Patents by Inventor Mahesh Sham ROHERA
Mahesh Sham ROHERA has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12047185
  Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
  Type: Grant
  Filed: August 24, 2021
  Date of Patent: July 23, 2024
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
- Publication number: 20230401307
  Abstract: A device is provisioned to communicate with a cloud service provider when the device is unable to establish a secure connection due to an invalid root certificate authority (CA) certificate installed at the device. The cloud service provider establishes a temporary non-secure connection between a device recovery service and the device. The device recovery service sends a signed updated root CA certificate to the device. Based on the signed updated root CA certificate, a secure connection is established between the device and operational functions at the cloud service provider.
  Type: Application
  Filed: March 22, 2023
  Publication date: December 14, 2023
  Inventors: Cristian Iuliu POP, Michiel van SCHAIK, Arturo LOTITO, Mahesh Sham ROHERA, Benjamin Livesley THOMAS, David John ROTH
- Patent number: 11573778
  Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
  Type: Grant
  Filed: August 2, 2021
  Date of Patent: February 7, 2023
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
- Publication number: 20220263712
  Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
  Type: Application
  Filed: April 25, 2022
  Publication date: August 18, 2022
  Inventors: Mounica ARROJU, Alexander I. TOLPIN, Nicole Elaine BERDY, Anush Prabhu RAMACHANDRAN, Timothy James LARDEN, Mengxi CHI, Mahesh Sham ROHERA, Rajeev Mandayam VOKKARNE
- Patent number: 11343139
  Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
  Type: Grant
  Filed: March 23, 2020
  Date of Patent: May 24, 2022
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Mounica Arroju, Alexander I. Tolpin, Nicole Elaine Berdy, Anush Prabhu Ramachandran, Timothy James Larden, Mengxi Chi, Mahesh Sham Rohera, Rajeev Mandayam Vokkarne
- Publication number: 20210385096
  Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
  Type: Application
  Filed: August 24, 2021
  Publication date: December 9, 2021
  Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
- Publication number: 20210357197
  Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
  Type: Application
  Filed: August 2, 2021
  Publication date: November 18, 2021
  Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
- Publication number: 20210328865
  Abstract: Provisioning an on-premise device within an on-premise communications network includes connecting, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network. The network connection is disconnected between the on-premise communications network and the off-premise communications network. A discovery request response is received from the on-premise device via the on-premise communications network, while the network connection is disconnected. A provisioning request from the on-premise device is received at the on-premise device provisioning service of the on-premise gateway system via the on-premise communications network, while the network connection is disconnected. An on-premise device provisioning service of the on-premise gateway system provisions the on-premise device based on provisioning records, while the network connection is disconnected.
  Type: Application
  Filed: April 20, 2020
  Publication date: October 21, 2021
  Inventors: Morgan Westlee LUNT, Alexander I. TOLPIN, Mengxi CHI, Balendran MUGUNDAN, Rajeev Mandayam VOKKARNE, Nikhil VITHLANI, Nicole Elaine BERDY, Mahesh Sham ROHERA
- Publication number: 20210297311
  Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
  Type: Application
  Filed: March 23, 2020
  Publication date: September 23, 2021
  Inventors: Mounica ARROJU, Alexander I. TOLPIN, Nicole Elaine BERDY, Anush Prabhu RAMACHANDRAN, Timothy James LARDEN, Mengxi CHI, Mahesh Sham ROHERA, Rajeev Mandayam VOKKARNE
- Patent number: 11128482
  Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
  Type: Grant
  Filed: April 19, 2019
  Date of Patent: September 21, 2021
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
- Patent number: 11106441
  Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
  Type: Grant
  Filed: September 14, 2018
  Date of Patent: August 31, 2021
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
- Patent number: 11038678
  Abstract: A root of trust is established between a cloud and an edge device that communicates with the cloud. The root of trust may be embodied as a secret device key securely stored by the edge device and the cloud. The edge device receives arbitrary cloud modules (workloads) that include guest/tenant code that may communicate with the cloud and possibly local/leaf devices connected to or included with the edge device. The edge device extends or diversifies the root of trust to the cloud modules based on the device key. New keys are derived from the device key. The new keys are used to sign credentials (e.g. tokens or certificates) for the respective cloud modules. This provides each cloud module with its own trusted unique cloud identity that can be verified by the cloud using the cloud's copy of the device key.
  Type: Grant
  Filed: November 9, 2018
  Date of Patent: June 15, 2021
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Eustace Ngwa Asanghanwa, Angelo Roncalli Ribeiro, Mahesh Sham Rohera, Michael Richard Yagley
- Publication number: 20200336322
  Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
  Type: Application
  Filed: April 19, 2019
  Publication date: October 22, 2020
  Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
- Publication number: 20200153623
  Abstract: A root of trust is established between a cloud and an edge device that communicates with the cloud. The root of trust may be embodied as a secret device key securely stored by the edge device and the cloud. The edge device receives arbitrary cloud modules (workloads) that include guest/tenant code that may communicate with the cloud and possibly local/leaf devices connected to or included with the edge device. The edge device extends or diversifies the root of trust to the cloud modules based on the device key. New keys are derived from the device key. The new keys are used to sign credentials (e.g. tokens or certificates) for the respective cloud modules. This provides each cloud module with its own trusted unique cloud identity that can be verified by the cloud using the cloud's copy of the device key.
  Type: Application
  Filed: November 9, 2018
  Publication date: May 14, 2020
  Inventors: Eustace Ngwa Asanghanwa, Angelo Roncalli Ribeiro, Mahesh Sham Rohera, Michael Richard Yagley
- Publication number: 20200089481
  Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
  Type: Application
  Filed: September 14, 2018
  Publication date: March 19, 2020
  Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
- Publication number: 20200092263
  Abstract: The disclosed technology provides for processing a secure cloud workload with an associated unique workload identifier received from a workload provisioning service including one or more workload provisioning servers at an edge device. A unique device identifier is provided to the one or more workload provisioning servers. The unique device identifier is associated with the edge device. A packaged secure cloud workload is received from the one or more workload provisioning servers and is encrypted by the one or more workload provisioning servers using a unique packaging key generated by the one or more workload provisioning servers based on the unique device identifier, the unique workload identifier, and a nonce. The edge device cryptographically generates the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The packaged secure cloud workload is decrypted using the generated unique packaging key cryptographically generated by the edge device.
  Type: Application
  Filed: September 14, 2018
  Publication date: March 19, 2020
  Inventors: Mahesh Sham ROHERA, Eustace Ngwa ASANGHANWA