Patents by Inventor Eric David Rossman
Eric David Rossman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12489642Abstract: According to one embodiment, a method, computer system, and computer program product for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, is disclosed. The present invention may include establishing a communication channel between the guest system and the HSM, wherein the communication channel is identity-based, end-to-end and encrypted, thereby establishing a session, transferring login information of the guest system through the communication channel to the HSM, maintaining a predefined security level throughout a hierarchy of the sessions, wherein no child session has a higher security level than its parent session, and performing a challenge-response protocol based on a session ownership verification with the guest, such that an HSM generated and secured key is bound to a related session.Type: GrantFiled: July 19, 2023Date of Patent: December 2, 2025Assignee: International Business Machines CorporationInventors: Volker Urban, Tamas Visegrady, Reinhard Theodor Buendgen, Michael D. Hocker, Eric David Rossman
-
Patent number: 12468859Abstract: A method for a policy-based association of a hardware security module to a secure guest is disclosed. The method comprises maintaining a binding between a secure guest and an HSM. Thereby, the binding enables the trusted guest to send only non-sensitive request to the HSM. The method comprises further maintaining, for a secure guest, a pair of a secret and a secret name, submitting a query to the bound HSM for obtaining HSM configuration data, and upon determining that the obtained HSM configuration data match a rule available to the secure guest, wherein the rule associates the HSM to a secret name, requesting to associate the secret from the pair of secret and the secret name to the bound HSM, thereby triggering that the trusted firmware allows the secure guest to submit a sensitive crypto-request to the bound and associated HSM.Type: GrantFiled: January 25, 2023Date of Patent: November 11, 2025Assignee: International Business Machines CorporationInventors: Reinhard Theodor Buendgen, Viktor Mihajlovski, Jonathan D. Bradbury, Harald Freudenberger, Steffen Eiden, Volker Urban, Eric David Rossman
-
Publication number: 20250330311Abstract: A computer-implemented method (CIM), according to one approach, includes generating a primary cryptographic recovery key, and generating an alternate cryptographic recovery key, where the alternate cryptographic recovery key is generated and stored in a cryptographic Hardware Security Module (HSM). The method further includes storing an encrypted fallback key in metadata associated with a data set, where the encrypted fallback key is an operational key encrypted by the primary cryptographic recovery key, and storing a Recovery Key Verification Pattern (RKVP) in the metadata, where the RKVP is associated with the primary cryptographic recovery key and is stored for the primary cryptographic recovery key. In response to a determination that the operational key is unavailable, the encrypted fallback key is retrieved to perform a data decryption operation.Type: ApplicationFiled: April 17, 2024Publication date: October 23, 2025Inventors: Eysha Shirrine Powers, Cecilia Carranza Lewis, Eric David Rossman, Garry Joseph Sullivan, Michael Joseph Jordan
-
Publication number: 20240396747Abstract: According to one embodiment, a method, computer system, and computer program product for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, is disclosed. The present invention may include establishing a communication channel between the guest system and the HSM, wherein the communication channel is identity-based, end-to-end and encrypted, thereby establishing a session, transferring login information of the guest system through the communication channel to the HSM, maintaining a predefined security level throughout a hierarchy of the sessions, wherein no child session has a higher security level than its parent session, and performing a challenge-response protocol based on a session ownership verification with the guest, such that an HSM generated and secured key is bound to a related session.Type: ApplicationFiled: July 19, 2023Publication date: November 28, 2024Inventors: Volker Urban, Tamas Visegrady, Reinhard Theodor Buendgen, Michael D. Hocker, Eric David Rossman
-
Publication number: 20240176913Abstract: A method for a policy-based association of a hardware security module to a secure guest is disclosed. The method comprises maintaining a binding between a secure guest and an HSM. Thereby, the binding enables the trusted guest to send only non-sensitive request to the HSM. The method comprises further maintaining, for a secure guest, a pair of a secret and a secret name, submitting a query to the bound HSM for obtaining HSM configuration data, and upon determining that the obtained HSM configuration data match a rule available to the secure guest, wherein the rule associates the HSM to a secret name, requesting to associate the secret from the pair of secret and the secret name to the bound HSM, thereby triggering that the trusted firmware allows the secure guest to submit a sensitive crypto-request to the bound and associated HSM.Type: ApplicationFiled: January 25, 2023Publication date: May 30, 2024Inventors: Reinhard Theodor Buendgen, Viktor Mihajlovski, Jonathan D. Bradbury, Harald Freudenberger, Steffen Eiden, Volker Urban, Eric David Rossman
-
Patent number: 11875200Abstract: A message limit value to be used in enqueuing one or more messages on a queue of a device of the computing environment is obtained. The message limit value indicates whether an extended maximum message length is supported by the device. The extended maximum message length is different from a default maximum message length supported by the device. Based on determining that the extended maximum message length is supported and that the obtained message limit value has a defined relationship with a select value, at least one message of an extended length is enqueued on the queue of the device.Type: GrantFiled: September 23, 2021Date of Patent: January 16, 2024Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Louis P. Gomes, Damian Osisek, Harald Freudenberger, Richard John Moore, Volker Urban, Michael D. Hocker, Eric David Rossman, Richard Victor Kisley
-
Publication number: 20230089541Abstract: A message limit value to be used in enqueuing one or more messages on a queue of a device of the computing environment is obtained. The message limit value indicates whether an extended maximum message length is supported by the device. The extended maximum message length is different from a default maximum message length supported by the device. Based on determining that the extended maximum message length is supported and that the obtained message limit value has a defined relationship with a select value, at least one message of an extended length is enqueued on the queue of the device.Type: ApplicationFiled: September 23, 2021Publication date: March 23, 2023Inventors: Louis P. Gomes, Damian Osisek, Harald Freudenberger, Richard John Moore, Volker Urban, Michael D. Hocker, Eric David Rossman, Richard Victor Kisley
-
Patent number: 11277262Abstract: Generating unique data encryption keys for a data set, by allocating a data set associated with a security policy, where the security policy specifies a key encryption key (KEK) label, retrieving the KEK label from the security policy, storing the KEK label as metadata of the data set, opening the data set for a first time write, generating a data encryption key (DEK), retrieving a KEK from a key store according to the KEK label, encrypting the DEK using the KEK, storing the encrypted DEK as metadata of the data set, and encrypting the data set using the DEK.Type: GrantFiled: July 1, 2020Date of Patent: March 15, 2022Assignee: International Business machines CorporationInventors: Eysha Shirrine Powers, Michael Joseph Jordan, Cecilia Carranza Lewis, Eric David Rossman
-
Publication number: 20220006618Abstract: Generating unique data encryption keys for a data set, by allocating a data set associated with a security policy, where the security policy specifies a key encryption key (KEK) label, retrieving the KEK label from the security policy, storing the KEK label as metadata of the data set, opening the data set for a first time write, generating a data encryption key (DEK), retrieving a KEK from a key store according to the KEK label, encrypting the DEK using the KEK, storing the encrypted DEK as metadata of the data set, and encrypting the data set using the DEK.Type: ApplicationFiled: July 1, 2020Publication date: January 6, 2022Inventors: Eysha Shirrine Powers, Michael Joseph Jordan, Cecilia Carranza Lewis, Eric David Rossman