Patents by Inventor Navaneeth Rameshan
Navaneeth Rameshan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240064130Abstract: A computer-implemented method according to one embodiment includes using a first symmetric key to encrypt a second symmetric key. The first symmetric key is securely loaded inside a hardware security module (HSM) by a key management service before the encryption of the second symmetric key, and a cloud provider only has access to encrypted bits of the first symmetric key. Key data of a key-value-pair of the second symmetric key is used as additional authenticated data (AAD) for the encryption of the second symmetric key. The second symmetric key is used to encrypt value data of the key-value-pair. The method further includes storing the encrypted second symmetric key, the AAD used in the encryption of the second symmetric key, and tag bits created during the encryption of the second symmetric key, to thereafter use for verifying node related data.Type: ApplicationFiled: August 17, 2022Publication date: February 22, 2024Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
-
Publication number: 20230394150Abstract: A computer-implemented method according to one embodiment includes performing an attestation of code of a logic loader in a trusted execution environment (TEE) and receiving a request for the logic loader to load service logic code to the TEE. An integrity check of the service logic code associated with the request is performed. In response to the service logic code associated with the request passing the integrity check, the logic loader is allowed to load the service logic code associated with the request to the TEE. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method.Type: ApplicationFiled: June 3, 2022Publication date: December 7, 2023Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
-
Publication number: 20230297268Abstract: The invention is notably directed to a method of processing data in-memory. The method applies electrical signals to at least two input lines, which correspond to at least two rows. These two rows include at least one of the K rows and at least one of the L rows. This causes to obtain output signals in output of the M output lines, wherein the output signals depend on target values and operand values, in accordance with data stored across said at least two rows. Finally, the output signals are read out and a transformation operation is concurrently performed, in-memory, on the target values based on the operand values. This way transformed data are obtained by way of in-memory processing. The transformation may for instance be a cryptographic operation; the operand data may encode a cryptographic key. The invention is further directed to related apparatuses and systems, notably cryptographic service systems.Type: ApplicationFiled: March 21, 2022Publication date: September 21, 2023Inventors: Iason Giannopoulos, Navaneeth Rameshan, Vara Sudananda Prasad Jonnalagadda, Abu Sebastian
-
Patent number: 11689375Abstract: Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.Type: GrantFiled: May 21, 2021Date of Patent: June 27, 2023Assignee: International Business Machines CorporationInventors: Nataraj Nagaratnam, Christopher S. Smith, David Nguyen, Martin Schmatz, Marco Pavone, Navaneeth Rameshan
-
Publication number: 20230119304Abstract: Post quantum secure network communication is provided. The process comprises sending, by a client in a first computing cluster, an outbound message to a quantum safe cryptographic (QSC) proxy server in the first computing cluster, wherein the outbound message is addressed to a target server in a second computing cluster. The QSC proxy server initiates a QSC transport layer security (TLS) connection with an ingress controller in the second computing cluster, wherein the ingress controller comprises a QSC algorithm. The QSC proxy server transfers the message to the ingress controller via the QSC TLS connection, and the ingress controller routes the message to the target server in the second computing cluster via a non-QSC connection.Type: ApplicationFiled: October 18, 2021Publication date: April 20, 2023Inventors: Nataraj Nagaratnam, Martin Schmatz, Navaneeth Rameshan, Vaijayanthimala K. Anand, Jeffrey J. Feng
-
Patent number: 11575508Abstract: Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and routes the request to a service based on the instance ID, that transfers the request to HSM middleware. The HSM middleware parses HSM type from the request, translates the request to HSM vendor-specific instructions and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.Type: GrantFiled: June 2, 2021Date of Patent: February 7, 2023Assignee: International Business Machines CorporationInventors: Vaijayanthimala K. Anand, Martin Schmatz, Navaneeth Rameshan, Mathew Richard Odden, Bruno Henriques, Patricia M. Sagmeister
-
Publication number: 20220393857Abstract: Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and routes the request to a service based on the instance ID, that transfers the request to HSM middleware. The HSM middleware parses HSM type from the request, translates the request to HSM vendor-specific instructions and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.Type: ApplicationFiled: June 2, 2021Publication date: December 8, 2022Inventors: Vaijayanthimala K. ANAND, Martin SCHMATZ, Navaneeth RAMESHAN, Mathew Richard ODDEN, Bruno HENRIQUES, Patricia M. SAGMEISTER
-
Publication number: 20220376929Abstract: Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.Type: ApplicationFiled: May 21, 2021Publication date: November 24, 2022Inventors: Nataraj Nagaratnam, Christopher S. Smith, David Nguyen, Martin Schmatz, Marco Pavone, Navaneeth Rameshan
-
