Sealing secret data with a policy that includes a sensor-based constraint

US 10,693,887 B2
Filed: 07/12/2016
Issued: 06/23/2020
Est. Priority Date: 08/19/2011
Status: Active Grant

First Claim

Patent Images

1. A mobile computing device comprising:

a sensor;

at least one processor; and

memory that has computer-readable instructions stored therein, wherein the at least one processor, when executing the computer-readable instructions, is configured to perform acts comprising;

receiving, from an application executing on the mobile computing device, a request for secret data, wherein the secret data is stored in computer-readable storage of the mobile computing device;

responsive to receiving the request for the secret data, identifying a policy that is assigned to the application, wherein the policy comprises a constraint that identifies the sensor and further identifies acceptable readings, wherein the policy prevents the application from accessing the secret data unless the sensor identified in the constraint returns a reading that is amongst the acceptable readings;

acquiring at least one reading from the sensor in response to receipt of the request for the secret data, the at least one reading being indicative of location of the mobile computing device;

based upon the at least one reading, determining that the at least one reading is amongst the acceptable readings, and thus the constraint in the policy has been satisfied; and

responsive to determining that the constraint in the policy has been satisfied, providing the secret data to the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies pertaining to limiting access to secret data through utilization of sensor-based constraints are described herein. A sensor-based constraint is a constraint that can only be satisfied by predefined readings that may be output by at least one sensor on a mobile computing device. If the sensor on the mobile computing device outputs a reading that satisfies the sensor-based constraint, secret data is provided to a requesting application. Otherwise, the requesting application is prevented from accessing the secret data.

57 Citations

View as Search Results

20 Claims

1. A mobile computing device comprising:
- a sensor;
  
  at least one processor; and
  
  memory that has computer-readable instructions stored therein, wherein the at least one processor, when executing the computer-readable instructions, is configured to perform acts comprising;
  
  receiving, from an application executing on the mobile computing device, a request for secret data, wherein the secret data is stored in computer-readable storage of the mobile computing device;
  
  responsive to receiving the request for the secret data, identifying a policy that is assigned to the application, wherein the policy comprises a constraint that identifies the sensor and further identifies acceptable readings, wherein the policy prevents the application from accessing the secret data unless the sensor identified in the constraint returns a reading that is amongst the acceptable readings;
  
  acquiring at least one reading from the sensor in response to receipt of the request for the secret data, the at least one reading being indicative of location of the mobile computing device;
  
  based upon the at least one reading, determining that the at least one reading is amongst the acceptable readings, and thus the constraint in the policy has been satisfied; and
  
  responsive to determining that the constraint in the policy has been satisfied, providing the secret data to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The mobile computing device of claim 1, wherein the application is a text messaging application, wherein the at least one reading is additionally indicative of velocity of the mobile computing device, and the secret data is a key that, when acquired by the text messaging application, enables the text messaging application to send and receive text messages.
  - 3. The mobile computing device of claim 2, the sensor being a geolocation sensor.
  - 4. The mobile computing device of claim 1, wherein the application is an operating system of the mobile computing device, wherein the acceptable readings define a geographic region, the at least one reading indicates that the location of the mobile computing device is within the geographic region, and further wherein the secret data is data that authorizes the operating system to mount a drive.
  - 5. The mobile computing device of claim 1, wherein the application is a banking application, wherein the acceptable readings define a geographic region, the at least one reading indicates that the location of the mobile computing device is within the geographic region, and further wherein the secret data is a password useable to access banking information by way of the banking application.
  - 6. The mobile computing device of claim 1, wherein the application facilitates resetting a password of a user, wherein the acceptable readings define a geographic region, the at least one reading indicates that the location of the mobile computing device is within the geographic region, and further wherein the secret data is a key that, when received by the application, allows the application to reset the password of the user.
  - 7. The mobile computing device of claim 1, wherein determining that the constraint in the policy has been satisfied comprises determining that the at least one reading has been signed with a signature, the signature verifies that the at least one reading was output by the sensor identified in the constraint and has not been modified since being output by the sensor.
  - 8. The mobile computing device of claim 1 being a mobile telephone.
  - 9. The mobile computing device of claim 1, wherein the policy is encrypted, the acts further comprising:
    - in response to receipt of the request for the secret data from the application and prior to acquiring the at least one reading, decrypting the policy.

