System and method for protecting master encryption keys

US 8,572,389 B2
Filed: 12/22/2005
Issued: 10/29/2013
Est. Priority Date: 10/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method of protecting master transport encryption keys stored on a first computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and a second computing device, wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, wherein the method comprises, at the first computing device:

generating a copy of a single grand master encryption key in decrypted form;

encrypting each individual encryption key of the at least one master transport encryption key using the grand master encryption key;

storing each individual encryption key encrypted using the grand master encryption key in a non-volatile store;

storing the copy of the single grand master encryption key in decrypted form in a volatile store; and

when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retaining the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for protecting master transport encryption keys stored on a computing device. Master transport encryption keys are used to secure data communications between computing devices. In one example embodiment, there is provided a method in which a copy of a master transport encryption key is generated and stored in a volatile store of a first computing device (e.g. a mobile device). This copy of the master transport encryption key can be used to facilitate the decryption of data received at the first computing device from a second computing device (e.g. a data server), even while the first computing device is locked. The method also comprises encrypting the master transport encryption key, with a content protection key for example, and storing the encrypted master transport encryption key in a non-volatile store of the first computing device.

117 Citations

18 Claims

1. A method of protecting master transport encryption keys stored on a first computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and a second computing device, wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, wherein the method comprises, at the first computing device:
- generating a copy of a single grand master encryption key in decrypted form;
  
  encrypting each individual encryption key of the at least one master transport encryption key using the grand master encryption key;
  
  storing each individual encryption key encrypted using the grand master encryption key in a non-volatile store;
  
  storing the copy of the single grand master encryption key in decrypted form in a volatile store; and
  
  when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retaining the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving data from the second computing device, decrypting the data received from the second computing device using the decrypted at least one of the individual encryption keys, and storing at least a subset of the decrypted data in the non-volatile store.
  - 3. The method of claim 2, further comprising encrypting at least a subset of the stored data using the content protection key.
  - 4. The method of claim 2, further comprising encrypting the grand master encryption key with the content protection key, storing the encrypted grand master key in the non-volatile store, and encrypting at least a subset of the stored data using a different content protection key than the content protection key used to encrypt the grand master encryption key.
  - 5. The method of claim 1, further comprising verifying that a mode to protect master transport encryption keys is enabled, and wherein the encrypting each individual encryption key of the at least one master transport encryption key and the storing each individual encryption key encrypted using the grand master encryption key in a non-volatile store are performed after verifying that the mode to protect master transport encryption keys is enabled.
  - 6. The method of claim 5, wherein the mode to protect master transport encryption keys is enabled when an item in a policy file that dictates the mode to protect master transport encryption keys is to be enabled is downloaded to the first computing device.
  - 7. The method of claim 1, wherein the generating a copy of the single grand master encryption key in decrypted form and the storing the copy of the single grand master encryption key in decrypted form in a volatile store are repeated after the first computing device is restarted.
  - 8. The method of claim 1, wherein the generating a copy of the single grand master encryption key in decrypted form and the storing the copy of the single grand master encryption key in decrypted form in a volatile store are repeated after the first computing is restarted and the first computing device is unlocked, wherein data communications between the first and second computing devices are prevented after the first computing device is restarted until the first computing device is unlocked.
  - 9. The method of claim 1, wherein the content protection key is encryptable with an ephemeral key that is derived from a device password.
  - 10. The method of claim 1, wherein each of the at least one master transport encryption key is used to decrypt data received from a different data server.
  - 11. The method of claim 1, wherein the at least one master transport encryption key consists of a plurality of master transport encryption keys.

12. A non-transitory computer-readable storage medium upon which a plurality of instructions is stored, the instructions for causing a first computing device to perform the steps of a method of protecting master transport encryption keys stored on the first computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and a second computing device, wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, wherein the method comprises:
- generating a copy of a single grand master encryption key in decrypted form;
  
  encrypting each individual encryption key of the at least one master transport encryption key using the grand master encryption key;
  
  storing each individual encryption key encrypted using the grand master encryption key in a non-volatile store;
  
  storing the copy of the single grand master encryption key in decrypted form in a volatile store; and
  
  when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retaining the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.

13. A system for protecting master transport encryption keys stored on a first computing device, the system comprising the first computing device and a second computing device, wherein at least one master transport encryption key is used to secure confidentiality of data communications between the first computing device and the second computing device, and wherein data to be stored on the first computing device is encryptable using a content protection key when a content protection mode is enabled on the first computing device, and wherein a processor of the first computing device is configured to:
- generate a copy of a single grand master encryption key in decrypted form;
  
  encrypt each individual encryption key of the at least one master transport encryption key using the grand master encryption key;
  
  store each individual encryption key encrypted using the grand master encryption key in a non-volatile store;
  
  store the copy of the single grand master encryption key in decrypted form in a volatile store; and
  
  when the first computing device is locked using the device password to prevent unauthorized use thereof while the content protection mode is enabled, retain the copy of the single grand master encryption key in decrypted form in the volatile store for use in decrypting at least one of the individual encryption keys, encrypted using the grand master encryption key, to decrypt data received at the first computing device from the second computing device while the first computing device is locked.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the first computing device comprises a mobile device.
  - 15. The system of claim 14, wherein the non-volatile store comprises a flash memory.
  - 16. The system of claim 14, wherein the volatile store comprises RAM.
  - 17. The system of claim 14, wherein the second computing device comprises a data server.
  - 18. The system of claim 17, wherein the data server comprises a message management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Little, Herbert A.
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
SCHMIDT, KARI L

Application Number

US11/313,657
Publication Number

US 20070165844A1
Time in Patent Office

2,868 Days
Field of Search

713/150, 713/179, 713/155, 713/156, 713/165, 713/166, 713/170, 713/168, 713/192, 713/193, 380/30, 380270-284, 726/3, 726/5, 726/26, 726/27
US Class Current

713/179
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 2463/061   applying further key deriva...

H04L 2463/062   applying encryption of the ...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

System and method for protecting master encryption keys

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

117 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting master encryption keys

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links