System and method for secure storage of data using public and private keys

US 7,543,336 B2
Filed: 05/07/2003
Issued: 06/02/2009
Est. Priority Date: 10/26/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted, wherein the content comprises an arbitrary block of data, wherein the statement of conditions comprises an operating system identity that an operating system executing on a device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor; and

encrypting the content using a public key of a pair of public and private keys of the device that is to decrypt the content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a data structure to be encrypted is received, the data structure including content along with a statement of conditions under which the content may be decrypted. The content is encrypted using a public key of a pair of public and private keys of a device that is to decrypt the data structure. In another aspect, a data structure is decrypted using a private key of a pair of public and private keys. A statement of conditions under which content in the data structure can be decrypted is obtained, and testing is performed as to whether the conditions are satisfied. The decrypted content is returned only if the conditions are satisfied.

Citations

49 Claims

1. A method comprising:
- receiving a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted, wherein the content comprises an arbitrary block of data, wherein the statement of conditions comprises an operating system identity that an operating system executing on a device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor; and
  
  encrypting the content using a public key of a pair of public and private keys of the device that is to decrypt the content.
- View Dependent Claims (2, 3, 4)
- - 2. A method as recited in claim 1, wherein the pair of public and private keys are keys of a processor of the device.
  - 3. A method as recited in claim 1, wherein the operating system identity is for an operating system that is different than an operating system executing when the data structure to be encrypted is received.
  - 4. A method as recited in claim 1, wherein a processor that is to decrypt the content is different than a processor that encrypts the data structure.

5. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors, causes the one or more processors to:
- receive a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor; and
  
  encrypt the content using a public key of a pair of public and private keys of a device that is to decrypt the content.
- View Dependent Claims (6, 7, 8, 9)
- - 6. One or more computer readable memories as recited in claim 5, wherein the pair of public and private keys are keys of a processor of the device.
  - 7. One or more computer readable memories as recited in claim 5, wherein the operating system identity is maintained in a software identity register (SIR).
  - 8. One or more computer readable memories as recited in claim 5, wherein the operating system identity is for an operating system that is different than an operating system executing when the content to be encrypted is received.
  - 9. One or more computer readable memories as recited in claim 5, wherein the one or more processors to encrypt the content are part of a different device than the device that is to decrypt the content.

10. A method comprising:
- decrypting a data structure using a private key of a pair of public and private keys;
  
  obtaining a statement of conditions under which content in the data structure can be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on a device including a processor must have in order for the content to be decrypted, wherein the operating system identity is identified in a signed certificate from an operating system vendor, and wherein the operating system identity is maintained in a software identity register (SIR);
  
  testing whether the conditions are satisfied; and
  
  returning the decrypted content only if the conditions are satisfied.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. A method as recited in claim 10, wherein the pair of public and private keys are keys of the processor.
  - 12. A method as recited in claim 10, wherein obtaining the statement of conditions comprises obtaining the statement of conditions from the data structure.
  - 13. A method as recited in claim 10, further comprising returning an error if the conditions are not satisfied.
  - 14. A method as recited in claim 10, further comprising receiving the data structure from a device other than the device that includes the processor.
  - 15. A method as recited in claim 10, wherein the processor is different than a processor that encrypted the data structure.

16. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by a processor, causes the processor to:
- decrypt a data structure using a private key of a pair of public and private keys;
  
  obtain a statement of conditions under which content in the data structure can be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on a device including the processor must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor;
  
  test whether the conditions are satisfied; and
  
  return the decrypted content only if the conditions are satisfied.
- View Dependent Claims (17, 18, 19)
- - 17. One or more computer readable memories as recited in claim 16, wherein the pair of public and private keys are keys of the processor.
  - 18. One or more computer readable memories as recited in claim 16, wherein the operating system identity is maintained in a software identity register (SIR).
  - 19. One or more computer readable memories as recited in claim 16, wherein the processor is different than a processor that encrypted the data structure.

20. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors, causes the one or more processors to:
- obtain content to be encrypted; and
  
  invoke a seal operation, inputting both the content and a statement of conditions under which the content may be decrypted, to have the content encrypted using a public key of a pair of public and private keys of a device that may decrypt the data structure, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor.
- View Dependent Claims (21, 22, 23)
- - 21. One or more computer readable memories as recited in claim 20, wherein the public and private keys are keys of a processor of the device.
  - 22. One or more computer readable memories as recited in claim 20, wherein the operating system identity is for an operating system that is different than an operating system invoking the seal operation.
  - 23. One or more computer readable memories as recited in claim 20, wherein the device is a different device than a device that includes the one or more processors.

24. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by a processor of a device, causes the processor to:
- make a seal operation and a reveal operation available for invoking;
  
  wherein the seal operation causes content to be encrypted with a public key of a pair of public and private keys of the processor along with a statement of the conditions under which it may be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor; and
  
  wherein the reveal operation causes the content to be returned to a requester if the conditions are satisfied.
- View Dependent Claims (25)
- - 25. One or more computer readable memories as recited in claim 24, wherein the seal operation and reveal operation collectively provide the ability to seal secrets only for subsequent use on the device.

