Secure Data Synchronization

US 20130067243A1
Filed: 09/12/2011
Published: 03/14/2013
Est. Priority Date: 09/12/2011
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable hardware storage media comprising computer-readable instructions which, when executed, implement:

a synchronization host configured to;

receive at a device encrypted data from an external low cost storage and request that the encrypted data be decrypted; and

request that sensitive data from the device be encrypted before the sensitive data is stored on the external low cost storage; and

a security module configured to;

receive one or more security keys from an external high cost storage that is separate from the low cost storage;

decrypt the encrypted data using a decryption key from the one or more security keys; and

encrypt the sensitive data using an encryption key from the one or more security keys to generate encrypted sensitive data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure data synchronization are described. In one or more implementations, techniques may be employed to conserve high cost data storage by storing larger portions of encrypted data in low cost storage, while storing relatively smaller encryption keys in higher cost storage. A device that is granted access to the encryption keys can retrieve the encrypted data from the low cost storage and use the encryption keys to decrypt the encrypted data.

97 Citations

View as Search Results

20 Claims

1. One or more computer-readable hardware storage media comprising computer-readable instructions which, when executed, implement:
- a synchronization host configured to;
  
  receive at a device encrypted data from an external low cost storage and request that the encrypted data be decrypted; and
  
  request that sensitive data from the device be encrypted before the sensitive data is stored on the external low cost storage; and
  
  a security module configured to;
  
  receive one or more security keys from an external high cost storage that is separate from the low cost storage;
  
  decrypt the encrypted data using a decryption key from the one or more security keys; and
  
  encrypt the sensitive data using an encryption key from the one or more security keys to generate encrypted sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The one or more computer-readable hardware storage media of claim 1, wherein the external high cost storage comprises a data storage that meets a higher level of compliance with security standards than does the external low cost storage.
  - 3. The one or more computer-readable hardware storage media of claim 1, wherein one or more of the external high cost storage or the external low cost storage are implemented as part of a cloud computing system.
  - 4. The one or more computer-readable hardware storage media of claim 1, wherein the sensitive data comprises user credentials that may be used to access one or more resources associated with a user of the device.
  - 5. The one or more computer-readable hardware storage media of claim 1, wherein said encrypted data is received in response to a user of the device logging on to a user account associated with the external low cost storage, and wherein said one or more security keys are received in response to a separate authentication procedure that enables access to the external high cost storage.
  - 6. The one or more computer-readable hardware storage media of claim 1, wherein the synchronization host is further configured to enable the encrypted sensitive data from the device to be synchronized with at least one other device such that application states for an application on the device and an application on the at least one other device are synchronized.
  - 7. The one or more computer-readable hardware storage media of claim 1, wherein the computer-readable instructions, when executed, further implement a data settings handler configured to mark the encrypted sensitive data with an application identifier for an application that resides on the device such that access to the encrypted sensitive data can be controlled using the application identifier.
  - 8. The one or more computer-readable hardware storage media of claim 7, wherein the synchronization host is further configured to submit the encrypted sensitive data marked with the application identifier for communication to the external low cost storage.
  - 9. The one or more computer-readable hardware storage media of claim 1, wherein the computer-readable instructions, when executed, further implement a data settings handler configured to:
    - determine that an application is requesting access to the encrypted sensitive data; and
      
      allow the application to access the encrypted sensitive data if an application identifier associated with the application matches an application identifier used to mark the encrypted sensitive data.
  - 10. The one or more computer-readable hardware storage media of claim 1, wherein the security module is further configured to:
    - receive an indication that a trusted status of the device has been revoked; and
      
      responsive to receiving said indication, prevent the device from receiving one or more additional security keys.

11. A method comprising:
- receiving a request for encrypted data from an application executing on a device;
  
  ascertaining whether an application identifier for the application matches an application identifier used to mark the encrypted data; and
  
  if the application identifier for the application matches the application identifier used to mark the encrypted data, retrieving and decrypting the encrypted data for the application.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. A method as described in claim 11, wherein said encrypted data comprises encrypted user credentials that, when decrypted, enable access to one or more resources associated with a user of the device.
  - 13. A method as described in claim 11, wherein said ascertaining comprises querying an operating system of the device for the application identifier for the application.
  - 14. A method as described in claim 11, wherein said encrypted data is received from a low cost storage, and wherein one or more security keys that are used to decrypt the encrypted data are received from a high cost storage that is separate from the low cost storage.
  - 15. A method as described in claim 14, wherein said request for encrypted data is received as part of a synchronization operation between the device and the low cost storage.
  - 16. A method as described in claim 14, wherein said encrypted data is received in response to a user of the device authenticating with a service associated with the low cost storage, and wherein said one or more security keys are received in response to a separate authentication transaction associated with the high cost storage.
  - 17. A method as described in claim 11, further comprising, if the application identifier for the application does not match the application identifier used to mark the encrypted data, denying the application access to the encrypted data.

18. A method comprising:
- determining that enterprise data is stored locally on a device;
  
  ascertaining whether the enterprise data may be propagated to a different device based at least in part on whether the different device is an enterprise device or a non-enterprise device; and
  
  in an event that the device is a non-enterprise device, preventing the enterprise data from being propagated to the non-enterprise device unless a permission associated with the enterprise device indicates that the enterprise data may be propagated to the non-enterprise device.
- View Dependent Claims (19, 20)
- - 19. A method as described in claim 18, further comprising automatically propagating the enterprise data to the different device in response to an indication that the different device is an enterprise device.
  - 20. A method as described in claim 18, further comprising allowing the enterprise data to be propagated to the non-enterprise device in response to an indication that a type for the enterprise data corresponds to a type for other data that was previously transmitted from the non-enterprise device to the enterprise device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Sinha, Saurav, Kannan, Gopinathan, Bharadwaj, Vijay G., Fleischman, Eric, Tamayo-Rios, Matthew Z., Ovechkin, Ruslan, Macaulay, Christopher R., Ide, Nathan J., Liu, Kun

Granted Patent

US 9,424,439 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 21/6272   by registering files or doc...

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

Secure Data Synchronization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Data Synchronization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links