Data security

US 7,711,965 B2
Filed: 10/20/2004
Issued: 05/04/2010
Est. Priority Date: 10/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

requesting, at a host, at least one key from a remote authority located in a remote server over a communication network, the at least one key being generated and authorized by the remote authority;

performing cryptographic operations on data using the at least one key, the cryptographic operations being performed in response, at least in part, to a request to store the data in storage of the host or to retrieve the data from the storage;

receiving, from the remote authority, an indication of revoking the at least one key;

subsequent to receipt of the indication, receiving an additional request to access the data in the storage; and

in response to the additional request, issuing a message to indicate that the additional request is unauthorizedwherein the encrypting and/or the decrypting is performed, at least in part, by circuitry in the host, the circuitry being geographically remote from and communicatively coupled to the remote authority in the remote server, the circuitry periodically requesting that the remote authority indicate whether the at least one key has been revoked.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment.

Citations

28 Claims

1. A method comprising:
- requesting, at a host, at least one key from a remote authority located in a remote server over a communication network, the at least one key being generated and authorized by the remote authority;
  
  performing cryptographic operations on data using the at least one key, the cryptographic operations being performed in response, at least in part, to a request to store the data in storage of the host or to retrieve the data from the storage;
  
  receiving, from the remote authority, an indication of revoking the at least one key;
  
  subsequent to receipt of the indication, receiving an additional request to access the data in the storage; and
  
  in response to the additional request, issuing a message to indicate that the additional request is unauthorizedwherein the encrypting and/or the decrypting is performed, at least in part, by circuitry in the host, the circuitry being geographically remote from and communicatively coupled to the remote authority in the remote server, the circuitry periodically requesting that the remote authority indicate whether the at least one key has been revoked.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - issuing from the remote authority to the communication network the at least one key; and
      
      receiving, via the communication network, the at least one key by circuitry capable of performing the encrypting and/or the decrypting.
  - 3. The method of claim 1, further comprising:
    - after the at least one key has been authorized by the remote authority, authorizing by the remote authority at least one other key; and
      
      encrypting and/or decrypting other data based, at least in part, upon the at least one other key.
  - 4. The method of claim 1, wherein:
    - the revoking being in response, at least in part, to failure of a user to supply one or more valid authorization credentials.
  - 5. The method of claim 1, further comprising:
    - authorizing by the remote authority, based at least in part upon one or more credentials provided by a user, the at least one key.
  - 6. The method of claim 1, wherein:
    - the circuitry is comprised in an integrated circuit, the integrated circuit being geographically remote from and communicatively coupled to the remote authority; and
      
      the storage comprises mass storage.
  - 7. The method of claim 6, further comprising:
    - prior to the encrypting and/or the decrypting, determining whether the circuitry is able to communicate with the remote authority;
      
      if the circuitry is able to communicate with the remote authority, requesting by the circuitry authorization by the remote authority of the at least one key; and
      
      if the circuitry is unable to communicate with the remote authority, determining by the circuitry whether to permit the encrypting and/or the decrypting.
  - 8. The method of claim 6, wherein:
    - the host comprises the integrated circuit, the host being capable of executing an operating system; and
      
      the circuitry is capable of requesting, independent of the operating system, the authorization by the remote authority of the at least one key.

9. An apparatus comprising:
- a host to send a first request for at least one key from a remote authority located in a remote server over a communication link, the at least one key generated and authorized by the remote authority; and
  
  circuitry coupled to the host to perform cryptographic operations on data with the at least one key, the circuitry to perform the cryptographic operations in response, at least in part, to a second request to store the data in storage of the host or to retrieve the data from the storage,wherein the circuitry is to receive a third request to access the data in the storage, the third request received subsequent to an indication from the remote authority that the at least one key has been revoked, in response to the third request, the circuitry is to issue a message to indicate that the third request is unauthorizedwherein the circuitry is geographically remote from and communicatively coupled to the remote authority in the remote server, the circuitry to periodically request that the remote authority indicate whether the at least one key has been revoked.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein:
    - the remote authority is capable of issuing to the communication network the at least one key; and
      
      the circuitry is capable of receiving, via the communication network, the at least one key.
  - 11. The apparatus of claim 9, wherein:
    - the remote authority is capable of, after the at least one key has been authorized by the remote authority, authorizing at least one other key; and
      
      the circuitry is capable of encrypting and/or decrypting other data based, at least in part, upon the at least one other key.
  - 12. The apparatus of claim 9, wherein:
    - the remote authority is capable of revoking the authorization of the at least one key, in response, at least in part, to failure of a user to supply one or more valid authorization credentials.
  - 13. The apparatus of claim 9, wherein:
    - the remote authority is capable of authorizing the at least one key, based at least in part upon one or more credentials provided by a user.
  - 14. The apparatus of claim 9, wherein:
    - an integrated circuit comprises the circuitry, the integrated circuit being geographically remote from and communicatively coupled to the remote authority; and
      
      the storage comprises mass storage.
  - 15. The apparatus of claim 14, wherein:
    - the circuitry is capable of determining, prior to the encrypting and/or the decrypting, whether the circuitry is able to communicate with the remote authority;
      
      if the circuitry determines that the circuitry is able to communicate with the remote authority, the circuitry is capable of requesting authorization by the remote authority of the at least one key; and
      
      if the circuitry determines that the circuitry is unable to communicate with the remote authority, the circuitry is capable of determining whether to permit the encrypting and/or the decrypting.
  - 16. The apparatus of claim 14, wherein:
    - the host comprises the integrated circuit, the host being capable of executing an operating system; and
      
      the circuitry is capable of requesting, independent of the operating system, the authorization by the remote authority of the at least one key.

