US2013311786A1PendingUtilityA1

Cryptographic Key Attack Mitigation

50
Assignee: MICROSOFT CORPPriority: Apr 28, 2011Filed: Jul 3, 2013Published: Nov 21, 2013
Est. expiryApr 28, 2031(~4.8 yrs left)· nominal 20-yr term from priority
H04L 9/002H04L 9/0822H04L 9/0897H04L 9/0877G06F 21/60
50
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Cryptographic keys and, subsequently, the data they are intended to protect, are safeguarded from unwarranted attacks utilizing various systems and methodologies designed to minimize the time period in which meaningful versions of cryptographic keys exist in accessible memory, and therefore, are vulnerable. Cryptographic keys, and consequently the data they are intended to protect, can alternatively, or also, be protected from attackers utilizing systems and a methodology that employs a removable storage device for providing authentication factors used in the encryption and decryption processing. Cryptographic keys and protected data can alternatively, or also, be protected with a system and methodology that supports data separation on the storage device(s) of a computing device. Cryptographic keys and the data they are intended to protect can alternatively, or also, be protected employing a system and methodology of virtual compartmentalization that effectively segregates key management from protected data.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device, wherein the computing device comprises a processor cache, the methodology comprising:
 storing a cryptographic key for use in locking at least one volume of the computing device within the processor cache of the computing device and removing the cryptographic key from accessible memory of the computing device when the cryptographic key is not in use by the computing device for locking a volume of the computing device;   retrieving the cryptographic key stored in the processor cache and accessing it in the accessible memory of the computing device upon the computing device preparing to go into sleep mode;   utilizing the cryptographic key in accessible memory of the computing device to lock at least one volume of the computing device prior to the computing device going into sleep mode; and   removing the cryptographic key from accessible memory of the computing device subsequent to locking at least one volume of the computing device and prior to the computing device going into sleep mode.   
     
     
         2 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 1 , further comprising utilizing the cryptographic key in accessible memory of the computing device to lock all the volumes of the computing device that are to be locked upon the computing device going into sleep mode prior to the computing device going into sleep mode. 
     
     
         3 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 2 , further comprising accessing the cryptographic key in the accessible memory of the computing device for a minimum amount of time comprising the time required for utilizing the cryptographic key in accessible memory of the computing device to lock the volumes of the computing device that are to be locked prior to the computing device going into sleep mode. 
     
     
         4 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 1 , wherein the cryptographic key for use in locking at least one volume of the computing device comprises the capability to unlock at least one volume of the computing device; further comprising:
 storing the cryptographic key within the processor cache of the computing device and removing the cryptographic key from accessible memory of the computing device when the cryptographic key is not in use by the computing device for locking a volume of the computing device and when the cryptographic key is not in use by the computing device for unlocking a volume of the computing device;   retrieving the cryptographic key stored in the processor cache and accessing it in the accessible memory of the computing device upon the computing device awakening from sleep mode;   utilizing the cryptographic key in accessible memory of the computing device to unlock at least one volume of the computing device subsequent to the computing device awakening from sleep mode; and   removing the cryptographic key from accessible memory of the computing device subsequent to unlocking at least one volume of the computing device.   
     
     
         5 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 4 , further comprising utilizing the cryptographic key in accessible memory of the computing device to unlock all the volumes of the computing device that are locked upon the computing device awakening from sleep mode. 
     
     
         6 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 5 , further comprising accessing the cryptographic key in the accessible memory of the computing device for a minimum amount of time comprising the time required for utilizing the cryptographic key in accessible memory of the computing device to unlock the volumes of the computing device that are to be unlocked upon the computing device awakening from sleep mode. 
     
     
         7 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 1 , wherein the cryptographic key comprises a VMK (Volume Master Key). 
     
     
         8 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 1 , further comprising:
 storing every cryptographic key for use in locking any volume of the computing device within the processor cache of the computing device and removing the cryptographic keys from accessible memory of the computing device when the cryptographic keys are not in use by the computing device for locking a volume of the computing device;   retrieving each cryptographic key stored in the processor cache and accessing it in the accessible memory of the computing device upon the computing device preparing to go into sleep mode and when the cryptographic key is to be utilized to lock a volume of the computing device;   utilizing the cryptographic key in accessible memory of the computing device to lock at least one volume of the computing device prior to the computing device going into sleep mode; and   removing each cryptographic key from accessible memory of the computing device subsequent to utilizing the cryptographic key to lock at least one volume of the computing device and prior to the computing device going into sleep mode.   
     
     
         9 . The processor-based methodology for minimizing the time period in which at least one cryptographic key for locking at least one volume of a computing device is maintained in the accessible memory of the computing device of  claim 1 , wherein the cryptographic key for use in locking at least one volume of the computing device that is stored within the processor cache comprises an encrypted version of the cryptographic key comprising the encrypted cryptographic key, the processor-based methodology further comprising:
 unencrypting the encrypted cryptographic key to generate the cryptographic key for use in locking at least one volume of the computing device subsequent to retrieving the cryptographic key comprising the encrypted cryptographic key from the processor cache and accessing it in accessible memory; and   removing the encrypted cryptographic key from accessible memory of the computing device subsequent to generating the cryptographic key from the encrypted cryptographic key and prior to the computing device going into sleep mode.   
     
