Method and apparatus for hardware based file/document expiry timer enforcement
Abstract
A technique for secure network storage includes generating, by a trusted execution environment in a first device, an encryption key and a certificate for a document, wherein the certificate comprises expiry information for the document and the encryption key, encrypting, by a general execution environment in the first device, the document with the encryption key, transmitting the encryption key to a remote key manager, and transmitting the document to a remote network storage device, wherein a second device is allowed to decrypt the document based on the expiry information.
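The flow in the abstract, sketched as an added example (not code from the patent): a certificate binds the document identification, the expiry window and the key, and the reader side fails closed unless a trusted clock value falls inside that window. The HMAC tag stands in for the trusted execution environment's certificate signature, and all names (`tee_issue`, `KeyManager`, `release_key`, `trusted_now`) are hypothetical; document encryption itself is left out.

```python
import hashlib, hmac, json, secrets

# Assumption: stands in for a signing key that never leaves the TEE.
TEE_SIGNING_KEY = secrets.token_bytes(32)

class AccessDenied(Exception):
    pass

def _tag(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TEE_SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def tee_issue(doc_id: str, not_before: int, not_after: int):
    """TEE side: create the document key and a certificate binding it to
    the document identification and the expiry window."""
    key = secrets.token_bytes(32)
    body = {"doc_id": doc_id, "not_before": not_before, "not_after": not_after,
            "key_sha256": hashlib.sha256(key).hexdigest()}
    return key, {"body": body, "tag": _tag(body)}

class KeyManager:
    """Remote key manager: stores key and certificate by document id."""
    def __init__(self):
        self._store = {}

    def put(self, doc_id, key, cert):
        self._store[doc_id] = (key, cert)

    def get(self, doc_id):
        if doc_id not in self._store:
            raise AccessDenied("unknown document")
        return self._store[doc_id]

def release_key(km: KeyManager, doc_id: str, trusted_now: int) -> bytes:
    """Reader side: return the key only if the certificate verifies and
    trusted_now (from a trusted clock) is inside the validity window."""
    key, cert = km.get(doc_id)
    body = cert["body"]
    if not hmac.compare_digest(cert["tag"], _tag(body)):
        raise AccessDenied("certificate altered")
    if body["doc_id"] != doc_id:
        raise AccessDenied("certificate is for another document")
    if not hmac.compare_digest(body["key_sha256"], hashlib.sha256(key).hexdigest()):
        raise AccessDenied("key does not match certificate")
    if not (body["not_before"] <= trusted_now <= body["not_after"]):
        raise AccessDenied("outside validity period")
    return key
```

The check is only as strong as the source of `trusted_now`: a clock the reader's general execution environment can set would let an expired key be released.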
15 Claims
1. A machine readable storage device or storage disc comprising instructions which, when executed, cause a machine to at least:
- request, from a remote key manager in a second remote network storage device, (A) expiry information for an encrypted document and (B) an encryption key for the encrypted document, the expiry information and the encryption key associated with a certificate generated in a trusted execution environment, the certificate associated with a document identification of the encrypted document, the encrypted document from a first remote network storage device, the expiry information indicating a time period for which the encryption key is valid to perform a decryption operation on the encrypted document, the first remote network storage device being separate from the second remote network storage device, and (i) the encrypted document, (ii) the expiry information, and (iii) the encryption key associated with the document identification;
- in response to obtaining the expiry information and the encryption key, compare a current time to the time period of the expiry information to determine whether the decryption of the encrypted document is prohibited; and
- when the decryption is prohibited, prevent access to the encrypted document.
6. A system comprising:
- a general execution environment to request, from a remote key manager in a second remote network storage device, (A) expiry information for an encrypted document and (B) an encryption key for the encrypted document, the expiry information and the encryption key associated with a certificate generated in a trusted execution environment, the certificate associated with a document identification of the encrypted document, the encrypted document from a first remote network storage device, the expiry information indicating a time period for which the encryption key is valid to perform a decryption operation on the encrypted document, the first remote network storage device being separate from the second remote network storage device, and (i) the encrypted document, (ii) the expiry information, and (iii) the encryption key associated with the document identification; and
- the trusted execution environment to:
  - in response to obtaining the expiry information and the encryption key, compare a current time to the time period of the expiry information to determine whether decryption of the encrypted document is prohibited; and
  - when the decryption is prohibited, prevent access to the encrypted document.
11. A method of encrypting a document, the method comprising:
- requesting, from a remote key manager in a second remote network storage device, (A) expiry information for an encrypted document and (B) an encryption key for the encrypted document, the expiry information and the encryption key associated with a certificate generated in a trusted execution environment, the certificate associated with a document identification of the encrypted document, the encrypted document from a first remote network storage device, the expiry information indicating a time period for which the encryption key is valid to perform a decryption operation on the document, the first remote network storage device being separate from the second remote network storage device, and (i) the encrypted document, (ii) the expiry information, and (iii) the encryption key associated with the document identification;
- in response to obtaining the expiry information and the encryption key, comparing a current time to the time period of the expiry information to determine whether decryption of the encrypted document is prohibited; and
- when the decryption is prohibited, preventing decryption of the encrypted document.
Specification