Secure data synchronization
First Claim
1. One or more computer-readable hardware storage media storing computer-readable instructions which are executable to perform operations comprising:
receiving at a device and via a network encrypted data from a first external data storage in response to a user of the device logging on to a user account associated with the first external data storage;
receiving a request from an application that resides on the device that the encrypted data be decrypted;
requesting that sensitive data from the device be encrypted before the sensitive data is stored on the first external data storage;
receiving via the network one or more security keys from a second external data storage that is separate from the first external data storage, the one or more security keys being received in response to a separate authentication procedure that enables access to the second external data storage;
decrypting the encrypted data using a decryption key from the one or more security keys received from the second external data storage;
encrypting the sensitive data using an encryption key from the one or more security keys received from the second external data storage to generate encrypted sensitive data; and
marking the encrypted sensitive data with an application identifier associated with the application that resides on the device to grant access to the encrypted sensitive data to one or more applications having an associated application identifier that matches the application identifier used to mark the encrypted sensitive data, the application identifier associated with the application including a same identifier that is associable with multiple instances of the application across multiple devices.
Abstract
Techniques for secure data synchronization are described. In one or more implementations, techniques may be employed to conserve high cost data storage by storing larger portions of encrypted data in low cost storage, while storing relatively smaller encryption keys in higher cost storage. A device that is granted access to the encryption keys can retrieve the encrypted data from the low cost storage and use the encryption keys to decrypt the encrypted data.
20 Claims
1. One or more computer-readable hardware storage media storing computer-readable instructions which are executable to perform operations comprising: (claim text identical to the First Claim given above)
Dependent claims: 2, 3, 4, 5, 6, 7
8. A method comprising:
marking encrypted data with an application identifier for an application executing on a device to grant access to the encrypted data to one or more applications having an application identifier that matches the application identifier used to mark the encrypted data, the application identifier for the application including a same application identifier that is associable with multiple instances of the application across multiple devices;
receiving, from the application executing on the device, a request for the encrypted data;
ascertaining whether the application identifier for the application matches the application identifier used to mark the encrypted data; and
if the application identifier for the application matches the application identifier used to mark the encrypted data, retrieving and decrypting the encrypted data for the application, the encrypted data being retrieved via a network from a first data storage and decrypted using one or more security keys stored in a second data storage that is separate from the first data storage, the encrypted data being retrieved in response to a user of the device authenticating with a service associated with the first data storage, and the one or more security keys received in response to a separate authentication transaction associated with the second data storage.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system comprising:
one or more processors; and
one or more computer-readable hardware storage media storing computer-executable instructions which are executable by the one or more processors to cause the system to perform operations including:
receiving, at a computing device and via a network, encrypted data from a first data storage that is separate from a second data storage that stores security keys, the encrypted data being received in response to a user of the computing device logging on to a user account associated with the first data storage, the security keys being usable to: decrypt data that is stored in the first data storage; and encrypt data that is to be stored in the first data storage;
receiving, along with the encrypted data, a request to decrypt the encrypted data;
receiving via the network one or more of the security keys from the second data storage in response to a separate authentication procedure that enables access to the second data storage;
encrypting user data from the computing device using an encryption key from the one or more security keys received from the second data storage to generate encrypted user data;
marking the encrypted user data with a first application identifier associated with an application that resides on the computing device to grant access to the encrypted user data to one or more applications having a second application identifier that matches the first application identifier used to mark the encrypted user data, the second application identifier being associable with multiple instances of the application across multiple devices; and
decrypting the encrypted data from the first data storage to provide decrypted data using a decryption key from one or more additional security keys received from the second data storage.
Dependent claims: 16, 17, 18, 19, 20
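The following Python model is an added illustration, not part of the patent text, of the scheme described in the abstract and the three independent claims: ciphertext held in one store, keys held in a separate store behind its own authentication, and every blob marked with an application identifier that gates which application may have it decrypted. The store layout, the tokens, the user and the SHA-256/HMAC cipher are constructed stand-ins (a real implementation would use a standard AEAD such as AES-GCM); it goes one step beyond the claim text by binding the identifier into the authentication tag, so a blob cannot simply be re-labelled for another application.

```python
import hashlib, hmac, secrets

# Constructed stand-in for an AEAD: SHA-256 counter keystream plus an HMAC tag.
def _ks(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, app_id, plaintext):
    # The application identifier is authenticated with the ciphertext (associated data),
    # so the marking that grants access cannot be swapped without the key.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _ks(key, nonce, len(plaintext))))
    tag = hmac.new(key, app_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, app_id, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, app_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise PermissionError("tag mismatch: wrong key or wrong application identifier")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

# Two independent stores, each behind its own (hypothetical) authentication token.
KEY_STORE = {"tokens": {"key-token-alice": "alice"}, "keys": {"alice": secrets.token_bytes(32)}}
DATA_STORE = {"tokens": {"acct-token-alice": "alice"}, "blobs": {}}  # blobs[user] -> [(app_id, blob)]

def _auth(store, token):
    user = store["tokens"].get(token)
    if user is None:
        raise PermissionError("authentication failed for this store")
    return user

def fetch_key(key_token):
    # Second storage: the small key, released only after its separate authentication.
    return KEY_STORE["keys"][_auth(KEY_STORE, key_token)]

def upload(acct_token, key_token, app_id, sensitive):
    # Device side: encrypt with the key-store key, mark with app_id, store in the data store.
    user = _auth(DATA_STORE, acct_token)
    blob = seal(fetch_key(key_token), app_id, sensitive)
    DATA_STORE["blobs"].setdefault(user, []).append((app_id, blob))

def download(acct_token, key_token, requesting_app_id):
    # Device side: only blobs whose marking matches the requesting application are decrypted.
    user = _auth(DATA_STORE, acct_token)
    key = fetch_key(key_token)
    return [unseal(key, app_id, blob) for app_id, blob in DATA_STORE["blobs"].get(user, [])
            if app_id == requesting_app_id]
```

Compromise of the data store alone yields only ciphertext, and a valid account login without the key-store token still cannot decrypt, which is the separation the abstract relies on.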