Techniques to secure computation data in a computing environment

US10601596B2 · US · B2

Patent metadata
Publication number: US-10601596-B2
Application number: US-201916273945-A
Country: US
Kind code: B2
Filing date: Feb 12, 2019
Priority date: Jul 31, 2015
Publication date: Mar 24, 2020
Grant date: Mar 24, 2020

Abstract

Official abstract text for this publication.

Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.

First claim

Opening claim text (preview).

The invention claimed is:

1. An apparatus, comprising: a logic circuit; and a computer-readable storage device comprising a tangible storage medium, the computer-readable storage device comprising instructions executable by the logic circuit to: generate computation data corresponding to execution of a set of computations within an isolated memory region of a computing environment by executing within the isolated memory region a parallel processing job received from code running outside of the isolated memory region; secure the computation data using an encryption key to generate secured computation data; secure the encryption key using a public key associated with the code running outside of the isolated memory region to generate a secured encryption key; invoke a primitive of a primitive programming model to configure the isolated memory region with a secure communications channel to the code running outside of the isolated memory region; and communicate the secured computation data and the secured encryption key to the code running outside of the isolated memory region using the secure communications channel.

2. The apparatus of claim 1, wherein the instructions are further executable to process a signature of the secured computation data generated using a private key that is associated with the computing environment.

3. The apparatus of claim 1, wherein the instructions are further executable to invoke a primitive function to generate the encryption key and a primitive function to generate a signature using the encryption key.

4. The apparatus of claim 1, wherein the instructions are further executable to secure the encryption key with a public key that corresponds to a remote trusted component running on a remote machine.

5. The apparatus of claim 1, wherein the instructions are further executable to generate a cryptographic digest of a code package on a distributed file system and to use the cryptographic digest to verify a signature of the secured encryption key.

6. The apparatus of claim 1, wherein the instructions are further executable to decrypt secured user keys using the encryption key to extract user keys and to use the user keys to decrypt secret code in the isolated memory region.

7. The apparatus of claim 1, wherein the instructions are further executable to process a communication primitive operative to invoke a function on untrusted code running outside of the isolated memory region or trusted code running inside the isolated memory region.

8. A computer-implemented method, comprising: generating computation data corresponding to execution of a set of computations within an isolated memory region of a computing environment by executing within the isolated memory region a parallel processing job received from code running outside of the isolated memory region; securing the computation data using an encryption key to generate secured computation data; securing the encryption key using a public key associated with the code running outside of the isolated memory region to generate a secured encryption key; invoking a primitive of a primitive programming model to configure the isolated memory region with a secure communications channel to the code running outside of the isolated memory region; and communicating the secured computation data and the secured encryption key to the code running outside of the isolated memory region using the secure communications channel.

9. The computer-implemented method of claim 8, further comprising processing a signature of the secured computation data generated using a private key that is associated with the computing environment.

10. The computer-implemented method of claim 8, further comprising invoking a primitive function to generate the encryption key and a primitive function to generate a signature using the encryption key.

11. The computer-implemented method of claim 8, wherein securing the encryption key comprises securing the encryption key with a public key that corresponds to a remote trusted component running on a remote machine.

12. The computer-implemented method of claim 8, further comprising generating a cryptographic digest of a code package on a distributed file system and to use the cryptographic digest to verify a signature of the secured encryption key.

13. The computer-implemented method of claim 8, further comprising decrypting secured user keys using the encryption key to extract user keys and to use the user keys to decrypt secret code in the isolated memory region.

14. The computer-implemented method of claim 8, further comprising processing a communication primitive operative to invoke a function on untrusted code running outside of the isolated memory region or trusted code running inside the isolated memory region.

Classifications

  • Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification, H04L9/32)

  • Grid computing

  • H04L9/3247 (primary): involving digital signatures

  • between heterogeneous systems

  • Protecting access to data via a platform, e.g. using keys or access control rules

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification H04L9/3247. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 24, 2020 (B2). Legal status and post-grant events are not shown on this page.