METHOD AND APPARATUS FOR PREVENTING ACCESS TO ENCRYPTED DATA IN A NODE

US 20090282265A1
Filed: 05/07/2008
Published: 11/12/2009
Est. Priority Date: 05/07/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of preventing access to data in a node, wherein the data is encrypted using an encryption algorithm with a cryptographic key-material, comprising:

receiving a trigger, wherein the trigger indicates suspicious activity performed on the node or indicates theft of the node;

sending the trigger to a central authority, wherein the central authority has a policy setting for preventing access to the encrypted data;

receiving an acknowledgement of the trigger from the central authority;

verifying the validity of the trigger;

updating a theft status of the node when the trigger is verified;

requesting an approval from the central authority for preventing access to the encrypted data after updating the theft status;

receiving the approval from the central authority; and

preventing access to the encrypted data based on the policy setting, responsive to receiving the approval.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of preventing access of data in a node quickly and securely when the node is lost or stolen. The data is first encrypted using an encryption algorithm with a cryptographic key-material. Heuristic methods of detecting un-authorized access to the node are implemented to generate a theft-trigger. The theft-trigger is received and sent to a central authority. The validity of the trigger is verified and the central authority sends an acknowledgement of the trigger. When approval is given from the central authority, access to the data is prevented by deleting or concealing some cryptographic key-material.

20 Citations

View as Search Results

26 Claims

1. A method of preventing access to data in a node, wherein the data is encrypted using an encryption algorithm with a cryptographic key-material, comprising:
- receiving a trigger, wherein the trigger indicates suspicious activity performed on the node or indicates theft of the node;
  
  sending the trigger to a central authority, wherein the central authority has a policy setting for preventing access to the encrypted data;
  
  receiving an acknowledgement of the trigger from the central authority;
  
  verifying the validity of the trigger;
  
  updating a theft status of the node when the trigger is verified;
  
  requesting an approval from the central authority for preventing access to the encrypted data after updating the theft status;
  
  receiving the approval from the central authority; and
  
  preventing access to the encrypted data based on the policy setting, responsive to receiving the approval.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method in claim 1 further comprising obtaining the policy setting from the central authority.
  - 3. The method in claim 1, wherein preventing access to the encrypted data comprises:
    - deleting the cryptographic key-material or concealing the cryptographic key-material.
  - 4. The method in claim 1, wherein requesting the approval comprises:
    - notifying an authorized user of the node before preventing access to the encrypted data.
  - 5. The method in claim 1 further comprising storing the cryptographic key-material in a secure non-volatile storage memory.
  - 6. The method in claim 1, wherein receiving the trigger comprises:
    - implementing at least one heuristic method of detecting unauthorized activity in the node.
  - 7. The method in claim 6, wherein the heuristic method comprises:
    - monitoring a number of unsuccessful login attempts to the node; and
      
      generating the trigger when the number of unsuccessful login attempts exceeds a threshold.
  - 8. The method in claim 6, wherein the heuristic method comprises:
    - setting a timer that runs for a configurable interval in the node;
      
      resetting and restarting the timer when contact is maintained between the node and the central authority; and
      
      generating the trigger by the node when the timer expires.

9. A node comprising:
- a mass storage device having data encrypted using an encryption algorithm with a cryptographic key-material;
  
  a host processor having an Operating System (OS) executing on the host processor, wherein the OS comprises;
  
  a key management module, to manage the storage of the cryptographic key-material;
  
  a theft management module, to monitor a theft status and to detect a trigger, wherein the trigger indicates suspicious activity performed on the node or indicates theft of the node;
  
  a shredding agent, to prevent access to the encrypted data; and
  
  a Secure File Shredding Management (SFSM) module to;
  
  receive the trigger;
  
  send the trigger to a central authority, wherein the central authority has a policy setting for preventing access to the encrypted data;
  
  receive an acknowledgement of the trigger from the central authority;
  
  verify the validity of the trigger;
  
  update the theft status of the node when the trigger is verified;
  
