Patents by Inventor Mahesh Sham ROHERA

Mahesh Sham ROHERA has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12047185
    Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: July 23, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
  • Publication number: 20230401307
    Abstract: A device is provisioned to communicate with a cloud service provider when the device is unable to establish a secure connection due to an invalid root certificate authority (CA) certificate installed at the device. The cloud service provider establishes a temporary non-secure connection between a device recovery service and the device. The device recovery service sends a signed updated root CA certificate to the device. Based on the signed updated root CA certificate, a secure connection is established between the device and operational functions at the cloud service provider.
    Type: Application
    Filed: March 22, 2023
    Publication date: December 14, 2023
    Inventors: Cristian Iuliu POP, Michiel van SCHAIK, Arturo LOTITO, Mahesh Sham ROHERA, Benjamin Livesley THOMAS, David John ROTH
  • Patent number: 11573778
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: February 7, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
  • Publication number: 20220263712
    Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
    Type: Application
    Filed: April 25, 2022
    Publication date: August 18, 2022
    Inventors: Mounica ARROJU, Alexander I. TOLPIN, Nicole Elaine BERDY, Anush Prabhu RAMACHANDRAN, Timothy James LARDEN, Mengxi CHI, Mahesh Sham ROHERA, Rajeev Mandayam VOKKARNE
  • Patent number: 11343139
    Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
    Type: Grant
    Filed: March 23, 2020
    Date of Patent: May 24, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mounica Arroju, Alexander I. Tolpin, Nicole Elaine Berdy, Anush Prabhu Ramachandran, Timothy James Larden, Mengxi Chi, Mahesh Sham Rohera, Rajeev Mandayam Vokkarne
  • Publication number: 20210385096
    Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
    Type: Application
    Filed: August 24, 2021
    Publication date: December 9, 2021
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Publication number: 20210357197
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Application
    Filed: August 2, 2021
    Publication date: November 18, 2021
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Publication number: 20210328865
    Abstract: Provisioning an on-premise device within an on-premise communications network includes connecting, via a network connection, an on-premise gateway system in the on-premise communications network with an off-premise device provisioning service system in an off-premise communications network. The network connection is disconnected between the on-premise communications network and the off-premise communications network. A discovery request response is received from the on-premise device via the on-premise communications network, while the network connection is disconnected. A provisioning request from the on-premise device is received at the on-premise device provisioning service of the on-premise gateway system via the on-premise communications network, while the network connection is disconnected. An on-premise device provisioning service of the on-premise gateway system provisions the on-premise device based on provisioning records, while the network connection is disconnected.
    Type: Application
    Filed: April 20, 2020
    Publication date: October 21, 2021
    Inventors: Morgan Westlee LUNT, Alexander I. TOLPIN, Mengxi CHI, Balendran MUGUNDAN, Rajeev Mandayam VOKKARNE, Nikhil VITHLANI, Nicole Elaine BERDY, Mahesh Sham ROHERA
  • Publication number: 20210297311
    Abstract: A device provisioning service provisions a network-connected device to access one or more service systems using a supplemental cryptographic identity of the network-connected device. An initial enrollment record (associated with an initial cryptographic identity) and a supplemental enrollment record are stored in a device provisioning service. An identity issuance request is received from the network-connected device at the device provisioning service. The identity issuance request includes the initial cryptographic identity. The supplemental cryptographic identity is requested from a supplemental cryptographic identity issuer identified in the initial enrollment record based on the identity issuance request. The requested supplemental cryptographic identity is received at the device provisioning service from the supplemental cryptographic identity issuer. The network-connected device is provisioned to access the one or more service systems according to the supplemental enrollment record.
    Type: Application
    Filed: March 23, 2020
    Publication date: September 23, 2021
    Inventors: Mounica ARROJU, Alexander I. TOLPIN, Nicole Elaine BERDY, Anush Prabhu RAMACHANDRAN, Timothy James LARDEN, Mengxi CHI, Mahesh Sham ROHERA, Rajeev Mandayam VOKKARNE
  • Patent number: 11128482
    Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: September 21, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
  • Patent number: 11106441
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Mahesh Sham Rohera
  • Patent number: 11038678
    Abstract: A root of trust is established between a cloud and an edge device that communicates with the cloud. The root of trust may be embodied as a secret device key securely stored by the edge device and the cloud. The edge device receives arbitrary cloud modules (workloads) that include guest/tenant code that may communicate with the cloud and possibly local/leaf devices connected to or included with the edge device. The edge device extends or diversifies the root of trust to the cloud modules based on the device key. New keys are derived from the device key. The new keys are used to sign credentials (e.g. tokens or certificates) for the respective cloud modules. This provides each cloud module with its own trusted unique cloud identity that can be verified by the cloud using the cloud's copy of the device key.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: June 15, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eustace Ngwa Asanghanwa, Angelo Roncalli Ribeiro, Mahesh Sham Rohera, Michael Richard Yagley
  • Publication number: 20200336322
    Abstract: A system meters execution of an application module at an edge computing device. A secure workload package is transmitted securely from a workload provisioning service to the edge computing device. The secure workload package includes the application module, a trusted metering application, and a provisioning service authentication token. The provisioning service authentication token is verified in the secure workload package based on an edge device authentication token generated at the edge computing device. The trusted metering application is executed in a trusted execution environment of the edge computing device, responsive to verifying the provisioning service authentication token. The application module of the edge computing device is executed, wherein the trusted metering application is configured to monitor execution metrics of the application module on the edge computing device. The execution of the application module is managed based on the monitored execution metrics.
    Type: Application
    Filed: April 19, 2019
    Publication date: October 22, 2020
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Publication number: 20200153623
    Abstract: A root of trust is established between a cloud and an edge device that communicates with the cloud. The root of trust may be embodied as a secret device key securely stored by the edge device and the cloud. The edge device receives arbitrary cloud modules (workloads) that include guest/tenant code that may communicate with the cloud and possibly local/leaf devices connected to or included with the edge device. The edge device extends or diversifies the root of trust to the cloud modules based on the device key. New keys are derived from the device key. The new keys are used to sign credentials (e.g. tokens or certificates) for the respective cloud modules. This provides each cloud module with its own trusted unique cloud identity that can be verified by the cloud using the cloud's copy of the device key.
    Type: Application
    Filed: November 9, 2018
    Publication date: May 14, 2020
    Inventors: Eustace Ngwa Asanghanwa, Angelo Roncalli Ribeiro, Mahesh Sham Rohera, Michael Richard Yagley
  • Publication number: 20200089481
    Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.
    Type: Application
    Filed: September 14, 2018
    Publication date: March 19, 2020
    Inventors: Eustace Ngwa ASANGHANWA, Mahesh Sham ROHERA
  • Publication number: 20200092263
    Abstract: The disclosed technology provides for processing a secure cloud workload with an associated unique workload identifier received from a workload provisioning service including one or more workload provisioning servers at an edge device. A unique device identifier is provided to the one or more workload provisioning servers. The unique device identifier is associated with the edge device. A packaged secure cloud workload is received from the one or more workload provisioning servers and is encrypted by the one or more workload provisioning servers using a unique packaging key generated by the one or more workload provisioning servers based on the unique device identifier, the unique workload identifier, and a nonce. The edge device cryptographically generates the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The packaged secure cloud workload is decrypted using the generated unique packaging key cryptographically generated by the edge device.
    Type: Application
    Filed: September 14, 2018
    Publication date: March 19, 2020
    Inventors: Mahesh Sham ROHERA, Eustace Ngwa ASANGHANWA