PROTECTING COMMUNICATIONS WITH HARDWARE ACCELERATORS FOR INCREASED WORKFLOW SECURITY

US 20160373416A1
Filed: 06/17/2015
Published: 12/22/2016
Est. Priority Date: 06/17/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a general-purpose central processing unit;

a hardware accelerator to perform a subset of computing operations of the general-purpose central processing unit, wherein the hardware accelerator processes one or more of the subset of computing operations at a processing speed greater than the general-purpose central processing unit;

a network interface to receive a first encrypted communication and to transmit a second encrypted communication; and

one or more computer-readable storage medium comprising computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to;

decrypt the first encrypted communication into a first communication using a first cryptographic key that is stored within the hardware accelerator and which, among processes executing on the computing device and components of the computing device, is only accessible to the hardware accelerator;

perform, in accordance with the first communication, at least some of the subset of computing operations that the hardware accelerator is configured to perform;

generate a second communication responsive to the first communication; and

encrypt the second communication to generate the second encrypted communication using a second cryptographic key that is also stored within the hardware accelerator and which, among processes executing on the computing device and components of the computing device, is also only accessible to the hardware accelerator.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To protect customer data and provide increased workflow security for processing requested by a customer, a secure communicational channel can be established between a customer and one or more hardware accelerators such that even processes executing on a host computing device hosting such hardware accelerators are excluded from the secure communicational channel. An encrypted bitstream is provided to hardware accelerators and the hardware accelerators obtain therefrom cryptographic information supporting the secure communicational channel with the customer. Such cryptographic information is stored and used exclusively from within the hardware accelerator, rendering it inaccessible to processes executing on a host computing device. The cryptographic information can be a shared secret, an appropriate one of a pair of cryptographic keys, or other like cryptographic information. Similarly, the encrypted bitstream can comprise the cryptographic information, computer-executable instructions executable by the processing circuitry of the hardware accelerator to derive such cryptographic information, or combinations thereof.

40 Citations

View as Search Results

20 Claims

1. A computing device comprising:
- a general-purpose central processing unit;
  
  a hardware accelerator to perform a subset of computing operations of the general-purpose central processing unit, wherein the hardware accelerator processes one or more of the subset of computing operations at a processing speed greater than the general-purpose central processing unit;
  
  a network interface to receive a first encrypted communication and to transmit a second encrypted communication; and
  
  one or more computer-readable storage medium comprising computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to;
  
  decrypt the first encrypted communication into a first communication using a first cryptographic key that is stored within the hardware accelerator and which, among processes executing on the computing device and components of the computing device, is only accessible to the hardware accelerator;
  
  perform, in accordance with the first communication, at least some of the subset of computing operations that the hardware accelerator is configured to perform;
  
  generate a second communication responsive to the first communication; and
  
  encrypt the second communication to generate the second encrypted communication using a second cryptographic key that is also stored within the hardware accelerator and which, among processes executing on the computing device and components of the computing device, is also only accessible to the hardware accelerator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing device of claim 1, wherein the first communication comprises a bitstream, which, when loaded onto the hardware accelerator, configures the hardware accelerator to perform the at least some of the subset of computing operations in response to the first communication.
  - 3. The computing device of claim 2, wherein the performance of the at least some of the subset of computing operations for which the bitstream configured the hardware accelerator, generates, on the hardware accelerator, the second cryptographic key.
  - 4. The computing device of claim 1, wherein the first cryptographic key is a preinstalled cryptographic key installed onto the hardware accelerator when the hardware accelerator was manufactured.
  - 5. The computing device of claim 4, wherein the first cryptographic key is a private key corresponding to a public key that encrypted the first encrypted communication.
  - 6. The computing device of claim 1, wherein the second cryptographic key is a public key of a customer to whom the second encrypted communication is transmitted.
  - 7. The computing device of claim 1, wherein the second cryptographic key is derived from a shared secret cryptographic information that is shared with a customer to whom the second encrypted communication is transmitted.
  - 8. The computing device of claim 1, wherein the hardware accelerator is an FPGA device.
  - 9. The computing device of claim 1, wherein the one or more computer-readable storage medium comprise further computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to:
    - request a first set of encrypted data from a storage device that is communicationally coupled to the computing device; and
      
      decrypt, within the hardware accelerator, the first set of encrypted data utilizing a cryptographic key obtained from the first communication.
  - 10. The computing device of claim 1, wherein the one or more computer-readable storage medium comprise further computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to:
    - obtain a third cryptographic key associated with a second hardware accelerator;
      
      encrypt, within the hardware accelerator, using the third cryptographic key, a third communication comprising the second cryptographic key; and
      
      transmit the third encrypted communication to the second hardware accelerator.

