SEALING SECRET DATA WITH A POLICY THAT INCLUDES A SENSOR-BASED CONSTRAINT

US 20130047197A1
Filed: 08/19/2011
Published: 02/21/2013
Est. Priority Date: 08/19/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request to access secret data from an application executing on a mobile computing device;

responsive to receiving the request, retrieving a policy that defines whether the user is authorized to access the secret data, the policy comprising at least one value that is tied to at least one sensor on the mobile computing device;

retrieving a sensor reading from the at least one sensor on the mobile computing device of the user;

causing a processor on the mobile computing device to determine whether the policy has been satisfied based at least in part upon a comparison between the at least one value that is tied to the at least one sensor and the sensor reading from the at least one sensor; and

if and only if the policy is satisfied, providing the application with the secret data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies pertaining to limiting access to secret data through utilization of sensor-based constraints are described herein. A sensor-based constraint is a constraint that can only be satisfied by predefined readings that may be output by at least one sensor on a mobile computing device. If the sensor on the mobile computing device outputs a reading that satisfies the sensor-based constraint, secret data is provided to a requesting application. Otherwise, the requesting application is prevented from accessing the secret data.

Citations

20 Claims

1. A method, comprising:
- receiving a request to access secret data from an application executing on a mobile computing device;
  
  responsive to receiving the request, retrieving a policy that defines whether the user is authorized to access the secret data, the policy comprising at least one value that is tied to at least one sensor on the mobile computing device;
  
  retrieving a sensor reading from the at least one sensor on the mobile computing device of the user;
  
  causing a processor on the mobile computing device to determine whether the policy has been satisfied based at least in part upon a comparison between the at least one value that is tied to the at least one sensor and the sensor reading from the at least one sensor; and
  
  if and only if the policy is satisfied, providing the application with the secret data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the at least one sensor is a global positioning system sensor.
  - 3. The method of claim 1, wherein the at least one sensor is one of a thermometer, an accelerometer, a velocity sensor, a proximity sensor, or a gyroscope.
  - 4. The method of claim 1, wherein the policy further restricts access to the secret data solely to the mobile computing device.
  - 5. The method of claim 1, further comprising:
    - receiving a request to generate the policy;
      
      generating the policy responsive to receipt of the request; and
      
      sealing the secret data with the policy responsive to receipt of the request such that the application is unable to access the secret data unless the sensor reading from the at least one sensor corresponds to the at least one value of the policy.
  - 6. The method of claim 5, wherein the generating of the policy and the sealing of the secret data with the policy is undertaken on the mobile computing device of the user.
  - 7. The method of claim 5, wherein the generating of the policy and the sealing of the secret data with the policy is undertaken on a server that is in communication with the mobile computing device.
  - 8. The method of claim 1, wherein the sensor reading is signed to verify that the sensor reading has been output by the at least one sensor and has not been modified by a user or malicious software.
  - 9. The method of claim 1, wherein the secret data is sealed with the policy, and further comprising unsealing the secret data from the policy if and only if the policy is satisfied.
  - 10. The method of claim 1, wherein the unsealing of the secret data from the policy is undertaken on a first portion of the mobile computing device that is logically separate from a second portion of the mobile computing device that executes the application.
  - 11. The method of claim 1, wherein the mobile computing device is one of a portable telephone, a tablet, a netbook, or a laptop, and the at least one sensor is a global positioning system sensor.
  - 12. The method of claim 1, wherein the secret data is one of a password or a key, and wherein a web browser executing on the mobile computing device requests the policy.

13. A system, comprising:
- a retriever component that receives, from an application executing on a computing device, a request to unseal secret data from a policy, the retriever component retrieving a sensor reading from a sensor on the computing device responsive to receipt of the request to unseal the secret data from the policy, the policy defining access rights to the secret data and comprising at least one sensor-based constraint, the sensor-based constraint satisfiable only by data output by the sensor; and
  
  an unsealer component that unseals the secret data from the policy and outputs the secret data to the application if and only if the sensor reading from the sensor satisfies the sensor-based constraint.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, the secret data being a password.
  - 15. The system of claim 13, wherein the computing device is a mobile computing device.
  - 16. The system of claim 13, further comprising:
    - a receiver component that receives;
      
      the policy;
      
      the secret data; and
      
      a request to seal the secret data with the policy; and
      
      a sealer component that seals the secret data with the policy responsive to the receiver component receiving the request to seal the secret data with the policy.
  - 17. The system of claim 13 comprised by one of a hardware trusted platform module, a software trusted platform module, a firmware trusted platform module, or an emancipated virtual machine.
  - 18. The system of claim 13 comprised by a first virtual machine, wherein the application executing on the computing device executes in a second virtual machine that is separate from the first virtual machine.
  - 19. The system of claim 13, further comprising a signer component that signs the sensor reading to validate that the sensor reading is an actual value generated by the sensor and has not been modified by a user or malicious software.

20. A computer-readable medium comprising instructions that, when executed by a processor, cause the processor to perform acts comprising:
- receiving one of a password or a key that is utilized to access a web-based service by way of a browser;
  
  receiving a policy that comprises a sensor-based constraint that is only satisfiable by a reading from a GPS sensor that indicates that a mobile telephone that comprises the GPS sensor is within a certain geographic region;
  
  receiving a request to seal the one of the password or the key with the policy, the request received from the web-based service by way of the browser;
  
  responsive to receiving the request to seal the one of the password or the key, sealing the one of the password or the key with the policy;
  
  subsequent to sealing the one of the password or the key with the policy, receiving a request from the browser to unseal the one of the password or the key from the policy;
  
  responsive to receiving the request to unseal the one of the password or the key from the policy, causing the GPS sensor on the mobile computing device to output a reading that indicates a current location of the mobile computing device, the reading signed to indicate that the reading is from the GPS sensor and has not been modified by a user or an application;
  
  comparing the reading with the sensor-based constraint; and
  
  outputting the one of the password or the key to the browser if and only if the sensor-based constraint is satisfied by the reading from the GPS sensor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Saroiu, Stefan, Wolman, Alastair, Raj, Himanshu, Liu, He

Granted Patent

US 9,411,970 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/6209   to a single file or object,...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 9/45558   Hypervisor-specific managem...

G06Q 40/02   Banking, e.g. interest calc...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/168   above the transport layer

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/128   Anti-malware arrangements, ...

H04W 12/68   Gesture-dependent or behavi...

H04W 4/021 : Services related to particu...

View All

SEALING SECRET DATA WITH A POLICY THAT INCLUDES A SENSOR-BASED CONSTRAINT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SEALING SECRET DATA WITH A POLICY THAT INCLUDES A SENSOR-BASED CONSTRAINT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links