Device-based PIN authentication process to protect encrypted data

US9639710B2 · US · B2

Patent metadata
Publication number: US-9639710-B2
Application number: US-201314139204-A
Country: US
Kind code: B2
Filing date: Dec 23, 2013
Priority date: Dec 23, 2013
Publication date: May 2, 2017
Grant date: May 2, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques are disclosed for providing a device-based PIN authentication process used to protect encrypted data stored on a computing system, such as a tablet or mobile device. A client component and a server component each store distinct cryptographic keys needed to access encrypted data on the client. The mobile device stores a vault encryption key used to decrypt encrypted sensitive data stored on the mobile device. The vault key is encrypted using a first encryption key and stored on the mobile device. The first encryption key is itself encrypted using a second encryption key. The second encryption key is derived from the PIN value.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method for securely storing encrypted data on a computing device that includes a microprocessor and memory, the method comprising: receiving a data encryption key derived from a password, wherein the data encryption key is used to encrypt data on the computing device; encrypting the data encryption key using a first encryption key; storing the encrypted data encryption key on the computing device; encrypting the first encryption key using a second encryption key, wherein the second encryption key is derived from a user-supplied value entered on the computing device and a salt input to a password key based derivation function, and wherein the salt is rotated following a request to access the encrypted data on the computing device, and wherein the user-supplied value is different from the password; and sending the encrypted first encryption key to a remote server.

2. The method of claim 1, further comprising: generating, from the user supplied value, a lookup key; generating a device key; and sending the lookup key and the device key to the remote server, wherein remote server uses the device key and the lookup key as an index to the encrypted first encryption key stored on the server.

3. The method of claim 2, further comprising: in response to the request to access encrypted data stored on the computing device: regenerating, using the user-supplied value, the lookup key and the second encryption key; sending the regenerated lookup key and the device key to the remote server; in response, receiving the encrypted first encryption key from the remote server; decrypting, using regenerated second encryption key, the encrypted first encryption key received from the remote server to recover the first encryption key; and decrypting, using recovered first encryption key, the encrypted data encryption key stored on the client device.

4. The method of claim 1, wherein the user-supplied value is a PIN value.

5. The method of claim 1, wherein the computing device is a mobile computing device.

6. A non-transitory computer-readable storage medium storing instructions, which, when executed on a microprocessor, performs an operation for securely storing encrypted data on a computing device that includes memory and the microprocessor, the operation comprising: receiving a data encryption key derived from a password, wherein the data encryption key is used to encrypt data on the computing device; encrypting the data encryption key using a first encryption key; storing the encrypted data encryption key on the computing device; encrypting the first encryption key using a second encryption key, wherein the second encryption key is derived from a user-supplied value entered on the computing device and a salt input to a password key based derivation function, and wherein the salt is rotated following a request to access the encrypted data on the computing device, and wherein the user-supplied value is different from the password; and sending the encrypted first encryption key to a remote server.

7. The computer-readable storage medium of claim 6, wherein the operation further comprises: generating, from the user supplied value, a lookup key; generating a device key; and sending the lookup key and the device key to the remote server, wherein remote server uses the device key and the lookup key as an index to the encrypted first encryption key stored on the server.

8. The computer-readable storage medium of claim 7, wherein the operation further comprises: in response to the request to access encrypted data stored on the computing device: regenerating, using the user-supplied value, the lookup key and the second encryption key; sending the regenerated lookup key and the device key to the remote server; in response, receiving the encrypted first encryption key from the remote server; decrypting, using regenerated second encryption key, the encrypted first encryption key received from the remote server to recover the first encryption key; and decrypting, using recovered first encryption key, the encrypted data encryption key stored on the client device.

9. The computer-readable storage medium of claim 6, wherein the user-supplied value is a PIN value.

10. The computer-readable storage medium of claim 6, wherein the computing device is a mobile computing device.

11. A computing device, comprising: a microprocessor and a memory hosting an application, which, when executed on the microprocessor, performs an operation for securely storing encrypted data on the computing device, the operation comprising: receiving a data encryption key derived from a password, wherein the data encryption key is used to encrypt data on the computing device, encrypting the data encryption key using a first encryption key, storing the encrypted data encryption key on the computing device, encrypting the first encryption key using a second encryption key, wherein the second encryption key is derived from a user-supplied value entered on the computing device and a salt input to a password key based derivation function, and wherein the salt is rotated following a request to access the encrypted data on the computing device, and wherein the user-supplied value is different from the password, and sending the encrypted first encryption key to a remote server.

12. The computing device of claim 11, wherein the operation further comprises: generating, from the user supplied value, a lookup key; generating a device key; and sending the lookup key and the device key to the remote server, wherein remote server uses the device key and the lookup key as an index to the encrypted first encryption key stored on the server.

13. The computing device of claim 12, wherein the operation further comprises: in response to the request to access encrypted data stored on the computing device: regenerating, using the user-supplied value, the lookup key and the second encryption key; sending the regenerated lookup key and the device key to the remote server; in response, receiving the encrypted first encryption key from the remote server; decrypting, using regenerated second encryption key, the encrypted first encryption key received from the remote server to recover the first encryption key; and decrypting, using recovered first encryption key, the encrypted data encryption key stored on the client device.

14. The computing device of claim 11, wherein the user-supplied value is a PIN value.
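The key hierarchy of claims 1 to 3 (enrolment, access, and salt rotation), written out as an added example. This is not code from the patent or from Symantec; it is a stdlib-only Python model in which the wrap/unwrap primitive is a constructed encrypt-then-MAC stand-in (HMAC-SHA256 keystream plus HMAC tag) for the AES-GCM or AES-KW a real product would use, the iteration count is an assumption, and all class, function and purpose-label names are invented for illustration. The sample vault contents and credentials are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000  # assumption; tune to the device's CPU budget


def kdf(secret: bytes, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; `purpose` keeps the DEK, K2 and lookup derivations apart."""
    return hashlib.pbkdf2_hmac("sha256", secret, purpose + salt, PBKDF2_ITERS, dklen=32)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys for the toy wrap primitive below.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Constructed encrypt-then-MAC stand-in for AES-GCM/AES-KW: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong key or an altered blob fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Remote side: holds only K1 wrapped under K2, indexed by (device key, lookup key)."""

    def __init__(self):
        self.store = {}

    def put(self, device_key: bytes, lookup_key: bytes, wrapped_k1: bytes) -> None:
        self.store[(device_key, lookup_key)] = wrapped_k1  # overwritten on each salt rotation

    def get(self, device_key: bytes, lookup_key: bytes):
        return self.store.get((device_key, lookup_key))


class Client:
    """Device side: holds the vault, the DEK wrapped under K1, the device key and the PIN salt."""

    def __init__(self, server: Server):
        self.server = server
        self.device_key = os.urandom(16)  # device key (claim 2)
        self.pin_salt = b""
        self.wrapped_dek = b""
        self.vault = b""

    def enroll(self, password: str, pin: str, secret: bytes) -> None:
        dek = kdf(password.encode(), os.urandom(16), b"dek")  # DEK derived from the password
        self.vault = wrap(dek, secret)                         # encrypted data on the device
        k1 = os.urandom(32)                                    # first encryption key
        self.wrapped_dek = wrap(k1, dek)                       # stored on the device
        self._push_k1(pin, k1, os.urandom(16))                 # K1 leaves the device wrapped under K2

    def _push_k1(self, pin: str, k1: bytes, new_salt: bytes) -> None:
        self.pin_salt = new_salt
        k2 = kdf(pin.encode(), new_salt, b"k2")                 # second key: PIN + salt into the KDF
        lookup = kdf(pin.encode(), self.device_key, b"lookup")  # lookup key: PIN-derived, not salted
        self.server.put(self.device_key, lookup, wrap(k2, k1))

    def open_vault(self, pin: str) -> bytes:
        lookup = kdf(pin.encode(), self.device_key, b"lookup")
        blob = self.server.get(self.device_key, lookup)         # wrong PIN -> wrong index -> no record
        if blob is None:
            raise PermissionError("no record for this device and PIN")
        try:
            k1 = unwrap(kdf(pin.encode(), self.pin_salt, b"k2"), blob)
            dek = unwrap(k1, self.wrapped_dek)
        except ValueError as exc:
            raise PermissionError("PIN or stored record rejected") from exc
        self._push_k1(pin, k1, os.urandom(16))                  # rotate the salt after each access
        return unwrap(dek, self.vault)


def demo() -> dict:
    server, secret = Server(), b"constructed vault contents"  # constructed sample data
    client = Client(server)
    client.enroll("correct horse battery", "4821", secret)
    salt_before = client.pin_salt
    recovered = client.open_vault("4821")
    try:
        client.open_vault("0000")
        rejected = False
    except PermissionError:
        rejected = True
    return {"recovered": recovered == secret,
            "salt_rotated": salt_before != client.pin_salt,
            "wrong_pin_rejected": rejected,
            "records_on_server": len(server.store)}
```

Two properties of the split are visible in the model. The device never retains K1 or K2, so a device image on its own yields only the vault and a DEK wrapped under a key that lives elsewhere; every access has to go through the server, which is therefore the natural place to count and throttle PIN attempts, and a wrong PIN shows up there as a lookup that matches no record. Rotating the salt after each access re-wraps K1 under a fresh K2 while the lookup key, being unsalted, stays stable, so the server keeps a single record per device (`records_on_server` stays 1) and an old K2 or an old wrapped blob is useless once the next access has completed.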

Assignees

Symantec Corp

Inventors

Classifications

  • User authentication · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title

  • using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9639710B2 cover?
Techniques are disclosed for providing a device-based PIN authentication process used to protect encrypted data stored on a computing system, such as a tablet or mobile device. A client component and a server component each store distinct cryptographic keys needed to access encrypted data on the client. The mobile device stores a vault encryption key used to decrypt encrypted sensitive data sto…
Who is the assignee on this patent?
Symantec Corp
What technology area does this patent fall under?
Primary CPC classification G06F21/6218. Mapped technology areas include Physics.
When was this patent published?
Publication date May 2, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).