Providing security services on the cloud

US 9,059,856 B2
Filed: 06/20/2013
Issued: 06/16/2015
Est. Priority Date: 12/15/2010
Status: Active Grant

First Claim

Patent Images

1. In a computer networking environment that includes a cloud computing environment accessed by plurality of computing systems and at least one publisher computer system, a computer program product comprising at least one storage device having stored computer-executable instructions which, when executed by one or more processors perform a computer-implemented method which, when implemented by the publisher computer system, provides secure storage for a selected software package in the cloud computing environment, the computer-implemented method comprising acts of:

generating at the publisher computing system a hash for a selected software package;

sending from the publisher computing system a signing request that includes the hash of the selected software package, the signing request being sent to a keying and signing service located at the cloud computing environment and the signing request requesting that the selected software package be signed;

receiving at the publisher computing system the digitally signed hash signed with a public key from a public/private key pair generated for the selected software package of the publisher computing system at the keying and signing service;

attaching the digitally signed hash to the selected software package at the publisher computing system;

the publisher computing system encrypting the selected software package with a symmetric key; and

sending from the publisher computing system the symmetric key to the keying and signing service at the cloud computing environment, wherein the symmetric key is encrypted and stored at a secure data store of the cloud computing environment with an encrypted version of the private key from said public/private key pair generated for the selected software package.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to the providing a cloud keying and signing service and to securing software package distribution on the cloud. In an embodiment, a computer system instantiates a signing service configured to sign software packages. The computer system receives a signing request from a computer user requesting that a selected software package be signed. The signing request includes a computed hash of the selected software package. The computer system generates a private and public key pair on behalf of the computer user and stores the private key of the generated key pair in a secure data store.

12 Citations

View as Search Results

19 Claims

1. In a computer networking environment that includes a cloud computing environment accessed by plurality of computing systems and at least one publisher computer system, a computer program product comprising at least one storage device having stored computer-executable instructions which, when executed by one or more processors perform a computer-implemented method which, when implemented by the publisher computer system, provides secure storage for a selected software package in the cloud computing environment, the computer-implemented method comprising acts of:
- generating at the publisher computing system a hash for a selected software package;
  
  sending from the publisher computing system a signing request that includes the hash of the selected software package, the signing request being sent to a keying and signing service located at the cloud computing environment and the signing request requesting that the selected software package be signed;
  
  receiving at the publisher computing system the digitally signed hash signed with a public key from a public/private key pair generated for the selected software package of the publisher computing system at the keying and signing service;
  
  attaching the digitally signed hash to the selected software package at the publisher computing system;
  
  the publisher computing system encrypting the selected software package with a symmetric key; and
  
  sending from the publisher computing system the symmetric key to the keying and signing service at the cloud computing environment, wherein the symmetric key is encrypted and stored at a secure data store of the cloud computing environment with an encrypted version of the private key from said public/private key pair generated for the selected software package.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product of claim 1, wherein a public key certificate prepared for the public key of the public/private key pair corresponding to the selected software package is sent to one or more targeted computing systems of the computer networking environment.
  - 3. The computer program product of claim 1, wherein the keying and signing service is an isolated, secure service provided at the cloud computing environment.
  - 4. The computer program product of claim 1 wherein the computer-implemented method further comprises receiving the signed hash with a counter-signed timestamp signature.
  - 5. The computer program product of claim 4 wherein the computer-implemented method further comprises applying the hash signed with the public key and timestamp signature to the selected software package at the publisher computer system.
  - 6. The computer program product of claim 5, wherein a public key certificate corresponding to the selected package is sent to both the publisher computing system and one or more targeted computer systems of the computer networking environment.
  - 7. The computer program product of claim 6 wherein the computer-implemented method further comprises publishing the selected software package encrypted with the symmetric key and signed with the private key.
  - 8. The computer program product of claim 7, wherein each targeted computer system has a stored public key that allows verification that the published software package is from the publisher computer system.

