System and method for content protection based on a combination of a user pin and a device specific identifier
US-2016330024-A1 · Nov 10, 2016 · US
US10025597B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10025597-B2 |
| Application number | US-201614992798-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 11, 2016 |
| Priority date | Apr 7, 2010 |
| Publication date | Jul 17, 2018 |
| Grant date | Jul 17, 2018 |
Official abstract text for this publication.
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for erasing user data stored in a file system. The method includes destroying all key bags containing encryption keys on a device having a file system encrypted on a per file and per class basis, erasing and rebuilding at least part of the file system associated with user data, and creating a new default key bag containing encryption keys. Also disclosed herein is a method of erasing user data stored in a remote file system encrypted on a per file and per class basis. The method includes transmitting obliteration instructions to a remote device, which cause the remote device to destroy all key bags containing encryption keys on the remote device, erase and rebuild at least part of the file system associated with user data, and create on the remote device a new default key bag containing encryption keys.
Opening claim text (preview).
What is claimed is:
1. A method for performing a data backup at a mobile device having an encrypted file system, the method comprising: at the mobile device: receiving a backup ticket from a remote device; decrypting encrypted class keys using the backup ticket to produce decrypted class keys, wherein each class key corresponds to a respective protection class that defines particular file access rights; decrypting encrypted file keys using the decrypted class keys to produce decrypted file keys; generating a set of backup keys; backing up a subset of files included in the file system; encrypting, using the set of backup keys, the decrypted file keys for the subset of files to produce new encrypted file keys; and providing, to the remote device, the new encrypted file keys and the set of backup keys, wherein the remote device is prevented from using the set of backup keys to restore any files that are associated with a protection class comprising a unique identifier that corresponds to the mobile device.
2. The method of claim 1, further comprising, prior to receiving the backup ticket from the remote device: generating a backup secret; and providing the backup secret to the remote device.
3. The method of claim 2, wherein the backup ticket includes a public key and a private key that are encrypted using the backup secret.
4. The method of claim 3, wherein the encrypted class keys are encrypted using the public key, and the encrypted class keys are decrypted using the private key.
5. The method of claim 1, wherein encrypting the decrypted file keys for the subset of files comprises, for each file included in the subset of files: retrieving a decrypted file key for the file; and encrypting the decrypted file key to produce a new encrypted file key for the file.
6. The method of claim 1, wherein the remote device is a server device configured to provide backup services for a plurality of remote devices that includes the remote device.
7. The method of claim 1, wherein the protection class indicates that the files are tied to the mobile device and should not be migrated to any other device.
8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor included in a mobile device having an encrypted file system, cause the mobile device to perform a data backup at the mobile device, by carrying out steps that include: receiving a backup ticket from a remote device; decrypting encrypted class keys using the backup ticket to produce decrypted class keys, wherein each class key corresponds to a respective protection class that defines particular file access rights; decrypting encrypted file keys using the decrypted class keys to produce decrypted file keys; generating a set of backup keys; backing up a subset of files included in the file system; encrypting, using the set of backup keys, the decrypted file keys for the subset of files to produce new encrypted file keys; and providing, to the remote device, the new encrypted file keys and the set of backup keys, wherein the remote device is prevented from using the set of backup keys to restore any files that are associated with a protection class comprising a unique identifier that corresponds to the mobile device.
9. The non-transitory computer readable storage medium of claim 8, wherein the steps further include, prior to receiving the backup ticket from the remote device: generating a backup secret; and providing the backup secret to the remote device.
10. The non-transitory computer readable storage medium of claim 9, wherein the backup ticket includes a public key and a private key that are encrypted using the backup secret.
11. The non-transitory computer readable storage medium of claim 10, wherein the encrypted class keys are encrypted using the public key, and the encrypted class keys are decrypted using the private key.
12. The non-transitory computer readable storage medium of claim 8, wherein encrypting the decrypted file keys for the subset of files comprises, for each file included in the subset of files: retrieving a decrypted file key for the file; and encrypting the decrypted file key to produce a new encrypted file key for the file.
13. The non-transitory computer readable storage medium of claim 8, wherein the remote device is a server device configured to provide backup services for a plurality of remote devices that includes the remote device.
14. The non-transitory computer readable storage medium of claim 8, wherein the protection class indicates that the files are tied to the mobile device and should not be migrated to any other device.
15. A mobile device configured to perform a data backup of an encrypted file system implemented at the mobile device, the mobile device comprising: a processor; and a memory storing instructions that, when executed by the processor, cause the mobile device to carry out steps that include: receiving a backup ticket from a remote device; decrypting encrypted class keys using the backup ticket to produce decrypted class keys, wherein each class key corresponds to a respective protection class that defines particular file access rights; decrypting encrypted file keys using the decrypted class keys to produce decrypted file keys; generating a set of backup keys; backing up a subset of files included in the file system; encrypting, using the set of backup keys, the decrypted file keys for the subset of files to produce new encrypted file keys; and providing, to the remote device, the new encrypted file keys and the set of backup keys, wherein the remote device is prevented from using the set of backup keys to restore any files that are associated with a protection class comprising a unique identifier that corresponds to the mobile device.
16. The mobile device of claim 15, wherein the steps further include, prior to receiving the backup ticket from the remote device: generating a backup secret; and providing the backup secret to the remote device.
17. The mobile device of claim 16, wherein the backup ticket includes a public key and a private key that are encrypted using the backup secret.
18. The mobile device of claim 17, wherein the encrypted class keys are encrypted using the public key, and the encrypted class keys are decrypted using the private key.
19. The mobile device of claim 15, wherein encrypting the decrypted file keys for the subset of files comprises, for each file included in the subset of files: retrieving a decrypted file key for the file; and encrypting the decrypted file key to produce a new encrypted file key for the file.
20. The mobile device of claim 15, wherein the protection class indicates that the files are tied to the mobile device and should not be migrated to any other device.
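The file-key re-wrapping steps of claims 1 and 5, sketched as an added example that is not taken from the patent or from any vendor implementation; it starts from class keys that are already decrypted and leaves out the backup-ticket exchange of claims 2 to 4. Assumptions: the class name `device_only`, the HMAC-based `wrap`/`unwrap` stand-in for a real key-wrap cipher, and binding the device-tied class to a device UID that never leaves the device (the claims state that the remote device cannot restore that class, but not how).

```python
import hashlib, hmac, os

DEVICE_TIED = "device_only"  # hypothetical name for the class tied to this device

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def wrap(kek, key):
    """Stand-in key wrap for 32-byte keys (HMAC keystream + tag), not the patent's cipher."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(key, _mac(kek, b"enc" + nonce)))
    return nonce + body + _mac(kek, b"mac" + nonce + body)

def unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(kek, b"mac" + nonce + body)):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(body, _mac(kek, b"enc" + nonce)))

def _backup_kek(backup_keys, cls, device_uid):
    # Assumption: the device-tied class mixes in a UID that never leaves the device,
    # so the exported backup key alone cannot unwrap that class's file keys.
    kek = backup_keys[cls]
    return _mac(device_uid, kek) if cls == DEVICE_TIED else kek

def backup_file_keys(class_keys, files, device_uid):
    """files maps path -> (class name, file key wrapped under that class key).
    Returns (re-wrapped file keys, backup keys), both handed to the remote device."""
    backup_keys = {cls: os.urandom(32) for cls in class_keys}
    rewrapped = {}
    for path, (cls, blob) in files.items():
        file_key = unwrap(class_keys[cls], blob)       # class key unwraps the file key
        kek = _backup_kek(backup_keys, cls, device_uid)
        rewrapped[path] = (cls, wrap(kek, file_key))   # backup key re-wraps the file key
    return rewrapped, backup_keys

def restore_file_key(backup_keys, entry, device_uid=b""):
    """Restore side; raises ValueError when the caller lacks the device UID."""
    cls, blob = entry
    return unwrap(_backup_kek(backup_keys, cls, device_uid), blob)
```

The file contents are never re-encrypted in this flow; only the per-file keys change their wrapping, which is why the backup can hand over file keys without exposing the class keys.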
Transmitting and receiving encryption devices synchronised or initially set up in a particular manner · CPC title
Authentication · CPC title
Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083) · CPC title