Key protectors based on online keys

US 8,462,955 B2
Filed: 06/03/2010
Issued: 06/11/2013
Est. Priority Date: 06/03/2010
Status: Active Grant

First Claim

Patent Images

1. A method of creating a key protector for a storage media, the method being implemented in a computing device and comprising:

obtaining an online key, wherein the online key is protected by a remote service;

generating one or more local keys;

combining the one or more local keys and the online key to generate a combined key;

encrypting, based at least in part on the combined key, a master key for encrypting and decrypting the storage media or one or more storage media encryption keys that are used to encrypt and decrypt the storage media; and

storing a key protector for the storage media, the key protector including the encrypted master key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.

56 Citations

View as Search Results

19 Claims

1. A method of creating a key protector for a storage media, the method being implemented in a computing device and comprising:
- obtaining an online key, wherein the online key is protected by a remote service;
  
  generating one or more local keys;
  
  combining the one or more local keys and the online key to generate a combined key;
  
  encrypting, based at least in part on the combined key, a master key for encrypting and decrypting the storage media or one or more storage media encryption keys that are used to encrypt and decrypt the storage media; and
  
  storing a key protector for the storage media, the key protector including the encrypted master key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, wherein obtaining the online key comprises obtaining the online key from the remote service.
  - 3. A method as recited in claim 1, further comprising encrypting the online key using a public key of the remote service, and including the encrypted online key comprises in the key protector.
  - 4. A method as recited in claim 1, wherein obtaining the online key comprises generating the online key, and the method further comprises storing the online key with the remote service, the online key being stored as associated with the computing device or a user of the computing device.
  - 5. A method as recited in claim 1, wherein the storage media comprises a removable flash memory device.
  - 6. A method as recited in claim 1, further comprising:
    - protecting each of the one or more local keys so that each of the one or more local keys can be retrieved only after a user of the computing device has been authenticated.
  - 7. A method as recited in claim 1, wherein encrypting the master key using the combined key comprises encrypting the master key using a symmetric key cryptography cipher that uses the combined key as a symmetric key.
  - 8. A method as recited in claim 1, further comprising:
    - generating an encrypted combined key by encrypting, based at least in part on the master key and the combined key; and
      
      including the encrypted combined key in the key protector.
  - 9. A method as recited in claim 8, further comprising:
    - obtaining a new master key;
      
      generating a new encrypted master key by encrypting, based at least in part on the combined key, the new master key;
      
      replacing the encrypted master key in the key protector with the new encrypted master key;
      
      generating a new encrypted combined key by encrypting, based at least in part on the new master key, the combined key; and
      
      replacing the encrypted combined key in the key protector with the new encrypted combined key.

10. A method of accessing a user-protected storage media, the method being implemented in a computing device and comprising:
- obtaining, from a remote service, an online key associated with one or both of the computing device and a user of the computing device;
  
  obtaining one or more local keys;
  
  combining the online key and the one or more local keys;
  
  obtaining a key protector including an encrypted master key, wherein the master key is for decrypting the user-protected storage media or decrypting one or more storage media encryption keys that are used to decrypt the user-protected storage media; and
  
  using the online key to decrypt the master key from the encrypted master key in the key protector, wherein using the online key to decrypt the master key comprises using the combined key to decrypt the master key from the encrypted master key in the key protector.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. A method as recited in claim 10, wherein obtaining the key protector comprises obtaining the key protector from the user-protected storage media.
  - 12. A method as recited in claim 10, wherein the online key is encrypted using a public key of the remote service, and wherein obtaining the online key comprises sending the online key encrypted using the public key of the remote service to the remote service and obtaining the online key from the remote service after having been decrypted by the remote service using a private key of the remote service.
  - 13. A method as recited in claim 10, wherein the method is performed in a pre-execution environment of the computing device, and wherein the user-protected storage media comprises a boot volume used to boot the computing device.
  - 14. A method as recited in claim 10, wherein combining the online key and the one or more local keys comprises using the online key and the one or more local keys as inputs to an exclusive-or operation, and using a result of the exclusive-or operation as the combined key.
  - 15. A method as recited in claim 10, wherein using the combined key to decrypt the master key comprises using a symmetric key cryptography cipher to decrypt the master key, and wherein the symmetric key cryptography cipher uses the combined key as a symmetric key.
  - 16. A method as recited in claim 10, wherein obtaining the online key comprises receiving the online key from the remote service in response to the computing device being authenticated by the remote service.
  - 17. A method as recited in claim 10, wherein obtaining the online key comprises receiving the online key from the remote service in response to the user of the computing device being authenticated by the remote service.
  - 18. A method as recited in claim 10, wherein obtaining the online key comprises:
    - receiving a token from the remote service in response to the user of the computing device being authenticated by the remote service; and
      
      applying a hash function to the token to generate a hash value that is the online key.

19. One or more computer storage media devices having stored thereon instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
- generate one or more local keys;
  
  generate an online key;
  
  combine the one or more local keys and the online key to generate a combined key;
  
  protect the online key by encrypting the online key with a public key of a remote service;
  
  protect each of the one or more local keys so that each of the one or more local keys can be retrieved only after a user of the computing device has been authenticated;
  
  encrypt, using a symmetric key cryptography cipher that uses the combined key as a symmetric key, a master key for encrypting and decrypting one or more storage media encryption keys that are used to encrypt a storage media;
  
  encrypt the combined key based at least in part on the master key; and
  
  store, on the storage media, a key protector for the storage media, the key protector including the encrypted master key, the encrypted combined key, and the online key encrypted with the public key of the remote service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ureche, Octavian T., Dussart, Nils, Halcrow, Michael A., Jeffries, Charles G., Lewis, Nathan T., Ilac, Cristian M., Basmov, Innokentiy, Nystrm, Magnus Bo Gustaf, Ferguson, Niels T.
Primary Examiner(s)
Laforgia, Christian

Application Number

US12/793,455
Publication Number

US 20110302398A1
Time in Patent Office

1,104 Days
Field of Search

380/281, 380/284, 713/193
US Class Current

380/281
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

Key protectors based on online keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Key protectors based on online keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links