SERVICE-BASED KEY ESCROW AND SECURITY FOR DEVICE DATA

US 20100266132A1
Filed: 04/15/2009
Published: 10/21/2010
Est. Priority Date: 04/15/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for extracting data from at least one encrypted data store storing at least one encrypted data set, comprising:

requesting decryption of an encrypted target data set of the at least one encrypted data set by a portable device;

requesting at least one decryption key from at least one escrow agent data service that at least partly decrypts the encrypted target data set from the at least one encrypted data set including transmitting identity data to the at least one escrow agent data service;

decrypting the encrypted target data set with the at least one decryption key received from the at least one escrow agent data service to provide access to the target data set by the portable device; and

deleting the at least one decryption key from the memory if at least one pre-defined condition of potential compromise or non-use of the target data set is satisfied.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data protection services for portable, handheld, or mobile device are provided in part by one or more cooperating network or data service(s), such as a cloud service, that provide volatile encryption/decryption key information to the device(s). Decryption key(s) are retrieved on demand by a device or application of the device from a network service or other data service based on an analysis of device and user credential(s). Retrieval of keys can be triggered automatically by meeting a set of pre-conditions by the device or application, or explicitly or implicitly requested by input to the device or application. Thus, decryption keys are provided to the mobile device in real time, on-demand, explicitly or implicitly defining a volatile lifetime prior to expiration of the decryption keys.

186 Citations

21 Claims

1. A method for extracting data from at least one encrypted data store storing at least one encrypted data set, comprising:
- requesting decryption of an encrypted target data set of the at least one encrypted data set by a portable device;
  
  requesting at least one decryption key from at least one escrow agent data service that at least partly decrypts the encrypted target data set from the at least one encrypted data set including transmitting identity data to the at least one escrow agent data service;
  
  decrypting the encrypted target data set with the at least one decryption key received from the at least one escrow agent data service to provide access to the target data set by the portable device; and
  
  deleting the at least one decryption key from the memory if at least one pre-defined condition of potential compromise or non-use of the target data set is satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory substantially immediately after use of the at least one decryption key.
  - 3. The method of claim 1, further comprising:
    - after the deleting, requesting and receiving auxiliary user identity data identifying a current user of the device;
      
      requesting access to at least a subset of the target data set; and
      
      denying access to at least the subset if the auxiliary user identity data fails a verification test conducted by the at least one escrow agent network service.
  - 4. The method of claim 3, wherein the requesting and receiving of auxiliary user identity data includes receiving biometric user identity data.
  - 5. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory if an application or process accessing the target data set is terminated.
  - 6. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory if an application or process terminates a portion of its operation accessing the target data set.
  - 7. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory if location information of the device identifying a geographical position of the device is out of a pre-defined geographical area.
  - 8. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory if at least one potentially malicious process is detected on the device.
  - 9. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory if a screensaver program for a display of a device is initiated.
  - 10. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory if a screen lock program for a display of a device is initiated requiring a password or personal identification number (PIN) to unlock.
  - 11. The method of claim 1, wherein the deleting includes deleting the at least one decryption key from the memory if a sleep mode, hibernation mode or power off mode of the device is initiated.
  - 12. The method of claim 1, further comprising:
    - receiving the at least one decryption key from the at least one escrow agent data service in memory of the portable device after a verification process verifies the portable device is authorized to receive the at least one decryption key at least based on an analysis of the device identity data and the user identity data.
  - 13. The method of claim 1, wherein the requesting of at least one decryption key includes transmitting at least one of device identity data identifying the device or user identity data identifying the user to the at least one escrow agent.

14. A server computer for providing key escrow agent services for the provision of volatile key information to individual computing devices, comprising:
- at least one memory for storing data and computer executable instructions; and
  
  at least one processor for executing computer executable instructions stored in the memory to perform the following acts;
  
  receiving, from a computing device, a request for at least one decryption key that at least partly decrypts data on the computing device including receiving encrypted device identification data identifying the computing device when decrypted and encrypted user identification data identifying a user of the computing device when decrypted;
  
  decrypting the encrypted device identification data to form decrypted device identification data and decrypted user identification data; and
  
  verifying, based on at least one of the decrypted device identification data or the decrypted user identification data, whether the request for the at least one decryption key is an authorized request.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The server computer of claim 14, wherein the at least one processor carries out computer executable instructions to perform the receiving of the request for at least one decryption key that decrypts all of the data on the computing device.
  - 16. The server computer of claim 14, wherein the at least one processor further carries out computer executable instructions stored in the memory to perform the act of:
    - initiating an unlock of memory of the computing device including transmitting at least one unlock command to the computing device if the request for the at least one decryption key is an authorized request, where the unlock removes a lock inhibiting memory access on the computing device.
  - 17. The server computer of claim 14, wherein the at least one processor further carries out computer executable instructions stored in the memory to perform the acts of:
    - retrieving the at least one decryption key from the at least one memory if the request for the at least one decryption key is an authorized request; and
      
      transmitting the at least one decryption key to the computing device.
  - 18. The server computer of claim 14, wherein the at least one processor further carries out computer executable instructions stored in the memory to perform the acts of:
    - generating the at least one decryption key based on at least one cryptographic algorithm if the request for the at least one decryption key is an authorized request; and
      
      transmitting the at least one decryption key to the computing device.
  - 19. The server computer of claim 14, wherein the at least one processor carries out computer executable instructions to perform the verifying including determining whether the computing device is reported lost or stolen based on data matching the decrypted device identification data.
  - 20. The server computer of claim 14, wherein the at least one processor carries out computer executable instructions to perform the verifying including determining whether the computing device is currently being operated by an unauthorized user based on data matching the decrypted user identification data.

21. A handheld computing system, comprising:
- at least one encrypted data store storing encrypted data for which decryption cryptographic key information is a pre-requisite for access;
  
  at least one processor configured to carry out computer executable instructions that transmit a request for the decryption cryptographic key information from an escrow agent network service at a time in response to a request for access of target data of the at least one encrypted data store, receive the decryption cryptographic key information if the escrow agent network service verifies at least one of a device condition associated with an identity of the handheld computing device or a user condition associated with an identity of a user of the handheld computing device and lock the at least one encrypted data store if the escrow agent network service does not verify the device condition or user condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bablani, Girish, Cottrille, Scott Colin, Batchelder, Dennis, Panasyuk, Anatoliy

Application Number

US12/424,151
Publication Number

US 20100266132A1
Time in Patent Office

Days
Field of Search
US Class Current

380/286
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/04   Key management, e.g. using ...

H04W 12/082   using revocation of authori...

H04W 12/126   Anti-theft arrangements, e....

H04W 12/128   Anti-malware arrangements, ...

SERVICE-BASED KEY ESCROW AND SECURITY FOR DEVICE DATA

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SERVICE-BASED KEY ESCROW AND SECURITY FOR DEVICE DATA

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links