10. A method executed by at least one processor on a mobile computing device, the method comprising:
- receiving, from an application executing on the mobile computing device, a request for secret data that is retained in computer-readable memory of the mobile computing device;
  
  in response to receipt of the request, identifying a constraint in a policy for the application, the policy prevents the application from obtaining secret data unless the constraint is satisfied, wherein the constraint identifies a sensor on the mobile computing device and acceptable readings from the sensor, wherein the constraint in the policy is satisfied only when the sensor identified in the constraint outputs a reading that is amongst the acceptable readings;
  
  upon the constraint being identified, acquiring at least one reading from the sensor identified in the constraint, wherein the at least one reading is signed to indicate that the at least one reading has not been modified subsequent to the sensor outputting the at least one reading;
  
  determining that the constraint in the policy has been satisfied based upon the at least one reading acquired from the sensor, wherein determining that the constraint in the policy has been satisfied comprises determining that the at least one reading is amongst the acceptable readings identified in the constraint; and
  
  responsive to determining that the constraint in the policy has been satisfied, providing the application with the secret data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, the acts of identifying, acquiring, determining, and providing performed by a first virtual processor, and wherein a second virtual processor executes the application.
  - 12. The method of claim 10, the acts of identifying, acquiring, determining, and providing are performed by an operating system of the mobile computing device when the at least one processor of the mobile computing device executes the operating system.
  - 13. The method of claim 10, wherein the secret data is encrypted, and further wherein providing the application with the secret data comprises decrypting the secret data.
  - 14. The method of claim 13, wherein decrypting the secret data comprises:
    - retrieving a key from a trusted platform module on the mobile computing device; and
      
      decrypting the secret data using the key.
  - 15. The method of claim 10, wherein the policy is encrypted, and further wherein identifying the constraint in the policy comprises decrypting the policy.
  - 16. The method of claim 10, wherein the application is a text messaging application, the at least one reading is indicative of velocity of the mobile computing device, and the secret data is a key that, when provided to the text messaging application, enables the text messaging application to send and receive text messages.
  - 17. The method of claim 10, wherein the application is an operating system of the mobile computing device, the at least one reading is indicative of a geographic location of the mobile computing device, and the secret data is data that, when provided to the operating system, causes the operating system to mount a drive.
  - 18. The method of claim 10, wherein the at least one reading is indicative of a proximity of a user to the mobile computing device, and the secret data is data that causes the at least one processor to execute the application.

19. A mobile telephone comprising a computer-readable medium, the computer-readable medium comprises instructions that, when executed by at least one processor, cause the at least one processor to perform acts comprising:
- receiving a request for secret data from an application executing on the mobile telephone, wherein the secret data is retained in computer-readable storage of the mobile telephone;
  
  in response to receipt of the request for the secret data, identifying a policy assigned to the application, wherein the policy includes a constraint that identifies a sensor on the mobile telephone and further identifies an acceptable reading from the sensor, wherein the policy prevents the application from acquiring the secret data unless the constraint is satisfied, wherein the constraint is satisfied when the sensor identified by the constraint outputs a reading that matches the acceptable reading;
  
  responsive to identifying the policy, acquiring at least one sensor reading from the sensor identified in the constraint;
  
  determining that the constraint has been satisfied based upon the at least one sensor reading, wherein determining that the constraint has been satisfied comprises determining that the at least one reading matches the acceptable reading; and
  
  responsive to determining that the constraint has been satisfied, providing the secret data to the application.
- View Dependent Claims (20)
- - 20. The mobile telephone of claim 19, wherein the application is a text messaging application, the at least one reading is indicative of velocity of the mobile computing device, and the secret data is a key that, when provided to the text messaging application, enables the text messaging application to send and receive text messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Saroiu, Stefan, Wolman, Alastair, Raj, Himanshu, Liu, He
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US15/208,570
Publication Number

US 20160323293A1
Time in Patent Office

1,442 Days
Field of Search

726 1, 726 2, 726 30
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/6209   to a single file or object,...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 9/45558   Hypervisor-specific managem...

G06Q 40/02   Banking, e.g. interest calc...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/168   above the transport layer

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/128   Anti-malware arrangements, ...

H04W 12/68   Gesture-dependent or behavi...

H04W 4/021 : Services related to particu...

View All

Sealing secret data with a policy that includes a sensor-based constraint

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Sealing secret data with a policy that includes a sensor-based constraint

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links