Balancing public and personal security needs

US 10,498,712 B2
Filed: 11/10/2016
Issued: 12/03/2019
Est. Priority Date: 11/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computing device operated by a user of the computing device, said computing device comprising:

a first partition accessible by the user in which only applications authorized by a digital signature verification using an application verification key and performed on the computing device can execute, wherein digital signatures verified by the application verification key are not generated on the computing device;

a second partition in which applications can execute without the authorization required for applications to execute in the first partition, wherein applications that execute in the second partition are accessible by an authorized external access entity and by the user, wherein the authorized external access entity is not the user and is not a module executing on the computing device;

coupled to the first and second partitions and executing on the computing device, a set of protection modules configured to protect data used by applications authorized to execute in the first partition and to prevent even the authorized external access entity from accessing protected data used by applications authorized to execute in the first partition, wherein protected data resides in device resources and a disk drive; and

coupled to the second partition, an access control module having access to an access verification key, wherein;

digitally signed requests to access the second partition are verified by the access control module using the access verification key; and

digital signatures verified using the access verification key are not generated on the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods for balancing public and personal security needs in a computing device (1). In an apparatus embodiment, the device (1) has two partitions: a first partition (310) in which only applications (312) authorized by a protected application approval entity can execute; and a second partition (205, 210) in which applications that execute are accessible by an authorized external access entity (500). Coupled to the partitions (310, 205, 210) are protection modules (215, 250, 290) configured to protect data used by applications (312) authorized to execute in the first partition (310), and to prevent even authorized external access entities (500) from accessing protected data used by applications (312) authorized to execute in the first partition (310).

Citations

11 Claims

1. A computing device operated by a user of the computing device, said computing device comprising:
- a first partition accessible by the user in which only applications authorized by a digital signature verification using an application verification key and performed on the computing device can execute, wherein digital signatures verified by the application verification key are not generated on the computing device;
  
  a second partition in which applications can execute without the authorization required for applications to execute in the first partition, wherein applications that execute in the second partition are accessible by an authorized external access entity and by the user, wherein the authorized external access entity is not the user and is not a module executing on the computing device;
  
  coupled to the first and second partitions and executing on the computing device, a set of protection modules configured to protect data used by applications authorized to execute in the first partition and to prevent even the authorized external access entity from accessing protected data used by applications authorized to execute in the first partition, wherein protected data resides in device resources and a disk drive; and
  
  coupled to the second partition, an access control module having access to an access verification key, wherein;
  
  digitally signed requests to access the second partition are verified by the access control module using the access verification key; and
  
  digital signatures verified using the access verification key are not generated on the computing device.
- View Dependent Claims (2, 3, 4)
- - 2. The computing device of claim 1, further comprising an output module associated with the access control module, said output module configured to output a record of authorized external access to the second partition, wherein a record stored in the output module cannot be modified or deleted by the authorized external access entity.
  - 3. The computing device of claim 2, wherein the output module is configured to enforce a delay in the output of a record of authorized external access.
  - 4. The computing device of claim 1, further comprising an access control module coupled to the second partition, said access control module configured to verify that an external access entity is authorized to access the second partition, and further configured so that the user cannot modify the access control module to keep an authorized external access entity from being verified.

5. A method for allowing authorized access to certain partitions of a computing device operated by a user of the computing device while protecting other partitions of the computing device, said method comprising the steps of:
- an application authorization module validating approval for any applications executing in, and for protecting data in, a first partition of the computing device accessible by the user, wherein the application authorization module is not the user;
  
  verifying authorization to an external access entity to enable the authorized external access entity to access a second partition of the computing device, wherein the authorized external access entity is not the user and is not a module executing on the computing device, the user can also access the second partition, and applications can execute in the second partition without approval from the application authorization module;
  
  enabling said authorized external access entity to access data of applications executing in the second partition; and
  
  preventing even the authorized external access entity from accessing protected data used by applications executing in the first partition;
  
  wherein;
  
  approval to execute an application in the first partition is performed by validating a digital signature, using an application verification key stored in said computing device; and
  
  digital signatures verified using the application verification key are not generated on the computing device.
- View Dependent Claims (6, 7)
- - 6. Method of claim 5, where the authorization granted to the external access entity is performed by validating a digital signature, using an access verification key stored in said computing device, wherein the digital signature verified using the access verification key is not generated on the computing device.
  - 7. Method of claim 6, wherein the user cannot modify the verification process of an authorized external access entity in order to keep an authorized external access entity from accessing the second partition.

8. A computing device comprising:
- a public cryptographic key;
  
  an unlocking component comprising two modules for unlocking the device;
  
  a primary unlock module, and an authorized external unlock module in which the authorized external unlock module confirms a cryptographic verification with the public cryptographic key before authorizing an external unlock;
  
  a first partition in which only applications authorized by a cryptographic verification performed on the computing device can execute and store protected data, wherein applications are accessible after unlocking through the primary unlock module;
  
  a second partition in which applications can execute without the authorization required by the first partition, wherein applications are accessible after unlocking through either the primary unlock module or the authorized external unlock module;
  
  coupled to the first and second partitions, a resource protection module configured to prevent access to protected data of applications authorized to execute in the first partition conditioned upon the device having been unlocked using the authorized external unlock module, wherein protected data resides in device resources and a disk drive.
- View Dependent Claims (9)
- - 9. The computing device of claim 8, further comprising, coupled to said first partition, an application authorization module having access to an application verification key, wherein said application authorization module is configured to verify a digitally signed request to execute an application in the first partition using the application verification key.

10. A method for allowing authorized access to certain partitions of a computing device operated by a user of the computing device while protecting other partitions of the computing device, said method comprising the steps of:
- an application authorization module validating approval for any applications executing in, and for protecting data in, a first partition of the computing device accessible by the user, wherein the application authorization module is not the user;
  
  digitally signing, on a component that is not on the computing device, a request of an external access entity to access the computing device, wherein the external access entity is not the user and is not a module executing on the computing device;
  
  verifying on the computing device the digitally signed request of the external access entity to access the computing device;
  
  enabling the verified external access entity to access data of applications executing in a second partition of the computing device, wherein the user can also access the second partition and applications can execute in the second partition without approval from the application authorization module;
  
  preventing the authorized external access entity from accessing protected data used by applications executing in the first partition; and
  
  recording information contained in the verified external access entity request in a record that cannot be deleted or modified by the external access entity;
  
  wherein;
  
  approval to execute an application in the first partition is performed by validating a digital signature, using an application verification key stored in said computing device; and
  
  digital signatures verified using the application verification key are not generated on the computing device.
- View Dependent Claims (11)
- - 11. Method of claim 10, wherein the user cannot modify the verification process of an authorized external access entity in order to keep an authorized external access entity from accessing the second partition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Brickell Cryptology LLC
Original Assignee
Ernest Brickell
Inventors
Brickell, Ernest
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
Taylor, Sakinah White

Application Number

US15/348,210
Publication Number

US 20180131677A1
Time in Patent Office

1,118 Days
Field of Search

713171
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 9/3247   involving digital signatures

Balancing public and personal security needs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Balancing public and personal security needs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links