Saving and retrieving data based on public key encryption
Abstract
In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with another aspect, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The data is decrypted using public key decryption and returned to the calling program only if the calling program is allowed to access the data.
34 Claims
1. A method comprising:
receiving data from a calling program;
generating a ciphertext by encrypting, using public key encryption, multiple values that include both the data and multiple target program identifiers, wherein each of the multiple target program identifiers identifies a different one of multiple target programs that are to be able to obtain the data from the ciphertext, and wherein the multiple target programs are identified by the calling program; and
returning the ciphertext to the calling program.
Dependent claims: 2, 3, 4, 5.

6. A method comprising:
receiving a bit string from a calling program;
checking an identifier of the calling program to determine whether the calling program is one of multiple programs allowed to access data encrypted in ciphertext of the bit string, the ciphertext including both the encrypted data and multiple encrypted identifiers each identifying a different one of the multiple programs, and the checking comprising checking whether the identifier of the calling program is included as one of the multiple encrypted identifiers of the multiple programs included in the ciphertext; and
returning the data, decrypted using public key decryption, to the calling program only if the calling program is one of the multiple programs allowed to access the data.
Dependent claims: 7, 8, 9.

10. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
receive data from a calling program;
generate, using public key encryption, a ciphertext that includes multiple values, the multiple values including the data and multiple target program identifiers, each of the multiple target program identifiers identifying a different one of multiple target programs;
after the ciphertext is generated, receive a bit string from a second calling program;
check an identifier of the second calling program to determine whether an identifier of the second calling program is included as one of the multiple target program identifiers in the ciphertext; and
return the data, decrypted using public key decryption, to the second calling program only if the identifier of the second calling program is included as one of the multiple target program identifiers in the ciphertext.
Dependent claims: 11.

12. One or more computer storage media having stored thereon a plurality of instructions to implement a PKSeal operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
obtain data to be encrypted; and
generate a ciphertext by encrypting, using public key encryption, multiple values that include the data and a set of multiple target program identifiers, wherein each of the multiple target program identifiers identifies a different one of multiple target programs that are allowed to decrypt the data.
Dependent claims: 13, 14.

15. One or more computer storage media having stored thereon a plurality of instructions to implement a PKUnseal operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
receive, from a calling program, a bit string including ciphertext;
decrypt, using public key decryption, the ciphertext to generate plaintext;
return the plaintext data to the calling program only if the calling program is one of a set of programs to which the plaintext data can be revealed, wherein the set of programs is identified by a set of multiple program identifiers included in the ciphertext, each of the multiple program identifiers identifying a different program of the set of programs.
Dependent claims: 16.

17. A system comprising:
means for receiving data from a calling program; and
means for generating a ciphertext by encrypting, using public key encryption, multiple values that include the data and a set of multiple target program identifiers, wherein each of the multiple target program identifiers identifies a different one of multiple target programs that are allowed to obtain the data from the ciphertext.

18. A device comprising a plurality of hardware means, the plurality of hardware means including:
means for receiving a bit string from a calling program;
means for checking an identifier of the calling program to determine whether the calling program is one of a plurality of programs allowed to access data encrypted in ciphertext of the bit string, the ciphertext including both the encrypted data and multiple encrypted identifiers each identifying a different one of the plurality of programs, and the means for checking comprising means for checking whether the identifier of the calling program is included as one of the multiple encrypted identifiers of the multiple programs included in the ciphertext; and
means for returning the data, decrypted using public key decryption, to the calling program only if the calling program is one of the plurality of programs allowed to access the data.

19. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
identify data to be sealed;
invoke a PKSeal operation, passing the data as an input to the PKSeal operation and identifying multiple target programs that are allowed to unseal the data; and
receive, in response to the PKSeal operation, a ciphertext including both the data and multiple encrypted target program identifiers, wherein each of the multiple encrypted target program identifiers identifies a different one of the multiple target programs, and wherein the data and identifiers of the multiple target programs are encrypted using public key encryption.
Dependent claims: 20, 21, 22.

23. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
obtain data to be sealed and one or more conditions that are to be satisfied in order for the data to be unsealed; and
encrypt, using public key encryption, both the data and the one or more conditions to generate a ciphertext that includes both the encrypted data and the encrypted one or more conditions, wherein one of the one or more conditions comprises a time constraint for when the data can be unsealed, and wherein the data is not unsealed if the one or more conditions are not satisfied.

24. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
obtain data to be sealed and one or more conditions that are to be satisfied in order for the data to be unsealed; and
encrypt, using public key encryption, both the data and the one or more conditions to generate a ciphertext that includes both the encrypted data and the encrypted one or more conditions, wherein the data is not unsealed if the one or more conditions are not satisfied, wherein one of the one or more conditions comprises a logical formula to be evaluated, and wherein the data can be unsealed only if the logical formula evaluates true.

25. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
obtain data to be sealed and one or more conditions that are to be satisfied in order for the data to be unsealed; and
encrypt, using public key encryption, both the data and the one or more conditions to generate a ciphertext that includes both the encrypted data and the encrypted one or more conditions, wherein the data is not unsealed if the one or more conditions are not satisfied, wherein one of the one or more conditions comprises a program to be executed, and wherein the data can be unsealed only if execution of the program returns an indication of true.

26. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
invoke a PKUnseal operation in order to have a bit string decrypted, passing the bit string as an input to the PKUnseal operation; and
receive, in response to invoking the PKUnseal operation, at least a portion of the decrypted bit string only if the plurality of instructions are one of multiple programs allowed to unseal the bit string, the multiple programs being identified by a set of multiple program identifiers in the bit string, wherein each of the set of multiple program identifiers identifies a different one of the multiple programs allowed to unseal the bit string, and wherein the bit string is decrypted using public key encryption.
Dependent claims: 27, 28.

29. One or more computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computing device, causes the one or more processors to:
invoke a PKUnseal operation in order to obtain data from a bit string sealed in response to invocation of a PKSeal operation;
receive, in response to invoking the PKUnseal operation, the data from the sealed bit string only if conditions that are to be satisfied in order for the data to be unsealed are satisfied, the conditions being included in the sealed bit string, and one of the conditions comprising multiple encrypted program identifiers, each of the multiple encrypted program identifiers identifying one of multiple programs that are allowed to receive the data; and
otherwise not receive the data from the sealed bit string if the conditions that are to be satisfied in order for the data to be unsealed are not satisfied.
Dependent claims: 30, 31, 32.

33. A computing device implementing a system comprising:
a plurality of hierarchical layers including a lowest layer that guards a root resource;
wherein the plurality of hierarchical layers further includes one or more intermediate layers that each act as principals that request access to the root resource from the next lower layer and that each act as guards to the root resource toward principals in the next higher layers, and wherein the plurality of hierarchical layers comprises four layers including the lowest layer comprising a security kernel layer, a next lowest layer comprising a basic input/output system layer, a next lowest layer comprising an operating system layer, and a highest layer comprising an application layer; and
each layer of the plurality of hierarchical layers allowing access to the root resource only to programs in the next higher layer that are authorized to access the root resource, wherein the allowing comprises using a PKSeal operation to encrypt the root resource along with digests of multiple principals that are allowed to access the root resource, and using a PKUnseal operation to decrypt and return the root resource only to principals having a digest that is the same as a digest of one of the multiple principals that are allowed to access the root resource and that is encrypted with the root resource.
Dependent claims: 34.
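The identifier-list mechanism that claims 1, 6, 10, 12, 15 and 33 describe (PKSeal encrypts the data together with the identifiers of the programs allowed to read it; PKUnseal decrypts and hands the data back only if the caller's identifier is one of those sealed in) is illustrated below as an added example. It is not code from the patent or from any product implementing it. Assumptions: a program identifier is the SHA-256 digest of the program image (the claims say "digest" without fixing a function), the caller's identifier is supplied by a trusted measurement layer rather than by the caller itself, and "public key encryption" is realised as a hybrid of AES-256-GCM for the payload with RSA-OAEP wrapping the content key. The wire layouts and the names PKSeal, PKUnseal, ProgramID and IdentifyProgram are this example's own; the claims' conditions (time constraints, formulas, programs) are not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ProgramID identifies a target program; assumed here to be the SHA-256 digest of its image.
type ProgramID [32]byte

func IdentifyProgram(image []byte) ProgramID { return sha256.Sum256(image) }

var ErrNotAuthorized = errors.New("caller is not one of the sealed target programs")

const nonceSize = 12 // standard GCM nonce length

// PKSeal encrypts data and the target identifiers under pub. Inner plaintext layout:
// uint32 count | count x 32-byte ids | data. The hybrid AES-256-GCM + RSA-OAEP
// construction is this example's choice; the claims only require public key encryption.
func PKSeal(pub *rsa.PublicKey, data []byte, targets []ProgramID) ([]byte, error) {
	var plain bytes.Buffer
	binary.Write(&plain, binary.BigEndian, uint32(len(targets)))
	for _, t := range targets {
		plain.Write(t[:])
	}
	plain.Write(data)
	keyNonce := make([]byte, 32+nonceSize) // fresh content key followed by the nonce
	if _, err := rand.Read(keyNonce); err != nil {
		return nil, err
	}
	// The GCM tag binds the id list to the data, so no id can be spliced into a blob sealed for others.
	body := newGCM(keyNonce[:32]).Seal(nil, keyNonce[32:], plain.Bytes(), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyNonce[:32], nil)
	if err != nil {
		return nil, err
	}
	// Outer layout: uint16 wrappedLen | wrapped key | nonce | GCM body.
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(keyNonce[32:])
	out.Write(body)
	return out.Bytes(), nil
}

// PKUnseal decrypts sealed and returns the data only if caller is one of the sealed
// identifiers. The check runs after decryption, inside the trusted operation, so an
// unlisted caller never receives the plaintext.
func PKUnseal(priv *rsa.PrivateKey, caller ProgramID, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed))+nonceSize {
		return nil, errors.New("malformed sealed blob")
	}
	wl := 2 + int(binary.BigEndian.Uint16(sealed))
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:wl], nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("cannot unwrap content key")
	}
	plain, err := newGCM(key).Open(nil, sealed[wl:wl+nonceSize], sealed[wl+nonceSize:], nil)
	if err != nil {
		return nil, err // tampered ciphertext or identifier list
	}
	if len(plain) < 4 || len(plain) < 4+32*int(binary.BigEndian.Uint32(plain)) {
		return nil, errors.New("malformed sealed plaintext")
	}
	count := int(binary.BigEndian.Uint32(plain))
	for i := 0; i < count; i++ {
		if bytes.Equal(plain[4+32*i:36+32*i], caller[:]) {
			return plain[4+32*count:], nil
		}
	}
	return nil, ErrNotAuthorized
}

// newGCM builds AES-256-GCM; callers guarantee a 32-byte key, so neither step can fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent := IdentifyProgram([]byte("constructed image: backup agent"))
	sealed, _ := PKSeal(&priv.PublicKey, []byte("constructed secret"), []ProgramID{agent})
	data, err := PKUnseal(priv, agent, sealed)
	fmt.Printf("listed caller: %q err=%v\n", data, err)
	_, err = PKUnseal(priv, IdentifyProgram([]byte("constructed image: other")), sealed)
	fmt.Println("unlisted caller:", err)
}
```

Two points carry the security argument. First, the identifier list travels inside the authenticated ciphertext, so a caller cannot edit the list to admit itself: any change to the blob fails the GCM tag check before the identifier comparison is reached. Second, the comparison is performed by the unseal operation against a caller identity it obtained from the platform, which is the role claim 33 gives to the lower layer acting as guard; if the caller could simply assert its own identifier, the list would authorise nothing.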