Method and apparatus for hardware based file/document expiry timer enforcement

US 20170185789A1
Filed: 12/23/2015
Published: 06/29/2017
Est. Priority Date: 12/23/2015
Status: Active Grant

First Claim

Patent Images

1. A machine readable medium on which instructions are stored, comprising instructions that when executed cause a machine to:

request a trusted execution environment to generate an encryption key and a certificate for a document, wherein the certificate comprises expiry information for the document and the encryption key;

encrypt the document with the encryption key;

transmit the certificate to a remote key manager; and

transmit the document to a remote network storage device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for secure network storage includes generating, by a trusted execution environment in a first device, an encryption key and a certificate for a document, wherein the certificate comprises expiry information for the document and the encryption key, encrypting, by a general execution environment in the first device, the document with the encryption key, transmitting the encryption key to a remote key manager, and transmitting the document to a remote network storage device, wherein a second device is allowed to decrypt the document based on the expiry information.

22 Citations

View as Search Results

22 Claims

1. A machine readable medium on which instructions are stored, comprising instructions that when executed cause a machine to:
- request a trusted execution environment to generate an encryption key and a certificate for a document, wherein the certificate comprises expiry information for the document and the encryption key;
  
  encrypt the document with the encryption key;
  
  transmit the certificate to a remote key manager; and
  
  transmit the document to a remote network storage device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The machine readable medium of claim 1, wherein the expiry information indicates a time after which decryption of the document is not allowed.
  - 3. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to request a trusted execution to generate an encryption key and a certificate for a document comprise instructions that when executed cause the trusted execution environment to generate the expiry information using a clock secured by the trusted execution environment.
  - 4. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to request a trusted execution to generate an encryption key and a certificate for a document comprise instructions that when executed cause the trusted execution environment to generate the expiry information using a policy directed by the remote key manager.
  - 5. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to encrypt the document with the encryption key in a general execution environment of the machine.

6. A machine readable medium on which instructions are stored, comprising instructions that when executed cause a machine to:
- obtain an encrypted document from a remote network storage device;
  
  obtain a certificate for the encrypted document from a remote key manager, the certificate comprising expiry information for the encrypted document and an encryption key, wherein the certificate was created in a trusted execution environment;
  
  determine, based on the expiry information, that decryption of the encrypted document is allowed; and
  
  in response to determining that decryption allowed, decrypt the encrypted document.
- View Dependent Claims (7, 8)
- - 7. The machine readable medium of claim 6, wherein the instructions further comprise instructions that when executed cause the machine to access a system clock to determine whether the expiry information indicates an allowed time to decrypt the encrypted document has expired.
  - 8. The machine readable medium of claim 7, wherein the system clock resides in a trusted execution environment on the machine.

9. A system for secure network storage, comprising:
- a trusted execution environment;
  
  one or more processors; and
  
  a memory, coupled to the one or more processors, on which instructions are stored comprising instructions which, when executed cause at least some of the one or more processors to;
  
  obtain an encrypted document;
  
  obtain a certificate for the encrypted document from a remote key manager, the certificate comprising expiry information for the encrypted document and an encryption key, wherein the certificate was created in a trusted execution environment;
  
  determine, based on the expiry information, whether decryption of the encrypted document is allowed; and
  
  in response to determining that decryption is allowed, decrypting the encrypted document.
- View Dependent Claims (10, 11)
- - 10. The system of claim 9, wherein the instructions further comprise instructions that when executed cause at least some of the one or more processors to access a system clock to determine whether the expiry information indicates an allowed time to decrypt the encrypted document has expired.
  - 11. The system of claim 10, wherein the system clock resides in the trusted execution environment.

12. A system for secure network storage, comprising:
- a trusted execution environment;
  
  one or more processors; and
  
  a memory, coupled to the one or more processors, on which instructions are stored comprising instructions which, when executed cause at least some of the one or more processors to;
  
  request a trusted execution environment to generate an encryption key and a certificate for a document, wherein the certificate comprises expiry information for the document and the encryption key;
  
  encrypt the document with the encryption key;
  
  transmit the certificate to a remote key manager; and
  
  transmit the document to a remote network storage device.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the expiry information indicates a time after which decryption of the document is not allowed.
  - 14. The system of claim 12, wherein requesting a trusted execution to generate an encryption key and a certificate for a document comprises generating the expiry information using a clock secured by the trusted execution environment.
  - 15. The system of claim 12, wherein requesting a trusted execution to generate an encryption key and a certificate for a document comprises generating the expiry information using a policy directed by the remote key manager.

16. A machine readable medium on which instructions are stored, comprising instructions that when executed cause a machine to:
- receive, from a first device, a certificate, wherein the certificate is associated with an encrypted document, and wherein the certificate comprises expiry information for the encrypted document and an encryption key, wherein the expiry information indicates a time after which decryption of the encrypted document is not allowed;
  
  receive, from a second device, a request for the certificate; and
  
  transmit the certificate to the second device in response to the request.
- View Dependent Claims (17)
- - 17. The machine readable medium on claim 16, wherein the certificate was created in a trusted execution environment of the first device.

18. A method of encrypting a document, comprising:
- requesting a trusted execution environment of a programmable device to generate an encryption key and a certificate for a document, wherein the certificate comprises expiry information for the document and the encryption key;
  
  encrypting the document with the encryption key;
  
  transmitting the certificate to a remote key manager; and
  
  transmitting the document to a remote network storage device.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18, wherein the expiry information indicates a time after which decryption of the document is not allowed.
  - 20. The method of claim 18, wherein requesting a trusted execution to generate an encryption key and a certificate for a document comprises generating the expiry information in the trusted execution environment using a clock secured by the trusted execution environment.
  - 21. The method of claim 18, wherein requesting a trusted execution to generate an encryption key and a certificate for a document comprises generating the expiry information in the trusted execution environment using a policy directed by the key manager.
  - 22. The method of claim 18, wherein encrypting the document with the encryption key comprises encrypting the document with the encryption key in a general execution environment of the programmable device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Nayshtut, Alex, Muttik, Igor, Khosravi, Hormuzd M.

Granted Patent

US 10,581,617 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/0435   wherein the sending and rec...

H04L 63/068   using time-dependent keys, ...

H04L 63/0823   using certificates cryptogr...

H04L 63/108   when the policy decisions a...

H04L 67/1097   for distributed storage of ...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for hardware based file/document expiry timer enforcement

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for hardware based file/document expiry timer enforcement

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links