Kaiser Permanente Medical Group
Kaiser Permanente Woodland Hills Medical Center Family Medicine 5601 De Soto Ave Bldg N Fl 3, Woodland Hills, CA 91367 (818) 719-2000 (phone), (818) 719-4270 (fax)
Education:
Medical School Creighton University School of Medicine Graduated: 2013
Languages:
English
Description:
Dr. Novak graduated from the Creighton University School of Medicine in 2013. He works in Woodland Hills, CA and specializes in Family Medicine. Dr. Novak is affiliated with Kaiser Permanente Woodland Hills Medical Center.
A password may be provided along with a validation code, which can help prevent the password from being sent to the wrong recipient. When a password is created, a validation code may be created based on (a) the password, and (b) the identity of the target of authentication (TA) to which the password is intended to be sent. When a user is requested to provide a password, a validation component intercepts the request and asks the user to enter both the password and the validation code. The validation component then re-calculates the validation code based on the entered password and on the TA that is requesting the password. If the re-calculated validation code matches the validation code entered by the user, then the password is released to the user agent that the user uses to communicate with the TA, and the user agent sends the password to the requesting TA.
Device Booting With An Initial Protection Component
Mark F. Novak - Newcastle WA, US Robert Karl Spiger - Seattle WA, US Stefan Thom - Snohomish WA, US David J. Linsley - Seattle WA, US Scott A. Field - Redmond WA, US Anil Francis Thomas - Redmond WA, US
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 11/30 G06F 12/14
US Classification:
713188
Abstract:
Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.
Trustworthy Device Claims For Enterprise Applications
Mark Novak - Newcastle WA, US Yair Tor - Shorashim, IL Eugene Neystadt - Kfar-Saba, IL Yoav Yassour - Zikhron Yaakov, IL Alexey Efron - Nesher, IL Amos Ortal - Kfar Yona, IL Daniel Alon - Tel Mond, IL Ran Didi - Haifa, IL
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 15/16
US Classification:
726 10, 726 8, 726 3, 709203
Abstract:
Embodiments of the invention enable a client device to procure trustworthy device claims describing one or more attributes of the client device, have those device claims included in a data structure having a format suitable for processing by an application, and use the data structure which includes the device claims in connection with a request to access the application. The application may use the device claims to drive any of numerous types of application functionality, such as security-related and/or other functionality.
Target-Based Access Check Independent Of Access Request
Mark F. Novak - Newcastle WA, US Karanbir Singh - Seattle WA, US David M. McPherson - Bothell WA, US Andrey Popov - Renton WA, US Ming Tang - Redmond WA, US
A context of a principal is built, at a target system controlling access to a resource, independently of the principal requesting access to the resource. An authorization policy is applied, at the target system, to the context to determine whether the principal is permitted to access the resource, and an indication of whether the principal is permitted to access the resource is provided (e.g., to an administrator). Modifications can be made to the context and the authorization re-applied to determine whether a principal having the modified context is permitted to access the resource.
Distributed Computer Systems With Time-Dependent Credentials
Mark Novak - Newcastle WA, US Paul J. Leach - Seattle WA, US Yi Zeng - Bothell WA, US Saurav Sinha - Kirkland WA, US K Michiko Short - Renton WA, US Gopinathan Kannan - Redmond WA, US
A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.
Mark F. Novak - Newcastle WA, US Daniel Kaminsky - Seattle WA, US
Assignee:
MICROSOFT CORPORATION - Redmond WA
International Classification:
H04L 9/32 G06F 21/00
US Classification:
726 10
Abstract:
Embodiments for performing service binding between a client and a target server are disclosed. In accordance with one embodiment, a clear text client service binding value is received from a client at the target server, the client service binding value is compared to a server service binding value, and a communication channel is formed between the client and the target server when the client service binding value matches the server service binding value.
Eugene (John) Neystadt - Kfar-Saba, IL Daniel Alon - Tel Mond, IL Yair Tor - Shorashim, IL Mark Novak - Newcastle WA, US Khaja E. Ahmed - Bellevue WA, US Yoav Yassour - Zikhron Yaakov, IL
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 7/04
US Classification:
726 9
Abstract:
Embodiments of the invention make the issuance of trustworthy device claims available to client devices as a service, so that a client device to which device claims are issued may use the device claims in relation to an attempt to access a network application. The service may conduct an assessment of the device's characteristics and/or state, characterize the results of this assessment in device claims, and issue the device claims to the device. The service may be accessible to a client device from outside administrative boundaries of an entity that makes a network application accessible, and thus may be useful to entities making network applications accessible in business-to-consumer (B2C) and business-to-business (B2B) topologies, such as over the publicly accessible Internet.
Mark Fishel Novak - Newcastle WA, US Paul J. Leach - Seattle WA, US Liqiang Zhu - Redmond WA, US Paul J. Miller - Redmond WA, US Alexandru Hanganu - Sammamish WA, US Yi Zeng - Bothell WA, US Jeremy Dominic Viegas - Redmond WA, US K. Michiko Short - Renton WA, US
Assignee:
MICROSOFT CORPORATION - Redmond WA
International Classification:
G06F 15/16
US Classification:
726 9
Abstract:
A client can communicate with a middle tier, which can then, in turn, communicate with a back end tier to access information and resources on behalf of the client within the context of a system that can scale well. Each individual back end can establish a policy that defines which computing device can delegate to that back end. That policy can be enforced by a domain controller within the same administrative domain as the particular back end. When a middle tier requests to delegate to a back end, the domain controller to which that request was directed can either apply the policy, or, if the domain controller is in a different domain than the targeted back end, it can direct the middle tier to a domain controller in a different domain and can sign relevant information that the middle tier can utilize when communicating with that different domain controller.
Travel Media Group - Vice President & General Manager (2009)
Education:
Jacksonville University - Business Management
About:
I am the Vice President and General Manager for the Travel Media Group, a division of Dominion Enterprises. I have been with the Travel Media Group since July 2009. Prior to joining this division, I s...