Data security

US 9,654,464 B2
Filed: 06/22/2015
Issued: 05/16/2017
Est. Priority Date: 10/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

requesting, at a system, at least one encryption key from a remote authority located in a remote server over a communication network, the at least one encryption key being generated and permitted by the remote authority, the system being geographically remote from and communicatively coupled to the remote authority in the remote server;

performing, at the system, a cryptographic operation on data using the at least one encryption key, the cryptographic operation being performed in response, at least in part, to a request to store the data in storage of the system or to retrieve data from the storage;

prior to performing the cryptographic operation, determining whether the system is able to communicate with the remote authority;

if the system is able to communicate with the remote authority, requesting by the system, permission from the remote authority to use the at least one encryption key;

if the system is unable to communicate with the remote authority, determining by the system not to permit the cryptographic operation;

periodically requesting, at the system, that the remote authority indicate whether the at least one encryption key has been revoked; and

upon receipt, from the remote authority, an indication of revoking the at least one encryption key;

ceasing performing, at the system, the cryptographic operation on data using the at least one encryption key, andupon receiving additional data for the cryptographic operation, issuing a message indicating an error or indicating that the requested operation is unauthorized.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment.

49 Citations

22 Claims

1. A method comprising:
- requesting, at a system, at least one encryption key from a remote authority located in a remote server over a communication network, the at least one encryption key being generated and permitted by the remote authority, the system being geographically remote from and communicatively coupled to the remote authority in the remote server;
  
  performing, at the system, a cryptographic operation on data using the at least one encryption key, the cryptographic operation being performed in response, at least in part, to a request to store the data in storage of the system or to retrieve data from the storage;
  
  prior to performing the cryptographic operation, determining whether the system is able to communicate with the remote authority;
  
  if the system is able to communicate with the remote authority, requesting by the system, permission from the remote authority to use the at least one encryption key;
  
  if the system is unable to communicate with the remote authority, determining by the system not to permit the cryptographic operation;
  
  periodically requesting, at the system, that the remote authority indicate whether the at least one encryption key has been revoked; and
  
  upon receipt, from the remote authority, an indication of revoking the at least one encryption key;
  
  ceasing performing, at the system, the cryptographic operation on data using the at least one encryption key, andupon receiving additional data for the cryptographic operation, issuing a message indicating an error or indicating that the requested operation is unauthorized.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - receiving, via the communication network, the at least one encryption key issued from the remote authority, by logic capable of performing the cryptographic operations.
  - 3. The method of claim 1, further comprising:
    - after use of the at least one encryption key has been permitted by the remote authority, receiving permission from the remote authority to use at least one other encryption key; and
      
      performing cryptographic operations on other data based, at least in part, upon the at least one other encryption key.
  - 4. The method of claim 1, wherein:
    - the revoking of the at least one encryption key being in response, at least in part, to one or more of a request for revocation of one or more encryption keys or failure of a user to supply one or more valid authorization credentials.
  - 5. The method of claim 1, further comprising:
    - receiving permission from the remote authority, based at least in part upon one or more credentials provided by a user, to use the at least one encryption key.

6. An apparatus comprising:
- a first circuitry to request at least one encryption key from a remote authority located in a remote server over a communication network, the at least one encryption key being generated and permitted by the remote authority, the first circuitry being geographically remote from and communicatively coupled to the remote authority in the remote server;
  
  a second circuitry to perform a cryptographic operation on data using the at least one encryption key, the cryptographic operation being performed in response, at least in part, to a request to store the data in local storage or to retrieve data from the local storage; and
  
  a third circuitry to periodically request that the remote authority indicate whether the at least one encryption key has been revoked;
  
  wherein;
  
  prior to performance of the cryptographic operation, the apparatus to determine whether the apparatus is able to communicate with the remote authority;
  
  if the apparatus is able to communicate with the remote authority, the apparatus to request, permission from the remote authority to use the at least one encryption key;
  
  if the apparatus is unable to communicate with the remote authority, the apparatus to determine not to permit the cryptographic operation; and
  
  upon receipt, from the remote authority, an indication of revoking the at least one encryption key;
  
  the second circuitry to cease performing, at the apparatus, the cryptographic operation on data using the at least one encryption key, andupon receiving additional data for the cryptographic operation, the apparatus to issue a message indicating an error or indicating that the requested operation is unauthorized.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The apparatus of claim 6, wherein the second circuitry to receive, via the communication network, the at least one encryption key issued from the remote authority.
  - 8. The apparatus of claim 6, wherein the second circuitry to perform cryptographic operations on other data based, at least in part, upon at least one other encryption key permitted for use by the remote authority.
  - 9. The apparatus of claim 6, wherein the revoking of the at least one encryption key being in response, at least in part, to one or more of a request for revocation of one or more encryption keys or failure of a user to supply one or more valid authorization credentials.
  - 10. The apparatus of claim 6, wherein the remote authority to permit use of the at least one encryption key, based at least in part upon one or more credentials provided by a user.
  - 11. The apparatus of claim 6, further comprising logic, the logic to determine whether the logic can communicate with the remote authority prior to performance of the cryptographic operation, wherein:
    - if the logic can communicate with the remote authority, the first circuitry to request permission from the remote authority to use the at least one encryption key; and
      
      if the logic cannot communicate with the remote authority, the second circuitry to determine not to permit the cryptographic operation.

