Protecting communications with hardware accelerators for increased workflow security

US 9,847,980 B2
Filed: 06/17/2015
Issued: 12/19/2017
Est. Priority Date: 06/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method of increasing workflow security in a data center, the method comprising:

receiving, at a computing device of the data center, an encrypted communication from a customer of the data center;

providing, to a hardware accelerator hosted by the computing device, the encrypted communication, the hardware accelerator comprising a Field Programmable Gate Array (FPGA) device;

decrypting, on the hardware accelerator, the encrypted communication using cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator, the cryptographic information having been provided by the customer;

retrieving, by the computing device, on behalf of the hardware accelerator, encrypted data stored on a storage device that is communicationally coupled to the computing device, the retrieving being responsive to the decrypting;

providing, to the hardware accelerator, the encrypted data; and

decrypting, on the hardware accelerator, the encrypted data using the cryptographic information;

wherein the workflow security comprises communications to and from the customer and data comprising the encrypted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To protect customer data and provide increased workflow security for processing requested by a customer, a secure communicational channel can be established between a customer and one or more hardware accelerators such that even processes executing on a host computing device hosting such hardware accelerators are excluded from the secure communicational channel. An encrypted bitstream is provided to hardware accelerators and the hardware accelerators obtain therefrom cryptographic information supporting the secure communicational channel with the customer. Such cryptographic information is stored and used exclusively from within the hardware accelerator, rendering it inaccessible to processes executing on a host computing device. The cryptographic information can be a shared secret, an appropriate one of a pair of cryptographic keys, or other like cryptographic information. Similarly, the encrypted bitstream can comprise the cryptographic information, computer-executable instructions executable by the processing circuitry of the hardware accelerator to derive such cryptographic information, or combinations thereof.

32 Citations

View as Search Results

20 Claims

1. A method of increasing workflow security in a data center, the method comprising:
- receiving, at a computing device of the data center, an encrypted communication from a customer of the data center;
  
  providing, to a hardware accelerator hosted by the computing device, the encrypted communication, the hardware accelerator comprising a Field Programmable Gate Array (FPGA) device;
  
  decrypting, on the hardware accelerator, the encrypted communication using cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator, the cryptographic information having been provided by the customer;
  
  retrieving, by the computing device, on behalf of the hardware accelerator, encrypted data stored on a storage device that is communicationally coupled to the computing device, the retrieving being responsive to the decrypting;
  
  providing, to the hardware accelerator, the encrypted data; and
  
  decrypting, on the hardware accelerator, the encrypted data using the cryptographic information;
  
  wherein the workflow security comprises communications to and from the customer and data comprising the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - providing, by the hardware accelerator, to another, different hardware accelerator, the cryptographic information by encrypting the cryptographic information utilizing a cryptographic key associated with the other, different hardware accelerator in a table maintained by another computing device of the data center.
  - 3. The method of claim 2, further comprising:
    - determining that processing to be performed by the hardware accelerator on behalf of the customer should, instead, be performed by the other, different hardware accelerator; and
      
      instructing the hardware accelerator to provision the other, different hardware accelerator to be able to establish a second, independent workflow with the same customer.
  - 4. The method of claim 2, further comprising:
    - retrieving, by the computing device, on behalf of the other, different hardware accelerator, the same encrypted data stored on the storage device that is communicationally coupled to the computing device;
      
      providing, to the other, different hardware accelerator, the same encrypted data; and
      
      decrypting, on the other, different hardware accelerator, the encrypted data using the cryptographic information provided by the hardware accelerator.
  - 5. The method of claim 1, further comprising:
    - receiving, at the computing device, a first encrypted communication from the customer;
      
      providing, to the hardware accelerator, the first encrypted communication;
      
      decrypting, on the hardware accelerator, the first encrypted communication into a first customer communication using a first cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator;
      
      wherein the cryptographic information provided by the customer is provided, at least in part, by the decrypting, on the hardware accelerator, of the first encrypted communication into the first customer communication.
  - 6. The method of claim 5, wherein the first customer communication comprises a bitstream, which, when loaded onto the hardware accelerator, configures the hardware accelerator to perform at least some of the workflow.
  - 7. The method of claim 5, wherein the first customer communication comprises a bitstream, which, when loaded onto the hardware accelerator, generates, on the hardware accelerator, the cryptographic information provided by the customer.
  - 8. The method of claim 5, wherein the first cryptographic information, that is used to decrypt the first encrypted communication, is a preinstalled cryptographic key that was installed onto the hardware accelerator when the hardware accelerator was manufactured.
  - 9. The method of claim 8, wherein the first cryptographic key is a private key of the hardware accelerator;
    - and wherein further a public key of the hardware accelerator, corresponding to the private key of the hardware accelerator, was used to encrypt the first encrypted communication.
  - 10. The method of claim 1, wherein the cryptographic information provided by the customer is a public key of the customer.
  - 11. The method of claim 1, wherein the cryptographic information provided by the customer is derived from a shared secret cryptographic information that is shared with the customer.

