Secure data synchronization

US 9,424,439 B2
Filed: 09/12/2011
Issued: 08/23/2016
Est. Priority Date: 09/12/2011
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable hardware storage media storing computer-readable instructions which are executable to perform operations comprising:

receiving at a device and via a network encrypted data from a first external data storage in response to a user of the device logging on to a user account associated with the first external data storage;

receiving a request from an application that resides on the device that the encrypted data be decrypted;

requesting that sensitive data from the device be encrypted before the sensitive data is stored on the first external data storage;

receiving via the network one or more security keys from a second external data storage that is separate from the first external data storage, the one or more security keys being received in response to a separate authentication procedure that enables access to the second external data storage;

decrypting the encrypted data using a decryption key from the one or more security keys received from the second external data storage;

encrypting the sensitive data using an encryption key from the one or more security keys received from the second external data storage to generate encrypted sensitive data; and

marking the encrypted sensitive data with an application identifier associated with the application that resides on the device to grant access to the encrypted sensitive data to one or more applications having an associated application identifier that matches the application identifier used to mark the encrypted sensitive data, the application identifier associated with the application including a same identifier that is associable with multiple instances of the application across multiple devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure data synchronization are described. In one or more implementations, techniques may be employed to conserve high cost data storage by storing larger portions of encrypted data in low cost storage, while storing relatively smaller encryption keys in higher cost storage. A device that is granted access to the encryption keys can retrieve the encrypted data from the low cost storage and use the encryption keys to decrypt the encrypted data.

22 Citations

View as Search Results

20 Claims

1. One or more computer-readable hardware storage media storing computer-readable instructions which are executable to perform operations comprising:
- receiving at a device and via a network encrypted data from a first external data storage in response to a user of the device logging on to a user account associated with the first external data storage;
  
  receiving a request from an application that resides on the device that the encrypted data be decrypted;
  
  requesting that sensitive data from the device be encrypted before the sensitive data is stored on the first external data storage;
  
  receiving via the network one or more security keys from a second external data storage that is separate from the first external data storage, the one or more security keys being received in response to a separate authentication procedure that enables access to the second external data storage;
  
  decrypting the encrypted data using a decryption key from the one or more security keys received from the second external data storage;
  
  encrypting the sensitive data using an encryption key from the one or more security keys received from the second external data storage to generate encrypted sensitive data; and
  
  marking the encrypted sensitive data with an application identifier associated with the application that resides on the device to grant access to the encrypted sensitive data to one or more applications having an associated application identifier that matches the application identifier used to mark the encrypted sensitive data, the application identifier associated with the application including a same identifier that is associable with multiple instances of the application across multiple devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The one or more computer-readable hardware storage media of claim 1, wherein one or more of the second external data storage or the first external data storage are implemented as part of a cloud computing system.
  - 3. The one or more computer-readable hardware storage media of claim 1, wherein the sensitive data comprises user credentials that are usable to access one or more resources associated with the user of the device.
  - 4. The one or more computer-readable hardware storage media of claim 1, wherein the operations include enabling the encrypted sensitive data from the device to be synchronized with at least one other device such that application states for the application on the device and an additional application on the at least one other device are synchronized.
  - 5. The one or more computer-readable hardware storage media of claim 1, wherein the operations include submitting the encrypted sensitive data marked with the application identifier for communication to the first external data storage.
  - 6. The one or more computer-readable hardware storage media of claim 1, wherein the operations include:
    - receiving a request to access the encrypted sensitive data from a requesting application; and
      
      allowing the requesting application to access the encrypted sensitive data if an application identifier associated with the requesting application matches the application identifier used to mark the encrypted sensitive data.
  - 7. The one or more computer-readable hardware storage media of claim 1, wherein the operations include:
    - receiving an indication that a trusted status of the device has been revoked; and
      
      responsive to receiving said indication, preventing the device from receiving one or more additional security keys.

