Two-party storage of encrypted sensitive information

US 8,335,933 B2
Filed: 02/13/2009
Issued: 12/18/2012
Est. Priority Date: 02/13/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage device containing instructions for controlling a computing device to store information securely, by a method comprising:

securing the information by encrypting with a first key the information to generate first-key encrypted data and encrypting with a second key the first key to generate a second-key encrypted first key;

directing storage of a first portion of the first-key encrypted data and the second-key encrypted first key at a first location and a second portion of the first-key encrypted data at a second location, the first location and the second location being separate storage devices; and

when the secured information is to be used,receiving the first portion of the first-key encrypted data and the second-key encrypted first key from the first location and the second portion of the first-key encrypted data from the second location;

unsecuring the secured information by decrypting with the second key the second-key encrypted first key to extract the first key and decrypting with the extracted first key the received first portion and the received second portion to extract the information,wherein after the information is secured and until the secured information needs to be unsecured, the first location and the second location each store only a portion of the first-key encrypted data and neither the first location nor the second location stores a complete copy of both the first key and the second key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure storage system secures information of a client by first encrypting the information with a first key to generate first-key encrypted data. The secure storage system then encrypts with a second key the first-key encrypted data and the first key to generate second-key encrypted data. The system provides the client with a first portion of the second-key encrypted data. The system stores a second portion of the second-key encrypted data and the second key. When the confidential information is needed, the client provides the first portion. The system retrieves the second portion. The system then decrypts with the second key the first portion and the second portion to generate the first-key encrypted data and the first key. The system then decrypts with the first key the first-key encrypted data to generate the unsecure confidential information.

65 Citations

View as Search Results

20 Claims

1. A computer-readable storage device containing instructions for controlling a computing device to store information securely, by a method comprising:
- securing the information by encrypting with a first key the information to generate first-key encrypted data and encrypting with a second key the first key to generate a second-key encrypted first key;
  
  directing storage of a first portion of the first-key encrypted data and the second-key encrypted first key at a first location and a second portion of the first-key encrypted data at a second location, the first location and the second location being separate storage devices; and
  
  when the secured information is to be used,receiving the first portion of the first-key encrypted data and the second-key encrypted first key from the first location and the second portion of the first-key encrypted data from the second location;
  
  unsecuring the secured information by decrypting with the second key the second-key encrypted first key to extract the first key and decrypting with the extracted first key the received first portion and the received second portion to extract the information,wherein after the information is secured and until the secured information needs to be unsecured, the first location and the second location each store only a portion of the first-key encrypted data and neither the first location nor the second location stores a complete copy of both the first key and the second key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-readable storage device of claim 1 wherein the information to be secured is provided by a client to a server and the server secures the information for storage of the first portion under control of the client and storage of the second portion under control of the server.
  - 3. The computer-readable storage device of claim 2 wherein the server generates the first key for use in encrypting the information of the client.
  - 4. The computer-readable storage device of claim 1 wherein the directing of storage of the first portion includes using a cookie mechanism to store the first portion.
  - 5. The computer-readable storage device of claim 1 wherein at least one of the first location and the second location is a secure storage server separate from a server that secures the information.
  - 6. The computer-readable storage device of claim 1 including generating an identifier and directing storage of the identifier at the first location and the second location so that the first portion and the second portion can be matched when the information is be unsecured.
  - 7. The computer-readable storage device of claim 1 whereinthe first portion is generated by encrypting with the first key a first part of the information to generate the first portion of the first-key encrypted data;
    - andthe second portion is generated by encrypting with the first key a second part of the information to generate the second portion of the first-key encrypted datawherein the first portion and the second portion include all of the information.
  - 8. The computer-readable storage device of claim 7 wherein the second portion is generated by further encrypting with the second key the second part of the first-key encrypted data.
  - 9. The computer-readable storage device of claim 1 wherein the first portion and the second portion are generated byencrypting with the first key the information to generate the first-key encrypted data;
    - andgenerating the first portion by encrypting with the second key a first part of the first-key encrypted data and the first key;
      
      wherein the second portion comprises a second part of the first-key encrypted data such that the first part and the second part include all of the first-key encrypted data.
  - 10. The computer-readable storage device of claim 9 wherein the second part is further encrypted with the second key to form the second portion.
  - 11. The computer-readable storage device of claim 1 wherein the first portion and the second portion are generated by:
    - encrypting with the first key the information to generate the first-key encrypted data;
      
      encrypting with the second key the first-key encrypted data and the first key to generate the second-key encrypted data,wherein the first portion comprises a first part of the second-key encrypted data and the second portion comprises a remainder of the second-key encrypted data.

