Patents by Inventor Dirk Herrendoerfer
Dirk Herrendoerfer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11824984Abstract: Aspects of the invention include loading an image of a virtual server onto a boot partition of a trusted execution environment (TEE), wherein a first key is embedded in the image. A second key is received from an end customer of an application. Data is received from an independent software vendor (ISV) of the application, wherein the data includes a third key. The second key and the third key are combined inside the TEE to create a fourth key. An available memory space in an independent memory device is encrypted using the fourth key to create a secure data volume. Encrypted data is stored in the secure data volume.Type: GrantFiled: January 11, 2022Date of Patent: November 21, 2023Assignee: International Business Machines CorporationInventors: Angel Nunez Mencias, Nicolas Maeding, Peter Morjan, Dirk Herrendoerfer, James Robert Magowan, Anbazhagan Mani
-
Patent number: 11755721Abstract: The present disclosure relates to a computer implemented method for executing an application. The method comprises: executing a bootloader in a trusted execution environment, wherein the executing comprises: decrypting received encrypted secrets using decryption keys of the boot loader, storing the decrypted secrets in a storage accessible by the application, creating a proof record indicating the application, the secrets and the trusted execution environment, storing the proof record in the storage, and deleting the decryption keys. The application may be executed in the trusted execution environment using the decrypted secrets. The proof record may be provided by the application for proving authenticity.Type: GrantFiled: October 25, 2021Date of Patent: September 12, 2023Assignee: International Business Machines CorporationInventors: Angel Nunez Mencias, Nicolas Maeding, Peter Morjan, Dirk Herrendoerfer
-
Publication number: 20230224156Abstract: Aspects of the invention include loading an image of a virtual server onto a boot partition of a trusted execution environment (TEE), wherein a first key is embedded in the image. A second key is received from an end customer of an application. Data is received from an independent software vendor (ISV) of the application, wherein the data includes a third key. The second key and the third key are combined inside the TEE to create a fourth key. An available memory space in an independent memory device is encrypted using the fourth key to create a secure data volume. Encrypted data is stored in the secure data volume.Type: ApplicationFiled: January 11, 2022Publication date: July 13, 2023Inventors: Angel Nunez Mencias, Nicolas Maeding, Peter Morjan, Dirk Herrendoerfer, James Robert Magowan, ANBAZHAGAN Mani
-
Patent number: 11645092Abstract: The present disclosure relates to a method for deploying an application in an execution environment using a first and second sets of key pairs. The method comprises: creating a sequence of tasks comprising build tasks followed by a deploy task. The tasks are configured to receive a task input for performing the tasks. The task input comprises a contribution input and an output of a task preceding at least one of the build tasks. The contribution input comprises secrets. The output of the build tasks is encrypted with a respective encryption key of the first set of key pairs, wherein the contribution input of a task subsequent to the first task is encrypted with a respective encryption key of the second set of keys. The tasks may be executed in the execution environment using unencrypted content of the task inputs.Type: GrantFiled: October 25, 2021Date of Patent: May 9, 2023Assignee: International Business Machines CorporationInventors: Nicolas Maeding, Dirk Herrendoerfer, Peter Morjan, Angel Nunez Mencias
-
Publication number: 20230128099Abstract: The present disclosure relates to a computer implemented method for executing an application. The method comprises: executing a bootloader in a trusted execution environment, wherein the executing comprises: decrypting received encrypted secrets using decryption keys of the boot loader, storing the decrypted secrets in a storage accessible by the application, creating a proof record indicating the application, the secrets and the trusted execution environment, storing the proof record in the storage, and deleting the decryption keys. The application may be executed in the trusted execution environment using the decrypted secrets. The proof record may be provided by the application for proving authenticity.Type: ApplicationFiled: October 25, 2021Publication date: April 27, 2023Inventors: Angel Nunez Mencias, Nicolas Maeding, Peter Morjan, Dirk Herrendoerfer
-
Publication number: 20230127956Abstract: The present disclosure relates to a method for deploying an application in an execution environment using a first and second sets of key pairs. The method comprises: creating a sequence of tasks comprising build tasks followed by a deploy task. The tasks are configured to receive a task input for performing the tasks. The task input comprises a contribution input and an output of a task preceding at least one of the build tasks. The contribution input comprises secrets. The output of the build tasks is encrypted with a respective encryption key of the first set of key pairs, wherein the contribution input of a task subsequent to the first task is encrypted with a respective encryption key of the second set of keys. The tasks may be executed in the execution environment using unencrypted content of the task inputs.Type: ApplicationFiled: October 25, 2021Publication date: April 27, 2023Inventors: Nicolas Maeding, Dirk Herrendoerfer, Peter Morjan, Angel Nunez Mencias
-
