PROVIDING SECURITY SERVICES ON THE CLOUD

US 20120159178A1
Filed: 12/15/2010
Published: 06/21/2012
Est. Priority Date: 12/15/2010
Status: Active Grant

First Claim

Patent Images

1. At a computer system including a processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing a cloud keying and signing service, the method comprising:

an act of instantiating a signing service configured to sign software packages;

an act of receiving at the signing service a signing request from a publisher requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;

an act of the signing service generating a private and public key pair on behalf of the publisher; and

an act of the signing service storing the private key of the generated key pair in a secure data store.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to the providing a cloud keying and signing service and to securing software package distribution on the cloud. In an embodiment, a computer system instantiates a signing service configured to sign software packages. The computer system receives a signing request from a computer user requesting that a selected software package be signed. The signing request includes a computed hash of the selected software package. The computer system generates a private and public key pair on behalf of the computer user and stores the private key of the generated key pair in a secure data store.

132 Citations

20 Claims

1. At a computer system including a processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing a cloud keying and signing service, the method comprising:
- an act of instantiating a signing service configured to sign software packages;
  
  an act of receiving at the signing service a signing request from a publisher requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;
  
  an act of the signing service generating a private and public key pair on behalf of the publisher; and
  
  an act of the signing service storing the private key of the generated key pair in a secure data store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising an act of computing a hash of the selected software package on the publisher'"'"'s computer system.
  - 3. The method of claim 1, wherein the private key is further encrypted before being stored in the secure store.
  - 4. The method of claim 1, wherein the signing service is an isolated, secure service provided on the cloud.
  - 5. The method of claim 1, further comprising an act of the signing service sending the generated public key and signed hash with a counter-signed timestamp signature to the publisher.
  - 6. The method of claim 5, further comprising an act of the publisher applying the received public key, signed hash and timestamp signature to the selected software package.
  - 7. The method of claim 6, further comprising an act of the signing service decrypting an encrypted symmetric key.
  - 8. The method of claim 7, further comprising an act of the signing service sending to both the publisher and one or more end-users the public key certificate corresponding to the selected package.
  - 9. The method of claim 8, further comprising an act of the publisher publishing the selected software package encrypted with the symmetric key and signed with private key.
  - 10. The method of claim 1, wherein the public key is wrapped in a software publishing certificate.
  - 11. The method of claim 10, wherein the public key that is wrapped in the software publishing certificate is distributed to one or more end-user computer systems via on-demand retrieval or via policy.
  - 12. The method of claim 9, wherein the public key is revocable according to policy.
  - 13. The method of claim 9, wherein each user'"'"'s computer system has a stored public key that allows the user'"'"'s computer system to verify that the received software package is from the identified publisher.
  - 14. The method of claim 9, wherein the first computer user is the publisher of the software package and wherein the symmetric key used to encrypt the software package is generated by the publisher'"'"'s computer system.
  - 15. The method of claim 9, wherein separate symmetric keys are generated for each software package.

16. A computer program product for implementing a method for securing software package distribution on the cloud, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of instantiating a signing service configured to decrypt an encrypted symmetric key.an act of the signing service receiving the encrypted symmetric key from a software publisher, wherein the encrypted symmetric key was encrypted using a public key;
  
  an act of the signing service decrypting the symmetric key using a corresponding stored private key; and
  
  an act of the signing service sending a decrypted symmetric key corresponding to the software package to the end-user'"'"'s computer for decryption.
- View Dependent Claims (17, 18, 19)
- - 17. The computer program product of claim 16, further comprising:
    - an act of the end-user computer decrypting the software package using the received decrypted symmetric key; and
      
      an act of the end-user computer installing the decrypted software package.
  - 18. The computer program product of claim 16, wherein each communication between the signing service and each of the publisher and end-user is conducted over encrypted channels with mutual authentication.
  - 19. The computer program product of claim 16, wherein certificate management policies are implemented to synchronize certificates between the signing service and the end-users.

20. A computer system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for providing a cloud keying and signing service, the method comprising the following;
  
  an act of instantiating a signing service configured to sign software packages;
  
  an act of receiving at the signing service a signing request from a first publisher requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;
  
  an act of the signing service generating a private and public key pair on behalf of the publisher;
  
  an act of the signing service storing the private key of the generated key pair in a secure data store;
  
  an act of the signing service sending the generated public key and signed hash with a corresponding timestamp signature to the first user;
  
  an act of the publisher applying the received public key, signed hash and timestamp signature to the selected software package;
  
  an act of the signing service sending to one or more of the users the public key certificate; and
  
  an act of the publisher publishing the selected software package.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lin, Jian, Reus, Edward F., Liokumovich, Igor

Granted Patent

US 8,479,008 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/178
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/045   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/123   received data contents, e.g...

H04L 9/3247   involving digital signatures

PROVIDING SECURITY SERVICES ON THE CLOUD

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

PROVIDING SECURITY SERVICES ON THE CLOUD

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others