Secure transfer of a data object between user devices

US 10,462,109 B2
Filed: 09/23/2016
Issued: 10/29/2019
Est. Priority Date: 06/12/2016
Status: Active Grant

First Claim

Patent Images

1. A method for transferring a data object from a source device to a destination device, the method comprising:

publishing, by the destination device, a request for the data object on a local network, the request including a randomly generated request identifier;

sending, by the destination device, via a first communication channel that requires participation of at least one system remote from the local network, a message requesting the data object and including the randomly generated request identifier to one or more other devices, the one or more other devices including the source device;

establishing, by the destination device, a second communication channel with the source device via the local network, the source device and the destination device both being registered devices; and

while the second communication channel persists;

exchanging with the source device, by the destination device, a first public key of the destination device and a second public key of the source device via the first communication channel, the exchanging comprising;

receiving, by the destination device via the first communication channel, a key request message from the source device, the key request message including the second public key of the source device; and

sending, by the destination device via the first communication channel, a key response message to the source device, the key response message including the first public key of the destination device;

establishing, by the destination device, via the second communication channel, a secure session for exchanging data with the source device, wherein the secure session is established using the first public key and the second public key and wherein establishing the secure session includes generating a session key;

receiving, by the destination device, via the secure session, an encrypted version of the data object from the source device; and

decrypting, by the destination device, the received data object using the session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data transfer process can include multiple verification features usable by a “source” device to ensure that a “destination” device is authorized to receive a requested data object. The source device and destination device can communicate via a first communication channel (which can be on a wide-area network) to exchange public keys, then use the public keys to verify their identities and establish a secure session on a second communication channel (which can be a local channel). The data object can be transferred via the secure session. Prior to sending the data object, the source device can perform secondary verification operations (in addition to the key exchange) to confirm the identity of the second device and/or the locality of the connection on the second communication channel.

Citations

19 Claims

1. A method for transferring a data object from a source device to a destination device, the method comprising:
- publishing, by the destination device, a request for the data object on a local network, the request including a randomly generated request identifier;
  
  sending, by the destination device, via a first communication channel that requires participation of at least one system remote from the local network, a message requesting the data object and including the randomly generated request identifier to one or more other devices, the one or more other devices including the source device;
  
  establishing, by the destination device, a second communication channel with the source device via the local network, the source device and the destination device both being registered devices; and
  
  while the second communication channel persists;
  
  exchanging with the source device, by the destination device, a first public key of the destination device and a second public key of the source device via the first communication channel, the exchanging comprising;
  
  receiving, by the destination device via the first communication channel, a key request message from the source device, the key request message including the second public key of the source device; and
  
  sending, by the destination device via the first communication channel, a key response message to the source device, the key response message including the first public key of the destination device;
  
  establishing, by the destination device, via the second communication channel, a secure session for exchanging data with the source device, wherein the secure session is established using the first public key and the second public key and wherein establishing the secure session includes generating a session key;
  
  receiving, by the destination device, via the secure session, an encrypted version of the data object from the source device; and
  
  decrypting, by the destination device, the received data object using the session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the data object corresponds to a key usable to decrypt an encrypted data bundle, wherein the encrypted data bundle is synchronized at a cloud-based service between the source device and the destination device.
  - 3. The method of claim 2, wherein the cloud-based service also provides the first communication channel.
  - 4. The method of claim 1, wherein the first communication channel provides authenticated communication between registered devices via a wide-area network.
  - 5. The method of claim 1, wherein the local network comprises a Wi-Fi network.
  - 6. The method of claim 1, wherein the local network comprises a Bluetooth communication channel.
  - 7. The method of claim 1, further comprising:
    - generating, by the destination device, a temporary public/private cryptographic key pair,wherein the first public key is the public key of the temporary public/private cryptographic key pair.