12. A system comprising:
- a storage device;
  
  a first circuitry to request at least one encryption key from a remote authority located in a remote server over a communication network, the at least one key being generated and permitted for use by the remote authority, the first circuitry being geographically remote from and communicatively coupled to the remote authority in the remote server;
  
  a second circuitry to perform a cryptographic operation on data using the at least one encryption key, the cryptographic operation being performed in response, at least in part, to a request to store the data in the storage device or to retrieve data from the storage device; and
  
  a third circuitry to periodically request that the remote authority indicate whether the at least one encryption key has been revoked;
  
  wherein;
  
  prior to performance of the cryptographic operation, the system to determine whether the system is able to communicate with the remote authority;
  
  if the system is able to communicate with the remote authority, the system to request permission from the remote authority to use the at least one encryption key;
  
  if the system is unable to communicate with the remote authority, the system to determine not to permit the cryptographic operation; and
  
  upon receipt, from the remote authority, an indication of revoking the at least one encryption key;
  
  the second circuitry to cease performing, at the apparatus, the cryptographic operation on data using the at least one encryption key, andupon receiving additional data for the cryptographic operation, the system to issue a message indicating an error or indicating that the requested operation is unauthorized.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the second circuitry to receive, via the communication network, the at least one encryption key issued from the remote authority.
  - 14. The system of claim 12, wherein the second circuitry to perform cryptographic operations on other data based, at least in part, upon at least one other encryption key permitted for use by the remote authority.
  - 15. The system of claim 12, wherein the revoking being in response, at least in part, to failure of a user to supply one or more valid authorization credentials.
  - 16. The system of claim 12, wherein the remote authority to permit use of the at least one encryption key, based at least in part upon one or more credentials provided by a user.
  - 17. The system of claim 12, further comprising logic, the logic to determine whether the logic can communicate with the remote authority prior to performance of the cryptographic operation, wherein:
    - if the logic can communicate with the remote authority, the first circuitry to request permission by the remote authority to use the at least one encryption key; and
      
      if the logic cannot communicate with the remote authority, the second circuitry to determine not to permit the cryptographic operation.

18. At least one non-transitory computer-readable storage medium having stored thereon data representing sequences of instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- requesting, at a system, at least one encryption key from a remote authority located in a remote server over a communication network, the at least one encryption key being generated and permitted by the remote authority, the system being geographically remote from and communicatively coupled to the remote authority in the remote server;
  
  performing, at the system, a cryptographic operation on data using the at least one encryption key, the cryptographic operation being performed in response, at least in part, to a request to store the data in storage of the system or to retrieve data from the storage;
  
  prior to performing the cryptographic operation, determining whether the system is able to communicate with the remote authority;
  
  if the system is able to communicate with the remote authority, requesting by the system, permission from the remote authority to use the at least one encryption key;
  
  if the system is unable to communicate with the remote authority, determining by the system not to permit the cryptographic operation;
  
  periodically requesting, at the system, that the remote authority indicate whether the at least one encryption key has been revoked; and
  
  upon receipt, from the remote authority, an indication of revoking the at least one encryption key;
  
  ceasing performing, at the system, the cryptographic operation on data using the at least one encryption key, andupon receiving additional data for the cryptographic operation, issuing a message indicating an error or indicating that the requested operation is unauthorized.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The medium of claim 18, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
    - receiving, via the communication network, the at least one encryption key issued from the remote authority, by logic capable of performing the cryptographic operations.
  - 20. The medium of claim 18, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
    - after use of the at least one encryption key has been permitted by the remote authority, receiving permission from the remote authority to use at least one other encryption key; and
      
      performing cryptographic operations on other data based, at least in part, upon the at least one other encryption key.
  - 21. The medium of claim 18, wherein:
    - the revoking of the at least one encryption key being in response, at least in part, to one or more of a request for revocation of one or more encryption keys or failure of a user to supply one or more valid authorization credentials.
  - 22. The medium of claim 18, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
    - receiving permission from the remote authority, based at least in part upon one or more credentials provided by a user, to use the at least one encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J., Rothman, Michael A.
Primary Examiner(s)
Rahim, Monjour

Application Number

US14/746,469
Publication Number

US 20160021099A1
Time in Patent Office

694 Days
Field of Search

713158
US Class Current
CPC Class Codes

G06F 13/4068   Electrical coupling

G06F 21/575   Secure boot

G06F 21/71   to assure secure computing ...

G06F 21/72   in cryptographic circuits

G06F 21/80   in storage media based on m...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 9/3268   using certificate validatio...

Data security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Data security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links