Patents by Inventor Magnus Bo Gustaf Nyström

Magnus Bo Gustaf Nyström has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10615967
    Abstract: A computing device uses a data encryption and decryption system that includes a trusted runtime and an inline cryptographic processor. The trusted runtime provides a trusted execution environment, and the inline cryptographic processor provides decryption and encryption of data in-line with storage device read and write operations. When a portion (e.g., partition) of a storage device is defined, the trusted runtime generates an encryption key and provides the encryption key to the inline cryptographic processor, which uses the encryption key to encrypt data written to the portion and decrypt data read from the portion. Access to the portion can be subsequently protected by associating the key with authentication credentials of a user or other entity. The trusted runtime protects the encryption key based on an authentication key associated with the authentication credentials, allowing subsequent access to the encryption key only in response to the proper authentication credentials being provided.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: April 7, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Niels T. Ferguson, Alex M. Semenko
  • Patent number: 9740639
    Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: August 22, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Alex M. Semenko, Douglas M. MacIver, Donghui Li
  • Publication number: 20170004094
    Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.
    Type: Application
    Filed: September 15, 2016
    Publication date: January 5, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Alex M. Semenko, Douglas M. MacIver, Donghui Li
  • Patent number: 9477614
    Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.
    Type: Grant
    Filed: October 3, 2014
    Date of Patent: October 25, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Alex M. Semenko, Douglas M. MacIver, Donghui Li
  • Patent number: 9424431
    Abstract: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.
    Type: Grant
    Filed: September 14, 2015
    Date of Patent: August 23, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Scott D. Anderson, David J. Linsley, Magnus Bo Gustaf Nyström, Douglas M. MacIver, Robert Karl Spiger
  • Patent number: 9281948
    Abstract: Techniques for providing revocation information for revocable items are described. In implementations, a revocation service is employed to manage revocation information for various revocable items. For example, the revocation service can maintain a revoked list that includes revoked revocable items, such as revoked digital certificates, revoked files (e.g., files that are considered to the unsafe), unsafe network resources (e.g., a website that is determined to be unsafe), and so on. In implementations, the revocation service can communicate a revoked list to a client device to enable the client device to maintain an updated list of revocation information.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: March 8, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Philip J. Hallin, Yogesh A. Mehta, Violet Anna Barhudarian, Magnus Bo Gustaf Nyström
  • Patent number: 9256745
    Abstract: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.
    Type: Grant
    Filed: March 1, 2011
    Date of Patent: February 9, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Scott D. Anderson, David J. Linsley, Magnus Bo Gustaf Nyström, Douglas M. MacIver, Robert Karl Spiger
  • Publication number: 20160012234
    Abstract: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.
    Type: Application
    Filed: September 14, 2015
    Publication date: January 14, 2016
    Inventors: Scott D. Anderson, David J. Linsley, Magnus Bo Gustaf Nyström, Douglas M. MacIver, Robert Karl Spiger
  • Publication number: 20150270956
    Abstract: A computing device uses a data encryption and decryption system that includes a trusted runtime and an inline cryptographic processor. The trusted runtime provides a trusted execution environment, and the inline cryptographic processor provides decryption and encryption of data in-line with storage device read and write operations. When a portion (e.g., partition) of a storage device is defined, the trusted runtime generates an encryption key and provides the encryption key to the inline cryptographic processor, which uses the encryption key to encrypt data written to the portion and decrypt data read from the portion. Access to the portion can be subsequently protected by associating the key with authentication credentials of a user or other entity. The trusted runtime protects the encryption key based on an authentication key associated with the authentication credentials, allowing subsequent access to the encryption key only in response to the proper authentication credentials being provided.
    Type: Application
    Filed: March 20, 2014
    Publication date: September 24, 2015
    Applicant: Microsoft Corporation
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Niels T. Ferguson, Alex M. Semenko
  • Patent number: 9058497
    Abstract: Cryptographic key management techniques are described. In one or more implementations, an access control rule is read that includes a Boolean expression having a plurality of atoms. The cryptographic keys that corresponds each of the plurality of atoms in the access control rule are requested. One or more cryptographic operations are then performed on data using one or more of the cryptographic keys.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: June 16, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vijay G. Bharadwaj, Niels T Ferguson, Carl M. Ellison, Magnus Bo Gustaf Nyström, Dayi Zhou, Denis Issoupov, Octavian T. Ureche, Peter J. Novotney, Cristian M. Ilac
  • Patent number: 8984597
    Abstract: An access component sends an access request to an intermediary component, the access request being a request to access a service or resource without credentials of a current user of the intermediary component being revealed to the access component. The intermediary component obtains user credentials, for the current user, that are associated with the service or resource. The access request and the user credentials are sent to the service or resource, and in response session state information is received from the service or resource. The session state information is returned to the access component, which allows the access component and the service or resource to communicate with one another based on the session state information and independently of the first component.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: March 17, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kristjan E. Hatlelid, Marc R. Barbour, Magnus Bo Gustaf Nyström
  • Publication number: 20150033039
    Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.
