access data in storage device servers. To reduce a risk of a data loss and time loss in activations, the encryption controller pre-checks a storage device server for anomalies in configurations in network connectivity, encryption keys, and security certificates before starting the activation. Furthermore, the encryption controller performs a health-check of the storage device servers to detect anomalies that require restarting the storage device servers. The health-check reduces a risk of data loss when the storage device servers become unable restart itself. User interface tools may be provided to visually identify and manage encryption statuses and policies of the encryption controllers, the storage device servers, and data storage devices.Type: GrantFiled: December 30, 2019Date of Patent: June 14, 2022Assignee: Microsoft Technology Licensing, LLCInventors: Piyush Joshi, Akil M. Merchant, Octavian T. Ureche, Jack Smith Richins, Soumya D. Pani, Asad Yaqoob, Salil Bhagurkar, Preston Derek Adam, Dayi Zhou
-
Publication number: 20210200881Abstract: Methods and systems are disclosed for activating data encryption at rest in a storage device server in a cloud storage. In particular, an encryption orchestrator orchestrates activation processes through encryption controllers that controls policies and privileges to access data in storage device servers. To reduce a risk of a data loss and time loss in activations, the encryption controller pre-checks a storage device server for anomalies in configurations in network connectivity, encryption keys, and security certificates before starting the activation. Furthermore, the encryption controller performs a health-check of the storage device servers to detect anomalies that require restarting the storage device servers. The health-check reduces a risk of data loss when the storage device servers become unable restart itself. User interface tools may be provided to visually identify and manage encryption statuses and policies of the encryption controllers, the storage device servers, and data storage devices.Type: ApplicationFiled: December 30, 2019Publication date: July 1, 2021Applicant: Microsoft Technology Licensing, LLCInventors: Piyush JOSHI, Akil M. MERCHANT, Octavian T. URECHE, Jack Smith RICHINS, Soumya D. PANI, Asad YAQOOB, Salil BHAGURKAR, Preston Derek ADAM, Dayi ZHOU
-
Patent number: 10204241Abstract: Systems and methods are provided for adding security to client data by maintaining keys providing access to the client data remotely from the client data. In some circumstances, the systems encrypt a cluster of data using an encryption key, associate the cluster of encrypted data with a unique identifier and send the unique identifier and the decryption key to a server for storage. The decryption key is then received from the server and is used to decrypt the cluster of encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to a key. Furthermore, in some instances, the server can also prevent access to the stored keys in response to anomalies, such as decommissioning and other asset management events.Type: GrantFiled: June 30, 2017Date of Patent: February 12, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Scott A. Field, Aravind N. Thoram, John Michael Walton, Dayi Zhou, Alex M. Semenko, Avraham Michael Ben-Menahem
-
Patent number: 10200194Abstract: Systems and methods are provided for adding security to client data by maintaining decryption keys at a server that provide access to encrypted keys that are maintained at a client system with encrypted client data. A specialized protocol is utilized for accessing the decryption keys from the server. Once obtained, the decryption key is used to decrypt the encrypted key at the client and then the newly decrypted decryption key is used to decrypt the encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to the server decryption key. Furthermore, in some instances, the server can also prevent access to the server decryption keys in response to anomalies, such as decommissioning and other asset management events.Type: GrantFiled: June 30, 2017Date of Patent: February 5, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Scott A. Field, Aravind N. Thoram, John Michael Walton, Dayi Zhou, Alex M. Semenko, Avraham Michael Ben-Menahem
-
Publication number: 20190005274Abstract: Systems and methods are provided for adding security to client data by maintaining keys providing access to the client data remotely from the client data. In some circumstances, the systems encrypt a cluster of data using an encryption key, associate the cluster of encrypted data with a unique identifier and send the unique identifier and the decryption key to a server for storage. The decryption key is then received from the server and is used to decrypt the cluster of encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to a key. Furthermore, in some instances, the server can also prevent access to the stored keys in response to anomalies, such as decommissioning and other asset management events.Type: ApplicationFiled: June 30, 2017Publication date: January 3, 2019Inventors: Scott A. Field, Aravind N. Thoram, John Michael Walton, Dayi Zhou, Alex M. Semenko, Avraham Michael Ben-Menahem
-
Publication number: 20190007204Abstract: Systems and methods are provided for adding security to client data by maintaining decryption keys at a server that provide access to encrypted keys that are maintained at a client system with encrypted client data. A specialized protocol is utilized for accessing the decryption keys from the server. Once obtained, the decryption key is used to decrypt the encrypted key at the client and then the newly decrypted decryption key is used to decrypt the encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to the server decryption key. Furthermore, in some instances, the server can also prevent access to the server decryption keys in response to anomalies, such as decommissioning and other asset management events.Type: ApplicationFiled: June 30, 2017Publication date: January 3, 2019Inventors: Scott A. Field, Aravind N. Thoram, John Michael Walton, Dayi Zhou, Alex M. Semenko, Avraham Michael Ben-Menahem
-
Patent number: 9705879Abstract: A computing device, or a security component of a computing device, implements delayed attestation by initially providing first credentials to a remote access device to establish a first level of trust. The first credentials may be provided before or while the computing device or the security component is obtaining security information from a remote security device. The security information is used to generate second credentials that are subsequently provided to the remote access device to establish a second level of trust. The first credentials may comprise an encryption key that can be generated by the security component without having to retrieve information via a network, and the second credentials may comprise an attestation statement that is more trustworthy than the encryption key and that is generated based on a certificate retrieved from a remote security device (e.g., a certificate authority server).Type: GrantFiled: February 24, 2015Date of Patent: July 11, 2017Assignee: Microsoft Technology Licensing, LLCInventors: Anoosh Saboori, Victor W. Heller, Xiaohong Su, Dayi Zhou, Kinshuman Kinshumann, James Hugh Morgan, Stefan Thom