9. In a computer networking environment that includes a cloud computing environment accessed by plurality of computing systems and at least one publisher computer system, a computer-implemented method which, when implemented by the publisher computer system, provides secure storage for a selected software package in the cloud computing environment, the computer-implemented method comprising acts of:
- generating at the publisher computing system a hash for a selected software package;
  
  sending from the publisher computing system a signing request that includes the hash of the selected software package, the signing request being sent to a keying and signing service located at the cloud computing environment and the signing request requesting that the selected software package be signed;
  
  receiving at the publisher computing system the digitally signed hash signed with a public key from a public/private key pair generated for the selected software package of the publisher computing system at the keying and signing service;
  
  attaching the digitally signed hash to the selected software package at the publisher computing system;
  
  the publisher computing system encrypting the selected software package with a symmetric key; and
  
  sending from the publisher computing system the symmetric key to the keying and signing service at the cloud computing environment, wherein the symmetric key is encrypted and stored at a secure data store of the cloud computing environment with an encrypted version of the private key from said public/private key pair generated for the selected software package.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer-implemented method of claim 9, wherein the keying and signing service is an isolated, secure service provided at the cloud computing environment.
  - 11. The computer-implemented method of claim 9, further comprising receiving the signed hash with a counter-signed timestamp signature.
  - 12. The computer-implemented method of claim 11, further comprising applying the hash signed with the public key and timestamp signature to the selected software package at the publisher computer system.
  - 13. The computer-implemented method of claim 12, wherein a public key certificate corresponding to the selected package is sent to both the publisher computing system and one or more targeted computer systems of the computer networking environment.
  - 14. The computer-implemented method of claim 13, further comprising publishing the selected software package encrypted with the symmetric key and signed with the private key.

15. In a computer networking environment that includes a cloud computing environment accessed by plurality of computing systems and at least one publisher computer system a computer-implemented method that provides secure access to the selected software package stored in the cloud computing environment by one or more targeted computing systems of the computer networking environment, the computer-implemented method comprising acts of:
- instantiating at the cloud computing environment a keying and signing service;
  
  receiving at the keying and signing service a request from a publisher computer system requesting that a selected software package be signed, wherein the signing request includes a computed hash of the selected software package;
  
  the keying and signing service generating a private and public key pair for the selected software package, and digitally signing the hash with the public key;
  
  the keying and signing service returning the digitally signed hash to the publisher computer system, wherein the digitally signed hash is subsequently attached to the selected software package;
  
  the keying and signing service receiving, subsequent to returning the digitally signed hash to the publisher computer system, a symmetric key from the publisher computer system, wherein the symmetric key is used by the publisher computer system to encrypt the selected software package, and the signing service encrypting the symmetric key;
  
  the keying and signing service storing the encrypted symmetric key and an encrypted version of the private key of the generated key pair in a secure data store at the cloud computing environment; and
  
  one or more targeted computing systems of the computing network environment obtaining the encrypted symmetric key for the selected software package for the secure data store of the cloud computing environment, and the one or more targeted computing systems then sending the encrypted symmetric key for decryption by the keying and signing service using the private key of the private and public key pair so that thereafter the one or more targeted computing systems can decrypt and access the selected software package using the decrypted symmetric key.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-implemented method of claim 15, wherein the one or more targeted computing systems are each provided with a public key certificate that can be used with the decrypted symmetric key to access the selected software package.
  - 17. The computer-implemented method of claim 16, wherein the one or more targeted computing systems each have a stored public key that allows each of the one or more targeted computing systems to use the public key certificate to verify that the published software package is from the identified publisher, and wherein the public key is revocable according to a determined policy.
  - 18. The computer-implemented method of claim 15, wherein the keying and signing service is an isolated, secure service provided at the cloud computing environment.
  - 19. The computer-implemented method of claim 15, further wherein the keying and signing service sends the digitally signed hash with a counter-signed timestamp signature to the publisher computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Lin, Jian, Liokumovich, Igor, Reus, Edward F.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US13/923,138
Publication Number

US 20130283056A1
Time in Patent Office

726 Days
Field of Search

713/176
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/045   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/123   received data contents, e.g...

H04L 9/3247   involving digital signatures

Providing security services on the cloud

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Providing security services on the cloud

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links