US20150350172A1 - Encryption on computing device - Google Patents
- Publication number
- US20150350172A1 US14/822,269
- Authority
- US
- United States
- Prior art keywords
- user
- component
- cryptographic key
- computing device
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
- H04L63/0492—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
- H04L67/306—User profiles
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- G06F2221/2117—User registration
- G06F2221/2153—Using hardware token as a secondary aspect
Abstract
A first component of a cryptographic key is received from a user via a user interface of a user computing device. A second component of the cryptographic key is received via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device. The cryptographic key is generated based at least on the first component and the second component. The cryptographic key is then used to encrypt and/or decrypt data.
Description
- This application is a continuation of U.S. patent application Ser. No. 14/273,883, entitled “Encryption On Computing Device,” filed May 7, 2014, which is hereby incorporated herein by reference in its entirety.
- This disclosure relates generally to providing data protection for a computing device, and more particularly to protecting data contained on the computing device by encrypting the data to block unauthorized access to it.
- One embodiment of the techniques of this disclosure is a method for generating cryptographic keys for encrypting and decrypting data, which can be executed by one or more processors. The method includes (i) receiving a first component of a cryptographic key from a user via a user interface of a user computing device, (ii) receiving a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device, (iii) generating the cryptographic key based at least on the first component and the second component; and (iv) using the cryptographic key to encrypt and/or decrypt data, by the one or more processors.
- Another embodiment of these techniques is a network server including a communication interface to communicatively couple the network server to a user computing device via a communication network and a processing hardware. The processing hardware is configured to receive a request for a cryptographic key from the user computing device, where the request includes a first component of the cryptographic key, the first component having been specified by a user of the user computing device. The processing hardware is further configured to automatically generate a second component of the cryptographic key in response to the request, and provide the second component of the cryptographic key to the user device for storage on a storage device physically separate from the user computing device. The user computing device is configured to (i) generate the cryptographic key based at least on the first component and the second component of the cryptographic key and (ii) encrypt and/or decrypt user-selected data using the cryptographic key.
- Yet another embodiment of these techniques is a method in a user computing device for efficiently encrypting and/or decrypting data, which can be executed on one or more processors. The method includes (i) receiving an indication that a storage device physically separate from the user computing device is now communicatively coupled to the user computing device via a short-range communication interface, (ii) receiving, by the one or more processors, a first component of a cryptographic key from a user via a user interface, (iii) retrieving, from the storage device, (a) a second component of the cryptographic key, (b) first control data, and (c) second control data corresponding to the first control data encrypted using a correct version of the cryptographic key, (iv) generating the cryptographic key based at least on the first component and the second component; and (v) determining whether the generated cryptographic key is correct using the first control data and the second control data.
- Still another embodiment of these techniques is a network server including a communication interface to communicatively couple the network server to a user computing device via a communication network, a non-transitory computer-readable medium storing instructions that implement a data protection software module, and processing hardware. The data protection software module, when executed on one or more processors of the user computing device, causes the user device to (i) receive a first component of a cryptographic key from a user via a user interface of the user computing device, (ii) receive a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device, and (iii) generate a cryptographic key based at least on the first component and the second component, for use in encrypting and/or decrypting user-selected data. The processing hardware is configured to provide an instance of the data protection software module to the client device.
- FIG. 1A is a block diagram that schematically illustrates a method for encryption and decryption of data using two keys, where one of the two keys is stored on a removable peripheral storage device;
- FIG. 1B is a block diagram that schematically illustrates a method for verification of a removable peripheral storage device using control input and control output stored on the removable peripheral storage device;
- FIG. 2 is a block diagram of an example computing system in which encryption, decryption, and key management techniques of this disclosure can be implemented;
- FIG. 3A is a block diagram of an example user device that can operate in the computing system of FIG. 2;
- FIG. 3B is a block diagram of an example software module that can be implemented in the user device of FIG. 3A to encrypt and decrypt data using two keys;
- FIG. 4A is a block diagram of an example server that can operate in the computing system of FIG. 2;
- FIG. 4B is a block diagram of an example software system that can be implemented in the server of FIG. 4A to manage keys and provide other functions related to encryption and decryption techniques of this disclosure;
- FIG. 5 is a flow diagram of an example method for creating a pair of keys and generating authentication information for a removable storage device, which can be implemented in the user device of FIG. 3A;
- FIG. 6 is a flow diagram of an example method for encrypting data using one component of a key stored on a removable storage device and another component of a key submitted by a user, which can be implemented in the user computing device of FIG. 3A;
- FIG. 7 is a flow diagram of an example method for generating authentication information for a removable storage device, which can be implemented in the server of FIG. 4A; and
- FIG. 8 is a flow diagram of an example method for authenticating a removable storage device storing a key.
- Through use of computing devices with respect to business or social interaction, people today are being inundated with business, technological and social related data and information. This data, as a result, is often stored on one's computing device(s). Since much of this information may be considered sensitive and/or confidential, no one wants the information accessible to unauthorized persons that may come into possession of their computing device. One approach to protecting this information is to encrypt the information on the computing device with the use of encryption/decryption techniques such as Advanced Encryption Standard (AES) or the like. The encryption/decryption software will encrypt the sensitive and/or confidential information stored on the computing device and, in turn, permit access to the information by the authorized user using the software to decrypt the information when access to the information is needed.
- Data files that will often be encrypted will include, for example, audio, video and text files and the like and will often be stored in an encrypted state on the computing device. As mentioned above, the software employed to encrypt and decrypt these files will include AES, other commonly known encryption/decryption algorithms that utilize a key, or customized software designed to operate on the devices discussed below. The key is typically a parameter associated with the encryption/decryption software that, when employed in association with the encryption/decryption software, will transform the data into an encrypted state, one that is not understandable to a viewer. It will also transform that encrypted data back to its original unencrypted state so as to be easily understood by the viewer. In the unfortunate instance of an unauthorized person coming into possession of another's computing device, the unauthorized person is only separated from using the encryption and decryption software successfully to transform the stored data into an understandable state by not having the correct key. The key is typically created or set by the authorized user of the computing device in the form of a password.
- These passwords can be compromised in any number of ways, including obtaining the password from the authorized user who has not properly secured the identity of the password. Once in possession of the password or key, in this example, the unauthorized user will have complete access to correctly use the encryption/decryption software stored on the computing device and thereby be able to successfully decrypt encrypted files and access the data of those decrypted files. An object of this disclosure is to provide additional layers of security or depth of security to prevent an unauthorized user from acquiring the identity of a key. By further securing the identity of the key the unauthorized user will not be able to access the encrypted confidential and/or sensitive data stored on the computing device.
- In this disclosure, the key for correctly running the encryption/decryption software must first be fully assembled from component parts which originate from separate sources. One component part of the key will be stored on a peripheral storage device. This one component, as will be discussed in more detail below, will have been previously randomly generated by an online security service and downloaded onto the user's peripheral storage device via the user's computing device at a time in which the user registers with the online security service. The peripheral storage device can be used within a short range of the computing device. With the computing device interfacing with the peripheral storage device, the computing device will automatically read the one component portion of the key stored on the peripheral device. In using the peripheral storage device after the initial registering with an online security service, the one component of the key is transferred to the computing device from the storage device without user interaction. Additionally, this peripheral storage device, at the time of user registration with the online security service, will also download additional data from the online security service in order to authenticate itself, which will be discussed in more detail below.
- In this disclosure, another component part of the key will be needed to add to the one component of the key that has already been contributed by the peripheral storage device in order to assemble a complete and operable key. A complete key is needed; otherwise the encryption/decryption software stored on the computing device will not properly encrypt and decrypt data. The other component of the key will be one generated or created by the user also at the time the user registers their computing device with the online security service. For purposes of successfully operating the encryption/decryption software on the computing device, the user will have to input this other component of the key, typically a password, into the computing device through an input device, such as a keyboard or other commonly known input device.
- With the user having the peripheral storage device interface with the computing device, contributing one component of the key, and the user inputting the password, the other component of the key, the key is fully assembled. As mentioned above, the user's computing device will run an authentication or verification routine that will determine if the storage device is the proper one with a correct one component of the key and will also further verify whether the user has input the correct password or other component of the key, thereby verifying the correct completion of the assembly of the key. If the key is verified, the user will be able to use the key successfully with the encryption/decryption software on the computing device to encrypt and decrypt data files on the computing device for that session.
- Depending on the embodiment, a session during which an assembled key is valid can stay active while the user is logged in, while the peripheral storage device is connected to the computing device, while the computing device is powered on, while a timer is running, or subject to any other suitable condition(s). The session accordingly can end when the user logs out, shuts down the computing device, removes the peripheral storage device, etc.
- During an active session, the encryption/decryption software of this disclosure can access the assembled key in a volatile (non-persistent) memory such as RAM. The encryption/decryption software does not store the assembled key in a persistent memory. In general, the assembled key is not stored anywhere in a persistent memory except in a database maintained by the online security service, as discussed in more detail below. When the session is no longer active, the assembled key is purged from the non-persistent memory, so that the encryption/decryption software can no longer encrypt or decrypt data. To start a new session, the user will once again need to provide login/password information defining one of the component parts of the key.
- If the user fails to successfully establish a session for failure to supply the proper password (corresponding to one of the component parts of the key), insert the correct peripheral device, etc., the encryption/decryption software cannot properly encrypt data or decrypt previously encrypted files. In one embodiment, the encryption/decryption software does not prevent the user from operating the computing device when a session fails. However, the user in this case cannot decrypt previously encrypted files or encrypt new data. The user still can, for example, use the other functionality of the computing device. Further, if the user chooses to create new files, he or she cannot protect these files using the encryption techniques of this disclosure.
- An embodiment of assembling the component parts of the decryption and encryption key from separate sources would include using a Universal Serial Bus (USB) flash drive as the peripheral storage device that will store the one component or portion of the key. The USB flash drive will be inserted into the USB port of the computing device and will automatically interface with the computing device uploading the one component of the key to the computing device. The other component or portion of the key that will be needed to complete a functional key will be a password created by the authorized user also during the registration process with the online security service. The user will be prompted to enter this other component of the key onto the computing device and the user will enter it through an input device of the computing device such as a keyboard. The software downloaded onto the user's computing device by the online security service at the time of registration will run a verification process of the assembled key now that one component and the other component have been entered onto the computing device. The verification will generally include utilizing a test file and applying the complete key with the encryption/decryption software to decrypt the test file that was previously encrypted and downloaded onto the peripheral device during registration. That encrypted test file was encrypted with the correct complete key and the encryption/decryption software or using the same encryption/decryption technique. The unencrypted version of this test file was also downloaded on the peripheral storage device at the time of registration. The encrypted test file is now subjected to the complete key assembled from one component stored on the peripheral device and the other component input by the user along with the encryption/decryption software that had been downloaded by the online security service onto the computing device during registration. 
The encrypted file is thusly transformed and compared to see if it matches the unencrypted test file. If there is a match, the peripheral storage device is the correct one carrying one component of the key and the password input by the user was correct completing the assembling of the complete key. This authentication process will be discussed in more detail below. Should the test result be a successful match the user is informed the proper key has been assembled and the user can now proceed to utilize the encryption/decryption software with the completed key to successfully encrypt and decrypt data on their computing device.
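The two-component key assembly, control-data check and in-memory session described above, as an added example (not code from the patent or from any product). It assumes PBKDF2-HMAC-SHA256 to combine the components, which the page does not specify, and substitutes an HMAC-SHA256 keystream for AES so it runs on the Python standard library alone; `register`, `Session` and the record layout are hypothetical names.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumed work factor; the page names no KDF
KEY_LEN = 32              # 256-bit key, the size AES-256 would take


def wipe(buf: bytearray) -> None:
    """Best-effort zeroing; the interpreter may still hold transient copies."""
    for i in range(len(buf)):
        buf[i] = 0


def assemble_key(password: str, device_component: bytes) -> bytearray:
    """Derive the working key from both components (assumed construction).

    The device component acts as the PBKDF2 salt, so a wrong password or a
    wrong drive each yields a different key. The slow KDF matters because
    the control pair on the drive lets its holder test passwords offline.
    """
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              device_component, KDF_ITERATIONS, dklen=KEY_LEN)
    return bytearray(raw)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode XORed over the data.

    The page's embodiment uses AES; this substitute keeps the example on the
    standard library. Encryption and decryption are the same operation.
    """
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def register(password: str) -> dict:
    """Build the record written to the drive at registration (constructed layout)."""
    component = secrets.token_bytes(26)      # randomly generated second component
    control_plain = secrets.token_bytes(32)  # "first control data"
    nonce = secrets.token_bytes(16)
    key = assemble_key(password, component)
    try:
        control_cipher = keystream_xor(key, nonce, control_plain)
    finally:
        wipe(key)
    return {"component": component, "nonce": nonce,
            "control_plain": control_plain, "control_cipher": control_cipher}


class Session:
    """Holds the assembled key in memory only, and only after it verifies."""

    def __init__(self, password: str, record: dict):
        key = assemble_key(password, record["component"])
        recovered = keystream_xor(key, record["nonce"], record["control_cipher"])
        # Constant-time comparison of decrypted control data with the stored copy.
        if not hmac.compare_digest(recovered, record["control_plain"]):
            wipe(key)
            raise ValueError("wrong password or wrong storage device")
        self._key = key

    @property
    def active(self) -> bool:
        return self._key is not None

    def key(self) -> bytes:
        if self._key is None:
            raise RuntimeError("session ended; key has been purged")
        return bytes(self._key)

    def close(self) -> None:
        """End the session (logout, drive removed, timeout) and purge the key."""
        if self._key is not None:
            wipe(self._key)
            self._key = None


if __name__ == "__main__":
    drive = register("hunter")  # constructed six-character password
    session = Session("hunter", drive)
    print("key verified, session active:", session.active)
    session.close()
    print("after close, session active:", session.active)
```

Neither the password nor the assembled key is written to the drive record; only the random component and the control pair are.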
- Thus, to gain access to the encrypted information on the computing device the user must be in possession of the computing device, the correct peripheral storage device containing one component of the key and the other component or password portion of the key which had been created by the authorized user. Thus, additional security is provided herein with the user having to not only be in possession of the computing device but also, in this embodiment, the proper USB flash drive device carrying the one component of the key and of the password which comprises the other component of the key in order to fully assemble a complete key and be able to successfully operate the encryption/decryption software on that computing device. The user is then capable of successfully carrying out decryption and encryption functions with the encryption/decryption software which had been stored on the computing device during the user's registration process with the online security service.
- As will be discussed in more detail herein, a user that wishes to protect the data stored on their computing device will register with an online security service. At that time the user will be asked to provide the online security service information identifying the user, credit card information and the identity of the computing device. During this registration process the online security service will install on the user's computing device the encryption/decryption software for encrypting and decrypting information to be stored on the computing device. As mentioned above, this encryption/decryption software for this embodiment will be AES; however, any other higher level known standard encryption/decryption algorithm may be used. During the installation of this software onto the computing device, the user will be asked to insert a peripheral storage device, or in this embodiment a USB flash drive, into the USB port of the computing device. The online security service will install onto the USB flash drive one component of the key for the encryption/decryption software which the online security service randomly generated. The online security service will also provide the user's computing device with a software module for authenticating the USB drive. Additionally, the user will be asked to create a password, in this embodiment, which will be the other component to assembling a complete key. The password created by the user will allow the online security service to use this password along with the one component of the key it had randomly generated to complete the key. These two components of the key will need to be assembled through actions of the user on occasions when the user needs to successfully encrypt and decrypt data on their computing device. 
In this embodiment, in the subscription and registering process with the key being completed and the encryption/decryption software installed, the user will be asked whether all of the stored data files shall be encrypted or whether data files will be encrypted as selected by the user. This registration process will be discussed in more detail herein.
- Once the user has registered with the online security service by registering themselves, the computing device, downloading the encryption software, uploading their peripheral storage device with one component of the key and authentication software and has created a password that comprises the other component for completing the key, the user has taken the steps they need to protect confidential and/or sensitive data files stored on their computing device. An unauthorized user who is in possession of the computing device but does not have access to the external peripheral storage device, such as the USB flash drive which carries in this embodiment one component of the key, or to the authorized user's password, the other component of the key, or both, will not be able to successfully access or view the confidential and/or sensitive stored encrypted data on the computing device.
- Encryption and decryption appear seamless to the user of the computing device. In particular, the user at some point selects a certain set of files, such as for example the entire hard drive, one or several folders, all text files, etc. The user subsequently accesses these files during active sessions (see above) without being notified or prompted about every encryption or decryption operation. For example, when the user opens or saves one of these files, the encryption/decryption software automatically performs the encryption or decryption operation in a seamless manner, without distracting the user. To this end, as illustrated in FIG. 3A, the encryption/decryption software can operate in a kernel model, for example, to reside as a software layer between applications (e.g., text editors, graphics editors, browsers) and operating system calls for accessing hardware components such as the hard disk.
- In another embodiment, with the authorized user having assembled the key by inserting the USB flash drive and entering the password, the user can select a particular file and decrypt it. The file can be closed out and the data will remain stored as an encrypted file. New data may be entered into a decrypted file or a new file can be created and with saving either, the file with the new data is encrypted. Thus, using the saving function will encrypt the file.
- At the time of registration the online security service will securely store the registration data including the identity of the user and of the computing device, along with the randomly generated one component of the key for that user and the user's other component of the key or password. As a result, the user will be able to subsequently contact the online security service for a number of services related to maintaining the security of their computing device. These services could include assistance in retrieving a password that was forgotten or changing it. The user may have broken, destroyed or lost their peripheral storage device. Under those circumstances, the online security service will also assist the user in replacing the one component of the key or providing a new one component of the key with respect to that which was stored on the peripheral storage device at the time of original subscription and registration. These services will be provided by the online security service with the normal security measures taken to assure the requester is the authorized user of the registered computing device. These measures can include requiring the user, at the time of registration, to answer a question calling for very private personal information, then asking the current requester the same question and matching the answer against the one provided at registration; if there is a match, the online security service will provide the requested services.
- In referring to
FIG. 1A , a block diagram is shown that schematically illustrates an embodiment of the method of the present disclosure to encrypt and decrypt data stored on a computing device. In order to carry out this method, encryption and decryption software will have been downloaded on the computing device and will be executable by one or more processors on the computing device. The software will operate in conjunction with a complete key associated with that software, on data stored or being stored on the computing device. The step of encryption and decryption of data stored on a computing device is represented bybox 100. In this embodiment, the encryption anddecryption step 100 will only be able to be successfully carried out to encrypt and decrypt data on the computing device, as mentioned above, with a complete key assembled and working in conjunction with the encryption and decryption software. - One
component 102, which is stored onperipheral storage device 104, automatically downloads onto theperipheral storage device 104 interfacing with the computing device. In this embodiment,device 104 is a USB flash drive and it interfaces with computing device by inserting the USB flash drive into the USB port of the computing device. This onecomponent 102 of the key was previously randomly generated and uploaded to the USB flash drive by an online security service during the subscription and registration process with the user. The other component of the key 106 will be input into the computing device by way ofuser input 108. In this embodiment, theother component 106 of the key will be a password that was created by the user during the registration process between the user and the online security service and is input into the computing device with a keyboard connected to the computing device; however, other inputs can be employed. - The
components components component 106 is relatively short (e.g., six characters occupying six bytes) while component 106 is relatively long (e.g., 26 characters occupying 26 bytes). - With the two components of the key 102 and 106 present on the computing device, the complete key has been assembled and is an operable parameter that works in conjunction with the encryption and decryption software. The software can now be executed successfully on the data on the computing device to carry out the step of encryption/
decryption 100 of the data the user has selected. - As will later be described in more detail, when the user initially subscribes and registers their computing device with the online security service, the complete key will be assembled at that time and the encryption/decryption software having been uploaded onto the computing device, the user will, in this embodiment, be asked to elect to proceed with the encryption of all files stored on the computing device or to elect to proceed to encrypt those files selected by the user that are stored files on the computing device. In either case, the user will be permitting the encryption/decryption software to operate on stored data in the step of encryption and
decryption 100 resulting in the step of creating encrypted data 110. - Subsequent to the initial registration process the user will be able to create
encrypted data 110 on their computing device in the presence of a fully assembled key and the encryption/decryption software that is executable by a processor on the computing device, by selecting file(s) that are not encrypted and saving the file(s). This will result in the operation of the software of the encryption/decryption step 100 thereby encrypting that data creating encrypted data 110. Also, the user can save edited versions of unencrypted data they are working on their computing device or save new stand alone data they have created or placed on their computing device, thereby operating the software of the encryption/decryption step 100 which will also result in encrypted data 110. - On the other hand, in the presence of the fully assembled or complete key on the computing device and the encryption and decryption software executable on the computing device, the user can decrypt previously encrypted information or data files stored on the computing device. The user can select a previously encrypted stored data file on the computing device to view, for example, and the step of encryption/
decryption 100 will operate on the encrypted data and accordingly transform the data, thereby creating decrypted data 112. In some embodiments, the decryption is seamless, and the user does not notice the file is being decrypted. For example, the user can simply select the file for reading, and the step of encryption/decryption 100 executes automatically. - In referring to
FIG. 1B, a block diagram is shown that schematically illustrates a method for verification of the removable peripheral storage device 104. This verification process includes a control input 114, control output 116 and one component 102 being stored on the removable storage device 104 during the registration process with the online security service. In this embodiment, authenticating peripheral storage device 104 is a step taken before any decryption or encryption of data takes place on the computing device. In this embodiment, at a time the user wants to decrypt a particular data file stored on their computing device or wants to encrypt data, the user will need to connect the peripheral storage device 104 to interface with the computing device. As mentioned earlier, in this example, this will be accomplished by inserting USB flash drive into USB port of the computing device. In one embodiment, this will automatically trigger execution of a peripheral device authentication software on the computing device, which will retrieve one component 102 of the key from peripheral storage device 104 (that was earlier randomly generated by the online security service at the time the user registered and subscribed to the security service). - In this embodiment, the
control input file 114 and the control output file 116 that were downloaded onto the peripheral storage device 104 are text files but can be any data that can be encrypted and decrypted with encryption/decryption software such as AES or other encryption and decryption algorithms. During the registration process as will be discussed in more detail below, a complete key was assembled that operates as a parameter in conjunction with the encryption/decryption software the online security service also downloaded onto the computing device during the registration process. Control input file 114 is a text file, in this example, that was encrypted with the complete key and the encryption/decryption software before it was downloaded onto the memory of the peripheral storage device 104 in the registration process. The control output file 116 is the unencrypted version of the control input file 114 which was stored in the memory of the peripheral storage device 104 as well. - With the
USB flash drive 104 inserted into the USB port of the computing device, the one component 102 of the key is automatically uploaded onto the computing device. The user will be prompted by the computing device by way of the encryption/decryption software on the computing device to enter the other component 106 of the key by way of user interface 108, or in this example, the computing device keyboard. With both components of key input file 114 is forwarded from the memory of the peripheral storage device 104 to the computing device and subjected to the encryption/decryption software and the step of encryption/decryption 100 is executed on control input file 114, thereby encrypting control input file 114. The result of this decryption of control input file 114 is forwarded to a comparator 118 of the verification software downloaded by the online security service during the registration process. The decrypted control input file 114 is compared to the control output file 116 which has also been forwarded from the memory of the peripheral storage device 104 and if the comparison of decrypted control input file 114 equates or is the same as control output file 116, the verification of the peripheral storage device 104 has been accomplished. At this point the user can proceed to encrypt and decrypt data on the computing device. If the comparison of the decrypted control input file 114 and control output file 116 results in them not equating or being the same, the user will not be able to exercise successful encryption and decryption operations on the computing device. In either case, the peripheral device authentication software can provide an appropriate notification via the user interface of the computing device. - In another embodiment,
comparator 118 can compare two encrypted versions of a same file. In other words, control input file 114 can be unencrypted, and control output file 116 encrypted, versions of a same file. Encryption/decryption step 100 in this case performs encryption rather than decryption. - In referring to
FIG. 2, it is a block diagram of an example computing system in which encryption, decryption, and key management techniques of this disclosure can be implemented. In the embodiment shown in FIG. 2, a security providing service system 120 operates through data protection server 122 providing the user of a computing device 126 a service as described herein for protecting the data stored on the user's computing device 126 from access by an unauthorized user in possession of the computing device 126. - It will be understood by those skilled in the art that
data protection server 122 could include a single server that performs all of the functions described below or could be divided into any number of servers as desired. This server 122 is connected to the network 124 which could be a variety of network types such as the Internet, a LAN, a WAN, cellular, WiFi, etc. The user that wishes to subscribe to the security service for securing data stored on their computing device that is provided by data protection server 122, will access the data protection server 122 through network 124 with their personal computing device 126 also being connected to network 124. Personal computing device 126 could comprise a wide variety of devices, such as a desk top computer, lap top computer, notebook, tablet computer, smart phone, etc. The security service system 120 of the present embodiment will accommodate and be operable with the operating system of computing device 126, which can be Windows®, Mac OS®, Android®, etc. -
Server 122 will support a web service that will exchange data with common formats such as XML, JSON and the like. As will be appreciated by those skilled in the art, this embodiment will utilize one of C and C++ language for driver programming. Also, in this embodiment, C# will be combined with C/C++ for use with Windows Platform for example on the personal computing device 126. The web service supported by data protection server 122 can be accessed from computing devices via a web site that includes instructions in HTML or another suitable language. The website supported by data protection server 122 will work on common browsers such as Internet Explorer®, Firefox®, Chrome®, Opera®, Safari® and others. - The user seeking a security service will connect to the website through use of their browser. The website will provide the user an array of security packages to select from, as for example: one user with one computing device to secure; one user with multiple computing devices to secure; or family subscription with multiple devices to secure. The user will select the appropriate plan that will suit for them and proceed with the registration process for that plan.
-
Data protection server 122 will store and implement software for the security service. This software can be in one or more modules, downloadable onto the personal computing device 126 or another suitable computing device. Some of the modules can be configured to execute on personal computers and other user devices as client components of the authentication system. In this embodiment, there are two modules, password management system 128 and data protection module 130 that will be used to implement some of the functionality of the security service on user computing devices. Once the user has selected the desired plan or package they wish to subscribe to, password management system module 128 will be used to provide the user web pages to be populated by the user in order to collect information in registering the new user and their computing device to the security service. The information requested will include, in this embodiment, their name, address, e-mail address and banking information such as a credit card information. The user will be asked to execute a payment for the package or plan they had selected. With the payment transaction successfully completed, the password management system 128 will provide the new user queries for creating a user name and password for logging into the security service web site. - With the user name and password completed, password
management system module 128, in this embodiment, will assign a user identification (UID) number with the data collected above from the new user. Module 128 will transmit the UID and the data collected above as customer subscription data 134 to database 132, which comprises one or more computing devices with non-transitory memory readable by one or more processors. The database 132 can be, for example, a relational database in which customer subscription data 134 is accessible using SQL queries. - The new user will then be asked by the web page provided by
module 128 to identify the computing device(s) 126 to be protected by the security service. In some embodiments, this information in this embodiment will include the make, model and serial number of the computing device(s) 126. This data will likewise be stored in database 132 under the UID number as customer subscription data 134. A customer account has now been created. Module 28 will also manage and interface with the subscriber/new user to provide the new user services related to implementing the security service to the user's computing device(s) 126 and to provide services related to supporting and maintaining the security service for the user. - With the user now registered, the password
management system module 128 will randomly generate one component 102 of a key that will be used to assist in assembling a complete key used in conjunction to successfully operate encryption/decryption software with this service. Through password module 128 the website will inform the user encryption/decryption software will be downloaded onto computing device 126 and will cause an instance of data protection module 130 to be downloaded onto computing device 126. With the downloading of the encryption/decryption software commenced, the password module 128 informs user through a web page to connect peripheral storage device 104 to computing device 126, as mentioned previously in this embodiment, to plug in USB flash drive into the USB port of the computing device 126. The password module 128 sends one component key 102 that was randomly generated by password module 128 to computing device 126 wherein the one component 102 is stored on peripheral storage device 104 and at the same time, in this embodiment, password module 128 transmits this one component 102 of the key to data base 132 to be stored as part of encryption key information 135 associated with the UID number of this particular user. - During the downloading process of the encryption/decryption software onto
computing device 126, password module 128 will request by way of a web page sent to the new subscriber to create a password. This password will operate as the other component 106 of the key. This password will be transmitted from computing device 126 to data protection server 122 wherein password module 128 will transmit this password or other component 106 of the key to database 132 to be stored as encryption key information 135 in association with this user's UID. At this point, password module 128 will assemble a complete key from one component 102 and other component 106. This complete key which is now associated with this particular user is used by password module 128 in conjunction with the encryption/decryption software of data protection module 130 to encrypt a file that was randomly generated by password module 128. As mentioned above, this file could take many forms of information that can be encrypted and decrypted by the software. In this embodiment it is a text file. The encrypted text file is downloaded to peripheral storage device 104 through computing device 126. This encrypted file is control input file 114. The unencrypted version of this file is transmitted to peripheral storage device 114 from password module 128 through computing device 126 as control output file 116. - During the registration process, with encryption/decryption software downloaded as
data protection module 130 and completely assembled key present from one component 102 from peripheral storage device 104 and the other component or password 106 present on computing device 126, the user will be provided a query as to whether they want all stored files on computing device 126 or select files stored on computing device 126 encrypted. The user will make a selection and the process will commence to encrypt stored files resulting in encrypted files 136. The user can choose to log off and will have now armed their computing device 126 to be able to more securely protect stored files on computing device 126. At that point, user can then separate their peripheral storage device 114 from computing device 126 and secure device 114. The next time user wishes to use computing device 126 to access stored encrypted data or to receive or create data that it wishes to encrypt, user plugs USB flash drive or peripheral storage device 114 into connection with computing device 126 such as USB port and goes through the peripheral storage device 114 verification process as described earlier. With storage device 114 authenticated, the user can commence decrypting and encrypting files on computing device 126. -
Password management module 128 will also allow a user who will access the web site supported by data protection server 122 to request a retrieval of their password 106 from encryption key information 135 stored in database 132. This may occur with the password 106 of the user having been lost, forgotten or compromised. Additionally, password management module 128 will also permit a user to change their password 106 for similar reasons. Each of these steps of retrieval and changing of passwords will be accompanied by security steps to assure the user to be associated with the particular customer account prior to going through either of these processes as discussed above. -
Password management module 128 will operate to authenticate the requester. As mentioned earlier, at the time of registration the user will have been asked at least one question so as to provide certain very private information related to the user. This information will be stored by module 128 into data base 132 as customer subscription data 134 in association with the UID. At the time the request is made by the user, the user will be provided the same question asked at the time of registration and the user will provide an answer that will be compared by password management module 128 to the answer provided by user at the time of registration that is stored in customer subscription data 134. If there is a match, password management module 128 will proceed to retrieve or allow the user to change the password. A changed password will be forwarded by module 128 to database 132 and stored in encryption key information 135 in association with the UID of the user in replacement of the former password. - Password
management system module 128, as mentioned above, will, at the time of registration, randomly generate one component 102 for the key for the user. This one component 102 is transmitted from module 128 by data protection server 122 to peripheral storage device 104 through computing device 126 and stored on peripheral storage device 104. One component 102 is also transmitted from module 128 to data base 132 as encryption key information 135 in association with the user UID at the time of registration. Thus, for example, if a user loses or breaks their peripheral storage device 104, the user will contact the web page supported by data protection server 122 and module 128 and request either a retrieval or new one component 102. With the matching of very private information as described above with respect to password 106, password module 128 will proceed to retrieve or generate a new, as requested, one component 102. The user will be instructed through a web page to connect their peripheral storage device 104 so that module 128 can transmit one component 102 data through computing device 126 and store it onto peripheral storage device 104. Depending on the circumstances, authentication software from password module 128 along with input control file 114 and output control file 116 can also be downloaded from module 128 through computing device 126 and stored onto peripheral storage device 104. Thus, the online security service can provide services to the user to enable the user to continue to secure their data on their computing device 126. - It is noted that
peripheral storage device 104 can be a dedicated storage device (such as a USB flash drive discussed above) or any other device having storage capability that can be communicatively coupled to personal computing device 126. For example, a user can store files personal computing device 126 can set up a USB connection or a wireless connection as a Wireless Personal Area Network (WPAN), for example. As another example, a wearable computer (e.g., a “smart watch”) can store the files personal computing device 126. - Now referring to
FIG. 3A, it is a block diagram of an example user computing device 126 that can operate in the computing system of FIG. 2. Personal computing device 126 as mentioned earlier can comprise a desk top computer, lap top computer or notebook or the like. Computing device 126 has a user interface 136 such as a graphical user interface (GUI) which in this embodiment would comprise a screen, a keyboard, a mouse, speakers, etc. A network interface 138 is also provided to permit computing device 126 to interconnect with network 124 in a wired or wireless manner. Computing device 126 further includes a peripheral device interface 140 that will permit other devices such as a USB flash drive or keyboard to be connected to computing device 126 and communicate therewith. One or more processors 142 are provided to execute the software stored on non-persistent memory of the computing device 126 such as on Random-Access Memory or RAM 144 which stores such software programs as device driver software 146, web browser 148, data protection module 130 which in this example carries the encryption/decryption module and operating system software 152 which may include systems such as DOS, OS/2, Windows, Linux, Mac etc. Computing device 126 further includes persistent memory 154, such as a hard disk, flash drive, etc., which will store files and in this embodiment will store encrypted files 164 that have been encrypted by encryption/decryption software within data protection module 130, as shown in FIG. 3B and will also store unencrypted files of user. - As schematically illustrated in
FIG. 3A, data protection module 130 can operate similar to a device driver 146 in a kernel mode unlike web browser 148, for example, which runs in user mode. In this manner, the encryption and decryption can be achieved more seamlessly, as various software applications (such as text editing software) can invoke the encryption/decryption functionality of this disclosure similar to the functionality of OS 152. - In an embodiment,
RAM 144 also stores a complete key 155 generated based on components Complete key 155 can be purged from RAM 144 once the user shuts down computing device 126, logs off, or issues an explicit command. In this manner, data protection module 130 can use complete key 155 to encrypt and decrypt files while the current user session is active. - In general,
peripheral device interface 140 can support any wired or wireless short-range communication link via which personal computing device 126 can communicate with a peripheral storage device. Some of the examples of a suitable interface include a serial RS232 connection, USB, IEEE 802.15 (Bluetooth®), IEEE 802.11n (WiFi Direct™), etc. - In referring to
FIG. 3B, it is a block diagram of an example software module that can be implemented in the user device of FIG. 3A to encrypt and decrypt data using two component keys Data protection module 130, in this embodiment will include a key management module 156, a peripheral storage device authentication module 157, and encryption/decryption engine 158. Encryption/decryption engine 158 in this embodiment comprises AES; however, it may comprise any comparable or higher level known standard encryption/decryption software may be used. With both components component 102 or Key 1 is the component of the key that was randomly generated by the online security service at the time the user registered with the online security service wherein one component 102 was stored on USB flash drive. One component 102 of the key is stored onto USB flash drive plugged into the USB port of computing device 126 during the registration process. The other component 106 of the key or Key 2 is provided by the user as a password inputted into computing device, such as through use of a keyboard of computing device 126. This password was created at the time of registration with the online security service as well. With both Key 1 and Key 2 102, 106 provided to key management module 156 the complete key is assembled and is provided as an operative parameter to encryption/decryption engine 158. With complete key 155 present with encryption/decryption engine 158, a user can select a file or save a file 162 and the file will be encoded 164. Similarly, with a fully assembled key 155 and the encryption/decryption engine 158 in the presence of an encrypted file 164, encrypted file 164 can be properly decrypted. -
Authentication module 157 can receive Key 1 and Key 2, assemble a complete key, verify that the assembled key is correct using the techniques discussed in more detail below, and store the complete key in RAM 144 if the complete key is correct. - Although
data protection module 130 in the illustrated embodiments is downloaded from data protection server 122, in general a user can obtain data protection module 130 from any suitable source via any suitable carrier of computer software (e.g., CD, DVD, flash drive). In one example embodiment, the user can download data protection module 130 from a server associated with an online application (“app”) store. This server can operate independently and separately from server 122. Data protection module 130 can be platform-specific, so that the online app store can provide one version for a computing device that executes Windows®, another version that executes Mac OS®, etc. In another embodiment, the user installs data protection module 130 from a compact disc (CD). - Further, the security system of this disclosure need not provide all components that make
data protection module 130 in all embodiments. Thus, encryption/decryption engine 158 can be provided as a service of an operating system of the computing device. Key management module 156 in these cases can interface with this service using an appropriate application programming interface (API) exposed by the operating system. - In one example embodiment,
key management module 156 generates a complete key by simply appending Key 2 to the end of Key 1. Thus, if Key 1 is a user-selected alphanumeric string and Key 2 is a sequence of hexadecimal values, key management module 156 can assemble the complete key by appending the sequence of hexadecimal values defining Key 2 to the sequence of hexadecimal values corresponding to Key 1. More generally, Key 1 and Key 2 can be combined in any suitable manner, such as by interleaving the sequences of values defining Key 1 and Key 2, respectively. - In referring to
FIG. 4A is a block diagram of an example data protection server 122 that can operate in the computing system of FIG. 2. As mentioned earlier data protection server 122 may comprise one or more servers. Server 122 will comprise one or more processor(s) 166, network interface 168 and RAM 170 much like computing device 126 described earlier. RAM 170 will store, in this example, two software modules password management system 128 and data protection module 130. Processor 166 will be used to execute module 128 and operate network interface 168 permitting server 122 to communicate with network 124. - In referring to
FIG. 4B is a block diagram of an example software system that can be implemented in the server of FIG. 4A to manage keys and provide other functions related to encryption and decryption techniques of this disclosure. The user of the security service, as described earlier, must first register with the online security service. The user communicates with server 122 using computing device 126 wherein, in this example, both are connected to the internet network 124. As mentioned earlier, user contacts server 122 which along with password management system 128 supports a web page for the security providing system 120. By way of user input 172 and network interface 168 user is in communication with password management system 128. - In the first instance of communicating with the web page provided, the new user registers with online security service by way of new user registration module 174 of
password management system 128. The new user will be asked to select from different packages offered by the online security service as discussed earlier. The user will provide input 172 selecting the package the user desires to obtain. The new user will be provided questions to answer from a web page provided such as in this embodiment, the name of the new user, their address, their e-mail address and banking information such as a credit card of the new user. The new user will be asked by new user registration module 174, in this embodiment, to execute a payment to the online security service for the package they had selected. At that point, with a satisfactory payment received by the online security service, module 174 will provide new user queries for creating a user name and a password for entering the system. With user name and password completed, module 174 assigns a user identification (UID) number along with the selection of the package and all information at this point collected from the user and forwards the UID and data collected to customer data & password database interface 176 and it is all then forwarded to database 132 and is stored as customer subscription data 134. - The new user will receive further queries by way of a web page in this embodiment from new device registration module 178. The web page will ask the new user to register the device(s) that are under the package or plan the user chose. In this embodiment the user will be asked to provide some information about the computing device such as the make, model and serial number of
computing device 126 that will be protected under this security service. This information will be sent to customer database interface 176 and forwarded to database 132 and stored as customer subscription data 134. In this embodiment this data is sent along with the UID and is stored in association with the previous data stored with the same UID. A new customer account has been created. - With the user registered,
key generation module 180 of password management system 128 randomly generates one component 102 of the key. This one component 102 is transmitted to the customer data interface 176 and to database 132 and stored under the UID of the new customer as customer subscription data 134. In this embodiment key generation module 180 through a web page will inform the user the encryption/decryption software will be downloaded onto computing device 126 and will commence downloading an instance of the data protection module 130. With the downloading of the encryption/decryption software commenced, system 128 informs user through a web page to connect peripheral storage device 104 to computing device 126. In this example USB flash drive is plugged into USB port of computing device 126. Key generation module 180 sends one component key 102 to computing device 126 wherein the one component 102 is stored on peripheral storage device 104 and at the same time, in this embodiment, key generation module 180 transmits the one component 102 of the key to data base 132 to be stored as encryption key information 135 associated with the UID number of this particular user. In some embodiments, data protection module 130, once downloaded and installed on personal computing device 126, automatically attempts to locate a peripheral storage device, communicates with system 128 to obtain a key, and otherwise set up subsequent encryption and decryption on personal computing device 126. - While the
data protection module 130 is being downloaded onto the memory of computing device 126, in this embodiment, password change/recovery module 182 will send a web page to computing device 126 requesting the subscriber to create the other component 106 of the key or a password for the operation of the security system. This password 106 will be transmitted by the computing device 126 of the user to server 122 wherein password module 182 transmits this other component 106 of the key to customer interface 176 and to database 132 and enters it into customer subscription data 134 associated with the UID number of that particular user. - At this point,
database 132 has stored bothcomponents Password module 182 assemblescomponents Password module 182 transmits the unencrypted file tocomputing device 126 to be stored on peripheral storage device ascontrol output file 116.Password module 182 also transmits tocomputing device 126 the corresponding encrypted file tocomputing device 126 to be stored ascontrol input file 114. -
Password management system 128 also will allow a user to enter the web site of the online security service that is supported byserver 122 and through a web page provided by password change/recovery module 182 request a recovery or retrieval of their password orother component 106 of the key that is stored incustomer subscription data 134. This may occur upon the user forgetting thepassword 106 orpassword 106 has been compromised. As discussed earlier, once the user has logged into the web site of the online security service and has requested such a retrieval, the web page will exercise a security step prior to carrying out the request. The web page will ask at least one question that user had provided the answer to at the time of registration. This information is typically very private in nature as it relates to the user. With a match answer received bymodule 182, password change/recovery module 182 will proceed to retrieve thepassword 106 stored incustomer subscription data 134 and transmit the same tocomputing device 126 to the user. - This same security procedure will be used for the user to be able to change their password or
other component 106 of the key. The procedure for changing the password will require, in this embodiment, the user to forward from computingdevice 126 two copies of thenew password 106 for accuracy verification. Thenew password 106 will be stored ascustomer subscription data 134 indatabase 132. In addition, this new other component orpassword 106 will now have to be used to construct a new key. The user will be asked to connect theirperipheral storage device 104, password change/recovery module 182 will take thenew password 106 and combine it with the onecomponent 102 of the key to assemble a new complete key. This new key will be used to encrypt another file, in this instance a text file and forward it tocomputing device 126 for it to be stored onperipheral storage device 104 ascontrol input file 114 and an unencrypted version of that file will be sent tocomputing device 126 to be stored ascontrol output file 116. As a note, the old complete key could be assembled bymodule 182 and provide user with the correspondingcontrol input file 114 andcontrol output file 116 in order for user to access their stored encrypted files and decrypt them. At that point, the user can utilize the new complete key with the newcontrol input file 114 andcontrol output file 116 and begin encrypting and decrypting files with the new complete key. - To make this procedure appear seamless for the user,
password management system 128 automatically re-encrypts, using the new key, those files that were encrypted using the old key. It is noted, however, that this procedure may consume a noticeable amount of time. - As mentioned above,
key generation module 180 would randomly generate onecomponent 102 of the key for the user at the time of registration. This onecomponent 102 was stored ascustomer subscription data 134 indatabase 132 and was stored on the user'speripheral storage device 104 as well. Thus, at a time, for example, the user loses theirperipheral storage device 104 or it is broken or stolen the user will not be able to encrypt or decrypt data on theircomputing device 126 without this onecomponent 102 of the key that was stored on theperipheral storage device 104. As a result the user will contact the online security service's web page, log in and request a retrieval of the onecomponent 102 of the key. The user will be security cleared as mentioned above with respect to retrieval or change of theother component 106 of the key or password.Key retrieval module 184 will retrieve onecomponent 102 of the key fromcustomer subscription data 134 ondatabase 132. The user will be asked to connect theirperipheral storage device 104 to theircomputing device 126 andmodule 184 will transmit onecomponent 102 of the key tocomputing device 126 to be stored onperipheral storage device 104. If at that time, it was a new peripheral storage device, user would be asked for receivingcontrol input file 114 that was encrypted bymodule 184 and for the corresponding unencrypted filecontrol output file 116. Should the user need files 114 and 116 they would also be forwarded bymodule 184 tocomputing device 126 to be stored onperipheral storage device 104. The user would be provided the needed authentication software to authenticate theperipheral storage device 104 as would be transmitted to thecomputing device 126 bymodule 184 and stored onperipheral storage device 104. With respect to creating a new onecomponent 102, a new key would need to be assembled and creatingnew control input 114 andcontrol output 116 files would need to be generated and stored onperipheral storage device 104. 
Also, the user may need to have the previous onecomponent 102 of the key and thecorresponding control input 114 andcontrol output 116 files created in order for the user to operate to decrypt encrypted files under the earlier regimen of a different complete key with its corresponding different authentication set up. - As a result, the online security service can provide various needed services through a web page supported by
server 122. The user can access the web page with itscomputing device 126 through theinternet network 124. In this way the user may changepasswords 106, retrievepasswords 106, retrieve onecomponent 102 of the key, obtaincontrol input file 114,control output file 116 and the needed software to carry out authentication of theperipheral storage device 104. - In referring to
FIG. 5 , it is a flow diagram of an example method for creating a pair of keys and generating authentication information for aremovable storage device 104, which can be implemented in theuser computing device 126 ofFIG. 3A . Withcomputing device 126 connected todata protection server 122 throughinternet network 124 connection, in this embodiment, and the account opened by the user as described above,step 186 commences withdata protection module 130 being downloaded and/or installed ontocomputing device 126.Data protection module 130 can includekey management module 156 and/or encryption/decryption engine 158. Instep 188, the web site of the online security service which is supported byserver 122 will prompt user to insertperipheral storage device 104 into theircomputing device 126.Key generation module 180 will randomly generate onecomponent 102 of the key or first key instep 190. The web site of the online security service will notify user to create a second key or other component 106 (step 192) and forward the same from computingdevice 126 to be received byserver 122 throughnetwork interface 168. In this embodiment,password management system 128 through password change/recovery module 182 will assemble a complete or main key from onecomponent 102 andother component 106 of the key instep 194.Password management system 128 will generate authentication data with using the complete or main key in conjunction with encryption/decryption software ofdata protection module 130 and encrypts a file it randomly generated. This file is an encryptable and decryptable file with respect to the encryption/decryption software. In this embodiment the file is a text file and it is encrypted, while maintaining an unencrypted version of the file as well forstep 196. 
The encrypted version of the file is forwarded tocomputing device 126 and stored on theperipheral storage device 104 ascontrol input file 114 and the unencrypted version of that file is forwarded tocomputing device 126 and stored onperipheral device 104 ascontrol output file 116 instep 198. - In referring to
FIG. 6 , it is a flow diagram of an example method for encrypting data using onecomponent 102 of a key stored on aremovable storage device 104 and anothercomponent 106 of the key submitted by a user which can be implemented in theuser computing device 126 ofFIG. 3A . In the illustrated embodiment, user login can be detected atblock 200. This event can trigger the creation of a new session during which data is seamlessly encrypted and/or decrypted. More generally, a session can begin in response to any one of suitable events such as connection to a peripheral storage device or a user command, for example. - The encryption/decryption software can commence the process of assembling the encryption key by obtaining one
component 102 of a key for encrypting from aperipheral storage device 104 asstep 202. In this embodiment onecomponent 102 of the key was stored on theperipheral storage device 104 by the online security service randomly generating it at the time of registration. The user then needs to provide anothercomponent 106 of the key (which the user had created at the time of registration by the user) to the encryption/decryption software in putting it intocomputing device 126 through a user interface such as a keyboard as step 204. Thenext step 206 is for the key to be assembled oncomputing device 126 with using onecomponent 102 and anothercomponent 106. - With the complete key assembled and encryption/decryption software stored on the
computing device 126, at the time of registration, an encryption/decryption session begins instep 208. In particular, the assembled key may be stored in volatile memory for the duration of the session. During the session, one or several files that require encryption or decryption are captured instep 210. These files are encrypted or decrypted instep 212 using the key assembled for the session. If an event indicating that the session completed is detected instep 214, the flow returns to block 210 (where additional file(s) may be captured). Otherwise, the flow proceeds to step 216, where the key is removed from the volatile memory. -
FIG. 7 shows a flow diagram of an example method for generating authentication information for aremovable storage device 104, which can be implemented to authenticateperipheral storage device 104 ofFIG. 2 .Password management system 128, stored onserver 122 will generate a random file, one that can be encrypted and decrypted by the encryption/decryption engine 158 ofdata protection module 130 used in conjunction with onecomponent 102 and anothercomponent 106 of the key assembled into a complete key. In this embodiment,password management system 128 will generate this random file as a text file instep 220. With the fully assembled key comprised of onecomponent 102 and anothercomponent 106, both retrieved fromcustomer subscription data 134 fromdatabase 132,module 182 with the complete key and encryption/decryption software fromdata protection module 130 will encrypt the text file instep 222. The encrypted text file is transmitted tocomputing device 126 and stored inperipheral storage device 104 ascontrol input file 114, the corresponding unencrypted randomly generated file is transmitted tocomputing device 126 and stored onperipheral storage device 104 ascontrol output 116 and onecomponent 102 of the key is also transmitted tocomputing device 126 and stored onperipheral storage device 104 asstep 224. This data stored onperipheral storage device 104 will be used as discussed earlier to carry out the authentication function of theperipheral storage device 104. - In referring to
FIG. 8 , it is a flow diagram of an example method for authenticating aremovable storage device 104 storing a key. The method in this embodiment includes a user in operation of theircomputing device 126 wishing to either encrypt/decrypt data on theircomputing device 126. User will request the encryption/decryption of the data which will use onecomponent 102 of the key which is stored onperipheral storage device 104 asstep 226. The user will be prompted to provide theother component 106 of the key instep 228 which as discussed earlier would be a password in this embodiment. At which point, user can enterother component 106 by way of user interface or keyboard ofcomputing device 126, instep 230 in this example. With onecomponent 102 andother component 106 of the key, the main or complete key is assembled instep 232. - With the main key assembled and the encryption/
decryption engine 158 present fromdata protection module 130, a randomly generated file bypassword change module 182 as discussed above, in this embodiment, the randomly generated file is generated bymodule 182 and encrypted. The encrypted version is stored on theperipheral storage device 104 ascontrol input 114 asstep 234, the corresponding unencrypted version of the file is stored on theperipheral storage device 104 ascontrol output 116 and the onecomponent 102 of the key is also stored onperipheral storage device 104. - With the encrypted version of the file or
control input file 114 instep 236 is decrypted by the complete or mainkey comprising components decryption engine 158 and the now decryptedinput control file 114 is compared to correspondingunencrypted file 116 instep 236. If there is a match, “yes”,peripheral storage device 104 is authenticated atstep 238. This means the main key was properly assembled and used with the encryption/decryption engine 158 and user can proceed to encrypt and decrypt files on theircomputing device 126. The main key is stored in RAM (or other type of volatile memory) instep 242 for the duration of the session. However, if there was not a match between the decryptedcontrol input file 114 and thecontrol output file 116, “no”, the peripheral storage device fails to authenticate instep 240 meaning one or both of thecomponents storage device 104 is not the correct device carrying the correct onecomponent 102 of the key or theother component 106 of the key was not correct. In either instance, the user will not be able to successfully proceed to encrypt and decrypt files on thecomputing device 126. Accordingly, instep 244, the session is prevented from being activated, so that previously encrypted files cannot be decrypted and, conversely, new files cannot be encrypted using the techniques of this disclosure. - Throughout this specification, plural instances may implement components, operations, or structures described as a single instance. Although individual operations of one or more methods are illustrated and described as separate operations, one or more of the individual operations may be performed concurrently, and nothing requires that the operations be performed in the order illustrated. Structures and functionality presented as separate components in example configurations may be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component may be implemented as separate components. 
These and other variations, modifications, additions, and improvements fall within the scope of the subject matter of the present disclosure.
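The FIG. 7 provisioning, the FIG. 8 control-file check and the FIG. 6 session key handling described above, as an added Python example (not code from the patent or from any product implementing it). The patent names no cipher or key-derivation function: PBKDF2 over both components and the HMAC-SHA256 keystream cipher are stand-ins assumed here, and every function and field name is hypothetical.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000  # assumed work factor; the patent specifies none

def assemble_key(password: str, component_102: bytes) -> bytearray:
    """Steps 194/206/232: build the complete key from both components.

    Claim 12 appends one component to the other. This example instead feeds
    both into PBKDF2 (a swapped-in hardening): component 102 and both control
    files sit on the same device, so the password is the only secret left if
    the device is lost, and a slow KDF makes each password guess expensive.
    """
    return bytearray(hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), component_102, KDF_ITERATIONS))

def _keystream(key, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext: bytes) -> bytes:
    """Stand-in for encryption/decryption engine 158 (no integrity protection;
    a production engine would use an AEAD mode such as AES-GCM)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def decrypt(key, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def provision_device(password: str) -> dict:
    """Server side, FIG. 7: returns what is written to the peripheral device."""
    component_102 = secrets.token_bytes(32)              # step 190
    key = assemble_key(password, component_102)          # step 194
    control_output = secrets.token_hex(32).encode()      # step 220: random text file
    control_input = encrypt(key, control_output)         # step 222
    return {"component_102": component_102,             # step 224
            "control_input_114": control_input,
            "control_output_116": control_output}

def _wipe(key: bytearray) -> None:
    # Best effort only: Python may keep other copies of the key material.
    for i in range(len(key)):
        key[i] = 0

class Session:
    """Client side: the FIG. 8 check followed by the FIG. 6 session."""

    def __init__(self):
        self._key = None

    @property
    def active(self) -> bool:
        return self._key is not None

    def open(self, password: str, device: dict) -> bool:
        key = assemble_key(password, device["component_102"])        # step 232
        recovered = decrypt(key, device["control_input_114"])        # step 236
        if not hmac.compare_digest(recovered, device["control_output_116"]):
            _wipe(key)                                               # steps 240, 244
            return False
        self._key = key                                              # steps 238, 242
        return True

    def encrypt_file(self, data: bytes) -> bytes:
        return encrypt(self._require_key(), data)

    def decrypt_file(self, blob: bytes) -> bytes:
        return decrypt(self._require_key(), blob)

    def close(self) -> None:
        """Step 216: remove the key from volatile memory."""
        if self._key is not None:
            _wipe(self._key)
            self._key = None

    def _require_key(self):
        if self._key is None:
            raise PermissionError("no verified session key")
        return self._key

if __name__ == "__main__":
    device = provision_device("constructed-sample-passphrase")  # constructed input
    session = Session()
    print("wrong password accepted:", session.open("guess", device))
    print("right password accepted:", session.open("constructed-sample-passphrase", device))
    session.close()
    print("session active after close:", session.active)
```

A failed check leaves no key in the session object, so `encrypt_file` and `decrypt_file` refuse to run, which mirrors step 244.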
- Additionally, certain embodiments are described herein as including logic or a number of components or modules. Modules may constitute either software modules (e.g., code stored on a non-transitory machine-readable medium) or hardware modules. A hardware module is a tangible unit capable of performing certain operations and may be configured or arranged in a certain manner. A hardware module may comprise dedicated circuitry or logic that is permanently configured (e.g., as a special-purpose processor, such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC)) to perform certain operations. A hardware module may also comprise programmable logic or circuitry (e.g., as encompassed within a general-purpose processor or other programmable processor) that is temporarily configured by software to perform certain operations. It will be appreciated that the decision to implement a hardware module in dedicated and permanently configured circuitry or in temporarily configured circuitry (e.g., configured by software) may be driven by cost and time considerations.
- Accordingly, the term hardware should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired), or temporarily configured (e.g., programmed) to operate in a certain manner or to perform certain operations described herein. Considering embodiments in which hardware modules are temporarily configured (e.g., programmed), each of the hardware modules need not be configured or instantiated at any one instance in time. For example, where the hardware modules comprise a general-purpose processor configured using software, the general-purpose processor may be configured as respective different hardware modules at different times. Software may accordingly configure a processor, for example, to constitute a particular hardware module at one instance of time and to constitute a different hardware module at a different instance of time.
- Hardware and software modules can provide information to, and receive information from, other hardware and/or software modules. Accordingly, the described hardware modules may be regarded as being communicatively coupled. Where multiple of such hardware or software modules exist contemporaneously, communications may be achieved through signal transmission (e.g., over appropriate circuits and buses) that connect the hardware or software modules. In embodiments in which multiple hardware modules or software are configured or instantiated at different times, communications between such hardware or software modules may be achieved, for example, through the storage and retrieval of information in memory structures to which the multiple hardware or software modules have access. For example, one hardware or software module may perform an operation and store the output of that operation in a memory device to which it is communicatively coupled. A further hardware or software module may then, at a later time, access the memory device to retrieve and process the stored output. Hardware and software modules may also initiate communications with input or output devices, and can operate on a resource (e.g., a collection of information).
- The performance of certain operations may be distributed among the one or more processors, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the processor or processors may be located in a single location (e.g., within a home environment, an office environment or as a server farm), while in other embodiments the processors may be distributed across a number of locations.
- Some portions of this specification are presented in terms of algorithms or symbolic representations of operations on data stored as bits or binary digital signals within a machine memory (e.g., a computer memory). These algorithms or symbolic representations are examples of techniques used by those of ordinary skill in the data processing arts to convey the substance of their work to others skilled in the art. As used herein, an “algorithm” or a “routine” is a self-consistent sequence of operations or similar processing leading to a desired result. In this context, algorithms, routines and operations involve physical manipulation of physical quantities. Typically, but not necessarily, such quantities may take the form of electrical, magnetic, or optical signals capable of being stored, accessed, transferred, combined, compared, or otherwise manipulated by a machine. It is convenient at times, principally for reasons of common usage, to refer to such signals using words such as “data,” “content,” “bits,” “values,” “elements,” “symbols,” “characters,” “terms,” “numbers,” “numerals,” or the like. These words, however, are merely convenient labels and are to be associated with appropriate physical quantities.
- Unless specifically stated otherwise, discussions herein using words such as “processing,” “computing,” “calculating,” “determining,” “presenting,” “displaying,” or the like may refer to actions or processes of a machine (e.g., a computer) that manipulates or transforms data represented as physical (e.g., electronic, magnetic, or optical) quantities within one or more memories (e.g., volatile memory, non-volatile memory, or a combination thereof), registers, or other machine components that receive, store, transmit, or display information.
- As used herein any reference to “one embodiment” or “an embodiment” means that a particular element, feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.
- Some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. For example, some embodiments may be described using the term “coupled” to indicate that two or more elements are in direct physical or electrical contact. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other. The embodiments are not limited in this context.
- As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
- In addition, use of “a” or “an” is employed to describe elements and components of the embodiments herein. This is done merely for convenience and to give a general sense of the description. This description should be read to include one or at least one and the singular also includes the plural unless it is obvious that it is meant otherwise.
- While particular embodiments of the present invention have been shown and described, it will be obvious to those skilled in the relevant arts that changes and modifications may be made without departing from the invention in its broader aspects. Therefore, the aim in the appended claims is to cover all such changes and modifications that fall within the true spirit and scope of the invention. The matter set forth in the foregoing description and accompanying drawings is offered by way of illustration only and not as a limitation. The actual scope of the invention is intended to be defined in the following claims when viewed in their proper perspective based on the prior art.
Claims (20)
1. A method for generating cryptographic keys for encrypting and decrypting data, the method comprising:
receiving, by one or more processors, a first component of a cryptographic key from a user via a user interface of a user computing device;
receiving, by the one or more processors, a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device;
generating, by the one or more processors, the cryptographic key based at least on the first component and the second component; and
using the cryptographic key to encrypt and/or decrypt data, by the one or more processors.
2. The method of claim 1, wherein using the cryptographic key to encrypt and/or decrypt the data includes:
storing the generated cryptographic key in a volatile memory of the user computing device during an active session,
automatically encrypting and/or decrypting data accessed by the user during the active session, by the one or more processors, and
deleting the cryptographic key from the volatile memory when the active session completes.
3. The method of claim 2, further comprising:
verifying the cryptographic key using control data stored on the storage device, wherein the generated cryptographic key is stored in the volatile memory only in response to the cryptographic key having been successfully verified.
4. The method of claim 3, wherein the control data includes first control data and second control data, and wherein verifying the cryptographic key includes:
retrieving the first control data from the storage device,
applying the cryptographic key to the first control data to generate an encryption/decryption result, and
comparing the encryption/decryption result to the second control data, wherein the cryptographic key is successfully verified when the encryption/decryption result matches the second control data.
5. The method of claim 2, further comprising completing the active session in response to detecting that the storage device has been removed.
6. The method of claim 2, further comprising completing the active session in response to detecting that the user logged off.
7. The method of claim 1, wherein using the cryptographic key to encrypt and/or decrypt the data includes automatically applying, by the one or more processors, the cryptographic key to files stored in a persistent memory of the user computing device, which the user accesses during an active session, without prompting the user.
8. The method of claim 7, wherein applying the cryptographic key to the files stored in a persistent memory of the user computing device includes executing a task in a kernel mode on the user computing device.
9. The method of claim 1, further comprising, prior to receiving the second component via the short-range communication interface:
receiving, by the one or more processors, the second component of the cryptographic key via a long-range communication interface from a network server;
causing, by the one or more processors, the second component of the cryptographic key to be stored in the storage device.
10. The method of claim 8, further comprising:
providing, by the one or more processors, an interactive menu for receiving registration data from a user; and
sending the registration data to the network server via the long-range communication interface, wherein the second component of the cryptographic key is received from the network server in response to the registration data.
11. The method of claim 1, wherein the user computing device has a port to removably couple the user computing device to a peripheral storage device, wherein the second component of the cryptographic key is received via the port from the peripheral storage device.
12. The method of claim 1, wherein generating the cryptographic key includes appending, by the one or more processors, one of the first and the second component of the cryptographic key to the other one of the first and the second component of the cryptographic key.
13. A network server comprising:
a communication interface to communicatively couple the network server to a user computing device via a communication network; and
processing hardware configured to:
receive a request for a cryptographic key from the user computing device, wherein the request includes a first component of the cryptographic key, the first component having been specified by a user of the user computing device,
in response to the request, automatically generate a second component of the cryptographic key, and
provide the second component of the cryptographic key to the user device for storage on a storage device physically separate from the user computing device,
wherein the user computing device is configured to (i) generate the cryptographic key based at least on the first component and the second component of the cryptographic key and (ii) encrypt and/or decrypt user-selected data using the cryptographic key.
14. The network server of claim 13, further comprising:
a computer-readable storage in which a database is implemented;
wherein the processing hardware is further configured to:
receive registration data for the user from the user computing device, and
store the registration data, the first component of the cryptographic key, and the second component of the cryptographic key in the database.
15. The network server of claim 14, wherein the processing hardware is further configured to reset the cryptographic key in response to a user request, including generating a new second component of the cryptographic key.
16. The network server of claim 13, wherein the processing hardware is further configured to:
generate the cryptographic key based on the first component and the second component,
generate first control data,
apply the cryptographic key to the first control data to generate second control data, and
provide the first control data and the second control data to the user device for storage on the storage device,
wherein the user computing device is configured to verify user input of the first component of the cryptographic key using the first control data, the second control data, and the second component of the cryptographic key.
17. The network server of claim 16, wherein the processing hardware is configured to generate the first control data randomly.
18. A method in a user computing device for efficiently encrypting and/or decrypting data, the method comprising:
receiving, by one or more processors, an indication that a storage device physically separate from the user computing device is now communicatively coupled to the user computing device via a short-range communication interface;
receiving, by the one or more processors, a first component of a cryptographic key from a user via a user interface;
retrieving, from the storage device, (i) a second component of the cryptographic key, (ii) first control data, and (iii) second control data corresponding to the first control data encrypted using a correct version of the cryptographic key;
generating the cryptographic key based at least on the first component and the second component; and
determining whether the generated cryptographic key is correct using the first control data and the second control data.
19. The method of claim 18, further comprising:
receiving, by the one or more processors, the second component of the cryptographic key, the first control data, and second control data from a network server via a communication network; and
storing the second component of the cryptographic key, the first control data, and second control data in the storage device.
20. The method of claim 19, wherein receiving the second component of the cryptographic key, the first control data, and second control data from the network server is in response to a user requesting that a new cryptographic key be generated.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/822,269 US20150350172A1 (en) | 2014-05-07 | 2015-08-10 | Encryption on computing device |
US15/710,186 US20180026953A1 (en) | 2014-05-07 | 2017-09-20 | Encryption on computing device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/271,883 US9104889B1 (en) | 2014-05-07 | 2014-05-07 | Encryption on computing device |
US14/822,269 US20150350172A1 (en) | 2014-05-07 | 2015-08-10 | Encryption on computing device |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/271,883 Continuation US9104889B1 (en) | 2014-05-07 | 2014-05-07 | Encryption on computing device |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/710,186 Continuation US20180026953A1 (en) | 2014-05-07 | 2017-09-20 | Encryption on computing device |
Publications (1)
Publication Number | Publication Date |
---|---|
US20150350172A1 (en) | 2015-12-03 |
Family
ID=53763288
Family Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/271,883 Expired - Fee Related US9104889B1 (en) | 2014-05-07 | 2014-05-07 | Encryption on computing device |
US14/822,269 Abandoned US20150350172A1 (en) | 2014-05-07 | 2015-08-10 | Encryption on computing device |
US15/710,186 Abandoned US20180026953A1 (en) | 2014-05-07 | 2017-09-20 | Encryption on computing device |
Family Applications Before (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/271,883 Expired - Fee Related US9104889B1 (en) | 2014-05-07 | 2014-05-07 | Encryption on computing device |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/710,186 Abandoned US20180026953A1 (en) | 2014-05-07 | 2017-09-20 | Encryption on computing device |
Country Status (1)
Country | Link |
---|---|
US (3) | US9104889B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018080677A1 (en) * | 2016-10-26 | 2018-05-03 | Intel Corporation | Providing secure data transmission over a universal serial bus (usb) interface |
US10325109B2 (en) * | 2017-09-14 | 2019-06-18 | International Business Machines Corporation | Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9705857B1 (en) * | 2014-10-10 | 2017-07-11 | Sprint Spectrum L.P. | Securely outputting a security key stored in a UE |
US20180047020A1 (en) * | 2015-03-10 | 2018-02-15 | Sniip (Australia) Pty Ltd | Method and system of conducting a transaction |
US10198595B2 (en) * | 2015-12-22 | 2019-02-05 | Walmart Apollo, Llc | Data breach detection system |
IL244557A0 (en) * | 2016-03-13 | 2016-07-31 | Cyber Sepio Systems Ltd | A system and method for protecting a computer system from usb related vulnerabilities e.g.cyber attacks |
US10154037B2 (en) * | 2017-03-22 | 2018-12-11 | Oracle International Corporation | Techniques for implementing a data storage device as a security device for managing access to resources |
IL254573A0 (en) | 2017-09-18 | 2017-11-30 | Cyber Sepio Systems Ltd | System method and computer program product for securing a local area network from threats introduced by rogue or malicious devices |
US11544416B2 (en) | 2017-08-03 | 2023-01-03 | Cyber Sepio Systems Ltd | System and method for securing a computer system from threats introduced by USB devices |
EP3629204B1 (en) * | 2018-09-28 | 2021-02-24 | BlackBerry Limited | Processing data on an electronic device |
US10897351B1 (en) * | 2020-07-02 | 2021-01-19 | Slack Technologies, Inc. | Encryption key management for an automated workflow |
US20220122195A1 (en) * | 2020-10-16 | 2022-04-21 | PF IP Holdings Inc. | Method, system, and medium for social media content monitoring |
NL2027136B1 (en) * | 2020-12-17 | 2022-07-11 | Mindyourpass Holding B V | Password management system, device and method of the same |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050195975A1 (en) * | 2003-01-21 | 2005-09-08 | Kevin Kawakita | Digital media distribution cryptography using media ticket smart cards |
US20060177061A1 (en) * | 2004-10-25 | 2006-08-10 | Orsini Rick L | Secure data parser method and system |
US20060282681A1 (en) * | 2005-05-27 | 2006-12-14 | Scheidt Edward M | Cryptographic configuration control |
US20070067828A1 (en) * | 2005-08-11 | 2007-03-22 | Msystems Ltd. | Extended one-time password method and apparatus |
US20110040971A1 (en) * | 2008-04-21 | 2011-02-17 | Anantharaman Lakshminarayanan | Portable system and method for remotely accessing data |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018080677A1 (en) * | 2016-10-26 | 2018-05-03 | Intel Corporation | Providing secure data transmission over a universal serial bus (usb) interface |
US10715501B2 (en) | 2016-10-26 | 2020-07-14 | Intel Corporation | Providing secure data transmission over a universal serial bus (USB) interface |
US10325109B2 (en) * | 2017-09-14 | 2019-06-18 | International Business Machines Corporation | Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network |
Also Published As
Publication number | Publication date |
---|---|
US9104889B1 (en) | 2015-08-11 |
US20180026953A1 (en) | 2018-01-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20180026953A1 (en) | Encryption on computing device | |
US11381550B2 (en) | Account management using a portable data store | |
US9660982B2 (en) | Reset and recovery of managed security credentials | |
US9177169B2 (en) | Secure digital storage | |
US8555079B2 (en) | Token management | |
US8656180B2 (en) | Token activation | |
US8972719B2 (en) | Passcode restoration | |
US10044695B1 (en) | Application instances authenticated by secure measurements | |
US9448949B2 (en) | Mobile data vault | |
US9104888B2 (en) | Secure data storage | |
US20130208893A1 (en) | Sharing secure data | |
US10484372B1 (en) | Automatic replacement of passwords with secure claims | |
US20100313018A1 (en) | Method and system for backup and restoration of computer and user information | |
CN112771826A (en) | Application program login method, application program login device and mobile terminal | |
CA2970338C (en) | System and method for replacing common identifying data | |
JP2011507414A (en) | System and method for protecting data safety | |
CN112912880A (en) | Container builder for personalized web services | |
JP7422241B2 (en) | Password recovery methods, systems, cloud servers and electronic devices | |
US20080172750A1 (en) | Self validation of user authentication requests | |
JP2021536166A (en) | Verification of peer identification information | |
WO2017091133A1 (en) | Method and system for secure storage of information | |
CN109960945B (en) | Active safety protection method and system for browser | |
US20060075227A1 (en) | Portable information management device | |
JP2009003700A (en) | Program for permitting prescribed processing of application | |
WO2013085666A1 (en) | Token management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |