Saving and retrieving data based on symmetric key encryption
Abstract
In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using a symmetric cipher, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with other aspects, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The integrity of the data is also verified, and the data is decrypted using a symmetric key. The data is returned to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.
70 Claims
1. A method, implemented in a computing device, the method comprising:
- receiving a bit string from a calling program;
- checking an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string, the checking comprising:
  - obtaining, from the bit string, identifiers of multiple target programs that are allowed to access the data;
  - checking whether one of the identifiers of the multiple target programs is the same as the identifier of the calling program;
  - determining that the calling program is allowed to access the data if one of the identifiers of the multiple target programs is the same as the identifier of the calling program; and
  - determining that the calling program is not allowed to access the data if none of the identifiers of the multiple target programs is the same as the identifier of the calling program;
- verifying the integrity of the data;
- decrypting the data using a symmetric key; and
- returning the data to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive data from a calling program;
- generate, using a symmetric cipher, ciphertext that includes the data and identifiers of multiple target programs that are allowed to access the data;
- after the ciphertext is generated, receive a bit string from another calling program;
- check an identifier of the other calling program to determine whether the other calling program is one of the multiple target programs;
- verify the integrity of the data;
- decrypt the data using a symmetric key; and
- return the data to the other calling program only if the other calling program is one of the multiple target programs and if the integrity of the data is successfully verified.
Dependent claims: 13, 14

15. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- obtain an identifier of a calling application;
- generate a bit string including the identifier of the calling application, data to be sealed for the calling application, and identifiers of multiple target applications that are allowed to unseal the data;
- generate a message authentication code (MAC) value for the bit string;
- encrypt the bit string using a symmetric key and a symmetric cipher; and
- return the MAC value and the encrypted bit string to the calling application.
Dependent claims: 16, 17, 18, 19

20. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, from a calling program, a bit string including ciphertext and a message authentication code (MAC) value;
- decrypt the ciphertext in the bit string using a symmetric key to generate plaintext data;
- generate a message authentication code (MAC) value for at least a portion of the plaintext data;
- check whether the MAC value in the bit string is equal to the generated MAC value;
- check whether an identifier of the calling program is included as one of multiple target program identifiers in the plaintext data, the multiple target program identifiers identifying multiple target programs that are allowed to unseal the plaintext data; and
- return the plaintext data to the calling program only if the MAC value in the bit string is equal to the generated MAC value and if the identifier of the calling program is included as one of the multiple target program identifiers in the plaintext data.
Dependent claims: 21, 22

23. A device comprising a plurality of hardware means, the plurality of hardware means including:
- means for receiving a bit string from a calling program;
- means for checking an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string, the means for checking determining that the calling program is allowed to access the data if the identifier of the calling program is included as one of multiple target program identifiers in the ciphertext;
- means for verifying the integrity of the data;
- means for decrypting the data using a symmetric key; and
- means for returning the data to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.

24. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive a bit string from a calling program;
- check an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string, wherein to check the identifier is to:
  - obtain, from the bit string, identifiers of multiple target programs that are allowed to access the data;
  - check whether one of the identifiers of the multiple target programs is the same as the identifier of the calling program;
  - determine that the calling program is allowed to access the data if one of the identifiers of the multiple target programs is the same as the identifier of the calling program; and
  - determine that the calling program is not allowed to access the data if none of the identifiers of the multiple target programs is the same as the identifier of the calling program;
- verify the integrity of the data;
- decrypt the data using a symmetric key; and
- return the data to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.
Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32, 33, 34

35. A computing device comprising:
- a processor; and
- a memory, coupled to the processor, storing a plurality of instructions causing the processor to perform acts comprising:
  - receiving a bit string from a calling program;
  - checking an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string, the checking comprising:
    - obtaining, from the bit string, identifiers of multiple target programs that are allowed to access the data;
    - checking whether one of the identifiers of the multiple target programs is the same as the identifier of the calling program;
    - determining that the calling program is allowed to access the data if one of the identifiers of the multiple target programs is the same as the identifier of the calling program; and
    - determining that the calling program is not allowed to access the data if none of the identifiers of the multiple target programs is the same as the identifier of the calling program;
  - verifying the integrity of the data;
  - decrypting the data using a symmetric key; and
  - returning the data to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.
Dependent claims: 36, 37, 38, 39, 40, 41, 42, 43, 44, 45

46. A method, implemented in a computing device, the method comprising:
- receiving data from a calling program;
- generating, using a symmetric cipher, ciphertext that includes the data and identifiers of multiple target programs that are allowed to access the data;
- after the ciphertext is generated, receiving a bit string from another calling program;
- checking an identifier of the other calling program to determine whether the other calling program is one of the multiple target programs;
- verifying the integrity of the data;
- decrypting the data using a symmetric key; and
- returning the data to the other calling program only if the other calling program is one of the multiple target programs and if the integrity of the data is successfully verified.
Dependent claims: 47, 48

49. A computing device comprising:
- a processor; and
- a memory, coupled to the processor, storing a plurality of instructions that cause the processor to:
  - receive data from a calling program;
  - generate, using a symmetric cipher, ciphertext that includes the data and identifiers of multiple target programs that are allowed to access the data;
  - after the ciphertext is generated, receive a bit string from another calling program;
  - check an identifier of the other calling program to determine whether the other calling program is one of the multiple target programs;
  - verify the integrity of the data;
  - decrypt the data using a symmetric key; and
  - return the data to the other calling program only if the other calling program is one of the multiple target programs and if the integrity of the data is successfully verified.
Dependent claims: 50, 51

52. A method, implemented in a computing device, the method comprising:
- obtaining an identifier of a calling application;
- generating a bit string including the identifier of the calling application, data to be sealed for the calling application, and identifiers of multiple target applications that are allowed to unseal the data;
- generating a message authentication code (MAC) value for the bit string;
- encrypting the bit string using a symmetric key and a symmetric cipher; and
- returning the MAC value and the encrypted bit string to the calling application.
Dependent claims: 53, 54, 55, 56

57. A computing device comprising:
- a processor; and
- a memory, coupled to the processor, storing a plurality of instructions that cause the processor to:
  - obtain an identifier of a calling application;
  - generate a bit string including the identifier of the calling application, data to be sealed for the calling application, and identifiers of multiple target applications that are allowed to unseal the data;
  - generate a message authentication code (MAC) value for the bit string;
  - encrypt the bit string using a symmetric key and a symmetric cipher; and
  - return the MAC value and the encrypted bit string to the calling application.
Dependent claims: 58, 59, 60, 61

62. A method, implemented in a computing device, the method comprising:
- receiving, from a calling program, a bit string including ciphertext and a message authentication code (MAC) value;
- decrypting the ciphertext in the bit string using a symmetric key to generate plaintext data;
- generating a message authentication code (MAC) value for at least a portion of the plaintext data;
- checking whether the MAC value in the bit string is equal to the generated MAC value;
- checking whether an identifier of the calling program is included as one of multiple target program identifiers in the plaintext data, the multiple target program identifiers identifying multiple target programs that are allowed to unseal the plaintext data; and
- returning the plaintext data to the calling program only if the MAC value in the bit string is equal to the generated MAC value and if the identifier of the calling program is included as one of the multiple target program identifiers in the plaintext data.
Dependent claims: 63, 64

65. A computing device comprising:
- a processor; and
- a memory, coupled to the processor, storing a plurality of instructions that cause the processor to:
  - receive, from a calling program, a bit string including ciphertext and a message authentication code (MAC) value;
  - decrypt the ciphertext in the bit string using a symmetric key to generate plaintext data;
  - generate a message authentication code (MAC) value for at least a portion of the plaintext data;
  - check whether the MAC value in the bit string is equal to the generated MAC value;
  - check whether an identifier of the calling program is included as one of multiple target program identifiers in the plaintext data, the multiple target program identifiers identifying multiple target programs that are allowed to unseal the plaintext data; and
  - return the plaintext data to the calling program only if the MAC value in the bit string is equal to the generated MAC value and if the identifier of the calling program is included as one of the multiple target program identifiers in the plaintext data.
Dependent claims: 66, 67

68. A method, implemented in a computing device, the method comprising:
- receiving a bit string from a calling program;
- checking an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string, the checking determining that the calling program is allowed to access the data if the identifier of the calling program is included as one of multiple target program identifiers in the ciphertext;
- verifying the integrity of the data;
- decrypting the data using a symmetric key; and
- returning the data to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.

69. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive a bit string from a calling program;
- check an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string, wherein to check the identifier is to determine that the calling program is allowed to access the data if the identifier of the calling program is included as one of multiple target program identifiers in the ciphertext;
- verify the integrity of the data;
- decrypt the data using a symmetric key; and
- return the data to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.

70. A computing device comprising:
- a processor; and
- a memory, coupled to the processor, storing a plurality of instructions that cause the processor to:
  - receive a bit string from a calling program;
  - check an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string, wherein to check the identifier is to determine that the calling program is allowed to access the data if the identifier of the calling program is included as one of multiple target program identifiers in the ciphertext;
  - verify the integrity of the data;
  - decrypt the data using a symmetric key; and
  - return the data to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.

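The seal steps of claims 15 and 52 and the unseal steps of claims 20 and 62, as an added Python sketch that is not code from the patent. Assumptions: program identifiers are SHA-256 digests established by the sealing component rather than supplied by the caller, the field layout (length-prefixed fields, MAC then nonce then ciphertext) is invented for illustration, and an HMAC-SHA256 counter-mode keystream stands in for the symmetric cipher so the block runs with the standard library only.

```python
import hashlib, hmac, secrets, struct

# Constructed sample values: a sealing key and three program identifiers
# (assumed here to be SHA-256 digests of each program's image).
KEY = hashlib.sha256(b"constructed sealing key").digest()
PROG_A, PROG_B, PROG_C = (hashlib.sha256(n).digest() for n in (b"A", b"B", b"C"))

def subkey(key, label):
    # Separate MAC and encryption keys derived from the one sealing key.
    return hmac.new(key, label, hashlib.sha256).digest()

def stream_xor(key, nonce, data):
    # Stand-in symmetric cipher: HMAC-SHA256 keystream in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def pack(fields):
    # Length-prefixed fields so identifiers and data cannot run together.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def unpack(blob):
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def seal(key, caller_id, data, target_ids):
    # Bit string = caller id, data, target ids; MAC it, then encrypt it.
    plain = pack([caller_id, data, *target_ids])
    mac = hmac.new(subkey(key, b"mac"), plain, hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    return mac + nonce + stream_xor(subkey(key, b"enc"), nonce, plain)

def unseal(key, caller_id, blob):
    # Returns the data only if the MAC matches and the caller is a target.
    if len(blob) < 48:
        return None
    mac, nonce, ct = blob[:32], blob[32:48], blob[48:]
    plain = stream_xor(subkey(key, b"enc"), nonce, ct)
    expect = hmac.new(subkey(key, b"mac"), plain, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        return None  # integrity failure: never parse unauthenticated bytes
    _sealer, data, *targets = unpack(plain)
    if not any(hmac.compare_digest(caller_id, t) for t in targets):
        return None  # caller is not one of the listed target programs
    return data
```

Both conditions gate the return: a caller whose identifier is absent from the embedded target list gets nothing even when the blob is intact, and a modified blob is rejected before its target list is read.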
Specification