11. A system comprising:
- a computing device comprising a general-purpose central processing unit;
  
  a first hardware accelerator to perform a subset of computing operations of the general-purpose central processing unit, wherein the first hardware accelerator processes one or more of the subset of computing operations at a processing speed greater than the general-purpose central processing unit;
  
  a second hardware accelerator of a same type as the first hardware accelerator;
  
  a first set of computer-readable storage media comprising computer-executable instructions, which, when executed by the first hardware accelerator, cause the first hardware accelerator to;
  
  maintain a first secure communication channel with a customer based on a first cryptographic information;
  
  obtain a second cryptographic information associated with the second hardware accelerator;
  
  generate a first encrypted communication by encrypting the first cryptographic information utilizing the second cryptographic information; and
  
  transmit the first encrypted communication to the second hardware accelerator; and
  
  a second set of computer-readable storage media comprising computer-executable instructions, which, when executed by the second hardware accelerator, cause the second hardware accelerator to;
  
  obtain the first cryptographic information by decrypting the first encrypted communication; and
  
  establish a second secure communication channel with the same customer based on the first cryptographic information.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the second cryptographic information is a public key of the second hardware accelerator;
    - and wherein further the decrypting of the first encrypted communication is performed by the second hardware accelerator with reference to a private key, associated with the public key, the private key being an initial, preinstalled cryptographic key installed onto the second hardware accelerator when the second hardware accelerator was manufactured.
  - 13. The system of claim 11, wherein the first cryptographic information is a shared secret cryptographic information that is shared between the customer and the first hardware accelerator and that is subsequently shared with the second hardware accelerator after the second hardware accelerator decrypts the first encrypted communication.
  - 14. The system of claim 11, wherein the first encrypted communication comprises a bitstream, which, when loaded onto the second hardware accelerator configures the second hardware accelerator to generate, on the second hardware accelerator, the first cryptographic information.
  - 15. The system of claim 11, wherein the computing device comprises one or more computer-readable storage medium comprising computer-executable instructions, which, when executed by the general-purpose central processing unit, cause the computing device to:
    - maintain at least a portion of a table comprising a correlation between the second hardware accelerator and the second cryptographic information.
  - 16. The system of claim 11, wherein the computing device comprises one or more computer-readable storage medium comprising computer-executable instructions, which, when executed by the general-purpose central processing unit, cause the computing device to:
    - determine that processing to be performed by the first hardware accelerator on behalf of the customer should, instead, be performed by the second hardware accelerator; and
      
      instructing the first hardware accelerator to provision the second hardware accelerator to be able to establish the second secure communication channel with the same customer.
  - 17. The system of claim 11, further comprising a storage device having stored thereon a first set of encrypted data;
    - wherein the first set of computer-readable storage media comprise further computer-executable instructions, which, when executed by the first hardware accelerator, cause the first hardware accelerator to;
      
      request the first set of encrypted data; and
      
      decrypt, within the first hardware accelerator, the first set of encrypted data utilizing the first cryptographic information.
  - 18. The system of claim 17, wherein the second set of computer-readable storage media comprise further computer-executable instructions, which, when executed by the second hardware accelerator, cause the second hardware accelerator to:
    - also request the first set of encrypted data; and
      
      also decrypt, within the second hardware accelerator, the first set of encrypted data utilizing the first cryptographic information provided by the first hardware accelerator.

19. A method of increasing workflow security in a data center, the method comprising:
- receiving, at a computing device of the data center, an encrypted communication from a customer of the data center;
  
  providing, to a hardware accelerator hosted by the computing device, the encrypted communication, the hardware accelerator comprising an FPGA device;
  
  decrypting, on the hardware accelerator, the encrypted communication using cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator, the cryptographic information having been provided by the customer;
  
  retrieving, by the computing device, on behalf of the hardware accelerator, encrypted data stored on a storage device that is communicationally coupled to the computing device, the retrieving being responsive to the decrypting;
  
  providing, to the hardware accelerator, the encrypted data; and
  
  decrypting, on the hardware accelerator, the encrypted data using the cryptographic information;
  
  wherein the workflow comprises communications to and from the customer and data comprising the encrypted data.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising:
    - providing, by the hardware accelerator, to another, different hardware accelerator, the cryptographic information by encrypting the cryptographic information utilizing a cryptographic key associated with the other, different hardware accelerator in a table maintained by another computing device of the data center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Burger, Douglas Christopher, Chung, Eric S., Eguro, Kenneth

Granted Patent

US 9,847,980 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/72   in cryptographic circuits

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0485   Networking architectures fo...

H04L 63/08   for authentication of entit...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3234   involving additional secure...

PROTECTING COMMUNICATIONS WITH HARDWARE ACCELERATORS FOR INCREASED WORKFLOW SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING COMMUNICATIONS WITH HARDWARE ACCELERATORS FOR INCREASED WORKFLOW SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links