Patent number: 11176245Abstract: Aspects of the invention include obtaining, via a processor, an original docker image from a customer, encrypting a disk image using content from the original docker image and encrypting a bootloader. A re-packaged image is created using the encrypted disk image and the secure encrypted bootloader. The re-packaged image is deployed by inserting the re-package image into a pod container and by means of using a mutating webhook, granting elevated privileges to said container and creating a secured Kubernetes pod for protecting workloads, wherein the secured Kubernetes pod has at least one virtual machine containing the pod container.Type: GrantFiled: September 30, 2019Date of Patent: November 16, 2021Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Angel Nunez Mencias, Peter Morjan, Dirk Herrendoerfer, Preethi Polepalli Yeshwanth
-
Publication number: 20210097169Abstract: Aspects of the invention include obtaining, via a processor, an original docker image from a customer, encrypting a disk image using content from the original docker image and encrypting a bootloader. A re-packaged image is created using the encrypted disk image and the secure encrypted bootloader. The re-packaged image is deployed by inserting the re-package image into a pod container and by means of using a mutating webhook, granting elevated privileges to said container and creating a secured Kubernetes pod for protecting workloads, wherein the secured Kubernetes pod has at least one virtual machine containing the pod container.Type: ApplicationFiled: September 30, 2019Publication date: April 1, 2021Inventors: Angel Nunez Mencias, Peter Morjan, Dirk Herrendoerfer, Preethi Polepalli Yeshwanth
-
Patent number: 9569239Abstract: A method includes loading a virtual machine snapshot of a virtual machine from a first computing device to a mobile device. The virtual machine runs on the first computing device and the virtual machine snapshot includes a COW file and an image file with files from the virtual machine. The method includes launching the virtual machine on a second computing device, where the second computing device reads the virtual machine snapshot from the mobile device and the second computing device records changes to a copy of the COW file stored on the second computing device while the second computing device runs the virtual machine. The method includes terminating a virtual machine session running on the second computing device and copying the COW file to the mobile device. The COW file includes changes to the virtual machine snapshot from execution of the virtual machine on the second computing device.Type: GrantFiled: February 10, 2016Date of Patent: February 14, 2017Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventor: Dirk Herrendoerfer
-
Patent number: 9563454Abstract: A VM loading module loads a virtual machine snapshot of a virtual machine from a first computing device to a mobile device. The virtual machine runs on the first computing device and the virtual machine snapshot includes a copy-on-write (“COW”) file and an image file of files from the virtual machine. A VM launch module launches the virtual machine on a second computing device, which reads the virtual machine snapshot from the mobile device and the second computing device records changes to the COW file stored on the second computing device while running the virtual machine. A session termination module terminates a session of execution of the virtual machine running on the second computing device and copies the COW file from the second computing device to the mobile device. The COW file includes changes to the virtual machine snapshot from the virtual machine on the second computing device.Type: GrantFiled: February 3, 2015Date of Patent: February 7, 2017Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventor: Dirk Herrendoerfer
-
Publication number: 20160224361Abstract: A method includes loading a virtual machine snapshot of a virtual machine from a first computing device to a mobile device. The virtual machine runs on the first computing device and the virtual machine snapshot includes a COW file and an image file with files from the virtual machine. The method includes launching the virtual machine on a second computing device, where the second computing device reads the virtual machine snapshot from the mobile device and the second computing device records changes to a copy of the COW file stored on the second computing device while the second computing device runs the virtual machine. The method includes terminating a virtual machine session running on the second computing device and copying the COW file to the mobile device. The COW file includes changes to the virtual machine snapshot from execution of the virtual machine on the second computing device.Type: ApplicationFiled: February 10, 2016Publication date: August 4, 2016Inventor: Dirk Herrendoerfer
-
Publication number: 20160224364Abstract: A VM loading module loads a virtual machine snapshot of a virtual machine from a first computing device to a mobile device. The virtual machine runs on the first computing device and the virtual machine snapshot includes a copy-on-write (“COW”) file and an image file of files from the virtual machine. A VM launch module launches the virtual machine on a second computing device, which reads the virtual machine snapshot from the mobile device and the second computing device records changes to the COW file stored on the second computing device while running the virtual machine. A session termination module terminates a session of execution of the virtual machine running on the second computing device and copies the COW file from the second computing device to the mobile device. The COW file includes changes to the virtual machine snapshot from the virtual machine on the second computing device.Type: ApplicationFiled: February 3, 2015Publication date: August 4, 2016Inventor: Dirk Herrendoerfer
