System and method for protecting master encryption keys
First Claim
1. A method of protecting master transport encryption keys stored on a first computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and a second computing device, wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, wherein the method comprises, at the first computing device:
- generating a copy of a single grand master encryption key in decrypted form;
- encrypting each individual encryption key of the at least one master transport encryption key using the grand master encryption key;
- storing each individual encryption key encrypted using the grand master encryption key in a non-volatile store;
- storing the copy of the single grand master encryption key in decrypted form in a volatile store; and
- when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retaining the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.
Abstract
A system and method for protecting master transport encryption keys stored on a computing device. Master transport encryption keys are used to secure data communications between computing devices. In one example embodiment, there is provided a method in which a copy of a master transport encryption key is generated and stored in a volatile store of a first computing device (e.g. a mobile device). This copy of the master transport encryption key can be used to facilitate the decryption of data received at the first computing device from a second computing device (e.g. a data server), even while the first computing device is locked. The method also comprises encrypting the master transport encryption key, with a content protection key for example, and storing the encrypted master transport encryption key in a non-volatile store of the first computing device.
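The key hierarchy of claim 1 (a single grand master key wrapping the transport keys) can be sketched as follows. This is an added example, not code from the patent: the HMAC-SHA256 encrypt-then-MAC construction is a standard-library stand-in for a real key-wrap cipher, and the `Device` class, the PBKDF2-derived content protection key, and persisting the grand master key under that key are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _ks(key, nonce, n):  # HMAC-SHA256 counter-mode keystream (stand-in cipher, not AES)
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, pt):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

def kdf(password):  # assumption: content protection key derived from the device password
    return hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 10_000)

class Device:
    def __init__(self, password, transport_keys):
        gmk = secrets.token_bytes(32)                   # single grand master key
        self.ram = {"gmk": gmk, "cpk": kdf(password)}   # volatile store
        # Non-volatile store holds only wrapped keys, never a plaintext key.
        self.flash = {kid: seal(gmk, k) for kid, k in transport_keys.items()}
        self.flash["gmk"] = seal(self.ram["cpk"], gmk)  # assumption: GMK persisted under the CPK

    def lock(self):         # content protection mode: drop the CPK, retain the GMK copy
        self.ram.pop("cpk", None)

    def unlock(self, password):
        cpk = kdf(password)
        self.ram.update(cpk=cpk, gmk=unseal(cpk, self.flash["gmk"]))

    def power_cycle(self):  # volatile store is lost
        self.ram.clear()

    def receive(self, kid, blob):  # decrypt data sent by the second computing device
        if "gmk" not in self.ram:
            raise PermissionError("no grand master key in volatile store")
        return unseal(unseal(self.ram["gmk"], self.flash[kid]), blob)

if __name__ == "__main__":
    tk = secrets.token_bytes(32)                        # constructed transport key
    dev = Device(b"constructed-pw", {"server": tk})
    dev.lock()
    print(dev.receive("server", seal(tk, b"mail pushed while locked")))
```

The trade-off the sketch makes visible is that the plaintext grand master key stays in the volatile store for the whole locked period, while after a power cycle nothing is decryptable until the password is entered again.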
18 Claims
1. A method of protecting master transport encryption keys stored on a first computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and a second computing device, wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, wherein the method comprises, at the first computing device:
- generating a copy of a single grand master encryption key in decrypted form;
- encrypting each individual encryption key of the at least one master transport encryption key using the grand master encryption key;
- storing each individual encryption key encrypted using the grand master encryption key in a non-volatile store;
- storing the copy of the single grand master encryption key in decrypted form in a volatile store; and
- when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retaining the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A non-transitory computer-readable storage medium upon which a plurality of instructions is stored, the instructions for causing a first computing device to perform the steps of a method of protecting master transport encryption keys stored on the first computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and a second computing device, wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, wherein the method comprises:
- generating a copy of a single grand master encryption key in decrypted form;
- encrypting each individual encryption key of the at least one master transport encryption key using the grand master encryption key;
- storing each individual encryption key encrypted using the grand master encryption key in a non-volatile store;
- storing the copy of the single grand master encryption key in decrypted form in a volatile store; and
- when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retaining the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.
13. A system for protecting master transport encryption keys stored on a first computing device, the system comprising the first computing device and a second computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and the second computing device, and wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, and wherein a processor of the first computing device is configured to:
- generate a copy of a single grand master encryption key in decrypted form;
- encrypt each individual encryption key of the at least one master transport encryption key using the grand master encryption key;
- store each individual encryption key encrypted using the grand master encryption key in a non-volatile store;
- store the copy of the single grand master encryption key in decrypted form in a volatile store; and
- when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retain the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.

Dependent claims: 14, 15, 16, 17, 18
Specification