-
Publication No.: US10176330B2
Publication date: 2019-01-08
Application No.: US15923959
Filing date: 2018-03-16
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Stefan Thom, Ronald Aigner
Abstract: The use of one or more device health values to indicate the health status of a computing device may enable operating system developers to directly manage the security configuration of the computing device. For instance, a device health value is generated based on a state of the hardware component and/or a state of a software stack that includes the operating system at boot up. The device health value may be compared to a reference health value to determine whether the computing device is in a secured state. Based on the device health value not matching the reference health value, it is determined that the computing device is operating in an unexpected state. Also, a recovery environment may be implemented on the computing device in order to fix any errors with the computing device.
-
Publication No.: US20180006815A1
Publication date: 2018-01-04
Application No.: US15199650
Filing date: 2016-06-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Robert D. Young, Jonathan Bret Barkelew, Ronald Aigner, Alain L. Michaud, Jeremiah J. Cox
IPC: H04L9/08
CPC classification number: H04L9/0894, G06F21/575, H04L9/0819, H04L9/0891, H04L9/0897
Abstract: A device includes a reset resistant store and a trusted key service. The reset resistant store maintains data across various different device reset or data invalidation operations. The trusted key service maintains, for each of one or more operating systems that run on the device from a boot configuration, an encrypted key associated with the boot configuration. The device also has a master key that is specific to the device. Each of the keys associated with a boot configuration is encrypted using the master key. When booting the device, the boot configuration being run on the device is identified, and the key associated with that boot configuration is obtained (e.g., from the reset resistant store or the encrypted key vault). The master key is used to decrypt the obtained key, and the obtained key is used to decrypt secrets associated with the operating system run from the boot configuration.
-
Publication No.: US09735968B2
Publication date: 2017-08-15
Application No.: US14519010
Filing date: 2014-10-20
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stefan Thom, Ronald Aigner, Dennis J. Mattoon, Stuart H. Schaefer, Merzin Kapadia, Robert Karl Spiger, David R. Wooten, Paul England
CPC classification number: H04L9/3247, G06F21/53, G06F21/629, G06F21/72, G06F2221/034, H04L63/0428, H04L63/0876, H04L63/102
Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.
-
Publication No.: US20170124334A1
Publication date: 2017-05-04
Application No.: US15408005
Filing date: 2017-01-17
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stefan Thom, Ronald Aigner
IPC: G06F21/57
CPC classification number: G06F21/577, G06F21/121, G06F21/57, G06F21/575, G06F21/62, G06F2221/034, H04L63/145
Abstract: The use of one or more device health values to indicate the health status of a computing device may enable operating system developers to directly manage the security configuration of the computing device. For instance, a device health value is generated based on a state of the hardware component and/or a state of a software stack that includes the operating system at boot up. The device health value may be compared to a reference health value to determine whether the computing device is in a secured state. Based on the device health value not matching the reference health value, it is determined that the computing device is operating in an unexpected state. Also, a recovery environment may be implemented on the computing device in order to fix any errors with the computing device.
-
Publication No.: US12111893B2
Publication date: 2024-10-08
Application No.: US18170584
Filing date: 2023-02-17
Applicant: Microsoft Technology Licensing, LLC
Inventor: Ronald Aigner, Balaji Balasubramanyan
CPC classification number: G06F21/123, G06F16/212, G06F21/554, H04L9/3234, H04L9/3236, H04L9/3247, G06F2221/033, G06Q2220/18
Abstract: Methods for protecting software licensing information via a trusted platform module (TPM) are performed by systems and devices. When a licensing server is unreachable, a license is generated for a software application by a licensing manager. The license is generated via a secure register of the TPM using an asymmetric key, specific to the software application and policy-tied to the secure register, to generate a signature of a hashed license file for the software application. The asymmetric key is stored, mapped to the license file, and used for subsequent license validation. A licensing manager validation command is provided to validate the license using the key, as applied to the hash, to verify the signature and checking validity of the time stamp. Time stamp expiration or alteration of the license are determined to provoke invalidation indications for the validating application.
-
Publication No.: US10313121B2
Publication date: 2019-06-04
Application No.: US15199650
Filing date: 2016-06-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Robert D. Young, Jonathan Bret Barkelew, Ronald Aigner, Alain L. Michaud, Jeremiah J. Cox
Abstract: A device includes a reset resistant store and a trusted key service. The reset resistant store maintains data across various different device reset or data invalidation operations. The trusted key service maintains, for each of one or more operating systems that run on the device from a boot configuration, an encrypted key associated with the boot configuration. The device also has a master key that is specific to the device. Each of the keys associated with a boot configuration is encrypted using the master key. When booting the device, the boot configuration being run on the device is identified, and the key associated with that boot configuration is obtained (e.g., from the reset resistant store or the encrypted key vault). The master key is used to decrypt the obtained key, and the obtained key is used to decrypt secrets associated with the operating system run from the boot configuration.
-
Publication No.: US10284375B2
Publication date: 2019-05-07
Application No.: US15654126
Filing date: 2017-07-19
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stefan Thom, Ronald Aigner, Dennis J. Mattoon, Stuart H. Schaefer, Merzin Kapadia, Robert Karl Spiger, David R. Wooten, Paul England
Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.
-
Publication No.: US10212156B2
Publication date: 2019-02-19
Application No.: US15658072
Filing date: 2017-07-24
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stefan Thom, Ronald Aigner, Merzin Kapadia, Stuart H. Schaefer, Robert Karl Spiger
Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.
-
Publication No.: US20180131523A1
Publication date: 2018-05-10
Application No.: US15654126
Filing date: 2017-07-19
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stefan Thom, Ronald Aigner, Dennis J. Mattoon, Stuart H. Schaefer, Merzin Kapadia, Robert Karl Spiger, David R. Wooten, Paul England
CPC classification number: H04L9/3247, G06F21/53, G06F21/629, G06F21/72, G06F2221/034, H04L63/0428, H04L63/0876, H04L63/102
Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.
-
Publication No.: US09742762B2
Publication date: 2017-08-22
Application No.: US14557197
Filing date: 2014-12-01
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stefan Thom, Ronald Aigner, Merzin Kapadia, Stuart H. Schaefer, Robert Karl Spiger
CPC classification number: H04L63/0853, G06F21/57, G06F21/645, H04L9/0897, H04L63/0823, H04L2209/76
Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.