Device-based PIN authentication process to protect encrypted data

US 10,469,469 B1
Filed: 03/27/2017
Issued: 11/05/2019
Est. Priority Date: 12/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securely storing encrypted data on a computing device that includes a microprocessor and memory, the method comprising:

receiving a data encryption key derived from a password, wherein the data encryption key is used to encrypt data on the computing device;

encrypting the data encryption key using a first encryption key;

storing the encrypted data encryption key on the computing device;

encrypting the first encryption key using a second encryption key, wherein the second encryption key is derived from a user-supplied value entered on the computing device, and wherein the user-supplied value is different from the password; and

sending the encrypted first encryption key to a remote server.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for providing a device-based PIN authentication process used to protect encrypted data stored on a computing system, such as a tablet or mobile device. A client component and a server component each store distinct cryptographic keys needed to access encrypted data on the client. The mobile device stores a vault encryption key used to decrypt encrypted sensitive data stored on the mobile device. The vault key is encrypted using a first encryption key and stored on the mobile device. The first encryption key is itself encrypted using a second encryption key. The second encryption key is derived from the PIN value.

Citations

20 Claims

1. A computer-implemented method for securely storing encrypted data on a computing device that includes a microprocessor and memory, the method comprising:
- receiving a data encryption key derived from a password, wherein the data encryption key is used to encrypt data on the computing device;
  
  encrypting the data encryption key using a first encryption key;
  
  storing the encrypted data encryption key on the computing device;
  
  encrypting the first encryption key using a second encryption key, wherein the second encryption key is derived from a user-supplied value entered on the computing device, and wherein the user-supplied value is different from the password; and
  
  sending the encrypted first encryption key to a remote server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - generating, from the user supplied value, a lookup key;
      
      generating a device key; and
      
      sending the lookup key and the device key to the remote server, wherein remote server uses the device key and the lookup key as an index to the encrypted first encryption key stored on the server.
  - 3. The method of claim 2, wherein the second encryption key is derived from the user supplied value and a salt input to a password key based derivation function.
  - 4. The method of claim 2, further comprising:
    - in response to a request to access encrypted data stored on the computing device;
      
      regenerating, using the user-supplied value, the lookup key and the second encryption key;
      
      sending the regenerated lookup key and the device key to the remote server;
      
      in response, receiving the encrypted first encryption key from the remote server;
      
      decrypting, using regenerated second encryption key, the encrypted first encryption key received from the remote server to recover the first encryption key; and
      
      decrypting, using recovered first encryption key, the encrypted data encryption key stored on the client device.
  - 5. The method of claim 4, wherein the second encryption key is derived from the user supplied value and a 256 byte salt input to a password key based derivation function, and wherein the 256 byte salt is rotated following each request to access the encrypted data on the computing device.
  - 6. The method of claim 1, wherein the user-supplied value is a PIN value.
  - 7. The method of claim 1, wherein the computing device is a mobile computing device.

8. A non-transitory computer-readable storage medium storing instructions, which, when executed on a microprocessor, performs an operation for securely storing encrypted data on a computing device that includes memory and the microprocessor, the operation comprising:
- receiving a data encryption key derived from a password, wherein the data encryption key is used to encrypt data on the computing device;
  
  encrypting the data encryption key using a first encryption key;
  
  storing the encrypted data encryption key on the computing device;
  
  encrypting the first encryption key using a second encryption key, wherein the second encryption key is derived from a user-supplied value entered on the computing device, and wherein the user-supplied value is different from the password; and
  
  sending the encrypted first encryption key to a remote server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein the operation further comprises:
    - generating, from the user supplied value, a lookup key;
      
      generating a device key; and
      
      sending the lookup key and the device key to the remote server, wherein remote server uses the device key and the lookup key as an index to the encrypted first encryption key stored on the server.
  - 10. The computer-readable storage medium of claim 9, wherein the second encryption key is derived from the user supplied value and a salt input to a password key based derivation function.
  - 11. The computer-readable storage medium of claim 9, wherein the operation further comprises:
    - in response to a request to access encrypted data stored on the computing device;
      
      regenerating, using the user-supplied value, the lookup key and the second encryption key;
      
      sending the regenerated lookup key and the device key to the remote server;
      
      in response, receiving the encrypted first encryption key from the remote server;
      
      decrypting, using regenerated second encryption key, the encrypted first encryption key received from the remote server to recover the first encryption key; and
      
      decrypting, using recovered first encryption key, the encrypted data encryption key stored on the client device.
  - 12. The computer-readable storage medium of claim 11, wherein the second encryption key is derived from the user supplied value and a 256 byte salt input to a password key based derivation function, and wherein the 256 byte salt is rotated following each request to access the encrypted data on the computing device.
  - 13. The computer-readable storage medium of claim 8, wherein the user-supplied value is a PIN value.
  - 14. The computer-readable storage medium of claim 8, wherein the computing device is a mobile computing device.

15. A computing device, comprising:
- a microprocessor and a memory hosting an application, which, when executed on the microprocessor, performs an operation for securely storing encrypted data on the computing device, the operation comprising;
  
  receiving a data encryption key derived from a password, wherein the data encryption key is used to encrypt data on the computing device, encrypting the data encryption key using a first encryption key, storing the encrypted data encryption key on the computing device, encrypting the first encryption key using a second encryption key, wherein the second encryption key is derived from a user-supplied value entered on the computing device and the user-supplied value is different from the password, and sending the encrypted first encryption key to a remote server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing device of claim 15, wherein the operation further comprises:
    - generating, from the user supplied value, a lookup key;
      
      generating a device key; and
      
      sending the lookup key and the device key to the remote server, wherein remote server uses the device key and the lookup key as an index to the encrypted first encryption key stored on the server.
  - 17. The computing device of claim 16, wherein the second encryption key is derived from the user supplied value and a salt input to a password key based derivation function.
  - 18. The computing device of claim 16, wherein the operation further comprises:
    - in response to a request to access encrypted data stored on the computing device;
      
      regenerating, using the user-supplied value, the lookup key and the second encryption key;
      
      sending the regenerated lookup key and the device key to the remote server;
      
      in response, receiving the encrypted first encryption key from the remote server;
      
      decrypting, using regenerated second encryption key, the encrypted first encryption key received from the remote server to recover the first encryption key; and
      
      decrypting, using recovered first encryption key, the encrypted data encryption key stored on the client device.
  - 19. The computing device of claim 18, wherein the second encryption key is derived from the user supplied value and a 256 byte salt input to a password key based derivation function, and wherein the 256 byte salt is rotated following each request to access the encrypted data on the computing device.
  - 20. The computing device of claim 15, wherein the user-supplied value is a PIN value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Cooley, Shaun, Powell, Brian, Chillappa, Srinivas, Lo, Michael W., Kamsala, Mahesh
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US15/470,707
Time in Patent Office

953 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

Device-based PIN authentication process to protect encrypted data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Device-based PIN authentication process to protect encrypted data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links