12. A computing device providing increased workflow security in a data center, the computing device comprising:
- a general-purpose central processing unit;
  
  a hardware accelerator comprising a Field Programmable Gate Array (FPGA) device;
  
  a network interface;
  
  a first set of one or more computer-readable storage media comprising computer-executable instructions, which, when executed by the general-purpose central processing unit, cause the computing device to;
  
  receive an encrypted communication from a customer of the data center;
  
  provide, to the hardware accelerator, the encrypted communication;
  
  retrieve, on behalf of the hardware accelerator, encrypted data stored on a storage device that is communicationally coupled to the computing device; and
  
  provide, to the hardware accelerator, the encrypted data; and
  
  a second set of one or more computer-readable storage media comprising computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to;
  
  decrypt the encrypted communication using cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator, the cryptographic information having been provided by the customer, wherein the retrieving performed by the computing device is performed responsive to the decrypting; and
  
  decrypt the encrypted data using the cryptographic information;
  
  wherein the workflow security comprises communications to and from the customer and data comprising the encrypted data.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computing device of claim 12, wherein the second set of one or more computer-readable storage media comprise further computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to:
    - provide, to another, different hardware accelerator, the cryptographic information by encrypting the cryptographic information utilizing a cryptographic key associated with the other, different hardware accelerator in a table maintained by another computing device of the data center.
  - 14. The computing device of claim 13, wherein the first set of one or more computer-readable storage media comprise further computer-executable instructions, which, when executed by the general-purpose central processing unit, cause the computing device to:
    - determine that processing to be performed by the hardware accelerator on behalf of the customer should, instead, be performed by the other, different hardware accelerator; and
      
      instruct the hardware accelerator to provision the other, different hardware accelerator to be able to establish a second, independent workflow with the same customer.
  - 15. The computing device of claim 13,wherein the first set of one or more computer-readable storage media comprise further computer-executable instructions, which, when executed by the general-purpose central processing unit, cause the computing device to:
    - receive a first encrypted communication from the customer; and
      
      provide, to the hardware accelerator, the first encrypted communication;
      
      wherein further the second set of one or more computer-readable storage media comprise further computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to;
      
      decrypt, on the hardware accelerator, the first encrypted communication into a first customer communication using a first cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator; and
      
      wherein still further the cryptographic information provided by the customer is provided, at least in part, by the decrypting, on the hardware accelerator, of the first encrypted communication into the first customer communication.
  - 16. The computing device of claim 15, wherein the first customer communication comprises a bitstream, which, when loaded onto the hardware accelerator, configures the hardware accelerator to perform at least some of the workflow.
  - 17. The computing device of claim 15, wherein the first customer communication comprises a bitstream, which, when loaded onto the hardware accelerator, generates, on the hardware accelerator, the cryptographic information provided by the customer.
  - 18. The computing device of claim 15, wherein the first cryptographic information, that is used to decrypt the first encrypted communication, is a preinstalled cryptographic key that was installed onto the hardware accelerator when the hardware accelerator was manufactured.
  - 19. The computing device of claim 15, wherein the cryptographic information provided by the customer is derived from a shared secret cryptographic information that is shared with the customer.

20. A system providing increased workflow security in a data center, the system comprising:
- a computer device of the data center configured to perform steps comprising;
  
  receiving an encrypted communication from a customer of the data center;
  
  providing, to a hardware accelerator, the encrypted communication;
  
  retrieving, on behalf of the hardware accelerator, encrypted data stored on a storage device that is communicationally coupled to the computing device; and
  
  providing, to the hardware accelerator, the encrypted data; and
  
  the hardware accelerator comprising a Field Programmable Gate Array (FPGA) device, the hardware accelerator configured to perform steps comprising;
  
  decrypting the encrypted communication using cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator, the cryptographic information having been provided by the customer, wherein the retrieving performed by the computing device is performed responsive to the decrypting; and
  
  decrypting the encrypted data using the cryptographic information;
  
  wherein the workflow security comprises communications to and from the customer and data comprising the encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Burger, Douglas Christopher, Chung, Eric S., Eguro, Kenneth
Primary Examiner(s)
DE JESUS LASSALA, CARLOS MANUEL

Application Number

US14/742,702
Publication Number

US 20160373416A1
Time in Patent Office

916 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/72   in cryptographic circuits

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0485   Networking architectures fo...

H04L 63/08   for authentication of entit...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3234   involving additional secure...

Protecting communications with hardware accelerators for increased workflow security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting communications with hardware accelerators for increased workflow security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links