Patent number: 11456867Abstract: A method manages cryptographic objects (COs). The method includes accessing an entropy-based random number and instructing to store this random number. The method includes generating one or more COs based on a deterministic algorithm that causes to interact with a security module (SM), such as a hardware security module (HSM), to generate a seed according to both a reference key of the SM and the random number accessed. A random number generator is seeded with the generated seed to generate the desired COs.Type: GrantFiled: October 25, 2019Date of Patent: September 27, 2022Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
-
Patent number: 11416633Abstract: In a computer-implemented method for providing obfuscated data to users, first, a user request to access data is received; then, an authorization level associated with the request received is identified. Next, obfuscated data is accessed in a protected enclave, which data corresponds to the request received. The data accessed has been obfuscated with an obfuscation algorithm that yields a level of obfuscation compatible with the authorization level identified. Finally, the obfuscated data accessed is provided to the user, from the protected enclave. Related systems and computer program products are also disclosed.Type: GrantFiled: February 15, 2019Date of Patent: August 16, 2022Assignee: International Business Machines CorporationInventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister, Yiyu Chen, Mitch Gusat
-
Patent number: 11314739Abstract: The present disclosure relates to a method of managing requests to a key-value database. A non-limiting example of the method includes receiving a request that includes a number of keys. The number of keys can be compared with a first threshold number and second threshold number. If the number of keys exceeds the first threshold number, the request can be split. If the number of keys is smaller than the second threshold number, the request can be merged with at least one previous or subsequent request. Requests resulting from the splitting and merging steps can be submitted to the key-value database for further processing of the submitted requests.Type: GrantFiled: April 9, 2018Date of Patent: April 26, 2022Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Robert Birke, Navaneeth Rameshan, Yiyu Chen, Martin Schmatz
-
Patent number: 11265160Abstract: A key management system includes a hardware security module (HSM) with a secure memory; an HSM driver implementing an API, interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory of the HSM; and a shim layer interfaced with the HSM driver. The layer is generally configured to enable a client application to interact with the HSM via the driver, i.e., for the HSM to manage cryptographic objects for the client, notwithstanding the layer. External memory storage resides outside the HSM and is interfaced with the layer. The method includes instructing (at the layer) to: (i) encrypt cryptographic objects from the HSM (with the help of the driver) and store the resulting encrypted objects at respective memory locations on the storage, to free up memory space; and (ii) store handles to such cryptographic objects along with references to said respective memory locations, on the storage.Type: GrantFiled: February 15, 2019Date of Patent: March 1, 2022Assignee: International Business Machines CorporationInventors: Martin Schmatz, Navaneeth Rameshan
-
Publication number: 20210126781Abstract: A method manages cryptographic objects (COs). The method includes accessing an entropy-based random number and instructing to store this random number. The method includes generating one or more COs based on a deterministic algorithm that causes to interact with a security module (SM), such as a hardware security module (HSM), to generate a seed according to both a reference key of the SM and the random number accessed. A random number generator is seeded with the generated seed to generate the desired COs.Type: ApplicationFiled: October 25, 2019Publication date: April 29, 2021Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
-
Patent number: 10931443Abstract: A computer-implemented method manages cryptographic objects in a hierarchical key management system including a hardware security module (HSM), which institutes a key hierarchy extending from a ground level l0. Clients interact with the HSM to obtain cryptographic objects. A request is received from one of the clients for an object at a given level ln of the hierarchy (above the ground level l0). A binary representation of the object is accessed as a primary bit pattern p0, at the HSM and said pattern is scrambled via a bitwise XOR operation. The latter operates, on the one hand, on the primary bit pattern p0 and, on the other hand, on a control bit pattern pc that is a binary representation of an access code of the same length as said primary bit pattern p0. The pattern pc is obtained based on that given level ln of the hierarchy.Type: GrantFiled: August 23, 2018Date of Patent: February 23, 2021Assignee: International Business Machines CorporationInventors: Martin Schmatz, Navaneeth Rameshan, Yiyu Chen, Patricia M. Sagmeister
-
Publication number: 20200266982Abstract: A key management system includes a hardware security module (HSM) with a secure memory; an HSM driver implementing an API, interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory of the HSM; and a shim layer interfaced with the HSM driver. The layer is generally configured to enable a client application to interact with the HSM via the driver, i.e., for the HSM to manage cryptographic objects for the client, notwithstanding the layer. External memory storage resides outside the HSM and is interfaced with the layer. The method includes instructing (at the layer) to: (i) encrypt cryptographic objects from the HSM (with the help of the driver) and store the resulting encrypted objects at respective memory locations on the storage, to free up memory space; and (ii) store handles to such cryptographic objects along with references to said respective memory locations, on the storage.Type: ApplicationFiled: February 15, 2019Publication date: August 20, 2020Inventors: Martin Schmatz, Navaneeth Rameshan