26. A method comprising:
- receiving a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on a device must have in order for the content to be decrypted, wherein the operating system identity is for an operating system that is different than an operating system executing when the data structure to be encrypted is received, and wherein the operating system identity is maintained in a software identity register (SIR); and
  
  encrypting the content using a public key of a pair of public and private keys of the device that is to decrypt the content.
- View Dependent Claims (27, 28)
- - 27. A method as recited in claim 26, wherein the pair of public and private keys are keys of a processor of the device.
  - 28. A method as recited in claim 26, wherein a processor that is to decrypt the content is different than a processor that encrypts the data structure.

29. A method comprising:
- receiving a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor; and
  
  encrypting the content using a public key of a pair of public and private keys of a device that is to decrypt the content.
- View Dependent Claims (30, 31, 32, 33)
- - 30. A method as recited in claim 29, wherein the pair of public and private keys are keys of a processor of the device.
  - 31. A method as recited in claim 29, wherein the operating system identity is maintained in a software identity register (SIR).
  - 32. A method as recited in claim 29, wherein the operating system identity is for an operating system that is different than an operating system executing when the data structure to be encrypted is received.
  - 33. A method as recited in claim 29, wherein a processor that is to decrypt the content is different than a processor that encrypts the data structure.

34. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors, causes the one or more processors to:
- receive a data structure to be encrypted, wherein the data structure includes content along with a statement of conditions under which the content may be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted, wherein the operating system identity is for an operating system that is different than an operating system executing when the content to be encrypted is received, and wherein the operating system identity is maintained in a software identity register (SIR); and
  
  encrypt the content using a public key of a pair of public and private keys of a device that is to decrypt the content.
- View Dependent Claims (35, 36)
- - 35. One or more computer readable memories as recited in claim 34, wherein the pair of public and private keys are keys of a processor of the device.
  - 36. One or more computer readable memories as recited in claim 34, wherein the one or more processors to encrypt the content are part of a different device than the device that is to decrypt the content.

37. A method comprising:
- decrypting a data structure using a private key of a pair of public and private keys;
  
  obtaining a statement of conditions under which content in the data structure can be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on a device including a processor must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor;
  
  testing whether the conditions are satisfied; and
  
  returning the decrypted content only if the conditions are satisfied.
- View Dependent Claims (38, 39, 40, 41, 42, 43)
- - 38. A method as recited in claim 37, wherein the pair of public and private keys are keys of the processor.
  - 39. A method as recited in claim 37, wherein obtaining the statement of conditions comprises obtaining the statement of conditions from the data structure.
  - 40. A method as recited in claim 37, wherein the operating system identity is identified in a signed certificate from an operating system vendor.
  - 41. A method as recited in claim 37, further comprising returning an error if the conditions are not satisfied.
  - 42. A method as recited in claim 37, further comprising receiving the data structure from a device other than the device that includes the processor.
  - 43. A method as recited in claim 37, wherein the processor is different than a processor that encrypted the data structure.

44. A method comprising:
- obtaining content to be encrypted; and
  
  invoking a seal operation, inputting both the content and a statement of conditions under which the content may be decrypted, to have the content encrypted using a public key of a pair of public and private keys of a device that may decrypt the data structure, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor.
- View Dependent Claims (45, 46, 47)
- - 45. A method as recited in claim 44, wherein the public and private keys are keys of a processor of the device.
  - 46. A method as recited in claim 44, wherein the operating system identity is for an operating system that is different than an operating system invoking the seal operation.
  - 47. A method as recited in claim 44, wherein the device is a different device than a device that includes the one or more processors.

48. A method comprising:
- making a seal operation and a reveal operation available for invoking;
  
  wherein the seal operation causes content to be encrypted with a public key of a pair of public and private keys of the processor along with a statement of the conditions under which it may be decrypted, wherein the statement of conditions comprises an operating system identity that an operating system executing on the device must have in order for the content to be decrypted, and wherein the operating system identity is identified in a signed certificate from an operating system vendor; and
  
  wherein the reveal operation causes the content to be returned to a requester if the conditions are satisfied.
- View Dependent Claims (49)
- - 49. A method as recited in claim 48, wherein the seal operation and reveal operation collectively provide the ability to seal secrets only for subsequent use on the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US10/431,011
Publication Number

US 20030196099A1
Time in Patent Office

2,218 Days
Field of Search

705/51, 705/54, 705/57, 705/55, 705/56, 713/2, 713/190, 713/187, 713/195, 713/143, 726/4, 726/30, 726/33
US Class Current

726/30
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/575   Secure boot

G06F 2221/2113   Multi-level security, e.g. ...

G06F 9/4406   Loading of operating system

G06F 9/468   Specific access rights for ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/166   at the transport layer

System and method for secure storage of data using public and private keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure storage of data using public and private keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links