  request an approval from the central authority for preventing access to the encrypted data after updating the theft status;
  
  receive the approval from the central authority; and
  
  initiate the shredding agent to prevent access to the encrypted data based on the policy setting, responsive to receiving the approval.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The node of claim 9, wherein the OS is a first OS, the node further comprising:
    - a security module having a second OS executing on the security module, wherein the SFSM module runs on the second OS.
  - 11. The shredding agent in claim 9, wherein preventing access to the encrypted data is to:
    - delete the cryptographic key-material or to conceal the cryptographic key-material.
  - 12. The node in claim 9, wherein the SFSM module is to:
    - notify an authorized user of the node before preventing access to the encrypted data.
  - 13. The node in claim 9, wherein the SFSM module is further to obtain the policy setting from the central authority.
  - 14. The node in claim 9, wherein the key management module is to:
    - store the cryptographic key-material in a secure non-volatile storage memory.
  - 15. The node in claim 9, wherein the theft management module is to:
    - implement at least one heuristic method of detecting unauthorized activity in the node.
  - 16. The theft management module in claim 15, wherein the heuristic method is to:
    - monitor a number of unsuccessful login attempts to the node; and
      
      generate the trigger when the number of unsuccessful login attempts exceeds a threshold.
  - 17. The theft management module in claim 15, wherein the heuristic method is to:
    - set a timer that runs for a configurable interval in the node;
      
      reset and restart the timer when contact is maintained between the node and the central authority; and
      
      generate the trigger when the timer expires.
  - 18. The node in claim 9, wherein the theft management module is to:
    - send the trigger to the SFSM module when the trigger is received.

19. A computer readable medium having instructions stored thereon which, when executed in a node, cause a host processor, having data encrypted using an encryption algorithm with a cryptographic key-material, and a security module, to perform the following steps:
- receiving a trigger, wherein the trigger indicates suspicious activity performed on the node or indicates theft of the node;
  
  sending the trigger to a central authority, wherein the central authority has a policy setting for preventing access to the encrypted data;
  
  verifying the validity of the trigger;
  
  receiving an acknowledgement of the trigger from the central authority;
  
  updating a theft status of the node when the trigger is verified;
  
  requesting an approval from the central authority for preventing access to the encrypted data after updating the theft status;
  
  receiving the approval from the central authority; and
  
  preventing access to the encrypted data based on the policy setting, responsive to receiving the approval.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The medium in claim 19 further comprising obtaining the policy setting from the central authority.
  - 21. The medium in claim 19, wherein preventing access to the encrypted data comprises:
    - deleting the cryptographic key-material or concealing the cryptographic key-material.
  - 22. The medium in claim 19, wherein requesting the approval comprises:
    - notifying an authorized user of the node before preventing access of the encrypted data.
  - 23. The medium in claim 19 further comprising storing the cryptographic key-material in a secure non-volatile storage memory.
  - 24. The medium in claim 19, wherein receiving the trigger comprises:
    - implementing at least one heuristic method of detecting unauthorized activity in the node.
  - 25. The medium in claim 24, wherein the heuristic method comprises:
    - monitoring a number of unsuccessful login attempts to the node; and
      
      generating the trigger when the number of unsuccessful login attempts exceeds a threshold.
  - 26. The medium in claim 24, wherein the heuristic method comprises:
    - setting a timer that runs for a configurable interval in the node;
      
      resetting and restarting the timer when contact is maintained between the node and the central authority; and
      
      generating the trigger by the node when the timer expires.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Prakash, Gyan, Chhabra, Jasmeet, Aissi, Selim

Application Number

US12/116,743
Publication Number

US 20090282265A1
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/88   Detecting or preventing the...

G06F 2221/2143   Clearing memory, e.g. to pr...

METHOD AND APPARATUS FOR PREVENTING ACCESS TO ENCRYPTED DATA IN A NODE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR PREVENTING ACCESS TO ENCRYPTED DATA IN A NODE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links