-
Patent number: 6859879Abstract: The present invention relates to a client-server system having a security system for controlling access to application functions. The security system separated from the clients and the application functions routes all incoming requests created by various PVC-devices to a centralized security system providing an authentication component and a security component. The authentication component provides several authentication mechanisms which may be selected by information contained in the client's request. The authentication mechanism may be changed or extended without changing conditions on the client as well on the server or application side. The security component provides a security policy describing security requirements for accessing application functions which may be invoked by the security component. If the selected authentication mechanism succeeds and fulfills the security policy associated to that application function then the application function will be invoked by the security component.Type: GrantFiled: March 16, 2001Date of Patent: February 22, 2005Assignee: International Business Machine CorporationInventors: Horst Henn, Dirk Herrendoerfer, Thomas Schaeck, Roland Weber
-
Publication number: 20040139349Abstract: The present invention relates to a client-server system having a security system for controlling access to application functions. The security system separated from the clients and the application functions routes all incoming requests created by various PVC-devices to a centralized security system providing an authentication component and a security component. The authentication component provides several authentication mechanisms which may be selected by information contained in the client's request. The authentication mechanism may be changed or extended without changing conditions on the client as well on the server or application side. The security component provides a security policy describing security requirements for accessing application functions which may be invoked by the security component. If the selected authentication mechanism succeeds and fulfills the security policy associated to that application function then the application function will be invoked by the security component (FIG. 3).Type: ApplicationFiled: March 16, 2001Publication date: July 15, 2004Applicant: International Business Machines CorporationInventors: Horst Henn, Dirk Herrendoerfer, Thomas Schaeck, Roland Weber
-
Patent number: 6612490Abstract: An Extended SmartCard file system is proposed which resides in one flat file within the ISO file system of a SmartCard. A second file containing user information like size of the file system, owner information, and key fields is used to configure the file system driver dynamically. However, this file may be omitted if the file system driver is statically initialized. The nested file system of the present invention has the advantage that files can be fully dynamically accessed and edited without affecting the underlying ISO file layout, i.e. the outer fixed structure of the outer file system. Further, data integrity and consistency are achieved by a transaction oriented commit concept. Additionally, all security mechanisms of the underlying SmartCards in terms of data protection are fully maintained and are enhanced in cases of power loss or unexpected card removal as two distinct directories are provided for data management.Type: GrantFiled: December 17, 1999Date of Patent: September 2, 2003Assignee: International Business Mahines CorporationInventors: Dirk Herrendoerfer, Robert Sulzmann, Martin Welsch
-
Patent number: 6481621Abstract: A system and method for processing information contained in a smart card (130) uses a local computer (100) on which a proxy server (120) is installed. The local computer is connected to a data communication network (110), such as the Internet, and comprises a network browser which is used to generate access requests to data stored on a smart card and in a local storage (122). The requests are received by an HTTP server (210) and passed to request brokers (214, 215, 216). In response to a request parsing operation access functions (226, 228, 340, 440, 350, 460) are activated for accessing the local storage and a smart card (130). Data read from a smart card may be inserted into a HTML document accessed in the local storage, and data from the local storage or from remote sources may be uploaded to a smart card.Type: GrantFiled: November 19, 1999Date of Patent: November 19, 2002Assignee: International Business Machines CorporationInventors: Dirk Herrendoerfer, Robert Sulzmann, Martin Welsch
-
Patent number: 6473759Abstract: Java methods contained in a Java class and method database are accessed by a non-Java application running on a local machine or a remote machine. The non-Java application generates a standard TCP/IP communication call for a method of a Java class in the database. A Java service server running on a Java VM on the local machine receives the method call and related parameter data and performs their processing including a conversion of the call and of related parameter data from a transport format into Java native data types. The converted data is used for invoking a Java method for execution by applying the method to the converted parameter data. The result data of the method execution is converted from the Java format into the transport format in which they are transmitted to the non-Java application.Type: GrantFiled: October 5, 1999Date of Patent: October 29, 2002Assignee: International Business Machines CorporationInventors: Dirk Herrendoerfer, Robert Sulzmann, Martin Welsch