Saving and retrieving data based on symmetric key encryption

US 7,587,589 B2
Filed: 11/08/2006
Issued: 09/08/2009
Est. Priority Date: 04/17/2002
Status: Expired due to Fees

First Claim

Patent Images

1. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:

implement a system having a plurality of hierarchical layers including a lowest layer that guards a root resource, wherein the plurality of hierarchical layers further includes one or more intermediate layers that act as principals that request access to the root resource from the next lower layer and that act as guards to the root resource toward principals in the next higher layer; and

allow access to the root resource only to principals authorized to access the root resource, wherein to allow the access is to;

use a first operation to securely seal the root resource along with identifiers of multiple principals that are allowed to access the root resource; and

use a second operation to retrieve the root resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using a symmetric cipher, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with other aspects, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The integrity of the data is also verified, and the data is decrypted using a symmetric key. The data is returned to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.

132 Citations

12 Claims

1. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
- implement a system having a plurality of hierarchical layers including a lowest layer that guards a root resource, wherein the plurality of hierarchical layers further includes one or more intermediate layers that act as principals that request access to the root resource from the next lower layer and that act as guards to the root resource toward principals in the next higher layer; and
  
  allow access to the root resource only to principals authorized to access the root resource, wherein to allow the access is to;
  
  use a first operation to securely seal the root resource along with identifiers of multiple principals that are allowed to access the root resource; and
  
  use a second operation to retrieve the root resource.
- View Dependent Claims (2, 3)
- - 2. One or more computer storage media as recited in claim 1, wherein the plurality of hierarchical layers comprises four layers, wherein the lowest layer comprises a security kernel layer, wherein a next lowest layer comprises a basic input/output system layer, wherein a next lowest layer comprises an operating system layer, and wherein a highest layer comprises an application layer.
  - 3. One or more computer storage media as recited in claim 1, wherein the root resource comprises a cryptographic key.

4. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
- implement a system having;
  
  a plurality of hierarchical layers including a lowest layer that guards a root resource, the lowest layer using a first operation to securely seal the root resource, and a second operation to retrieve the root resource and allow a principal in another layer of the plurality of hierarchical layers to access the root resource only if an identifier of the principal is included with the root resource as one of multiple identifiers of principals allowed to access the root resource; and
  
  a plurality of guards included in each of the plurality of hierarchical layers, wherein each guard is a service guard or a disclosure guard;
  
  wherein each service guard allows principals in the next higher layer to request operations to be performed with protected data, and wherein the service guard performs the operation only if a condition is satisfied; and
  
  wherein each disclosure guard allows principals in the next higher layer to request protected data to be disclosed to the principals, and wherein the disclosure guard discloses the protected data only if another condition is satisfied.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. One or more computer storage media as recited in claim 4, wherein each of the principals in the next higher layer is a service guard or a disclosure guard.
  - 6. One or more computer storage media as recited in claim 4, wherein one or more guards are implemented by obtaining protected data from a guard in the layer below it.
  - 7. One or more computer storage media as recited in claim 4, wherein one or more guards are implemented by requesting a service from a guard in the layer below it.
  - 8. One or more computer storage media as recited in claim 4, wherein the protected data are cryptographic keys.
  - 9. One or more computer storage media as recited in claim 4, wherein one or more service guards expose, on protected data, one or more of encryption, decryption, digital signing, Message Authentication Code (MAC), and combined digital signing and integrity verification.

10. A computing device comprising:
- a processor;
  
  one or more computer storage media to store multiple instructions that, when executed by the processor, cause the processor to;
  
  implement a plurality of hierarchical layers including a lowest layer that guards a root resource;
  
  wherein the plurality of hierarchical layers further includes one or more intermediate layers that,act as principals that request, from the next lower layer, operations to be performed using the root resource, andact as guards to the root resource toward principals in the next higher layer; and
  
  allow the operations to be performed using the root resource only for principals authorized to access the root resource, identifiers of multiple principals authorized to access the root resource being sealed with the root resource.
- View Dependent Claims (11, 12)
- - 11. A computing device as recited in claim 10, wherein the plurality of hierarchical layers comprises four layers, wherein the lowest layer comprises a security kernel layer, wherein a next lowest layer comprises a basic input/output system layer, wherein a next lowest layer comprises an operating system layer, and wherein a highest layer comprises an application layer.
  - 12. A computing device as recited in claim 10, wherein the root resource comprises a cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Peinado, Marcus
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
RAHIM, MONJUR

Application Number

US11/557,641
Publication Number

US 20070067624A1
Time in Patent Office

1,035 Days
Field of Search

380/287, 713/155
US Class Current

713/155
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Saving and retrieving data based on symmetric key encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

132 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Saving and retrieving data based on symmetric key encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links