Method and apparatus for hardware based file/document expiry timer enforcement

US 10,581,617 B2
Filed: 12/23/2015
Issued: 03/03/2020
Est. Priority Date: 12/23/2015
Status: Active Grant

First Claim

Patent Images

1. A machine readable storage device or storage disc comprising instructions which, when executed, cause a machine to at least:

request, from a remote key manager in a second remote network storage device, (A) expiry information for an encrypted document and (B) an encryption key for the encrypted document, the expiry information and the encryption key associated with a certificate generated in a trusted execution environment, the certificate associated with a document identification of the encrypted document, the encrypted document from a first remote network storage device, the expiry information indicating a time period for which the encryption key is valid to perform a decryption operation on the encrypted document, the first remote network storage device being separate from the second remote network storage device, and (i) the encrypted document, (ii) the expiry information, and (iii) the encryption key associated with the document identification;

in response to obtaining the expiry information and the encryption key, compare a current time to the time period of the expiry information to determine whether the decryption of the encrypted document is prohibited; and

when the decryption is prohibited, prevent access to the encrypted document.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for secure network storage includes generating, by a trusted execution environment in a first device, an encryption key and a certificate for a document, wherein the certificate comprises expiry information for the document and the encryption key, encrypting, by a general execution environment in the first device, the document with the encryption key, transmitting the encryption key to a remote key manager, and transmitting the document to a remote network storage device, wherein a second device is allowed to decrypt the document based on the expiry information.

12 Citations

View as Search Results

15 Claims

1. A machine readable storage device or storage disc comprising instructions which, when executed, cause a machine to at least:
- request, from a remote key manager in a second remote network storage device, (A) expiry information for an encrypted document and (B) an encryption key for the encrypted document, the expiry information and the encryption key associated with a certificate generated in a trusted execution environment, the certificate associated with a document identification of the encrypted document, the encrypted document from a first remote network storage device, the expiry information indicating a time period for which the encryption key is valid to perform a decryption operation on the encrypted document, the first remote network storage device being separate from the second remote network storage device, and (i) the encrypted document, (ii) the expiry information, and (iii) the encryption key associated with the document identification;
  
  in response to obtaining the expiry information and the encryption key, compare a current time to the time period of the expiry information to determine whether the decryption of the encrypted document is prohibited; and
  
  when the decryption is prohibited, prevent access to the encrypted document.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The machine readable storage device or storage disc of claim 1, wherein the instructions cause the machine to access a system clock to determine the current time.
  - 3. The machine readable storage device or storage disc of claim 2, wherein the system clock resides in the trusted execution environment on the machine.
  - 4. The machine readable storage device or storage disc of claim 1, wherein the instructions cause the machine to, when decryption is allowed, decrypt the encrypted document using the encryption key.
  - 5. The machine readable storage device or storage disc of claim 1, wherein the instructions cause the machine to:
    - prior to the request, determine the document identification of the encrypted document; and
      
      include the document identification in the request.

6. A system comprising:
- a general execution environment to request, from a remote key manager in a second remote network storage device, (A) expiry information for an encrypted document and (B) an encryption key for the encrypted document, the expiry information and the encryption key associated with a certificate generated in a trusted execution environment, the certificate associated with a document identification of the encrypted document, the encrypted document from a first remote network storage device, the expiry information indicating a time period for which the encryption key is valid to perform a decryption operation on the encrypted document, the first remote network storage device being separate from the second remote network storage device, and (i) the encrypted document, (ii) the expiry information, and (iii) the encryption key associated with the document identification; and
  
  the trusted execution environment to;
  
  in response to obtaining the expiry information and the encryption key, compare a current time to the time period of the expiry information to determine whether decryption of the encrypted document is prohibited; and
  
  when the decryption is prohibited, prevent access to the encrypted document.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the trusted execution environment is to access a system clock to determine the current time.
  - 8. The system of claim 7, wherein the system clock resides in the trusted execution environment.
  - 9. The system of claim 6, wherein the general execution environment is to decrypt the encrypted document using the encryption key when the decryption is allowed.
  - 10. The system of claim 6, wherein the general execution environment is to:
    - prior to the request, determine the document identification of the encrypted document; and
      
      include the document identification in a request.

11. A method of encrypting a document, the method comprising:
- requesting, from a remote key manager in a second remote network storage device, (A) expiry information for an encrypted document and (B) an encryption key for the encrypted document, the expiry information and the encryption key associated with a certificate generated in a trusted execution environment, the certificate associated with a document identification of the encrypted document, the encrypted document from a first remote network storage device, the expiry information indicating a time period for which the encryption key is valid to perform a decryption operation on the document, the first remote network storage device being separate from the second remote network storage device, and (i) the encrypted document, (ii) the expiry information, and (iii) the encryption key associated with the document identification;
  
  in response to obtaining the expiry information and the encryption key, comparing a current time to the time period of the expiry information to determine whether decryption of the encrypted document is prohibited; and
  
  when the decryption is prohibited, preventing decryption of the encrypted document.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further including accessing a system clock to determine the current time.
  - 13. The method of claim 12, wherein the system clock resides in the trusted execution environment.
  - 14. The method of claim 11, further including decrypting the encrypted document using the encryption key when the decryption is allowed.
  - 15. The method of claim 11, further including:
    - prior to the requesting, determining the document identification of the encrypted document; and
      
      including the document identification in a request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Khosravi, Hormuzd M., Nayshtut, Alex, Muttik, Igor
Primary Examiner(s)
Lwin, Maung T
Assistant Examiner(s)
Debnath, Suman

Application Number

US14/757,600
Publication Number

US 20170185789A1
Time in Patent Office

1,532 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/0435   wherein the sending and rec...

H04L 63/068   using time-dependent keys, ...

H04L 63/0823   using certificates cryptogr...

H04L 63/108   when the policy decisions a...

H04L 67/1097   for distributed storage of ...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for hardware based file/document expiry timer enforcement

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for hardware based file/document expiry timer enforcement

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links