Self-contained encrypted data and decryption application for third party data storage and data dissemination
US-2024273221-A1 · Aug 15, 2024 · US
| Field | Value |
|---|---|
| Publication number | US-2019007204-A1 |
| Application number | US-201715639698-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 30, 2017 |
| Priority date | Jun 30, 2017 |
| Publication date | Jan 3, 2019 |
| Grant date | — |
Abstract
Systems and methods are provided for adding security to client data by maintaining decryption keys at a server that provide access to encrypted keys that are maintained at a client system with encrypted client data. A specialized protocol is utilized for accessing the decryption keys from the server. Once obtained, the decryption key is used to decrypt the encrypted key at the client and then the newly decrypted decryption key is used to decrypt the encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to the server decryption key. Furthermore, in some instances, the server can also prevent access to the server decryption keys in response to anomalies, such as decommissioning and other asset management events.
Claims (preview)
1. A method implemented by a client system for keeping encrypted data tamper resistant, comprising: encrypting a cluster of data using an encryption key; creating a unique key identifier of the cluster of encrypted data; encrypting the decryption key using a new cryptography key, wherein the decryption key is interrelated to the encryption key and configured for decrypting the cluster of encrypted data; storing the encrypted decryption key and the unique key identifier in the cluster of encrypted data as metadata; sending data associated with the new cryptography key, along with the unique key identifier, to a server that has access to a key ID database that stores a plurality of unique key identifiers along with the decryption key that is associated with the cryptograph key; initiating boot of the client system; sending a communication request to a server that has access to the key ID database; receiving a response from the server granting the request; sending the unique key identifier and the data associated with the new cryptography key to the server; receiving the decryption key from the server, which was accessed by the server using the unique key identifier and the data associated with the cryptograph key; and decrypting the encrypted cluster of data.
2. The method of claim 1, wherein the data associated with the cryptograph key is an asymmetric key.
3. The method of claim 1, wherein the data associated with the cryptograph key is a symmetric key.
4. A method implemented by a client system for keeping encrypted data tamper resistant, comprising: encrypting a cluster of data using an encryption key; creating a unique key identifier of the cluster of encrypted data; encrypting the decryption key using a public key, wherein the decryption key is interrelated to the encryption key and configured for decrypting the cluster of encrypted data; storing the encrypted decryption key and the unique key identifier in the cluster of encrypted data as metadata; sending a private key and the unique key identifier to a server that has access to a key ID database that stores private keys and unique key identifiers, wherein the private key is interrelated to the public key and configured for decrypting the encrypted decryption key; initiating boot of the client system; sending a communication request to a server that has access to the key ID database; receiving a response from the server granting the request; sending the unique key identifier and the encrypted decryption key to the server; receiving a decrypted decryption key from the server; and decrypting the cluster of encrypted data using the decrypted decryption key.
5. The method of claim 4, wherein the unique key identifier is a certificate thumbprint.
6. The method of claim 4, wherein the server is a PXE server, wherein the communication request is a PXE discover, and wherein the communication response is a response to the PXE discover.
7. The method of claim 4, wherein the request for boot code is a request for boot code via TFTP.
8. The method of claim 4, wherein the unique key identifier includes a hash value of the cluster of encrypted data.
9. The method of claim 4, wherein the unique key identifier includes a hash value of the cluster of encrypted data and the public key.
10. A method implemented by a client system for keeping encrypted data tamper resistant, comprising: encrypting the cluster of data using an encryption key; creating a unique key identifier of the cluster of encrypted data; sending the decryption key and the unique key identifier to a server that has access to a key ID database that stores the symmetric key and the unique key identifier, wherein the decryption key is interrelated to the encryption key and configured for decrypting the cluster of encrypted data; receiving the encrypted decryption key that was encrypted using a symmetric key from the server; storing the encrypted decryption key and the unique key identifier in the cluster of data as metadata; initiating boot of a client system; sending a communication request to a server that has access to the key ID database; receiving a response from the server granting the request; sending the unique key identifier and encrypted decryption key to the server; receiving the decrypted decryption key from the server; and decrypting the cluster of encrypted data using the decrypted decryption key.
11. A method implemented by a server for managing access to encrypted data at a client system, comprising: receiving a unique key identifier and a private key that is configured for decrypting an encrypted decryption key, wherein the decryption key is configured for decrypting a cluster of encrypted data, and the decryption key is further encrypted using a public key; storing the private key and the unique key identifier in a key ID database; receiving a communication request from a client system; sending a communication response to the client system; receiving a unique key identifier and an encrypted decryption key stored in metadata of the cluster of encrypted data that a client system requests to access; searching the key ID database for a matching unique key identifier; in response to finding a match, retrieving a private key that is associated with the unique key identifier; decrypting the encrypted decryption key using the private key; and sending the decrypted decryption key to the client system, wherein the decrypted decryption key is configured for decrypting the cluster of encrypted data.
12. A method implemented by a server for managing access to encrypted data at a client system, comprising: receiving a unique key identifier and a decryption key that is configured for decrypting a cluster of encrypted data; encrypting the decryption key using a symmetric key; sending the encrypted decryption key to the client system that stores the encrypted symmetric key and the unique key identifier in the cluster of encrypted data as metadata; storing the symmetric key and the unique key identifier in a key ID database; receiving a communication request from a client system; sending a communication response to the client system; receiving a unique key identifier and an encrypted decryption key stored in metadata of the cluster of encrypted data that the client system requests to access; searching the key ID database for a match; in response to finding a match, retrieving a symmetric key associated with the unique key identifier; decrypting the encrypted decryption key using the symmetric key; sending the decrypted decryption key to the client system, wherein the symmetric key is configured for decrypting the cluster of encrypted data.
13. The method of claim 12, further comprising authenticating a user's credential.
14. The method of claim 12, wherein the server is a PXE server, wherein the communication request is a PXE discover, and wherein the communication response is a response to the PXE discover.
15. The method of claim 12, wherein the request for boot code is a request for boot code via TFTP.
16. The method of claim 12, further comprising: detecting asset management anomalies; and in response to an asset management anomaly, deleting the symmetric key from the key ID database.
17. The method of claim 16, wherein the detecting asset management anomalies includes detecting a threshold number of false data access requests.
18. The method of claim 16, wherein the detecting asset management anomalies includes detect
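The program below is an added example written for this page, not code from the patent or from any product implementing it. It models the asymmetric variant of claims 4 and 11 using only Go's standard library: AES-256-GCM seals the data cluster, RSA-OAEP wraps the data encryption key (DEK) under the client's public key, the SHA-256 of the ciphertext serves as the unique key identifier (claim 8), and the server keeps the private keys in a map standing in for the key ID database. It also carries the server-side anomaly response of claims 16 and 17: after a threshold of false access requests against a key ID the private key is deleted, leaving the cluster permanently sealed. The PXE discover and TFTP transport of claims 6 and 7 are replaced by direct function calls; RSA-2048, the threshold value, and all function and type names are assumptions, not the patent's terms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Cluster is the self-contained encrypted blob: ciphertext plus the metadata the
// claims describe (the wrapped decryption key and the unique key identifier).
type Cluster struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	WrappedDEK []byte // data key wrapped with RSA-OAEP under the client's public key
	KeyID      string // hex(SHA-256(ciphertext)), the hash-of-cluster identifier of claim 8
}

// KeyServer holds private keys indexed by key ID (the "key ID database") and the
// false-request counter behind the anomaly response of claims 16 and 17.
type KeyServer struct {
	db        map[string]*rsa.PrivateKey
	failures  map[string]int
	threshold int // false requests tolerated before the key is deleted (assumed policy)
}

func NewKeyServer(threshold int) *KeyServer {
	return &KeyServer{db: map[string]*rsa.PrivateKey{}, failures: map[string]int{}, threshold: threshold}
}

// NewClientKey makes the pair whose public half wraps the DEK (RSA-2048 is an assumption).
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Register is the enrolment step: the client hands the private key and key ID to the server.
func (s *KeyServer) Register(keyID string, priv *rsa.PrivateKey) { s.db[keyID] = priv }

// Has reports whether the server still holds a private key for this ID.
func (s *KeyServer) Has(keyID string) bool { _, ok := s.db[keyID]; return ok }

// Unwrap is the boot-time request: look up the ID, unwrap the DEK, return it. An OAEP
// failure against a registered ID is a false access request; at the threshold the key
// is deleted, after which the cluster can never be opened again.
func (s *KeyServer) Unwrap(keyID string, wrapped []byte) ([]byte, error) {
	priv, ok := s.db[keyID]
	if !ok {
		return nil, errors.New("unknown key ID")
	}
	// The key ID is the OAEP label, so a wrapped DEK cannot be replayed under another ID.
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(keyID))
	if err != nil {
		s.failures[keyID]++
		if s.failures[keyID] >= s.threshold {
			delete(s.db, keyID)
		}
		return nil, errors.New("wrapped key rejected")
	}
	return dek, nil
}

// gcmFor builds the AEAD for a DEK; neither call can fail for a 32-byte AES key.
func gcmFor(dek []byte) cipher.AEAD {
	block, err := aes.NewCipher(dek)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal is the client setup of claim 4: random DEK, AES-GCM over the data, key ID over
// the ciphertext, DEK wrapped under pub, everything stored together in the cluster.
func Seal(plaintext []byte, pub *rsa.PublicKey) (*Cluster, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm := gcmFor(dek)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	sum := sha256.Sum256(ct)
	keyID := hex.EncodeToString(sum[:])
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Cluster{Nonce: nonce, Ciphertext: ct, WrappedDEK: wrapped, KeyID: keyID}, nil
}

// Open is the boot-time client path: send key ID and wrapped DEK, receive the DEK,
// decrypt locally. GCM's tag check makes a tampered cluster fail here even when the
// server returned the correct DEK.
func Open(c *Cluster, s *KeyServer) ([]byte, error) {
	dek, err := s.Unwrap(c.KeyID, c.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmFor(dek).Open(nil, c.Nonce, c.Ciphertext, nil)
}
```

Two design points are worth checking against the claims. First, the key ID doubles as the OAEP label, so a wrapped key lifted from one cluster is rejected when presented under another cluster's identifier; the claims only require the server to match the identifier, and this binding is an addition. Second, because the server returns the data key rather than plaintext, the "tamper resistant" property rests entirely on the GCM tag check at the client: a modified ciphertext still yields the right DEK from the server and then fails to open. The symmetric variant of claims 10 and 12 differs only in where wrapping happens: the server holds a symmetric key and wraps the DEK itself before the client stores it.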
CPC classifications (titles):
- using a plurality of keys or algorithms
- using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- to a system of files or objects, e.g. local or distributed file system or database
- using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083)
- Secure boot