17. One or more storage media storing instructions that when executed by one or more machines result in the following:
- requesting, at a host, at least one key from a remote authority located in a remote server over a communication network, the at least one key being generated and authorized by the remote authority and used for both encryption and decryption of data; and
  
  performing cryptographic operations on data using the at least one key, the cryptographic operations being performed in response, at least in part, to a request to store the data in storage of the host or to retrieve the data from the storage;
  
  receiving, from the remote authority, an indication of revoking the at least one key;
  
  subsequent to receipt of the indication, receiving an additional request to access the data in the storage; and
  
  in response to the additional request, issuing a message to indicate that the additional request is unauthorized,wherein the encrypting and/or the decrypting is performed, at least in part, by circuitry in the host, the circuitry being geographically remote from and communicatively coupled to the remote authority in the remote server, the circuitry periodically requesting that the remote authority indicate whether the at least one key has been revoked.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The one or more storage media of claim 17, wherein the instructions when executed also result in:
    - issuing from the remote authority to the communication network the at least one key; and
      
      receiving, via the communication network, the at least one key by circuitry capable of performing the encrypting and/or the decrypting.
  - 19. The one or more storage media of claim 17, wherein the instructions when executed also result in:
    - after the at least one key has been authorized by the remote authority, authorizing by the remote authority at least one other key; and
      
      encrypting and/or decrypting other data based, at least in part, upon the at least one other key.
  - 20. The one or more storage media of claim 17, wherein:
    - the revoking is in response, at least in part, to failure of a user to supply one or more valid authorization credentials.
  - 21. The one or more storage media of claim 17, wherein the instructions when executed result in:
    - authorizing by the remote authority, based at least in part upon one or more credentials provided by a user, the at least one key.
  - 22. The one or more storage media of claim 17, wherein:
    - the circuitry is comprised in an integrated circuit, the integrated circuit being geographically remote from and communicatively coupled to the remote authority; and
      
      the storage comprises mass storage.
  - 23. The one or more storage media of claim 22, wherein the instructions when executed also result in:
    - prior to the encrypting and/or the decrypting, determining whether the circuitry is able to communicate with the remote authority;
      
      if the circuitry is able to communicate with the remote authority, requesting by the circuitry authorization by the remote authority of the at least one key; and
      
      if the circuitry is unable to communicate with the remote authority, determining by the circuitry whether to permit the encrypting and/or the decrypting.
  - 24. The one or more storage media of claim 22, wherein:
    - the host comprises the integrated circuit, the host being capable of executing an operating system; and
      
      the circuitry is capable of requesting, independent of the operating system, the authorization by the remote authority of the at least one key.

25. A system comprising:
- a host to send a first request for at least one key from a remote authority over a communication network, the at least one key generated and authorized by the remote authority and used for both encryption and decryption of data; and
  
  a circuit board coupled to the host, the circuit board comprising a circuit card slot and a circuit card that is capable of being inserted into the circuit card slot, the circuit card comprising circuitry to;
  
  perform cryptographic operations on data with the at least one key, the circuitry to perform the cryptographic operations in response, at least in part, to a second request to store the data in storage of the host or to retrieve the data from the storage;
  
  receive a third request to access the data in the storage, the third request received subsequent to an indication from the remote authority that the at least one key has been revoked; and
  
  in response to the third request, issue a message to indicate that the third request is unauthorized,wherein the circuitry is geographically remote from and communicatively coupled to the remote authority in the remote server, the circuitry to periodically request that the remote authority indicate whether the at least one key has been revoked.
- View Dependent Claims (26, 27, 28)
- - 26. The system of claim 25, wherein the circuit board comprises:
    - memory to store basic input/output system (BIOS) instructions and the at least one key; and
      
      an integrated circuit coupled to the storage and to the circuit card, the integrated circuit being capable of controlling, at least in part, operation of the storage;
      
      the circuitry being capable of transmitting to and/or receiving from the integrated circuit the input data and/or the output data.
  - 27. The system of claim 26, wherein the circuit board further comprises:
    - a bus coupling the integrated circuit to the circuit card slot.
  - 28. The system of claim 26, wherein:
    - the host comprises the circuit board and the circuit card;
      
      the storage comprises mass storage; and
      
      the system further comprises the communication network coupling the server to the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J., Rothman, Michael A.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Rahim; Monjour

Application Number

US10/970,405
Publication Number

US 20060085652A1
Time in Patent Office

2,022 Days
Field of Search

380/193, 380/255, 380/278, 713/161, 713/193, 711/164
US Class Current

713/193
CPC Class Codes

G06F 13/4068   Electrical coupling

G06F 21/575   Secure boot

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 21/80   in storage media based on m...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 9/3268   using certificate validatio...

Data security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Data security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links