-
Patent number: 9614835Abstract: A system for bootstrap provisioning of a device is provided. A vouching device is provisioned to access a bootstrap account of a bootstrap account provider and a secondary account of a secondary account provider. The bootstrap account provider stores an indication of the secondary account, and the secondary account provider stores verification data to verify a certification of the vouching device. A target device is provisioned to access the bootstrap account of the bootstrap account provider. The target device receives from the bootstrap account provider an indication that the target device is provisioned with the secondary account provider. The target device directs generation of a certification by the vouching device of target authentication data of the target device. The target device then sends the certification to the secondary account provider to effect the provisioning of the target device to access the secondary account.Type: GrantFiled: June 8, 2015Date of Patent: April 4, 2017Assignee: Microsoft Technology Licensing, LLCInventors: Anooshiravan Saboori, Himanshu Soni, Peter Dawoud, Magnus Nystrom, Jonathan David Schwartz, Dayi Zhou
-
Publication number: 20160359844Abstract: A system for bootstrap provisioning of a device is provided. A vouching device is provisioned to access a bootstrap account of a bootstrap account provider and a secondary account of a secondary account provider. The bootstrap account provider stores an indication of the secondary account, and the secondary account provider stores verification data to verify a certification of the vouching device. A target device is provisioned to access the bootstrap account of the bootstrap account provider. The target device receives from the bootstrap account provider an indication that the target device is provisioned with the secondary account provider. The target device directs generation of a certification by the vouching device of target authentication data of the target device. The target device then sends the certification to the secondary account provider to effect the provisioning of the target device to access the secondary account.Type: ApplicationFiled: June 8, 2015Publication date: December 8, 2016Inventors: Anooshiravan Saboori, Himanshu Soni, Peter Dawoud, Magnus Nystrom, Jonathan David Schwartz, Dayi Zhou
-
Publication number: 20160080379Abstract: A computing device, or a security component of a computing device, implements delayed attestation by initially providing first credentials to a remote access device to establish a first level of trust. The first credentials may be provided before or while the computing device or the security component is obtaining security information from a remote security device. The security information is used to generate second credentials that are subsequently provided to the remote access device to establish a second level of trust. The first credentials may comprise an encryption key that can be generated by the security component without having to retrieve information via a network, and the second credentials may comprise an attestation statement that is more trustworthy than the encryption key and that is generated based on a certificate retrieved from a remote security device (e.g., a certificate authority server).Type: ApplicationFiled: February 24, 2015Publication date: March 17, 2016Inventors: Anoosh Saboori, Victor W. Heller, Xiaohong Su, Dayi Zhou, Kinshuman Kinshumann, James Hugh Morgan, Stefan Thom
-
Patent number: 9058497Abstract: Cryptographic key management techniques are described. In one or more implementations, an access control rule is read that includes a Boolean expression having a plurality of atoms. The cryptographic keys that corresponds each of the plurality of atoms in the access control rule are requested. One or more cryptographic operations are then performed on data using one or more of the cryptographic keys.Type: GrantFiled: December 23, 2010Date of Patent: June 16, 2015Assignee: Microsoft Technology Licensing, LLCInventors: Vijay G. Bharadwaj, Niels T Ferguson, Carl M. Ellison, Magnus Bo Gustaf Nyström, Dayi Zhou, Denis Issoupov, Octavian T. Ureche, Peter J. Novotney, Cristian M. Ilac
-
Publication number: 20140108814Abstract: Cryptographic key management techniques are described. In one or more implementations, an access control rule is read that includes a Boolean expression having a plurality of atoms. The cryptographic keys that corresponds each of the plurality of atoms in the access control rule are requested. One or more cryptographic operations are then performed on data using one or more of the cryptographic keys.Type: ApplicationFiled: December 23, 2010Publication date: April 17, 2014Applicant: MICROSOFT CORPORATIONInventors: Vijay G. Bharadwaj, Niels T. Ferguson, Carl M. Ellison, Magnus Bo Gustaf Nyström, Dayi Zhou, Denis Issoupov, Octavian T. Ureche, Peter J. Novotney, Cristian M. Ilac
-
Patent number: 8682948Abstract: In embodiments of scalable random number generation, a system includes one or more entropy pools that combine entropy data, which is derived from entropy sources based on event data. A root pseudo-random number generator (PRNG) maintains a seeded entropy state that is reseeded by the entropy pools, and a seed version identifier updates to indicate a current seed version of the root PRNG. Processor PRNGs are instantiated one each per logical processor in a kernel of the system, where each processor PRNG maintains a PRNG entropy state that is reseeded from the root PRNG, and a processor PRNG generates a random number from a respective PRNG entropy state when invoked.Type: GrantFiled: January 6, 2011Date of Patent: March 25, 2014Assignee: Microsoft CorporationInventors: Niels T. Ferguson, Dayi Zhou, Vijay G. Bharadwaj
-
Publication number: 20120179735Abstract: In embodiments of scalable random number generation, a system includes one or more entropy pools that combine entropy data, which is derived from entropy sources based on event data. A root pseudo-random number generator (PRNG) maintains a seeded entropy state that is reseeded by the entropy pools, and a seed version identifier updates to indicate a current seed version of the root PRNG. Processor PRNGs are instantiated one each per logical processor in a kernel of the system, where each processor PRNG maintains a PRNG entropy state that is reseeded from the root PRNG, and a processor PRNG generates a random number from a respective PRNG entropy state when invoked.Type: ApplicationFiled: January 6, 2011Publication date: July 12, 2012Applicant: MICROSOFT CORPORATIONInventors: Niels T. Ferguson, Dayi Zhou, Vijay G. Bharadwaj