System and method for secure storage data using a key

US 20030194094A1
Filed: 05/07/2003
Published: 10/16/2003
Est. Priority Date: 10/26/1998
Status: Active Grant

First Claim

Patent Images

1. A method, implemented in a system, the method comprising:

receiving a block of data, a current operating system identity, and a target operating system identity;

encrypting the block of data using a key;

subsequently receiving a request to decrypt the encrypted block of data; and

returning the encrypted block of data to the requester only if the target operating system identity is equal to an operating system identity when the request to decrypt is received.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a data structure to be encrypted is received in a device, the data structure including content along with a statement of conditions under which the content may be decrypted. The data structure is encrypted using a symmetric key of a processor of the device. In another aspect, a data structure is decrypted using a processor symmetric key. A statement of conditions under which content in the data structure can be decrypted is obtained, and testing is performed as to whether the conditions are satisfied. The decrypted content is returned only if the conditions are satisfied.

173 Citations

View as Search Results

75 Claims

1. A method, implemented in a system, the method comprising:
- receiving a block of data, a current operating system identity, and a target operating system identity;
  
  encrypting the block of data using a key;
  
  subsequently receiving a request to decrypt the encrypted block of data; and
  
  returning the encrypted block of data to the requester only if the target operating system identity is equal to an operating system identity when the request to decrypt is received.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as recited in claim 1, wherein the key comprises a symmetric key.
  - 3. A method as recited in claim 1, wherein the key comprises a symmetric key of a processor of the system.
  - 4. A method as recited in claim 1, wherein the current operating system identity comprises a unique value that represents the identity of the operating system in a software identity register.
  - 5. A method as recited in claim 1, wherein the target operating system identity comprises a specified software identity register (SIR) value that must be current in order for the encrypted block of data to be decrypted.
  - 6. A method as recited in claim 1, wherein the current operating system identity and the target operating system are the same.

7. A method, implemented in a device, the method comprising:
- receiving a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted; and
  
  encrypting the content using a key.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 8. A method as recited in claim 7, wherein the key comprises a symmetric key.
  - 9. A method as recited in claim 7, wherein the key comprises a symmetric key of a processor of the device.
  - 10. A method as recited in claim 7, wherein the content comprises an arbitrary block of data.
  - 11. A method as recited in claim 7, wherein the statement of conditions comprises a specified software identity register (SIR) value that must be current at a point of future decryption.
  - 12. A method as recited in claim 7, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted.
  - 13. A method as recited in claim 12, wherein the operating system identity is maintained in a software identity register (SIR).
  - 14. A method as recited in claim 12, wherein the operating system identity is identified in a signed certificate from an operating system vendor.
  - 15. A method as recited in claim 12, wherein the operating system identity is for an operating system that is different than an operating system executing when the data structure to be encrypted is received.
  - 16. A method as recited in claim 7, wherein the content can be decrypted only by a same processor as encrypted the data structure.
  - 17. A method as recited in claim 7, wherein the data structure is received as an input to a Seal operation.
  - 18. A method as recited in claim 7, wherein the encrypting comprises encrypting the data structure.

19. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- receive a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted; and
  
  encrypt the content using a key.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. One or more computer readable memories as recited in claim 19, wherein the key comprises a symmetric key.
  - 21. One or more computer readable memories as recited in claim 19, wherein the key comprises a symmetric key of a processor of the device.
  - 22. One or more computer readable memories as recited in claim 19, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted.
  - 23. One or more computer readable memories as recited in claim 22, wherein the operating system identity is maintained in a software identity register (SIR).
  - 24. One or more computer readable memories as recited in claim 22, wherein the operating system identity is identified in a signed certificate from an operating system vendor.
  - 25. One or more computer readable memories as recited in claim 22, wherein the operating system identity is for an operating system that is different than an operating system executing when the content to be encrypted is received.
  - 26. One or more computer readable memories as recited in claim 22, wherein one or more of the plurality of instructions that cause the one or more processors to encrypt the content comprises one or more instructions that cause the one or more processors to encrypt the data structure.