8. An electronic device, comprising:
- a storage device;
  
  a network interface to communicate via one or more networks including at least a local network; and
  
  one or more processors coupled to the network interface and the storage device, the one or more processors being configured to;
  
  publish a request for the data object on the local network, the request including a randomly generated request identifier;
  
  send, via a first communication channel that requires participation of at least one system remote from the local network, a message requesting the data object and including the randomly generated request identifier to one or more other devices, the one or more other devices including a source device;
  
  establish a second communication channel with the source device via the local network, the source device and the destination device both being registered devices; and
  
  while the second communication channel persists;
  
  exchange with the source device a first public key of the destination device and a second public key of the source device via the first communication channel, the exchanging comprising;
  
  receiving, by the destination device via the first communication channel, a key request message from the source device, the key request message including the second public key of the source device; and
  
  sending, by the destination device via the first communication channel, a key response message to the source device, the key response message including the first public key of the destination device;
  
  establish, via the second communication channel, a secure session for exchanging data with the source device, wherein the secure session is established using the first public key and the second public key and wherein establishing the secure session comprises generating a session key;
  
  receive, via the secure session, an encrypted version of the data object from the source device; and
  
  decrypt the received data object using the session key.
- View Dependent Claims (9, 10, 11)
- - 9. The electronic device of claim 8, wherein the data object corresponds to a key usable to decrypt an encrypted data bundle, wherein the encrypted data bundle is synchronized at a cloud-based service between the source device and the destination device.
  - 10. The electronic device of claim 8, wherein the first communication channel provides authenticated communication between registered devices via a wide-area network.
  - 11. The electronic device of claim 8, wherein the one or more processors are further configured to generate a temporary public/private cryptographic key pair, wherein the first public key is the public key of the temporary public/private cryptographic key pair.

12. A non-transitory computer-readable storage medium having stored thereon program instructions that, when executed by one or more processors of a source device, cause the source device to perform operations comprising:
- receiving via a first communication channel, a message from the destination device requesting the data object, wherein the message from the destination device includes a request identifier;
  
  thereafterdetecting, on a local network, a published request from the destination device requesting the data object, wherein the published request includes the request identifier and wherein the local network is such that the first communication channel requires participation of at least one system remote from the local networkestablishing a second communication channel with the destination device via the local network, the source device and the destination device both being registered devices; and
  
  while the second communication channel persists;
  
  exchanging, with the destination device, a first public key of the destination device and a second public key of the source device via the first communication channel, the exchanging comprising;
  
  receiving, by the destination device via the first communication channel, a key request message from the source device, the key request message including the second public key of the source device; and
  
  sending, by the destination device via the first communication channel, a key response message to the source device, the key response message including the first public key of the destination device;
  
  establishing, via the second communication channel, a secure session for exchanging data with the destination device, wherein the secure session is established using the first public key and the second public key and wherein establishing the secure session includes generating a session key; and
  
  sending, via the secure session, an encrypted version of the data object to the destination device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The non-transitory computer-readable storage medium of claim 12, further comprising performing a secondary test to verify the authenticity of the destination device while the second communication channel persists and prior to exchanging the first and second public keys.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein performing the secondary test includes communicating with a third device, other than the destination device, that is expected to be present when the source device is connected to the local network.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the third device is an accessory that is controllable by the source device.
  - 16. The non-transitory computer-readable storage medium of claim 12, wherein the data object corresponds to a key usable to decrypt an encrypted data bundle, wherein the encrypted data bundle is synchronized at a cloud-based service between the source device and the destination device.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the cloud-based service also provides the first communication channel.
  - 18. The non-transitory computer-readable storage medium of claim 12, wherein the first communication channel provides authenticated communication between registered devices via a wide-area network.
  - 19. The non-transitory computer-readable storage medium of claim 12, wherein the local network comprises a Wi-Fi network or a Bluetooth communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Mathias, Arun G., Dilligan, Thomas A., Lucas, Matthew C., Nadathur, Anush G., McLaughlin, Kevin P.
Primary Examiner(s)
Kabir, Jahangir

Application Number

US15/274,388
Publication Number

US 20170359314A1
Time in Patent Office

1,131 Days
Field of Search

713168
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/083   using passwords cryptograph...

H04L 63/18   using different networks or...

H04L 67/06   specially adapted for file ...

H04L 67/10   in which an application is ...

H04L 67/1095   Replication or mirroring of...

H04L 9/0827   involving distinctive inter...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/12   Transmitting and receiving ...

H04L 9/3215   using a plurality of channe...

Secure transfer of a data object between user devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure transfer of a data object between user devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links