8. A method comprising:
- marking encrypted data with an application identifier for an application executing on a device to grant access to the encrypted data to one or more applications having an application identifier that matches the application identifier used to mark the encrypted data, the application identifier for the application including a same application identifier that is associable with multiple instances of the application across multiple devices;
  
  receiving, from the application executing on the device, a request for the encrypted data;
  
  ascertaining whether the application identifier for the application matches the application identifier used to mark the encrypted data; and
  
  if the application identifier for the application matches the application identifier used to mark the encrypted data, retrieving and decrypting the encrypted data for the application, the encrypted data being retrieved via a network from a first data storage and decrypted using one or more security keys stored in a second data storage that is separate from the first data storage, the encrypted data being retrieved in response to a user of the device authenticating with a service associated with the first data storage, and the one or more security keys received in response to a separate authentication transaction associated with the second data storage.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method as described in claim 8, wherein said encrypted data comprises encrypted user credentials that, when decrypted, enable access to one or more resources associated with the user of the device.
  - 10. The method as described in claim 8, wherein said ascertaining comprises querying an operating system of the device for the application identifier for the application.
  - 11. The method as described in claim 8, wherein said request for encrypted data is received as part of a synchronization operation between the device and the first data storage.
  - 12. The method as described in claim 8, further comprising, if the application identifier for the application does not match the application identifier used to mark the encrypted data, denying the application access to the encrypted data.
  - 13. The method as described in claim 8, further comprising:
    - receiving an indication that a previously trusted status of the device has been revoked;
      
      responsive to receiving said indication, preventing the device from receiving one or more additional security keys; and
      
      responsive to receiving said indication, re-encrypting the encrypted data using a new security key that is different than a previously stored security key stored at the device to prevent the device from decrypting the encrypted data with the previously stored security key.
  - 14. The method as described in claim 8, wherein one or more of the first data storage or the second data storage are implemented as part of a cloud computing system.

15. A system comprising:
- one or more processors; and
  
  one or more computer-readable hardware storage media storing computer-executable instructions which are executable by the one or more processors to cause the system to perform operations including;
  
  receiving, at a computing device and via a network, encrypted data from a first data storage that is separate from a second data storage that stores security keys, the encrypted data being received in response to a user of the computing device logging on to a user account associated with the first data storage, the security keys being that are usable to;
  
  decrypt data that is stored in the first data storage; and
  
  encrypt data that is to be stored in the first data storage;
  
  receiving, along with the encrypted data, a request to decrypt the encrypted data;
  
  receiving via the network one or more of the security keys from the second data storage in response to a separate authentication procedure that enables access to the second data storage;
  
  encrypting user data from the computing device using an encryption key from the one or more security keys received from the second data storage to generate encrypted user data;
  
  marking the encrypted user data with a first application identifier associated with an application that resides on the computing device to grant access to the encrypted user data to one or more applications having a second application identifier that matches the first application identifier used to mark the encrypted user data, the second application identifier being associable with multiple instances of the application across multiple devices; and
  
  decrypting the encrypted data from the first data storage to provide decrypted data using a decryption key from one or more additional security keys received from the second data storage.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system as recited in claim 15, wherein the user data comprises user credentials that are usable to access one or more resources associated with the user of the computing device.
  - 17. The system as recited in claim 15, wherein the operations further comprise synchronizing the encrypted user data from the computing device with at least one other device such that application states for a first application on the computing device and a second application on the at least 5 one other device are synchronized.
  - 18. The system as recited in claim 15, wherein the encrypted data is decrypted to generate decrypted data based on:
    - a comparison of the second application identifier (ID) associated with the one or more applications to the first application ID that is used to mark the encrypted data; and
      
      a grant of access for the application requesting access to the decrypted data responsive to the second application ID matching the first application ID and subsequent to the decrypting of the encrypted data.
  - 19. The system as recited in claim 15, wherein the request to decrypt the encrypted data is received as part of a synchronization operation between the computing device and the first data storage.
  - 20. The system as recited in claim 15, wherein the encrypted data comprises user credentials that are usable to access one or more resources associated with the user of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Tamayo-Rios, Matthew Z., Sinha, Saurav, Ovechkin, Ruslan, Kannan, Gopinathan, Bharadwaj, Vijay G., Macaulay, Christopher R., Fleischman, Eric, Ide, Nathan J., Liu, Kun
Primary Examiner(s)
King, John B

Application Number

US13/230,121
Publication Number

US 20130067243A1
Time in Patent Office

1,807 Days
Field of Search

713/193, 713/189, 713/150, 713182-186, 380/255, 380/259, 380/277, 726 1- 3, 726 5- 10, 726 26- 28
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 21/6272   by registering files or doc...

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

Secure data synchronization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data synchronization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links