Security policy for device data

US9245143B2 · US · B2

Patent metadata
Publication number: US-9245143-B2
Application number: US-201213370232-A
Country: US
Kind code: B2
Filing date: Feb 9, 2012
Priority date: Feb 9, 2012
Publication date: Jan 26, 2016
Grant date: Jan 26, 2016

Abstract

Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a variety of ways, such as by deleting the decryption key, overwriting the encryption key in memory, encrypting the encryption key, and so on. Embodiments enable an occluded decryption key to be recovered via a recovery experience. For example, a recovery experience can include an authentication procedure that requests a recovery password. If a correct recovery password is provided, the occluded decryption key can be provided.

First claim

What is claimed is:

1. A system comprising: one or more hardware processors; and one or more computer-readable storage devices having instructions stored thereon that, responsive to execution by the one or more hardware processors, cause the one or more hardware processors to: maintain at least one decryption key for the computing device; attempt to check-in with a remote security service; ascertain that the computing device cannot contact the remote security service; cause the at least one decryption key to be occluded in response to said ascertaining that the computing device cannot contact the remote security service; and present in response to occlusion of the decryption key a graphical user interface on the computing device that includes a prompt to provide a recovery key for recovering the decryption key.

2. A system as described in claim 1, wherein the instructions are further executable by the one or more hardware processors to decrypt operating system data to enable the computing device to boot an operating system.

3. A system as described in claim 1, wherein the instructions are further executable by the one or more hardware processors to maintain the at least one decryption key by storing one portion of the decryption key in a first sector of memory, and storing another portion of the decryption key in a second, different sector of memory.

4. A system as described in claim 1, wherein the instructions are further executable by the one or more hardware processors to decrypt the at least one decryption key in response to an input of either an intermediate security key or a private key associated with the intermediate key.

5. A system as described in claim 1, wherein the instructions are further executable by the one or more hardware processors to monitor one or more states of the computing device such that a variation in the one or more states triggers a violation of one or more of the security policies.

6. A system as described in claim 1, wherein the instructions are further executable by the one or more hardware processors to launch a recovery experience that enables the decryption key to be recovered in response to the recovery key being provided as part of the recovery experience.

7. A system as described in claim 1, wherein the instructions are further executable by the one or more hardware processors to: cause the at least one decryption key to be occluded in response to the device entering a mode comprising at least one of a locked mode, a sleep mode, or a hibernation mode; and enable the decryption key to be recovered when the device emerges from the mode by checking the remote security service for a security status of the device.

8. A computer-implemented method, comprising: detecting a violation of a security policy for a device; occluding, by one or more hardware processors and in response to said detecting, a security key of the device by encrypting the security key with an intermediate security key; causing, in response to said occluding, a graphical user interface to be displayed on the computing device that enables a user to specify a location of the intermediate security key includes a prompt to provide a recovery key for recovering the security key; receiving user input to the graphical user interface identifying a protected location where the intermediate security key is located; retrieving the intermediate security key from the protected location; and decrypting the security key using the intermediate security key.

9. A method as described in claim 8, wherein the security policy specifies a threshold number of failed logon attempts for the device, and wherein said detecting comprises detecting that a number of logon attempts for the device that have failed has reached the threshold number.

10. A method as described in claim 9, wherein the number of logon attempts for the device that have failed are based on two or more different types of authentication factors.

11. A method as described in claim 8, wherein said detecting comprises detecting that a trusted status of the device has been revoked.

12. A method as described in claim 8, wherein said detecting comprises detecting that the device has failed to check-in with a remote security service.

13. A method as described in claim 8, wherein said detecting comprises detecting a variation in a state of the device, the state comprising one or more of a hardware state, a software state, or a network state.

14. A method as described in claim 8, wherein said detecting comprises detecting a time-related variation for the device.

15. A method as described in claim 8, wherein said security policy is associated with a geographic location of the device.

16. A computer-implemented method, comprising: causing, by one or more hardware processors, a security key residing on a computing device to be occluded in response to receiving an indication that the computing device has failed to check in with a remote security service; launching, by the one or more hardware processors, a recovery experience in response to an indication that the security key is occluded, the recovery experience requesting a recovery key for recovering the occluded security key; determining whether a correct recovery key is provided as part of the recovery experience; and enabling the security key to be recovered if the correct recovery key is provided.

17. A computer-implemented method as described in claim 16, wherein the indication that the security key is occluded comprises an indication that operating system data for the device is not available.

18. A computer-implemented method as described in claim 16, wherein the security key is occluded by encrypting the security key, and wherein, if the correct recovery key is provided, the security key is decrypted for the device using an intermediate security key.

19. A system as described in claim 1, wherein the instructions are further executable by the one or more hardware processors to attempt, by the computing device, periodic check-ins with the remote security service.

20. A computer-implemented method as described in claim 16, further comprising attempting periodic check-ins with the remote security service.

Classifications

  • Detecting or preventing theft or loss

  • to a system of files or objects, e.g. local or distributed file system or database

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Ingalls Dustin Michael, Ide Nathan J, Macaulay Christopher R, and 5 more

What technology area does this patent fall under?
Primary CPC classification G06F21/6218. Mapped technology areas include Physics.

When was this patent published?
Publication date Jan 26, 2016 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).