Cryptographic key containers on a USB token

US 8,588,421 B2
Filed: 01/26/2007
Issued: 11/19/2013
Est. Priority Date: 01/26/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, in a computer system comprising a processor, a request to access a cryptographic key;

the processor communicating with an application programming interface to automatically conduct a search, without requiring user interaction, for a USB compatible storage device having a first cryptographic key stored thereon in a key container, the searching comprising the processor searching an index of USB compatible storage devices to search for the key container;

if the USB compatible storage device is found, fetching, via a protected cryptographic process, the first cryptographic key from the USB compatible storage device, the protected cryptographic process preventing any user application executed by an operating system on the computer system, from directly accessing the cryptographic key; and

if the USB compatible storage device is not found;

rendering a prompt to provide the USB compatible storage device;

determining if the USB compatible storage device has been provided;

if the USB compatible storage device has been provided, accessing the first cryptographic key on the USB compatible storage device via the protected cryptographic process which prevents any user application executed by an operating system on the computer system from directly accessing the cryptographic key; and

if the USB compatible storage device has not been provided, accessing a second cryptographic key stored in a memory of the computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Universal Serial Bus (USB) compatible storage device is utilized as a security token for storage of cryptographic keys. A cryptographic subsystem of a processor accesses cryptographic keys in containers on the USB compatible storage device. Accessing includes storing and/or retrieving. The processor does not include an infrastructure dedicated to the USB compatible storage device. Cryptographic key storage is redirected from an in-processor container to the USB compatible storage device. No password or PIN is required to access the cryptographic keys, yet enhanced security is provided. Utilizing a USB compatible storage device for a cryptographic key container provides a convenient, portable, mechanism for carrying the cryptographic key, and additional security is provided via physical possession of the device.

26 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving, in a computer system comprising a processor, a request to access a cryptographic key;
  
  the processor communicating with an application programming interface to automatically conduct a search, without requiring user interaction, for a USB compatible storage device having a first cryptographic key stored thereon in a key container, the searching comprising the processor searching an index of USB compatible storage devices to search for the key container;
  
  if the USB compatible storage device is found, fetching, via a protected cryptographic process, the first cryptographic key from the USB compatible storage device, the protected cryptographic process preventing any user application executed by an operating system on the computer system, from directly accessing the cryptographic key; and
  
  if the USB compatible storage device is not found;
  
  rendering a prompt to provide the USB compatible storage device;
  
  determining if the USB compatible storage device has been provided;
  
  if the USB compatible storage device has been provided, accessing the first cryptographic key on the USB compatible storage device via the protected cryptographic process which prevents any user application executed by an operating system on the computer system from directly accessing the cryptographic key; and
  
  if the USB compatible storage device has not been provided, accessing a second cryptographic key stored in a memory of the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method in accordance with claim 1, further comprising:
    - storing the second cryptographic key in the memory of the computer system.
  - 3. A method in accordance with claim 1, wherein after fetching, the first cryptographic key is isolated in a protected execution environment of the computer system.
  - 4. A method in accordance with claim 1, wherein the first cryptographic key is fetched by the cryptographic process via a cryptographic programming interface.
  - 5. A method in accordance with claim 1, wherein the USB compatible storage device is a read-only device.
  - 6. A method in accordance with claim 1, further comprising:
    - generating a new cryptographic key based on a registry value, wherein the registry value is indicative of how the new cryptographic key is to be generated.
  - 7. A method in accordance with claim 6, wherein the registry value is indicative of:
    - generation of the new cryptographic key only on a specified USB compatible storage device or generation of the new cryptographic key only on the computer system.
  - 8. A method in accordance with claim 1, the searching further comprising searching paths on USB compatible storage devices coupled to the processor.

9. A computer system comprising:
- a processor; and
  
  memory coupled to the processor, the memory comprising executable instructions that when executed by the processor cause the processor to effectuate operations comprising;
  
  receiving a request to access a cryptographic key;
  
  searching, via an application programming interface to automatically search, without requiring user interaction, for a USB compatible storage device having a first cryptographic key stored thereon in a key container, the searching comprising searching an index of USB compatible storage devices to search for the key container; and
  
  if the USB compatible storage device is found, fetching, via a protected cryptographic process, the first cryptographic key on the USB compatible storage device, the protected cryptographic process preventing any user application executed by an operating system on the computer system, from directly accessing the cryptographic key; and
  
  if the USB compatible storage device is not found;
  
  rendering a prompt to provide the USB compatible storage device;
  
  determining if the USB compatible storage device has been provided;
  
  if the USB compatible storage device has been provided, accessing the first cryptographic key on the USB compatible storage device via the protected cryptographic process which prevents any user application executed by an operating system on the computer system from directly accessing the cryptographic key; and
  
  if the USB compatible storage device has not been provided, accessing a second cryptographic key stored in a memory of the computer system.
- View Dependent Claims (10, 11, 12)
- - 10. A system in accordance with claim 9, the operations further comprising:
    - storing the second cryptographic key in the memory of the computer system.
  - 11. A system in accordance with claim 9, wherein after accessing, the first cryptographic key is isolated in a protected execution environment of the system.
  - 12. A system in accordance with claim 9, wherein the USB compatible storage device comprises a portable device.

13. A computer-readable storage medium that is not a transient signal, the computer-readable storage medium having stored thereon computer-executable instructions that when executed by a processor cause the processor to effectuate operations comprising:
- receiving, in a computer system, a request to access a cryptographic key;
  
  searching, via an application programming interface to automatically search, without requiring user interaction, for a USB compatible storage device having a first cryptographic key stored thereon in a key container, the searching comprising searching an index of USB compatible storage devices to search for the key container; and
  
  if the USB compatible storage device is found, fetching via a protected cryptographic process, the first cryptographic key from the USB compatible storage device, the protected cryptographic process preventing any user application executed by an operating system on the computer system, from directly accessing the cryptographic key; and
  
  if the USB compatible storage device is not found;
  
  rendering a prompt to provide the USB compatible storage device;
  
  determining if the USB compatible storage device has been provided;
  
  if the USB compatible storage device has been provided, accessing the first cryptographic key on the USB compatible storage device via the protected cryptographic process which prevents any user application executed by an operating system on the computer system from directly accessing the cryptographic key; and
  
  if the USB compatible storage device has not been provided, accessing a second cryptographic key stored in a memory of the computer system.
- View Dependent Claims (14, 15, 16, 17)
- - 14. A computer-readable storage medium in accordance with claim 13, the operations further comprising accessing the first cryptographic key via a cryptographic programming interface.
  - 15. A computer-readable storage medium in accordance with claim 13, the operations further comprising:
    - storing the second cryptographic key in the memory of the computer system.
  - 16. A computer-readable storage medium in accordance with claim 13, wherein after fetching, the first cryptographic key is isolated in a protected execution environment of the computer system.
  - 17. A computer-readable storage medium in accordance with claim 13, wherein the USB compatible storage device comprises a portable device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Acar, Tolga, Ellison, Carl M.
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US11/627,466
Publication Number

US 20080181412A1
Time in Patent Office

2,489 Days
Field of Search

380/277, 380/278
US Class Current

380/277
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/79   in semiconductor storage me...

H04L 9/0897   involving additional device...

Cryptographic key containers on a USB token

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic key containers on a USB token

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links