Providing security services on the cloud

US 8,479,008 B2
Filed: 12/15/2010
Issued: 07/02/2013
Est. Priority Date: 12/15/2010
Status: Active Grant

First Claim

Patent Images

1. At a computer system including a processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing a cloud keying and signing service, the method comprising:

an act of instantiating a signing service configured to sign software packages;

an act of receiving at the signing service a signing request from a publisher requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;

an act of the signing service generating a private and public key pair on behalf of the publisher;

the signing service digitally signing the hash with the public key;

the signing service returning the digitally signed hash to the publisher, wherein the digitally signed hash is subsequently attached to the selected software package;

the signing service receiving, subsequent to returning the digitally signed hash to the publisher, a symmetric key from the publisher, wherein the symmetric key is used by the publisher to encrypt the selected software package;

wherein the symmetric key is encrypted with the public key; and

an act of the signing service storing the private key of the generated key pair in a secure data store.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to the providing a cloud keying and signing service and to securing software package distribution on the cloud. In an embodiment, a computer system instantiates a signing service configured to sign software packages. The computer system receives a signing request from a computer user requesting that a selected software package be signed. The signing request includes a computed hash of the selected software package. The computer system generates a private and public key pair on behalf of the computer user and stores the private key of the generated key pair in a secure data store.

24 Citations

View as Search Results

21 Claims

1. At a computer system including a processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing a cloud keying and signing service, the method comprising:
- an act of instantiating a signing service configured to sign software packages;
  
  an act of receiving at the signing service a signing request from a publisher requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;
  
  an act of the signing service generating a private and public key pair on behalf of the publisher;
  
  the signing service digitally signing the hash with the public key;
  
  the signing service returning the digitally signed hash to the publisher, wherein the digitally signed hash is subsequently attached to the selected software package;
  
  the signing service receiving, subsequent to returning the digitally signed hash to the publisher, a symmetric key from the publisher, wherein the symmetric key is used by the publisher to encrypt the selected software package;
  
  wherein the symmetric key is encrypted with the public key; and
  
  an act of the signing service storing the private key of the generated key pair in a secure data store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the computed hash of the selected software package is computed on the publisher'"'"'s computer system.
  - 3. The method of claim 1, wherein the private key is further encrypted before being stored in the secure store.
  - 4. The method of claim 1, wherein the signing service is an isolated, secure service provided on the cloud.
  - 5. The method of claim 1, further comprising an act of the signing service sending the generated public key and signed hash with a counter-signed timestamp signature to the publisher.
  - 6. The method of claim 5, wherein the publisher applies the received public key, signed hash and timestamp signature to the selected software package.
  - 7. The method of claim 6, further comprising an act of the signing service decrypting the encrypted symmetric key.
  - 8. The method of claim 7, further comprising an act of the signing service sending to both the publisher and one or more end-users a public key certificate corresponding to the selected package.
  - 9. The method of claim 8, wherein the publisher publishes the selected software package encrypted with the symmetric key and signed with the private key.
  - 10. The method of claim 1, wherein the public key is wrapped in a software publishing certificate.
  - 11. The method of claim 9, wherein the public key is revocable according to policy.
  - 12. The method of claim 9, wherein each end-user'"'"'s computer system has a stored public key that allows each end-user'"'"'s computer system to verify that the published software package is from the identified publisher.
  - 13. The method of claim 9, wherein the symmetric key used to encrypt the software package is generated by the publisher'"'"'s computer system.
  - 14. The method of claim 9, wherein separate symmetric keys are generated for each software package and such that the symmetric key is unique to the selected software package.
  - 15. The method recited in claim 1, wherein the method further includes:
    - an act of the signing service decrypting the symmetric key using a corresponding stored private key; and
      
      an act of the signing service sending a decrypted symmetric key corresponding to the software package to an end-user'"'"'s computer for decryption.

16. A computer system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for providing a cloud keying and signing service, the method comprising the following;
  
  an act of instantiating a signing service configured to sign software packages;
  
  an act of receiving at the signing service a signing request from a first publisher requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;
  
  an act of the signing service generating a private and public key pair on behalf of the publisher;
  
  the signing service digitally signing the hash with the public key;
  
  the signing service returning the digitally signed hash to the publisher, wherein the digitally signed hash is subsequently attached to the selected software package;
  
  the signing service receiving, subsequent to returning the digitally signed hash to the publisher, a symmetric key from the publisher, wherein the symmetric key is used by the publisher to encrypt the selected software package;
  
  wherein the symmetric key is encrypted with the public key; and
  
  an act of the signing service storing the private key of the generated key pair in a secure data store.
- View Dependent Claims (17)
- - 17. The system of claim 16, wherein the system further includes:
    - an act of the signing service sending the generated public key and signed hash with a corresponding timestamp signature to the first user;
      
      wherein the publisher applies the received public key, signed hash and timestamp signature to the selected software package and publishes the selected software package to one or more end-users; and
      
      an act of the signing service sending the public key certificate to the one or more of end-users.

18. A computer program product for implementing a method for securing software package distribution on the cloud, the computer program product comprising one or more computer-readable storage device distinguished from a transmission media, the computer-readable storage device comprising a recordable-type storage device having stored thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of instantiating a signing service configured to sign software packages;
  
  an act of receiving at the signing service a signing request from a publisher requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;
  
  an act of the signing service generating a private and public key pair on behalf of the publisher;
  
  the signing service digitally signing the hash with the public key;
  
  the signing service returning the digitally signed hash to the publisher, wherein the digitally signed hash is subsequently attached to the selected software package;
  
  the signing service receiving, subsequent to returning the digitally signed hash to the publisher, a symmetric key from the publisher, wherein the symmetric key is used by the publisher to encrypt the selected software package;
  
  wherein the symmetric key is encrypted with the public key; and
  
  an act of the signing service storing the private key of the generated key pair in a secure data store.
- View Dependent Claims (19, 20, 21)
- - 19. The computer program product of claim 18, wherein the act of the signing service generating the private and public key pair on behalf of the publisher is performed for the first time only after the signing service receives the signing request.
  - 20. The computer program product of claim 18, wherein each communication between the signing service and each of the publisher is conducted over encrypted channels with mutual authentication.
  - 21. The computer program product of claim 18, wherein certificate management policies are implemented to synchronize certificates between the signing service and the end-users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lin, Jian, Liokumovich, Igor, Reus, Edward F.
Primary Examiner(s)
Powers, William S.
Assistant Examiner(s)
Sanders, Stephen

Application Number

US12/969,433
Publication Number

US 20120159178A1
Time in Patent Office

930 Days
Field of Search

713/178
US Class Current

713/178
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/045   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/123   received data contents, e.g...

H04L 9/3247   involving digital signatures

Providing security services on the cloud

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Providing security services on the cloud

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links