27. A system comprising:
- means for receiving a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted; and
  
  means for encrypting the data structure using a symmetric key of the system.
- View Dependent Claims (28, 29)
- - 28. A system as recited in claim 27, wherein the symmetric key comprises a symmetric key of a processor of the system.
  - 29. A system as recited in claim 27, wherein the statement of conditions comprises an operating system identity that an operating system executing on the system must have in order for the data structure to be decrypted.

30. A method comprising:
- decrypting a data structure using a key;
  
  obtaining a statement of conditions under which content in the data structure can be decrypted;
  
  testing whether the conditions are satisfied; and
  
  returning the decrypted content only if the conditions are satisfied.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. A method as recited in claim 30, wherein the key comprises a symmetric key.
  - 32. A method as recited in claim 30, wherein the key comprises a symmetric key of a processor.
  - 33. A method as recited in claim 30, wherein obtaining the statement of conditions comprises obtaining the statement of conditions from the data structure.
  - 34. A method as recited in claim 30, wherein the statement of conditions comprises an operating system identity that an operating system executing on a device including the processor must have in order for the content to be decrypted.
  - 35. A method as recited in claim 34, wherein the operating system identity is maintained in a software identity register (SIR).
  - 36. A method as recited in claim 34, wherein the operating system identity is identified in a signed certificate from an operating system vendor.
  - 37. A method as recited in claim 30, further comprising returning an error if the conditions are not satisfied.
  - 38. A method as recited in claim 30, further comprising decrypting the data structure only if the key is the same key as was previously used to encrypt the content.

39. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- decrypt a data structure using a key;
  
  obtain a statement of conditions under which content in the data structure can be decrypted;
  
  test whether the conditions are satisfied; and
  
  return the decrypted content only if the conditions are satisfied.
- View Dependent Claims (40, 41, 42, 43, 44)
- - 40. One or more computer readable memories as recited in claim 39, wherein the key comprises a symmetric key.
  - 41. One or more computer readable memories as recited in claim 39, wherein the key comprises a symmetric key of one of the one or more processors.
  - 42. One or more computer readable memories as recited in claim 39, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted.
  - 43. One or more computer readable memories as recited in claim 42, wherein the operating system identity is maintained in a software identity register (SIR).
  - 44. One or more computer readable memories as recited in claim 42, wherein the operating system identity is identified in a signed certificate from an operating system vendor.

45. A system comprising:
- means for decrypting a data structure using a symmetric key;
  
  means for obtaining a statement of conditions under which content in the data structure can be decrypted;
  
  means for testing whether the conditions are satisfied; and
  
  means for returning the decrypted content only if the conditions are satisfied.
- View Dependent Claims (46, 47)
- - 46. A system as recited in claim 45, wherein the symmetric key comprises a symmetric key of a processor of the system.
  - 47. A system as recited in claim 45, wherein the statement of conditions comprises an operating system identity that an operating system executing on the system must have in order for the content to be decrypted.

48. A method, implemented in a device, the method comprising:
- obtaining a block of data to be encrypted, a current operating system identity, and a target operating system identity; and
  
  invoking a seal operation to have the block of data encrypted by a processor of the device using a symmetric key of the processor.
- View Dependent Claims (49)
- - 49. A method as recited in claim 48, further comprising invoking the seal operation so that only an operating system having the target operating system identity can decrypt the encrypted block of data.

50. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- obtain content to be encrypted; and
  
  invoke a seal operation, inputting the content to have the content encrypted using a key so that the content can be decrypted only if a statement of conditions under which the content may be decrypted is satisfied.
- View Dependent Claims (51, 52, 53, 54, 55, 56)
- - 51. One or more computer readable memories as recited in claim 50, wherein the inputting comprises inputting both the content and the statement of conditions under which the content may be decrypted.
  - 52. One or more computer readable memories as recited in claim 50, wherein the key comprises a symmetric key.
  - 53. One or more computer readable memories as recited in claim 50, wherein the key comprises a symmetric key of a processor of the device.
  - 54. One or more computer readable memories as recited in claim 50, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted.
  - 55. One or more computer readable memories as recited in claim 54, wherein the operating system identity is identified in a signed certificate from an operating system vendor.
  - 56. One or more computer readable memories as recited in claim 54, wherein the operating system identity is for an operating system that is different than an operating system invoking the seal operation.

