Protected storage of core data secrets
Abstract
The invention provides central storage for core data secrets, referred to as data items. The architecture includes a storage server, a plurality of installable storage providers, and one or more authentication providers. Programming interfaces are exposed so that application programs can utilize the services provided by the invention without having to actually implement the features. When storing a data item using the protected storage services, an application program can specify rules that determine when to allow access to the data item. Access can, if desired, be limited to the current computer user. Access can similarly be limited to specified application programs or to certain classes of application programs. The storage server authenticates requesting application programs before returning data to them. A default authentication provider authenticates users based on their computer or network logon. A default storage provider allows storage of data items on magnetic media such as a hard disk or a floppy disk. Data items are encrypted before they are stored. The encryption optionally uses a key that is derived from the previous authentication of the user. Specifically, the key is derived from the user's password, supplied during logon. In addition, an application program or the user can specify that certain items require another password that is entered whenever access to the data is requested. The default storage provider implements a multi-level encryption scheme to minimize the amount of encryption that has to be re-done when the user changes a password. Each data item is encrypted using an item key that is generated randomly by the system. The item key is in turn encrypted with a master key that is itself encrypted with a key derived from the user-supplied password (such as the user's logon password).
489 Citations
45 Claims
-
1. A system for storing data items, comprising:
-
a storage server that receives data items from application programs and that returns such data items in response to requests from application programs;
at least one data protection provider that stores the data items on a storage medium and protects the data items from unauthorized access;
wherein a plurality of different data protection providers can be registered for use by the storage server, the different data protection providers protecting the data items using different data protection technologies based on user authentication;
wherein the storage server provides the data items to one of the data protection providers for protected storage of the data items in accordance with the protection technology used by said one of the data protection providers; and
wherein the storage server returns the data items only to authorized requestors.
encrypting individual data items with item keys;
encrypting the item keys with a master key;
encrypting the master key with a user key that is derived from a user-supplied code;
storing the encrypted individual data items, the encrypted item keys, and the encrypted master key.
-
-
14. A system as recited in claim 1, wherein said plurality of different data protection providers include a data protection provider that stores data items in accordance with the following steps:
-
encrypting individual data items with item keys;
generating item authentication codes for individual data items using item authentication keys;
encrypting the item keys and the item authentication keys with a master key;
generating key authentication codes for item keys and item authentication keys using a master authentication key;
encrypting the master key and the master authentication key with a user key that is derived from a user-supplied code;
storing the encrypted individual data items, the item authentication codes, the encrypted item keys, the encrypted item authentication keys, the key authentication codes, the encrypted master key, and the encrypted master authentication key.
-
-
15. A system as recited in claim 1, wherein said plurality of different data protection providers include a data protection provider that retrieves data items in accordance with the following steps:
-
retrieving encrypted individual data items, encrypted item keys corresponding to the encrypted individual data items, and an encrypted master key;
decrypting the encrypted master key with a user key that is derived from a user-supplied code;
decrypting the encrypted item keys with the decrypted master key;
decrypting the encrypted individual data items with the corresponding decrypted item keys.
-
-
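The key hierarchy described in the abstract and in claims 14 and 15, as an added worked example (not the patent's own code): each item is sealed under a random item key and item authentication key, those keys are sealed under a master key and master authentication key, and the master keys are sealed under a user key derived from the user-supplied password, so a password change re-encrypts only the master record and leaves every item and item key as stored. The primitives used here (an HMAC-SHA256 counter-mode keystream, encrypt-then-MAC with a 32-byte authentication code, and PBKDF2 for the user key) are assumptions, since the patent names no specific algorithms.

```python
import hashlib
import hmac
import os

# Stand-in primitives, an assumption since the patent names no cipher: HMAC-SHA256 in
# counter mode as keystream, encrypt-then-MAC with HMAC-SHA256 (32-byte tag).
def _xor_stream(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(enc_key, auth_key, data):
    nonce = os.urandom(16)
    ct = nonce + _xor_stream(enc_key, nonce, data)
    return ct + hmac.new(auth_key, ct, "sha256").digest()  # authentication code

def unseal(enc_key, auth_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(auth_key, ct, "sha256").digest(), tag):
        raise ValueError("authentication code mismatch")  # tampering or wrong key
    return _xor_stream(enc_key, ct[:16], ct[16:])

def user_keys(password, salt):
    # User key derived from the user-supplied code; PBKDF2 is an assumption.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 64)
    return k[:32], k[32:]

class ProtectedStore:
    """user key -> (master key, master auth key) -> (item key, item auth key) -> item"""
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.master = os.urandom(64)  # master key + master auth key, cached after logon
        self.items = {}  # name -> (wrapped item keys, sealed item)
        self.master_record = seal(*user_keys(password, self.salt), self.master)

    def store(self, name, secret):
        item_keys = os.urandom(64)  # random item key + item authentication key
        wrapped = seal(self.master[:32], self.master[32:], item_keys)
        self.items[name] = (wrapped, seal(item_keys[:32], item_keys[32:], secret))

    def retrieve(self, name, password):
        master = unseal(*user_keys(password, self.salt), self.master_record)
        wrapped, sealed = self.items[name]
        k = unseal(master[:32], master[32:], wrapped)
        return unseal(k[:32], k[32:], sealed)

    def change_password(self, old, new):
        # Only the master record is re-encrypted; item keys and items stay as stored.
        master = unseal(*user_keys(old, self.salt), self.master_record)
        self.master_record = seal(*user_keys(new, self.salt), master)
```

Because integrity is verified before any decryption, a wrong password and a modified item both fail with the same authentication-code error rather than yielding garbage plaintext.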
16. A system as recited in claim 1, wherein the storage server allows access to individual data items depending on the current computer user.
-
17. A system as recited in claim 1, wherein the storage server returns requested data items only to authorized requesting application programs.
-
18. A system as recited in claim 1, wherein the storage server returns requested data items only to authorized requesting application programs, and wherein the storage server authenticates requesting application programs before returning individual data items.
-
19. A system as recited in claim 1, wherein the storage server returns requested data items only to authorized requesting application programs, and wherein the storage server authenticates the requesting application program using public key cryptography before returning individual data items.
-
20. A system as recited in claim 1, wherein the storage server is responsive to application program requests to present user dialogs allowing the current computer user to specify passwords to be used by the storage provider to securely store and retrieve data items.
-
21. A system as recited in claim 1, wherein the storage server, the data protection providers, and the authentication providers are individually signed by a private cryptographic key that corresponds to a public cryptographic key;
- the storage server, the data protection providers, and the authentication providers being configured to verify each others' signatures using the public cryptographic key.
-
22. A system as recited in claim 1, wherein the storage server implements a set of interface methods that are exposed to application programs, the interface methods performing respective functions comprising:
-
opening a specified data item;
closing a specified data item;
creating a data item type;
deleting a data item type;
creating a data item subtype;
deleting a data item subtype;
deleting a data item;
retrieving a structure that corresponds to a specified data item subtype;
retrieving a structure that corresponds to a specified data item type;
establishing an access rule set for a specified data item subtype;
returning an access rule set for a specified data item subtype;
returning a specified data item;
writing a specified data item with a specified name as a specified data item type and data item subtype.
-
-
23. A system for storing data items, comprising:
-
a storage server that receives data items from application programs and that returns such data items in response to requests from application programs, wherein the storage server executes in a different address space than the application programs and is called via remote procedure calls;
at least one data protection provider that stores the data items on a storage medium and protects the data items from unauthorized access;
wherein a plurality of different data protection providers can be registered for use by the storage server, the different data protection providers protecting the data items using different data protection technologies;
wherein said at least one data protection provider encrypts data items before storing them using one or more keys that are derived from authentication of the current computer user, the data protection provider verifying the integrity of data items when retrieving them;
wherein the storage server provides the data items to one of the data protection providers for protected storage of the data items in accordance with the protection technology used by said one of the data protection providers;
an authentication provider that is called by the storage server to identify current computer users, wherein the authentication provider identifies users based on a previous operating system logon procedure; and
wherein the storage server returns the data items only to authorized requesters.
encrypting individual data items with item keys;
encrypting the item keys with a master key;
encrypting the master key with a user key that is derived from a user-supplied code;
storing the encrypted individual data items, the encrypted item keys, and the encrypted master key.
-
-
27. A system as recited in claim 23, wherein the data protection provider stores data items in accordance with the following steps:
-
encrypting individual data items with item keys;
generating item authentication codes for individual data items using item authentication keys;
encrypting the item keys and the item authentication keys with a master key;
generating key authentication codes for item keys and item authentication keys using a master authentication key;
encrypting the master key and the master authentication key with a user key that is derived from a user-supplied code;
storing the encrypted individual data items, the item authentication codes, the encrypted item keys, the encrypted item authentication keys, the key authentication codes, the encrypted master key, and the encrypted master authentication key.
-
-
28. A system as recited in claim 23, wherein the data protection provider retrieves data items in accordance with the following steps:
-
retrieving encrypted individual data items, encrypted item keys corresponding to the encrypted individual data items, and an encrypted master key;
decrypting the encrypted master key with a user key that is derived from a user-supplied code;
decrypting the encrypted item keys with the decrypted master key;
decrypting the encrypted individual data items with the corresponding decrypted item keys.
-
-
29. A system as recited in claim 23, wherein the storage server returns requested data items only to authorized requesting application programs.
-
30. A system as recited in claim 23, wherein the storage server authenticates requesting application programs before returning individual data items.
-
31. A system as recited in claim 23, wherein the storage server authenticates requesting application programs using public key cryptography before returning individual data items.
-
32. A system as recited in claim 23, wherein the storage server is responsive to application program requests to present user dialogs allowing the current computer user to specify passwords to be used by the data protection provider to securely store and retrieve data items.
-
33. A system as recited in claim 23, wherein the storage server and the data protection providers are individually signed by a private cryptographic key that corresponds to a public cryptographic key;
- the storage server and the data protection providers being configured to verify each others' signatures using the public cryptographic key.
-
34. A method of storing user and application secrets and for protecting them from unauthorized access, comprising the following steps:
-
receiving individual data items from application programs;
encrypting the data items using one or more keys that are derived from one or more user-supplied passwords;
storing the encrypted data items;
retrieving and decrypting the stored encrypted data items in response to requests from application programs;
returning requested data items only to authorized requesting application programs;
exposing a set of interface methods, the interface methods performing respective functions comprising:
opening a specified data item;
closing a specified data item;
creating a data item type;
deleting a data item type;
creating a data item subtype;
deleting a data item subtype;
deleting a data item;
retrieving a structure that corresponds to a specified data item subtype;
retrieving a structure that corresponds to a specified data item type;
establishing an access rule set for a specified data item subtype;
returning an access rule set for a specified data item subtype;
returning a specified data item;
writing a specified data item with a specified name as a specified data item type and data item subtype.
-
-
35. A method of storing user and application secrets and for protecting them from unauthorized access, comprising the following steps:
-
receiving individual data items from different application programs;
encrypting the data items;
storing the encrypted data items from the different application programs in a common storage area;
exposing a set of interface methods, the interface methods performing respective functions comprising:
opening a specified data item;
closing a specified data item;
creating a data item type;
deleting a data item type;
creating a data item subtype;
deleting a data item subtype;
deleting a data item;
retrieving a structure that corresponds to a specified data item subtype;
retrieving a structure that corresponds to a specified data item type;
establishing an access rule set for a specified data item subtype;
returning an access rule set for a specified data item subtype;
returning a specified data item;
writing a specified data item with a specified name as a specified data item type and data item subtype.
returning requested data items only to authorized requesting application programs;
authenticating requesting application programs before returning individual data items.
-
-
39. A method as recited in claim 35, comprising a further step of presenting user dialogs in response to application program requests for data items, the user dialogs allowing the current computer user to specify passwords to be used to decrypt data items.
-
40. A method as recited in claim 35, wherein the encrypting step is based on one or more keys that are derived from authentication of the current computer user.
-
41. A method as recited in claim 35, wherein the encrypting step is based on one or more keys that are derived from a user-supplied code.
-
42. A method as recited in claim 35, wherein the encrypting step is based on one or more keys that are derived from a computer logon code supplied by the current computer user.
-
43. A computer-readable storage medium comprising computer-executable instructions that implement interface methods, the interface methods performing respective functions comprising:
-
opening a specified data item;
closing a specified data item;
creating a data item type;
deleting a data item type;
creating a data item subtype;
deleting a data item subtype;
deleting a data item;
retrieving a structure that corresponds to a specified data item subtype;
retrieving a structure that corresponds to a specified data item type;
establishing an access rule set for a specified data item subtype;
returning an access rule set for a specified data item subtype;
returning a specified data item;
writing a specified data item with a specified name as a specified data item type and data item subtype.
enumerating available data protection providers.
-
-
45. A computer-readable storage medium as recited in claim 43, the interface methods performing further respective functions comprising:
-
enumerating types of data items maintained by a data protection provider;
enumerating subtypes of data items maintained by the data protection provider;
enumerating data items maintained by the data protection provider.
-
Specification