Securing sensitive data in memory

US 20070016803A1
Filed: 11/18/2005
Published: 01/18/2007
Est. Priority Date: 07/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method for using sensitive data, said method comprising:

storing said sensitive data in a secure buffer;

providing a portion of said sensitive data for use, where said portion is less than all of said sensitive data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Sensitive data is stored in a secure buffer, and never in an unencrypted, accessible location at any time. The data is accessed only by low-level processor instructions that load only a portion of the data into processor registers. The portion of data can then be used before the next portion of data is transferred from the secure buffer into the processor registers. In some embodiments, only one portion is available at any time. In other embodiments, a number of portions may be available at one time. However, the entirety of the sensitive data is never present in the clear. Thus, the entirety of the sensitive data will never be available if an adversary gains access to the contents of memory.

11 Citations

View as Search Results

19 Claims

1. A method for using sensitive data, said method comprising:
- storing said sensitive data in a secure buffer;
  
  providing a portion of said sensitive data for use, where said portion is less than all of said sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, where said step of providing a portion comprises:
    - accessing said sensitive data via a low-level processor instruction.
  - 3. The method of claim 2, where said secure buffer stores said sensitive data in encrypted form, said step of providing a portion of said sensitive data for use further comprising:
    - decrypting only one portion of said sensitive data into a processor register.
  - 4. The method of claim 3, where low-level processor instruction causes said portion to be decrypted and stored in said processor register, and where said low-level processor instruction allows only a set number of portions of sensitive data to be stored in a decrypted state at any one time.
  - 5. The method of claim 1, where said secure buffer is secured by at least one securing algorithm.
  - 6. The method of claim 4, where said at least one securing algorithms is selected from a set of at least two possible securing algorithms, and where a new selection of securing algorithms is performed periodically.
  - 7. The method of claim 1, further comprising:
    - accepting at least one change to said portion of said sensitive data; and
      
      storing a new version of said sensitive data, including said portion of said sensitive data as modified by said at least one change, in said secure buffer.
  - 8. The method of claim 7, where said storing a new version of said sensitive data occurs via a low-level processor instruction, where said low-level processor instruction causes said portion to be encrypted and read from said processor register.

9. A system for storing secure data, comprising:
- a secure buffer for storing sensitive data;
  
  a secure buffer accessor, operably connected to said secure buffer, for accessing said sensitive data, where said secure buffer accessor allows access to only a portion of said sensitive data for use, where said portion is less than all of said sensitive data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, where said system further comprises:
    - application logic for executing an application, operably connected to said secure buffer accessor, where said application access said sensitive data only through said secure buffer accessor.
  - 11. The system of claim 9, where said secure buffer accessor accesses said sensitive data via a low-level processor instruction.
  - 12. The system of claim 11, where said secure buffer stores said sensitive data in encrypted form, said secure buffer accessor decrypting only one portion of said sensitive data into a processor register at a time.
  - 13. The system of claim 11, where low-level processor instruction causes said portion to be decrypted and stored in said processor register, and where said low-level processor instruction allows only a set number of portions of sensitive data to be stored in a decrypted state at any one time.
  - 14. The system of claim 9, where said secure buffer is secured by at least one securing algorithm.
  - 15. The method of claim 13, where said at least one securing algorithms is selected from a set of at least two possible securing algorithms, and where a new selection of securing algorithms is performed periodically.
  - 16. The system of claim 9, where said secure buffer accessor further accepts at least one change to said portion of said sensitive data;
    - and where said secure buffer stores a new version of said sensitive data, including said portion of said sensitive data as modified by said at least one change, in said secure buffer.
  - 17. The method of claim 16, where said storing a new version of said sensitive data occurs via a low-level processor instruction, where said low-level processor instruction causes said portion to be encrypted and read from said processor register.

18. An application programming interface for accessing sensitive data in a secure buffer, said application program interface for:
- accessing a portion of said sensitive data, where said portion is less than all of said sensitive data.
- View Dependent Claims (19)
- - 19. The application programming interface of claim 18, where a portion of said application programming interface is implemented in low-level processor instructions, and said portion implements the decryption of said portion of sensitive data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lelikov, Andrey

Granted Patent

US 7,725,739 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/1425   the protection being physic...

G06F 21/6209   to a single file or object,...

G06F 21/85   interconnection devices, e....

G06F 2221/2149   Restricted operating enviro...

Securing sensitive data in memory

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Securing sensitive data in memory

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links