Patent application number | Description | Published |
20110088025 | USE OF SOFTWARE UPDATE POLICIES - A portable device may be roamed from one host to another. In one example, the portable device stores software that is to be executed by a host. The host may maintain a policy that governs which software may be executed on the host. When the portable device is connected to a host, the host checks the software version installed on the guest to determine whether that software version is compatible with the host's policy. If the guest's software does not comply with the host's policy, then the host installs a compatible version. If the guest's version complies with the policy and is newer than the host's version, then the host copies the guest's version to the host and propagates it to other guests. In this way, newer versions of software propagate between hosts and guests, while also respecting specific execution policies of the various hosts. | 04-14-2011 |
20110296238 | DATA ENCRYPTION CONVERSION FOR INDEPENDENT AGENTS - The re-encryption of data can be performed with independent cryptographic agents that can automatically encrypt and decrypt data in accordance with cryptographic regions, such that data within a single cryptographic region is encrypted and decrypted with the same cryptographic key. An “in-place” re-encryption can be performed by reading data from a chunk in an existing cryptographic region, shrinking the existing cryptographic region past the chunk, expanding a replacement cryptographic region over the chunk, and then writing the data back to the same location, which is now part of the replacement cryptographic region. An “out-of-place” re-encryption can be performed by reading data from a chunk in an existing cryptographic region and then writing the data back to a location immediately adjacent that is part of a replacement cryptographic region. After the re-encrypted data is “shifted”, the cryptographic regions can be expanded and contracted appropriately, and another chunk can be selected. | 12-01-2011 |
20110302398 | KEY PROTECTORS BASED ON ONLINE KEYS - An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted. | 12-08-2011 |
20110314279 | Single-Use Authentication Methods for Accessing Encrypted Data - Single-use authentication methods for accessing encrypted data stored on a protected volume of a computer are described, wherein access to the encrypted data involves decrypting a key protector stored on the computer that holds a volume-specific cryptographic key needed to decrypt the protected volume. Such single-use authentication methods rely on the provision of a key protector that can only be used once and/or that requires a new access credential for each use. In certain embodiments, a challenge-response process is also used as part of the authentication method to tie the issuance of a key protector and/or access credential to particular pieces of information that can uniquely identify a user. | 12-22-2011 |
20120275596 | CRYPTOGRAPHIC KEY ATTACK MITIGATION - Cryptographic keys and, subsequently, the data they are intended to protect, are safeguarded from unwarranted attacks utilizing various systems and methodologies designed to minimize the time period in which meaningful versions of cryptographic keys exist in accessible memory, and therefore, are vulnerable. Cryptographic keys, and consequently the data they are intended to protect, can alternatively, or also, be protected from attackers utilizing systems and a methodology that employs a removable storage device for providing authentication factors used in the encryption and decryption processing. Cryptographic keys and protected data can alternatively, or also, be protected with a system and methodology that supports data separation on the storage device(s) of a computing device. Cryptographic keys and the data they are intended to protect can alternatively, or also, be protected employing a system and methodology of virtual compartmentalization that effectively segregates key management from protected data. | 11-01-2012 |
20130054977 | ENCRYPTED CHUNK-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE - To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, an encrypted chunks map is accessed. The encrypted chunks map identifies whether, for each chunk of sectors of a storage volume, the sectors in the chunk are unencrypted. In response to a request to write content to a sector, the encrypted chunks map is checked to determine whether a chunk that includes the sector is unencrypted. If the chunk that includes the sector is unencrypted, then the sectors in the chunk are encrypted, and the content is encrypted and written to the sector. If the chunk that includes the sector is encrypted or not in use, then the content is encrypted and written to the sector. | 02-28-2013 |
20130054979 | SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE - To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned. | 02-28-2013 |
20130311786 | Cryptographic Key Attack Mitigation - Cryptographic keys and, subsequently, the data they are intended to protect, are safeguarded from unwarranted attacks utilizing various systems and methodologies designed to minimize the time period in which meaningful versions of cryptographic keys exist in accessible memory, and therefore, are vulnerable. Cryptographic keys, and consequently the data they are intended to protect, can alternatively, or also, be protected from attackers utilizing systems and a methodology that employs a removable storage device for providing authentication factors used in the encryption and decryption processing. Cryptographic keys and protected data can alternatively, or also, be protected with a system and methodology that supports data separation on the storage device(s) of a computing device. Cryptographic keys and the data they are intended to protect can alternatively, or also, be protected employing a system and methodology of virtual compartmentalization that effectively segregates key management from protected data. | 11-21-2013 |
20130346757 | ROLLBACK PROTECTION FOR LOGIN SECURITY POLICY - In one embodiment, an encryption system may protect user login metadata from hammering attacks. A data storage | 12-26-2013 |
20140344570 | Data Protection For Organizations On Computing Devices - An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key. | 11-20-2014 |
20140344571 | Data Protection For Organizations On Computing Devices - An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key. | 11-20-2014 |
20140372740 | SECURELY OBTAINING MEMORY CONTENT AFTER DEVICE MALFUNCTION - One or more techniques and/or systems are provided for securely obtaining memory content after a device malfunction. For example, applications, components, and/or an operating system of a device may maintain information within volatile memory in a secure manner (e.g., using encryption). When the device malfunctions, such information may be useful for diagnosing what caused the malfunction. Accordingly, memory content within volatile memory may be securely retrieved, encrypted, and/or stored before such memory content is flushed/removed from volatile memory. For example, a warm reset is performed to initially reboot the device without removing memory content from volatile memory. The memory content may be retrieved and encrypted to create encrypted memory content that may be stored within nonvolatile memory for later access. After a second reboot, device malfunction information may be obtained by decrypting the encrypted memory content using a private key matching a public key used to encrypt the memory content. | 12-18-2014 |
20140373132 | GESTURE-BASED AUTHENTICATION WITHOUT RETAINED CREDENTIALING GESTURES - This document describes techniques and apparatuses enabling gesture-based authentication without retained credentialing gestures. The techniques are capable of determining an identifier for a credentialing gesture where the identifier can be reproduced on receiving a similar authentication gesture at a later time. The identifier for the credentialing gesture can be encrypted, sent to a secure authentication entity, and then, when an authentication gesture is received, an identifier for the authentication gesture can also be determined, encrypted, and sent to the secure authentication entity. If the secure authentication entity determines that the encrypted identifiers match, the user is authenticated. | 12-18-2014 |
20150033039 | SECTOR MAP-BASED RAPID DATA ENCRYPTION POLICY COMPLIANCE - To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned. | 01-29-2015 |