SERVICE-BASED KEY ESCROW AND SECURITY FOR DEVICE DATA
First Claim
1. A method for extracting data from at least one encrypted data store storing at least one encrypted data set, comprising:
- requesting decryption of an encrypted target data set of the at least one encrypted data set by a portable device;
- requesting at least one decryption key from at least one escrow agent data service that at least partly decrypts the encrypted target data set from the at least one encrypted data set, including transmitting identity data to the at least one escrow agent data service;
- decrypting the encrypted target data set with the at least one decryption key received from the at least one escrow agent data service to provide access to the target data set by the portable device; and
- deleting the at least one decryption key from the memory if at least one pre-defined condition of potential compromise or non-use of the target data set is satisfied.
Abstract
Data protection services for portable, handheld, or mobile devices are provided in part by one or more cooperating network or data services, such as a cloud service, that supply volatile encryption/decryption key information to the devices. Decryption keys are retrieved on demand by a device, or by an application on the device, from a network service or other data service based on an analysis of device and user credentials. Retrieval of keys can be triggered automatically when the device or application meets a set of pre-conditions, or explicitly or implicitly requested by input to the device or application. Thus, decryption keys are provided to the mobile device in real time and on demand, with an explicitly or implicitly defined volatile lifetime after which the decryption keys expire.
21 Claims
1. Independent method claim (full text given above under First Claim). Claims 2 to 13 depend from claim 1.

14. A server computer for providing key escrow agent services for the provision of volatile key information to individual computing devices, comprising:
- at least one memory for storing data and computer executable instructions; and
- at least one processor for executing computer executable instructions stored in the memory to perform the following acts:
  - receiving, from a computing device, a request for at least one decryption key that at least partly decrypts data on the computing device, including receiving encrypted device identification data identifying the computing device when decrypted and encrypted user identification data identifying a user of the computing device when decrypted;
  - decrypting the encrypted device identification data to form decrypted device identification data and decrypted user identification data; and
  - verifying, based on at least one of the decrypted device identification data or the decrypted user identification data, whether the request for the at least one decryption key is an authorized request.
Claims 15 to 20 depend from claim 14.

21. A handheld computing system, comprising:
- at least one encrypted data store storing encrypted data for which decryption cryptographic key information is a pre-requisite for access; and
- at least one processor configured to carry out computer executable instructions that transmit a request for the decryption cryptographic key information from an escrow agent network service in response to a request for access to target data of the at least one encrypted data store, receive the decryption cryptographic key information if the escrow agent network service verifies at least one of a device condition associated with an identity of the handheld computing device or a user condition associated with an identity of a user of the handheld computing device, and lock the at least one encrypted data store if the escrow agent network service does not verify the device condition or user condition.
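The exchange the claims describe, as an added illustration that is not part of the patent: an escrow agent (claim 14) that decrypts and verifies the device and user identification data before releasing a data key, and a portable device (claims 1 and 21) that fetches the key on demand, holds it only in memory, locks its store when verification fails, and deletes the key on a compromise signal or after non-use. The shared transport key, the HMAC-based stream cipher used in place of a real AEAD, and the idle limit are assumptions made for this example.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for AES-CTR (no integrity tag;
    # a deployment would use an AEAD such as AES-GCM instead).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)                  # fresh nonce per message
    return nonce + _xor_stream(key, nonce, data)

def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

class EscrowAgent:
    """Claim 14: release a data key only after verifying the decrypted identity data."""
    def __init__(self, transport_key: bytes, enrolled: dict):
        self.transport_key = transport_key  # assumed shared with enrolled devices
        self.enrolled = enrolled            # {(device_id, user_id): data_key}
    def handle_request(self, enc_device_id: bytes, enc_user_id: bytes):
        device_id = unseal(self.transport_key, enc_device_id)
        user_id = unseal(self.transport_key, enc_user_id)
        return self.enrolled.get((device_id, user_id))  # None: not an authorized request

class PortableDevice:
    """Claims 1 and 21: volatile key, store locked on refusal, key deleted on condition."""
    def __init__(self, device_id: bytes, transport_key: bytes, agent, idle_limit: float):
        self.device_id, self.transport_key, self.agent = device_id, transport_key, agent
        self.idle_limit, self.key, self.last_use, self.locked = idle_limit, None, 0.0, False
    def read(self, ciphertext: bytes, user_id: bytes, now: float):
        if self.locked:
            return None
        if self.key is None:                # no key in memory: ask the escrow agent
            self.key = self.agent.handle_request(seal(self.transport_key, self.device_id),
                                                 seal(self.transport_key, user_id))
            if self.key is None:            # identity not verified: lock the data store
                self.locked = True
                return None
        self.last_use = now
        return unseal(self.key, ciphertext)
    def tick(self, now: float, compromised: bool = False) -> bool:
        # pre-defined deletion conditions of claim 1: potential compromise or non-use
        if self.key is not None and (compromised or now - self.last_use >= self.idle_limit):
            self.key = None
        return self.key is not None         # True while a usable key is still held
```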