57. A method, implemented in a device, the method comprising:
- invoking an unseal operation in order to have a data block decrypted using a key; and
  
  receiving, in response to invoking the unseal operation, the decrypted data block only if conditions under which content in the data block can be decrypted are satisfied.
- View Dependent Claims (58, 59, 60, 61, 62)
- - 58. A method as recited in claim 57, wherein the key comprises a symmetric key.
  - 59. A method as recited in claim 57, wherein the key comprises a symmetric key of a processor of the device.
  - 60. A method as recited in claim 57, wherein the conditions comprise an operating system identity that an operating system invoking the unseal operation must have in order for the content to be decrypted.
  - 61. A method as recited in claim 60, wherein the operating system identity of the operating system invoking the unseal operation is different than an operating system identity of an operating system that previously had the data block encrypted.
  - 62. A method as recited in claim 57, further comprising receiving, in response to invoking the unseal operation, an error indication if the conditions are not satisfied.

63. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- invoke an unseal operation in order to have a data block decrypted using a key; and
  
  receive, in response to invoking the unseal operation, the decrypted data block only if conditions under which content in the data block can be decrypted are satisfied.
- View Dependent Claims (64, 65, 66, 67, 68)
- - 64. One or more computer readable memories as recited in claim 63, wherein the key comprises a symmetric key.
  - 65. One or more computer readable memories as recited in claim 63, wherein the key comprises a symmetric key of a processor of the device.
  - 66. One or more computer readable memories as recited in claim 63, wherein the conditions comprise an operating system identity that an operating system invoking the unseal operation must have in order for the content to be decrypted.
  - 67. One or more computer readable memories as recited in claim 66, wherein the operating system identity of the operating system that invokes the unseal operation is different than an operating system identity of an operating system that previously had the data block encrypted.
  - 68. One or more computer readable memories as recited in claim 63, wherein the instructions further cause the one or more processors to receive, in response to invoking the unseal operation, an error indication if the conditions are not satisfied.

69. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- make a seal operation and an unseal operation available for invoking;
  
  wherein the seal operation causes content to be encrypted using a symmetric key along with a statement of the conditions under which it may be decrypted; and
  
  wherein the unseal operation causes the content to be returned to a requester if the conditions are satisfied.
- View Dependent Claims (70, 71, 72, 73)
- - 70. One or more computer readable memories as recited in claim 69, wherein the seal operation and unseal operation collectively provide the ability to seal secrets only for subsequent use on the device.
  - 71. One or more computer readable memories as recited in claim 69, wherein the unseal operation allows the content to be decrypted only by the processor that encrypted the content.
  - 72. One or more computer readable memories as recited in claim 69, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted.
  - 73. One or more computer readable memories as recited in claim 72, wherein the operating system identity is identified in a signed certificate from an operating system vendor.

74. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- receive, upon invocation of a seal operation, content to be encrypted;
  
  encrypt the content using a symmetric key so that the encrypted content can be decrypted only by the one or more processors running a specified operating system.
- View Dependent Claims (75)
- - 75. One or more computer readable memories as recited in claim 74, wherein the instructions further cause the one or more processors to receive, upon invocation of the seal operation, an identity of the specified operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.

Granted Patent

US 7,434,263 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/282
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/575   Secure boot

G06F 2221/2113   Multi-level security, e.g. ...

G06F 9/4406   Loading of operating system

G06F 9/468   Specific access rights for ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/166   at the transport layer

System and method for secure storage data using a key

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

173 Citations

75 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure storage data using a key

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

75 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links