    Type: Application
    Filed: October 3, 2014
    Publication date: January 29, 2015
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Alex M. Semenko, Douglas M. MacIver, Donghui Li
  • Patent number: 8924737
    Abstract: In accordance with one or more aspects, a representation of a configuration of a firmware environment of a device is generated. A secret of the device is obtained, and a platform secret is generated based on both the firmware environment configuration representation and the secret of the device. One or more keys can be generated based on the platform secret.
    Type: Grant
    Filed: August 25, 2011
    Date of Patent: December 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Stefan Thom, Robert Karl Spiger, Magnus Bo Gustaf Nyström, David R. Wooten
  • Patent number: 8885833
    Abstract: A key recovery request for a device is received at a key recovery service and a particular one-time recovery credential in a sequence of multiple one-time recovery credentials is identified. In the sequence of multiple one-time recovery credentials, previous one-time recovery credentials in the sequence are indeterminable given subsequent one-time recovery credentials in the sequence. A recovery key associated with the device is also identified. The particular one-time recovery credential in the sequence is generated based on the recovery key, and is returned in response to the key recovery request. The particular one-time recovery credential can then be used by the device to decrypt encrypted data stored on a storage media of the device.
    Type: Grant
    Filed: April 11, 2011
    Date of Patent: November 11, 2014
    Assignee: Microsoft Corporation
    Inventors: Benjamin E. Nick, Magnus Bo Gustaf Nyström, Cristian M. Ilac, Niels T. Ferguson, Nils Dussart
  • Patent number: 8874935
    Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.
    Type: Grant
    Filed: August 30, 2011
    Date of Patent: October 28, 2014
    Assignee: Microsoft Corporation
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Alex M. Semenko, Douglas M. MacIver, Donghui Li
  • Publication number: 20140108814
    Abstract: Cryptographic key management techniques are described. In one or more implementations, an access control rule is read that includes a Boolean expression having a plurality of atoms. The cryptographic keys that corresponds each of the plurality of atoms in the access control rule are requested. One or more cryptographic operations are then performed on data using one or more of the cryptographic keys.
    Type: Application
    Filed: December 23, 2010
    Publication date: April 17, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: Vijay G. Bharadwaj, Niels T. Ferguson, Carl M. Ellison, Magnus Bo Gustaf Nyström, Dayi Zhou, Denis Issoupov, Octavian T. Ureche, Peter J. Novotney, Cristian M. Ilac
  • Patent number: 8689279
    Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, an encrypted chunks map is accessed. The encrypted chunks map identifies whether, for each chunk of sectors of a storage volume, the sectors in the chunk are unencrypted. In response to a request to write content to a sector, the encrypted chunks map is checked to determine whether a chunk that includes the sector is unencrypted. If the chunk that includes the sector is unencrypted, then the sectors in the chunk are encrypted, and the content is encrypted and written to the sector. If the chunk that includes the sector is encrypted or not in use, then the content is encrypted and written to the sector.
    Type: Grant
    Filed: August 30, 2011
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Innokentiy Basmov, Alex M. Semenko, Dustin L. Green, Magnus Bo Gustaf Nyström
  • Publication number: 20130212383
    Abstract: Techniques for providing revocation information for revocable items are described. In implementations, a revocation service is employed to manage revocation information for various revocable items. For example, the revocation service can maintain a revoked list that includes revoked revocable items, such as revoked digital certificates, revoked files (e.g., files that are considered to the unsafe), unsafe network resources (e.g., a website that is determined to be unsafe), and so on. In implementations, the revocation service can communicate a revoked list to a client device to enable the client device to maintain an updated list of revocation information.
    Type: Application
    Filed: February 9, 2012
    Publication date: August 15, 2013
    Inventors: Philip J. Hallin, Yogesh A. Mehta, Violet Anna Barhudarian, Magnus Bo Gustaf Nyström
  • Patent number: 8462955
    Abstract: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.
    Type: Grant
    Filed: June 3, 2010
    Date of Patent: June 11, 2013
    Assignee: Microsoft Corporation
    Inventors: Octavian T. Ureche, Nils Dussart, Michael A. Halcrow, Charles G. Jeffries, Nathan T. Lewis, Cristian M. Ilac, Innokentiy Basmov, Magnus Bo Gustaf Nyström, Niels T. Ferguson
  • Publication number: 20130054979
    Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.
    Type: Application
    Filed: August 30, 2011
    Publication date: February 28, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Innokentiy Basmov, Magnus Bo Gustaf Nyström, Alex M. Semenko, Douglas M. MacIver, Donghui Li