Method and system to maintain application data secure and authentication token for use therein

US 20040073792A1
Filed: 06/27/2003
Published: 04/15/2004
Est. Priority Date: 04/09/2002
Status: Active Grant

First Claim

Patent Images

1. A system to maintain application data stored on a portable computer secure, the system comprising:

an authorization client for use on the portable computer for making requests, the portable computer being capable of providing in-memory portions of address space for an application program;

a security device to be associated with an authorized user of the portable computer and including an authorization server for supplying responses to the requests;

a communication subsystem for wirelessly communicating the requests and the responses to the server and the client, respectively, within a range; and

a cryptographic subsystem for encrypting data located in the in-memory portions of the address space to obtain corresponding encrypted data when the security device is outside the range of the communication subsystem and for decrypting the encrypted data when the security device is back within the range.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Two embodiments of a method and system to maintain application data secure and authentication token for use therein are provided. The present invention uses transient authentication, in which a small hardware token continuously authenticates the user'"'"'s presence over a short-range, wireless link. Four principles underlying transient authentication are described as well as the two embodiments for securing applications. In the first embodiment, applications are protected transparently by encrypting in-memory state when the user departs and decrypting this state when the user returns. This technique is effective, requiring just seconds to protect and restore an entire machine. In the second embodiment, applications utilize an API for transient authentication, protecting only sensitive state. Ports of three applications, PGP, SSH, and Mozilla are described with respect to this API.

169 Citations

25 Claims

1. A system to maintain application data stored on a portable computer secure, the system comprising:
- an authorization client for use on the portable computer for making requests, the portable computer being capable of providing in-memory portions of address space for an application program;
  
  a security device to be associated with an authorized user of the portable computer and including an authorization server for supplying responses to the requests;
  
  a communication subsystem for wirelessly communicating the requests and the responses to the server and the client, respectively, within a range; and
  
  a cryptographic subsystem for encrypting data located in the in-memory portions of the address space to obtain corresponding encrypted data when the security device is outside the range of the communication subsystem and for decrypting the encrypted data when the security device is back within the range.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system as claimed in claim 1 wherein the requests include cryptographic requests for cryptographic information and wherein the server supplies the cryptographic information in response to the cryptographic requests and wherein the cryptographic subsystem utilizes the cryptographic information to either encrypt or decrypt the data.
  - 3. The system as claimed in claim 1 further comprising means for suspending substantially all authorized user processes on the computer when the security device is outside the range and means for restarting the suspended authorized user processes on the computer when the security device is back within the range.
  - 4. The system as claimed in claim 2 wherein the cryptographic information includes keys.
  - 5. The system as claimed in claim 4 wherein the keys are encrypted.
  - 6. The system as claimed in claim 1 further comprising means for suspending selected authorized user processes on the computer when the security device is outside the range and means for restarting the selected authorized user processes on the computer when the security device is back within the range.
  - 7. The system as claimed in claim 1 further comprising a mechanism for establishing a binding between the portable computer and the security device to ensure that the security device only responds to a portable computer with a valid binding.
  - 8. The system as claimed in claim 1 wherein the security device is an authorization token.
  - 9. The system as claimed in claim 4 wherein the keys include at least one master key.
  - 10. The system as claimed in claim 9 wherein the at least one master key is a key-encrypting key.
  - 11. The system as claimed in claim 2 wherein the cryptographic subsystem includes encrypted keys and wherein the cryptographic information includes keys for decrypting the encrypted keys.

12. A method to maintain application data stored on a portable computer secure, the method comprising:
- providing an authorization client for use on the portable computer for making requests, the portable computer being capable of providing in-memory portions of address space for an application program;
  
  providing a security device to be associated with an authorized user of the portable computer and including an authorization server for supplying responses to the requests;
  
  wirelessly communicating the requests and the responses to the server and the client, respectively, within a range;
  
  encrypting data located in the in-memory portions of the address space to obtain corresponding encrypted data when the security device is outside the range; and
  
  decrypting the encrypted data when the security device is back within the range.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method as claimed in claim 12 further comprising suspending substantially all authorized user processes on the computer when the security device is outside the range and restarting the suspended authorized user processes on the computer when the security device is back within the range.
  - 14. The method as claimed in claim 12 wherein the requests include cryptographic requests for cryptographic information and wherein the server supplies the cryptographic information in response to the cryptographic requests and wherein the cryptographic information is used to either encrypt or decrypt the data.
  - 15. The method as claimed in claim 12 further comprising establishing a binding between the portable computer and the security device to ensure that the security device only responds to a portable computer with a valid binding.
  - 16. The method as claimed in claim 12 further comprising suspending selected authorized user processes on the computer when the security device is outside the range and restarting the selected authorized user processes on the computer when the security device is back within the range.
  - 17. The method as claimed in claim 14 wherein the cryptographic information includes keys.
  - 18. The method as claimed in claim 17 wherein the keys include at least one master key.
  - 19. The method as claimed in claim 18 wherein the at least one master key is a key-encrypting key.

20. An authorization token for use in a system to maintain application data stored in in-memory portions of address space on a portable computer secure, the token comprising:
- an authorization server for supplying encrypted responses to encrypted requests; and
  
  a transceiver for receiving the requests and transmitting the responses to the portable computer.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The token as claimed in claim 20 wherein the requests include cryptographic requests for cryptographic information and wherein the server supplies the cryptographic information in response to the cryptographic requests.
  - 22. The token as claimed in claim 21 wherein the cryptographic information includes keys.
  - 23. The token as claimed in claim 22 wherein the keys are encrypted.
  - 24. The token as claimed in claim 22 wherein the keys include at least one master key.
  - 25. The token as claimed in claim 24 wherein the at least one master key is a key-encrypting key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Michigan
Original Assignee
University of Michigan
Inventors
Corner, Mark D., Noble, Brian D.

Granted Patent

US 7,299,364 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/35 communicating wirelessly

G06F 21/6227 where protection concerns t...

Method and system to maintain application data secure and authentication token for use therein

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

169 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Method and system to maintain application data secure and authentication token for use therein

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others