Backup system with multiple recovery keys

US 9,904,629 B2
Filed: 09/30/2015
Issued: 02/27/2018
Est. Priority Date: 05/31/2015
Status: Active Grant

First Claim

Patent Images

1. For a particular device in a set of related devices, each device in the set of related devices having a public key and a private key, a method for backing up data items synchronized between the set of related devices, the method comprising:

storing the backup data items encrypted with a set of data encryption keys;

storing the set of data encryption keys encrypted with a master recovery key; and

storing a copy of master recovery key data for each device in the set of related devices, each copy of the master recovery key data encrypted using a respective public key of a respective related device, wherein after a loss of access to the synchronized data by one of the related devices, said related device restores the backup data items by (i) decrypting a respective copy of the master recovery key data using the private key of said related device and (ii) decrypting the encrypted backup data item using the decrypted master recovery key data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide, for a particular device in a set of related devices, a method for backing up data synchronized between the set of related devices. The method stores the backup data encrypted with a set of data encryption keys. The method also stores the set of data encryption keys encrypted with a master recovery key. The method also stores several copies of master recovery key data, each copy of the master recovery key data encrypted with a public key of a different one of the related devices. The backup data is only recoverable by accessing a private key of any one of the related devices.

Citations

22 Claims

1. For a particular device in a set of related devices, each device in the set of related devices having a public key and a private key, a method for backing up data items synchronized between the set of related devices, the method comprising:
- storing the backup data items encrypted with a set of data encryption keys;
  
  storing the set of data encryption keys encrypted with a master recovery key; and
  
  storing a copy of master recovery key data for each device in the set of related devices, each copy of the master recovery key data encrypted using a respective public key of a respective related device, wherein after a loss of access to the synchronized data by one of the related devices, said related device restores the backup data items by (i) decrypting a respective copy of the master recovery key data using the private key of said related device and (ii) decrypting the encrypted backup data item using the decrypted master recovery key data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the set of data encryption keys are encrypted with a public master recovery key of a public/private master recovery key pair.
  - 3. The method of claim 2, wherein the master recovery key data comprises one of (i) a private master recovery key of the public/private master recovery key pair and (ii) random data from which the public/private master recovery key pair is generated.
  - 4. The method of claim 1, wherein the master recovery key is generated based on random data generated by the particular device.
  - 5. The method of claim 1, wherein the master recovery key is not stored on any of the related devices.
  - 6. The method of claim 1 further comprising:
    - encrypting the private key of the particular device, with a public escrow key of a public/private key pair generated by the particular device based on user-entered data, to create a first secure object;
      
      encrypting the first secure object, with a public key of a set of secure servers, to create a second secure object; and
      
      storing the second secure object with the set of secure servers.
  - 7. The method of claim 6, wherein storing the second secure object with the set of secure servers comprises storing the second secure object with a proxy server for the set of secure servers.
  - 8. The method of claim 6, wherein the first secure object comprises (i) the encrypted private key of the particular device and (ii) a set of verification data generated from a private escrow key of the public/private key pair generated by the particular device based on the user-entered data.
  - 9. The method of claim 1, wherein the backup data items synchronized between the related devices comprise at least one of passwords for a plurality of web domains, cryptographic keys, and account numbers.
  - 10. The method of claim 1, wherein the particular device receives the respective public key from each of the other related devices in order to enable the data synchronization with the other related devices.
  - 11. The method of claim 1, wherein the encrypted backup data items, the encrypted set of data encryption keys, and the plurality of encrypted copies of the master recovery key data are stored in a cloud storage associated with a particular user account.
  - 12. The method of claim 1, wherein the encrypted backup data items, the encrypted set of data encryption keys, and the plurality of encrypted copies of the master recovery key data are stored on a drive external to the set of related devices.

13. An electronic device that is one of a set of related devices, each device in the set of related devices having a public key and a private key, the electronic device comprising:
- a set of processing units; and
  
  a non-transitory machine readable medium storing a program which when executed by at least one of the processing units backs up data synchronized between the electronic device and the set of related devices, the program comprising sets of instructions for;
  
  storing the backup data items encrypted with a set of data encryption keys;
  
  storing the set of data encryption keys encrypted with a master recovery key; and
  
  storing a copy of master recovery key data for each device in the set of related devices, each copy of the master recovery key data encrypted using a respective public key of a respective related device, wherein after a loss of access to the synchronized data by one of the related devices, said related device restores the backup data items by (i) decrypting a respective copy of the master recovery key data using the private key of said related device and (ii) decrypting the encrypted backup data item using the decrypted master recovery key data.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The electronic device of claim 13, wherein the set of data encryption keys are encrypted with a public master recovery key of a public/private master recovery key pair.
  - 15. The electronic device of claim 14, wherein the master recovery key data comprises one of (i) a private master recovery key of the public/private master recovery key pair and (ii) random data from which the public/private master recovery key pair is generated.
  - 16. The electronic device of claim 13, wherein the master recovery key is generated based on random data generated by the particular device.
  - 17. The electronic device of claim 13, wherein the master recovery key is not stored on any of the related devices.

18. A non-transitory machine readable medium storing a program which when executed by at least one processing unit of a particular device in a set of related devices backs up data synchronized between the set of related devices, each device in the set of related devices having a public key and a private key, the program comprising sets of instructions for:
- storing the backup data items encrypted with a set of data encryption keys;
  
  storing the set of data encryption keys encrypted with a master recovery key; and
  
  storing a copy of the master recovery key data for each device in the set of related devices, each copy of the master recovery key data encrypted using a respective public key of a respective related device, wherein after a loss of access to the synchronized data by one of the related devices, said related device restores the backup data items by (i) decrypting a respective copy of the master recovery key data using the private key of said related device and (ii) decrypting the encrypted backup data item using the decrypted master recovery key data.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The non-transitory machine readable medium of claim 18, wherein the program further comprises sets of instructions for:
    - encrypting the private key of the particular device, with a public escrow key of a public/private key pair generated by the particular device based on user-entered data, to create a first secure object;
      
      encrypting the first secure object, with a public key of a set of secure servers, to create a second secure object; and
      
      storing the second secure object with the set of secure servers.
  - 20. The non-transitory machine readable medium of claim 19, wherein the set of instructions for storing the second secure object with the set of secure servers comprises a set of instructions for storing the second secure object with a proxy server for the set of secure servers.
  - 21. The non-transitory machine readable medium of claim 19, wherein the first secure object comprises (i) the encrypted private key of the particular device and (ii) a set of verification data generated from a private escrow key of the public/private key pair generated by the particular device based on the user-entered data.
  - 22. The non-transitory machine readable medium of claim 18, wherein the particular device receives the respective public key from each of the other related devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Ford, Michael D., Hauck, Jerrold V., Watson, Matthew G., Adler, Mitchell D., De Atley, Dallas B., Wilson, James
Primary Examiner(s)
Shepperd, Eric W

Application Number

US14/871,498
Publication Number

US 20160352518A1
Time in Patent Office

881 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1448   Management of the data invo...

G06F 12/1408   by using cryptography for d...

G06F 21/6218   to a system of files or obj...

G06F 2201/80   Database-specific techniques

G06F 2212/1052   Security improvement

H04L 9/006   involving public key infras...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/0897   involving additional device...

Backup system with multiple recovery keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Backup system with multiple recovery keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links