Saving and retrieving data based on public key encryption
Abstract
In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with another aspect, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The data is decrypted using public key decryption and returned to the calling program only if the calling program is allowed to access the data.
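The seal and unseal behaviour the abstract describes (named PKSeal and PKUnseal in claims 18 and 21) can be sketched as follows; this is an added example, not code from the patent. It swaps in a standard-library-only hybrid scheme (RSA key encapsulation, a SHA-256 keystream and HMAC) for the unspecified public key encryption. The demo key, the SHA-256 program identifier and the names `pk_seal`, `pk_unseal` and `program_id` are assumptions.

```python
import hashlib, hmac, secrets

# Constructed demo key pair from two publicly known Mersenne primes: trivially
# factorable, for illustration only. A real guard holds a protected private key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KLEN = (N.bit_length() + 7) // 8

def program_id(code: bytes) -> bytes:
    """Assumed identifier: SHA-256 digest of the program image."""
    return hashlib.sha256(code).digest()

def _keys(r: int):
    k = hashlib.sha512(r.to_bytes(KLEN, "big")).digest()
    return k[:32], k[32:]  # (stream key, MAC key)

def _stream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def pk_seal(data: bytes, targets: list) -> bytes:
    """Encrypt the data together with the IDs of the programs allowed to unseal."""
    r = secrets.randbelow(N - 2) + 2
    enc_key, mac_key = _keys(r)
    plain = bytes([len(targets)]) + b"".join(targets) + data
    body = bytes(a ^ b for a, b in zip(plain, _stream(enc_key, len(plain))))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return pow(r, E, N).to_bytes(KLEN, "big") + tag + body

def pk_unseal(blob: bytes, caller_id: bytes) -> bytes:
    """Decrypt, then release the data only to a listed caller.

    caller_id stands in for the identifier the guard itself measures."""
    r = pow(int.from_bytes(blob[:KLEN], "big"), D, N)
    enc_key, mac_key = _keys(r)
    tag, body = blob[KLEN:KLEN + 32], blob[KLEN + 32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("ciphertext modified")
    plain = bytes(a ^ b for a, b in zip(body, _stream(enc_key, len(body))))
    count = plain[0]
    allowed = [plain[1 + 32 * i:33 + 32 * i] for i in range(count)]
    if not any(hmac.compare_digest(caller_id, a) for a in allowed):
        raise PermissionError("caller is not a target program")
    return plain[1 + 32 * count:]
```

Because the allowed identifiers travel inside the authenticated ciphertext, anyone holding the public key can seal, while only the holder of the private key can decide whether to release the data.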
75 Claims
1. A method, implemented in a computing device, the method comprising:
- receiving data from a calling program; and
- generating, using public key encryption, ciphertext that includes the data, wherein the ciphertext is generated in a manner that allows any of multiple target programs to be able to obtain the data from the ciphertext.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method, implemented in a computing device, the method comprising:
- receiving a bit string from a calling program;
- checking an identifier of the calling program to determine whether the calling program is one of multiple programs allowed to access data encrypted in ciphertext of the bit string; and
- returning the data, decrypted using public key decryption, to the calling program only if the calling program is one of multiple programs allowed to access the data.

Dependent claims: 10, 11, 12, 13, 14

15. One or more computer readable media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive data from a calling program;
- generate, using public key encryption, ciphertext that includes the data, wherein the ciphertext is generated in a manner that allows any of multiple target programs to be able to obtain the data from the ciphertext;
- after the ciphertext is generated, receive a bit string from another calling program;
- check an identifier of the other calling program to determine whether the other calling program is one of the multiple target programs allowed to access data encrypted in the ciphertext of the bit string; and
- return the data, decrypted using public key decryption, to the other calling program only if the other calling program is one of the multiple target programs allowed to access the data.

Dependent claims: 16, 17

18. One or more computer readable media having stored thereon a plurality of instructions to implement a PKSeal operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- obtain data to be encrypted; and
- encrypt, using public key encryption, the data and a set of identifiers of programs that are allowed to decrypt the data.

Dependent claims: 19, 20

21. One or more computer readable media having stored thereon a plurality of instructions to implement a PKUnseal operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, from a calling program, a bit string including ciphertext;
- decrypt, using public key decryption, the ciphertext to generate plaintext;
- return the plaintext data to the calling program only if the calling program is one of a set of identified programs to which the plaintext data can be revealed.

Dependent claims: 22, 23

24. A system comprising:
- means for receiving data from a calling program; and
- means for using public key encryption to generate ciphertext that includes the data, wherein the ciphertext is generated in a manner that allows one of a plurality of target programs to be able to obtain the data from the ciphertext.

25. A system comprising:
- means for receiving a bit string from a calling program;
- means for checking an identifier of the calling program to determine whether the calling program is one of a plurality of programs allowed to access data encrypted in ciphertext of the bit string; and
- means for returning the data, decrypted using public key decryption, to the calling program only if the calling program is one of the plurality of programs allowed to access the data.

26. One or more computer readable media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- identify data to be sealed; and
- invoke a PKSeal operation, passing the data as an input to the PKSeal operation and identifying conditions that are to be satisfied in order for the data to be unsealed.

Dependent claims: 27, 28, 29, 30, 31, 32, 33, 34

35. One or more computer readable media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- invoke a PKUnseal operation in order to have a bit string decrypted, passing the bit string as an input to the PKUnseal operation; and
- receive, in response to invoking the PKUnseal operation, at least a portion of the decrypted bit string only if the plurality of instructions are one of multiple programs allowed to unseal the bit string, wherein the data is decrypted using public key encryption.

Dependent claims: 36, 37

38. One or more computer readable media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- invoke a PKUnseal operation in order to obtain data from a bit string sealed in response to invocation of a PKSeal operation; and
- receive, in response to invoking the unseal operation, the data from the sealed bit string only if conditions that are to be satisfied in order for the data to be unsealed are satisfied.

Dependent claims: 39, 40, 41, 42

43. A system comprising:
- a plurality of hierarchical layers including a lowest layer that guards a root resource;
- wherein the plurality of hierarchical layers further includes one or more intermediate layers that act as principals that request access to the root resource from the next lower layer and that act as guards to the root resource toward principals in the next higher layers; and
- allowing access to the root resource only to programs authorized to access the root resource, wherein the allowing comprises using a PKSeal operation to securely seal the root resource and a PKUnseal operation to retrieve the root resource.

Dependent claims: 44, 45

46. One or more computer readable media having stored thereon a plurality of instructions to implement a BoundSign operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, as an input, both data to be signed and a bound key blob, wherein the bound key blob is bound to the one or more processors;
- recover, from the bound key blob, a private key associated with the bound key blob;
- generate a digital signature over the data using the private key; and
- output the digital signature.

Dependent claims: 47, 48

49. One or more computer readable media having stored thereon a plurality of instructions to implement a BoundQuote operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, as an input, both data to be signed and a bound key, wherein the bound key is bound to the one or more processors;
- reconstruct, based at least in part on the bound key, a private key associated with the bound key;
- generate a digital signature over the data using the private key; and
- output the digital signature.

Dependent claims: 50, 51

52. One or more computer readable media having stored thereon a plurality of instructions to implement a BoundDecrypt operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, as an input, both ciphertext and a bound key structure, wherein the bound key structure is bound to the one or more processors;
- recover, from the bound key structure, a private key associated with the bound key structure;
- decrypt the ciphertext using the private key to generate plaintext corresponding to the ciphertext; and
- output the plaintext.

Dependent claims: 53, 54

55. One or more computer readable media having stored thereon a plurality of instructions to implement a BoundPkUnseal operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, as an input, both ciphertext and a bound key, wherein the bound key is bound to the one or more processors;
- reconstruct, based at least in part on the bound key, a private key associated with the bound key;
- decrypt the ciphertext using the private key to generate plaintext corresponding to the ciphertext; and
- output the plaintext.

Dependent claims: 56, 57

58. One or more computer readable media having stored thereon a plurality of instructions to implement a GenBoundKey operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- generate a data structure for a new bound key that is to be bound to the one or more processors, wherein the new bound key includes data that allows a private key of a public/private key pair to be recovered from the data structure; and
- cryptographically protect the data structure.

Dependent claims: 59

60. One or more computer readable media having stored thereon a plurality of instructions to implement a BoundKeyMigrate operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, as an input, a bound key, wherein the bound key is bound to a program;
- verify that a usage condition associated with the key can be changed by the program; and
- change the usage condition if the verification is successful.

Dependent claims: 61, 62, 63, 64, 65, 66, 67

68. One or more computer readable media having stored thereon a plurality of instructions to implement a BoundKeyExport operation, wherein the plurality of instructions, when executed by a processor of a computing device, causes the processor to:
- receive, as an input, a bound key, wherein the bound key is bound to a guard;
- verify that the key can be re-bound to a different guard; and
- re-bind the key to the different guard if the verification is successful.

Dependent claims: 69, 70, 71, 72, 73, 74, 75
Specification