12. A computer system with a processor and memory for securing information, comprising:
- a component that encrypts with a first key the information to generate first-key encrypted data;
  
  a component that encrypts with a second key the first key to generate second-key encrypted first key; and
  
  a component that directs storage of a first portion of the first-key encrypted data and the second-key encrypted first key at a first location and a second portion of the first-key encrypted data at a second location, the first location and the second location being separate storage devices,wherein the components are implemented as computer-readable instructions stored in memory for execution by the processor.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer system of claim 12, further comprising:
    - a component that receives the first portion of the first-key encrypted data and the second-key encrypted first key from the first location and the second portion of the first-key encrypted data from the second location;
      
      a component that decrypts with the second key the second-key encrypted first key to extract the first key; and
      
      a component that decrypts with the extracted first key the first-key encrypted data to extract the information.
  - 14. The computer system of claim 12 whereinthe first portion is generated by a component that encrypts with the first key a first part of the information to generate the first portion of the first-key encrypted data;
    - andthe second portion is generated by a component that encrypts with the first key a second part of the information to generate the second portion of the first-key encrypted data,wherein the first part and the second part include all of the information.
  - 15. The computer system of claim 14 wherein the second portion is generated by further encrypting with the second key the second part of the first-key encrypted data.
  - 16. The computer system of claim 12 wherein the first portion and the second portion are generated by a component thatencrypts with the first key the information to generate the first-key encrypted data;
    - andgenerates the first portion by encrypting with the second key a first part of the first-key encrypted data,wherein the second portion comprises a second part of the first-key encrypted data such that the first part and the second part include all of the first-key encrypted data.
  - 17. The computer system of claim 12 wherein the first portion and the second portion are generated by a component thatencrypts with the first key the information to generate the first-key encrypted data;
    - andencrypts with the second key the first-key encrypted data to generate the second-key encrypted data,wherein the first portion comprises a first part of the second-key encrypted data and the second portion comprises a remainder of the second-key encrypted data.

18. A computer system with a processor and memory for unsecuring information, comprising:
- a component that receives a first portion of first-key encrypted data and a second-key encrypted first key from a first location and a second portion of the first-key encrypted data from a second location, the first location and the second location being separate storage devices;
  
  a component that decrypts with a second key the received second-key encrypted first key to extract the first key; and
  
  a component that decrypts with the first key the first-key encrypted data to extract the information,wherein the components are implemented as computer-readable instructions stored in memory for execution by the processor.
- View Dependent Claims (19, 20)
- - 19. The computer system of claim 18 including:
    - a component that encrypts with the first key the information to generate the first-key encrypted data;
      
      a component that encrypts with the second key the first-key encrypted data and the first key to generate second-key encrypted data; and
      
      a component that directs storage of the first portion of the second-key encrypted data at the first location and the second portion of the second-key encrypted data at the second location.
  - 20. The computer system of claim 18 including:
    - a component that encrypts with the first key the information to generate the first-key encrypted data;
      
      a component that divides the first-key encrypted data into a first part and a second part;
      
      a component that encrypts with the second key a combination of the first part and the first key to generate a first portion of a second-key encrypted data;
      
      a component that encrypts with the second key the second part to generate a second portion of the second-key encrypted data;
      
      a component that decrypts with the second key the first portion and the second portion of the second-key encrypted data; and
      
      a component that combines into the first-key encrypted data the first part of the decrypted first portion and the second part of the decrypted second portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Humphrey, Matthew G., Mathew, Ashvin J., Wilde, Michael A., Radu, Costel
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Hailu, Teshome

Application Number

US12/371,496
Publication Number

US 20100208889A1
Time in Patent Office

1,404 Days
Field of Search

713/193
US Class Current

713/193
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/56   Financial cryptography, e.g...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04N 21/2347   involving video stream encr...

Two-party storage of encrypted sensitive information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Two-party storage of encrypted sensitive information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links