-
Publication number: 20200265159Abstract: In a computer-implemented method for providing obfuscated data to users, first, a user request to access data is received; then, an authorization level associated with the request received is identified. Next, obfuscated data is accessed in a protected enclave, which data corresponds to the request received. The data accessed has been obfuscated with an obfuscation algorithm that yields a level of obfuscation compatible with the authorization level identified. Finally, the obfuscated data accessed is provided to the user, from the protected enclave. Related systems and computer program products are also disclosed.Type: ApplicationFiled: February 15, 2019Publication date: August 20, 2020Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister, Yiyu Chen, Mitch Gusat
-
Patent number: 10623183Abstract: Embodiments of the invention provide a computer-implemented method for managing cryptographic objects in a key management system. This system comprises a set of one or more hardware security modules (HSMs), as well as clients interacting with the HSMs on behalf of users who interact with the clients. The method comprises monitoring, for each HSM of the set, an entropy pool and/or a load at each HSM. The entropy pool of a HSM is the entropy that is available at this HSM for generating cryptographic objects. The load induced at a HSM is the load due to the users interacting with the clients to obtain cryptographic objects. Cryptographic objects are generated, at each HSM, according to the monitored entropy pool and/or load. The extent to which such objects are generated depends on the monitored entropy pool and/or load.Type: GrantFiled: November 1, 2017Date of Patent: April 14, 2020Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Robert Birke, Mathias Björkqvist, Yiyu Chen, Mitch Gusat, Navaneeth Rameshan, Martin Schmatz
-
Publication number: 20200067698Abstract: A computer-implemented method manages cryptographic objects in a hierarchical key management system including a hardware security module (HSM), which institutes a key hierarchy extending from a ground level l0. Clients interact with the HSM to obtain cryptographic objects. A request is received from one of the clients for an object at a given level ln of the hierarchy (above the ground level l0). A binary representation of the object is accessed as a primary bit pattern p0, at the HSM and said pattern is scrambled via a bitwise XOR operation. The latter operates, on the one hand, on the primary bit pattern p0 and, on the other hand, on a control bit pattern pc that is a binary representation of an access code of the same length as said primary bit pattern p0. The pattern pc is obtained based on that given level ln of the hierarchy.Type: ApplicationFiled: August 23, 2018Publication date: February 27, 2020Inventors: Martin Schmatz, Navaneeth Rameshan, Yiyu Chen, Patricia M. Sagmeister
-
Patent number: 10545871Abstract: A method for coordinating cache and memory reservation in a computerized system includes identifying at least one running application, recognizing the at least one application as a latency-critical application, monitoring information associated with a current cache access rate and a required memory bandwidth of the at least one application, allocating a cache partition, a size of the cache partition corresponds to the cache access rate and the required memory bandwidth of the at least one application, defining a threshold value including a number of cache misses per time unit, determining a reduction of cache misses per time unit, in response to the reduction of cache misses per time unit being above the threshold value, retaining the cache partition, assigning a priority of scheduling memory request including a medium priority level, and assigning a memory channel to the at least one application to avoid memory channel contention.Type: GrantFiled: April 22, 2019Date of Patent: January 28, 2020Assignee: International Business Machines CorporationInventors: Robert Birke, Yiyu Chen, Navaneeth Rameshan, Martin Schmatz
-
Patent number: 10540285Abstract: A method for coordinating cache and memory reservation in a computerized system includes identifying at least one running application, recognizing the at least one application as a latency-critical application, monitoring information associated with a current cache access rate and a required memory bandwidth of the at least one application, allocating a cache partition, a size of the cache partition corresponds to the cache access rate and the required memory bandwidth of the at least one application, defining a threshold value including a number of cache misses per time unit, determining a reduction of cache misses per time unit, in response to the reduction of cache misses per time unit being above the threshold value, retaining the cache partition, assigning a priority of scheduling memory request including a medium priority level, and assigning a memory channel to the at least one application to avoid memory channel contention.Type: GrantFiled: April 22, 2019Date of Patent: January 21, 2020Assignee: International Business Machines CorporationInventors: Robert Birke, Yiyu Chen, Navaneeth Rameshan, Martin Schmatz