Security policy for device data

US9811682B2 · US · B2

Patent metadata

Field               Value
Publication number  US-9811682-B2
Application number  US-201615005260-A
Country             US
Kind code           B2
Filing date         Jan 25, 2016
Priority date       Feb 9, 2012
Publication date    Nov 7, 2017
Grant date          Nov 7, 2017


Abstract

Official abstract text for this publication.

Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a variety of ways, such as by deleting the decryption key, overwriting the encryption key in memory, encrypting the encryption key, and so on. Embodiments enable an occluded decryption key to be recovered via a recovery experience. For example, a recovery experience can include an authentication procedure that requests a recovery password. If a correct recovery password is provided, the occluded decryption key can be provided.

Claims

Full claim text for this publication (independent claims 1, 9 and 14; the rest depend on them).

What is claimed is:

  1. A system comprising: one or more processors; and one or more computer-readable storage media storing instructions that, responsive to execution by the one or more processors, cause the system to perform operations including: detecting a violation of a security policy for a device; occluding, in response to said detecting, a security key usable to decrypt encrypted data for the device; initiating a reboot of the device in response to the security key being occluded; launching a recovery experience that requests a recovery key for recovering the occluded security key in response to detecting that an encrypted operating system for the device is not available for the reboot based on said occluding of the security key; determining whether a correct recovery key is provided as part of the recovery experience; enabling the security key to be recovered in response to determining that the correct recovery key is provided; and causing the operating system to be decrypted for the reboot using the security key.

  2. A system as described in claim 1, wherein the security policy specifies a threshold number of failed logon attempts for the device, and wherein said detecting comprises detecting that a number of logon attempts for the device that have failed has reached the threshold number.

  3. A system as described in claim 1, wherein the security policy specifies a threshold number of failed logon attempts for the device, wherein said detecting comprises detecting that a number of logon attempts for the device that have failed has reached the threshold number, and wherein the number of logon attempts for the device that have failed are based on two or more different types of authentication factors.

  4. A system as described in claim 1, wherein said detecting comprises detecting that a trusted status of the device has been revoked.

  5. A system as described in claim 1, wherein said detecting comprises detecting that the device has failed to check in with a remote security service.

  6. A system as described in claim 1, wherein said detecting comprises detecting a variation in a state of the device, the state comprising one or more of a hardware state, a software state, or a network state.

  7. A system as described in claim 1, wherein said detecting comprises detecting a time-related variation for the device.

  8. A system as described in claim 1, wherein said security policy is associated with a geographic location of the device.

  9. One or more computer-readable storage media having instructions stored thereon that, responsive to execution by a computing device, cause the computing device to perform operations comprising: occluding, in response to detecting a violation of a security policy for the computing device, a security key configured usable to decrypt encrypted data for the computing device; initiating a reboot of the computing device in response to the security key being occluded; launching a recovery experience that requests a recovery key for recovering the occluded security key in response to detecting that an encrypted operating system for the computing device is not available for the reboot based on said occluding of the security key; enabling the security key to be recovered in response to determining that the correct recovery key is provided; and causing the operating system to be decrypted for the reboot using the security key.

  10. One or more computer-readable storage media as described in claim 9, wherein the encrypted data comprises operating system data that is usable by the computing device to boot an operating system.

  11. One or more computer-readable storage media as described in claim 9, wherein said occluding comprises one or more of erasing or overwriting a portion of memory that stores the at least one decryption key.

  12. One or more computer-readable storage media as described in claim 9, wherein the operations further comprise: occluding the security key by encrypting the security key with an intermediate security key; and enabling the security key to be decrypted as part of the recovery experience in response to an input of either the intermediate security key or a private key associated with the intermediate key.

  13. One or more computer-readable storage media as described in claim 9, wherein said detecting occurs in response to a variation in a state of the computing device.

  14. A computer-implemented method, comprising: occluding, in response to detecting a violation of a security policy for a computing device, a security key usable to decrypt encrypted data for the computing device; initiating a reboot of the computing device in response to the security key being occluded; launching a recovery experience that requests a recovery key for recovering the occluded security key in response to detecting that an encrypted operating system for the computing device is not available for the reboot based on said occluding of the security key; enabling the security key to be recovered in response to determining that the correct recovery key is provided; and causing the operating system to be decrypted for the reboot using the security key.

  15. A method as described in claim 14, wherein the security policy specifies a threshold number of failed logon attempts for the device, and wherein said detecting comprises detecting that a number of logon attempts for the device that have failed has reached the threshold number.

  16. A method as described in claim 14, wherein the security policy specifies a threshold number of failed logon attempts for the device, wherein said detecting comprises detecting that a number of logon attempts for the device that have failed has reached the threshold number, and wherein the number of logon attempts for the device that have failed are based on two or more different types of authentication factors.

  17. A method as described in claim 14, wherein said detecting comprises detecting that a trusted status of the device has been revoked.

  18. A method as described in claim 14, wherein said detecting comprises detecting that the device has failed to check in with a remote security service.

  19. A method as described in claim 14, wherein said detecting comprises detecting a time-related variation for the device.

  20. A method as described in claim 14, wherein said security policy is associated with a geographic location of the device.
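The occlude-then-recover flow of claims 1, 3 and 12, as an added Python illustration that is not the patent's own code: failed logons are counted across factor types against a policy threshold, the volume key is occluded by encrypting it under a fresh intermediate key (which doubles as the recovery key), and the post-reboot recovery step unwraps it only for the correct key. The `Device`, `occlude` and `recover` names are assumptions, and the key wrapping is a simplified hash-derived pad standing in for real key encryption.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    volume_key: Optional[bytes]            # the claims' "security key" that decrypts the OS volume
    max_failed_logons: int = 5             # policy threshold (claims 2, 3, 15, 16)
    failed_logons: dict = field(default_factory=dict)  # counted per authentication factor type
    wrapped_key: Optional[bytes] = None    # occluded form: key encrypted under an intermediate key
    recovery_check: bytes = b""            # hash of the recovery key, kept only to verify an entry
    needs_reboot: bool = False


def _pad(intermediate_key: bytes, length: int) -> bytes:
    # Illustrative key wrapping only: a one-shot pad derived from the intermediate key
    # (not a production KEK scheme; each intermediate key is generated fresh and used once).
    return hashlib.sha256(b"wrap:" + intermediate_key).digest()[:length]


def record_failed_logon(dev: Device, factor: str) -> bool:
    """Count one failed logon for a factor type; True once the policy threshold is reached."""
    dev.failed_logons[factor] = dev.failed_logons.get(factor, 0) + 1
    return sum(dev.failed_logons.values()) >= dev.max_failed_logons


def occlude(dev: Device) -> bytes:
    """Wrap the volume key under a fresh intermediate key, drop the plaintext, require a reboot.
    Returns the intermediate key: it serves as the recovery key and belongs in off-device escrow."""
    if dev.volume_key is None:
        raise RuntimeError("no resident security key to occlude")
    intermediate = secrets.token_bytes(32)
    dev.wrapped_key = bytes(a ^ b for a, b in zip(dev.volume_key, _pad(intermediate, len(dev.volume_key))))
    dev.recovery_check = hashlib.sha256(intermediate).digest()
    dev.volume_key = None     # plaintext no longer resident (a real implementation overwrites memory)
    dev.needs_reboot = True
    return intermediate


def recover(dev: Device, recovery_key: bytes) -> bool:
    """Recovery experience after the reboot: unwrap the volume key only for the correct recovery key."""
    if dev.wrapped_key is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(recovery_key).digest(), dev.recovery_check):
        return False          # wrong recovery key: the OS volume stays encrypted
    dev.volume_key = bytes(a ^ b for a, b in zip(dev.wrapped_key, _pad(recovery_key, len(dev.wrapped_key))))
    dev.wrapped_key, dev.needs_reboot = None, False
    return True
```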

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • Detecting or preventing theft or loss · CPC title

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9811682B2 cover?
Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a …
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/6218. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 7, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).