Secure Key Management for Roaming Protected Content

US 20160080149A1
Filed: 09/17/2014
Published: 03/17/2016
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a first computing device, the method comprising:

protecting content using a data protection public key of a data protection public/private key pair corresponding to an identity of a user of the first computing device;

copying the protected content to cloud storage;

obtaining a public key of a public/private key pair of a second computing device, the first and second computing devices being associated with a same user identity;

encrypting the data protection private key using the public key of the second computing device; and

providing the encrypted data protection private key to the second computing device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Content on a device is encrypted and protected based on a data protection key corresponding to a particular identity of the user of the device. The protected content can then be stored to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user'"'"'s devices. A data protection key that is used to retrieve the plaintext content from the protected content is maintained by the user'"'"'s device. This data protection key can be securely transferred to other of the user'"'"'s devices, allowing any of the user'"'"'s devices to access the protected content.

48 Citations

View as Search Results

20 Claims

1. A method implemented in a first computing device, the method comprising:
- protecting content using a data protection public key of a data protection public/private key pair corresponding to an identity of a user of the first computing device;
  
  copying the protected content to cloud storage;
  
  obtaining a public key of a public/private key pair of a second computing device, the first and second computing devices being associated with a same user identity;
  
  encrypting the data protection private key using the public key of the second computing device; and
  
  providing the encrypted data protection private key to the second computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, the providing comprising providing the encrypted data protection private key to the second computing device via a removable drive.
  - 3. The method as recited in claim 1, the protecting the content comprising:
    - encrypting the content with a file encryption key; and
      
      encrypting the file encryption key with the data protection public key.
  - 4. The method as recited in claim 1, the protecting the content comprising encrypting the content with the data protection public key.
  - 5. The method as recited in claim 1, the providing comprising storing the encrypted data protection private key to the cloud storage.
  - 6. The method as recited in claim 1, the cloud storage being an untrusted cloud storage that is not relied on to keep the protected content or the encrypted data protection private key secure.
  - 7. The method as recited in claim 1, further comprising:
    - receiving additional protected data from the cloud storage, the additional protected data having been protected by a third computing device using the data protection public key; and
      
      storing the additional protected data in a content store of the first computing device.
  - 8. The method as recited in claim 1, further comprising:
    - displaying a prompt for user consent to transfer the data protection private key to the second computing device; and
      
      performing the encrypting and providing only in response to a user input indicating the transfer is consented to.
  - 9. The method as recited in claim 8, the displaying the prompt for user consent including displaying, at the first computing device, an identification of the second computing device.
  - 10. The method as recited in claim 1, further comprising:
    - protecting the data protection private key for recovery; and
      
      recovering the data protection private key in response to the data protection private key no longer being available from the first computing device.
  - 11. The method as recited in claim 10, the protecting the data protection private key for recovery further comprising:
    - encrypting the data protection private key based on one or both of biometric data of the user and answers from a secret-question-secret-answer technique; and
      
      storing the encrypted data protection private key to the cloud storage.

12. A first computing device comprising:
- an encryption module configured to protect content by encrypting, using a data protection public key of a data protection public/private key pair corresponding to an identity of a user of the first computing device, the content or a file encryption key that is used to encrypt the content;
  
  one or more programs configured to copy the protected content to a cloud storage; and
  
  a key transfer module configured to;
  
  obtain a public key of a public/private key pair of a second computing device, the first and second computing devices being associated with a same user identity on the cloud storage;
  
  facilitate the encryption module encrypting the data protection private key using the public key of the second computing device; and
  
  provide the encrypted data protection private key to the second computing device.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The first computing device as recited in claim 12, the cloud storage comprising a cloud service from which the data protection private key is protected.
  - 14. The first computing device as recited in claim 12, the key transfer module being further configured to:
    - display a prompt for user consent to transfer the data protection private key to the second computing device; and
      
      facilitate the encryption module encrypting the data protection private key and provide the encrypted data protection private key to the second computing device only in response to a user input indicating the transfer is consented to.
  - 15. The first computing device as recited in claim 12, the key transfer module being further configured to:
    - protect the data protection private key for recovery using biometric data of the user; and
      
      subsequently recover the data protection private key, using newly obtained biometric data of the user, in response to the data protection private key no longer being available from the first computing device.
  - 16. The first computing device as recited in claim 12, being further configured to display a QR code that encodes the data protection private key for capture by a camera of a phone of the user.

17. A computer-readable storage medium having stored thereon multiple instructions that, responsive to execution by one or more processors of a computing device, cause the one or more processors to perform operations comprising:
- protecting content by encrypting a file encryption key using a data protection public key of a data protection public/private key pair corresponding to an identity of a user of the computing device, the content being encrypted using the file encryption key;
  
  copying the protected content to a cloud storage;
  
  obtaining a public key of a public/private key pair of an additional computing device, the computing device and the additional computing device both accessing the cloud storage for protected content stored to the cloud storage by the other;
  
  encrypting the data protection private key using the public key of the additional computing device; and
  
  providing the encrypted data protection private key to the additional computing device.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable storage medium as recited in claim 17, the providing comprising storing the encrypted data protection private key to the cloud storage.
  - 19. The computer-readable storage medium as recited in claim 17, the cloud storage being an untrusted cloud storage that is not relied on to keep the protected content or the encrypted data protection private key secure.
  - 20. The computer-readable storage medium as recited in claim 17, further comprising:
    - protecting the data protection private key for recovery; and
      
      recovering the data protection private key in response to the data protection private key no longer being available from the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Mehta, Yogesh A., Basmov, Innokentiy, Ureche, Octavian T., Novotney, Peter J., Adam, Preston Derek, Lakhani, Mugdha, Sinha, Saurav, Acharya, Narendra S., Singh, Karanbir

Granted Patent

US 9,853,812 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

H04L 63/0442   wherein the sending and rec...

H04L 9/08   Key distribution or managem...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/0897   involving additional device...

H04L 9/30   Public key, i.e. encryption...

H04W 12/02   Protecting privacy or anony...

H04W 12/037   of the control plane, e.g. ...

H04W 12/08   Access security

Secure Key Management for Roaming Protected Content

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Key Management for Roaming Protected Content

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links