     
         10 . A computing-device system comprising the capability to mitigate attacks thereto, the computing-device system comprising:
 at least one volume for storing at least data thereon that is to be protected when the computing device is in sleep mode;   at least one cryptographic key for locking at least one volume of the computing device upon the computing device processing to go into sleep mode;   a processor cache that stores at least one cryptographic key for use in locking at least one volume of the computing device; and   accessible memory
 wherein at least one cryptographic key is retrieved from the processor cache and accessed in the accessible memory upon the computing device processing to go into sleep mode, 
 a cryptographic key in the accessible memory is utilized to lock at least one volume of the computing device prior to the computing device going into sleep mode, and 
 the cryptographic key in the accessible memory is removed from the accessible memory subsequent to the cryptographic key being utilized to lock at least one volume of the computing device and prior to the computing device going into sleep mode. 
   
     
     
         11 . The computing-device system comprising the capability to mitigate attacks thereto of  claim 10 , wherein the cryptographic key for locking at least one volume of the computing device can be utilized, when in accessible memory of the computing device, to lock all the volumes of the computing device that are to be locked upon the computing device going into sleep mode prior to the computing device going into sleep mode. 
     
     
         12 . The computing-device system comprising the capability to mitigate attacks thereto of  claim 11 , wherein the cryptographic key is accessed in the accessible memory of the computing device for a minimum amount of time comprising the time required for utilizing the cryptographic key in accessible memory of the computing device to lock the volumes of the computing device that are to be locked prior to the computing device going into sleep mode. 
     
     
         13 . The computing-device system comprising the capability to mitigate attacks thereto of  claim 10 , further comprising:
 the cryptographic key for locking at least one volume of the computing device upon the computing device processing to go into sleep mode comprising the ability to unlock at least one volume of the computing device upon the computing device awakening from sleep mode; and   the accessible memory further maintains at least one cryptographic key for a time t when the cryptographic key is to be utilized to unlock at least one volume of the computing device upon the computing device awakening from sleep mode
 wherein the at least one cryptographic key is retrieved from the processor cache and accessed in the accessible memory upon the computing device awakening from sleep mode, 
 wherein the cryptographic key in the accessible memory is utilized to unlock at least one volume of the computing device subsequent to the computing device awakening from sleep mode, and 
 wherein the cryptographic key in the accessible memory is removed from the accessible memory subsequent to the cryptographic key being utilized to unlock at least one volume of the computing device. 
   
     
     
         14 . The computing-device system comprising the capability to mitigate attacks thereto of  claim 13 , wherein the cryptographic key for unlocking at least one volume of the computing device can be utilized, when in accessible memory of the computing device, to unlock all the volumes of the computing device that are to be unlocked upon the computing device awakening from sleep mode. 
     
     
         15 . The computing-device system comprising the capability to mitigate attacks thereto of  claim 14 , wherein the cryptographic key is accessed in the accessible memory of the computing device for a minimum amount of time comprising the time required for utilizing the cryptographic key in accessible memory of the computing device to unlock the volumes of the computing device that are to be unlocked when the computing device awakens from sleep mode. 
     
     
         16 . The computing-device system comprising the capability to mitigate attacks thereto of  claim 10 , wherein the cryptographic key comprises a VMK (Volume Master Key). 
     
     
         17 . A computing device for mitigating attacks to data stored on at least one volume associated with the computing device, the computing device comprising:
 at least one volume associated therewith that can store data thereon;   at least one processor comprising the capability to process software code comprising instructions;   at least one cryptographic key for use in locking at least one volume of the computing device;   processor cache comprising storage capability;   accessible memory comprising storage capability;   at least one instruction at least one processor can process for storing at least one cryptographic key for use in locking at least one volume of the computing device within the processor cache wherein a cryptographic key stored in the processor cache comprises a stored cryptographic key;   at least one instruction at least one processor can process for removing the stored cryptographic key from accessible memory when the stored cryptographic key is not in use by the computing device for locking a volume associated therewith;   at least one instruction at least one processor can process for retrieving the stored cryptographic key from the processor cache and accessing it in accessible memory upon the computing device preparing to go into sleep mode;   at least one instruction at least one processor can process for utilizing the stored cryptographic key in accessible memory to lock at least one volume associated with the computing device prior to the computing device going into sleep mode; and   at least one instruction at least one processor can process for removing the stored cryptographic key from accessible memory subsequent to locking at least one volume associated with the computing device and prior to the computing device going into sleep mode.   
     
     
         18 . The computing device of  claim 17 , further comprising at least one instruction at least one processor can process for utilizing the stored cryptographic key in accessible memory to lock all the volumes associated with the computing device that are to be locked upon the computing device going into sleep mode prior to the computing device going into sleep mode. 
     
     
         19 . The computing device of  claim 18 , further comprising at least one instruction at least one processor can process that ensures that the stored cryptographic key in accessible memory is in accessible memory for a minimum amount of time comprising the time required for the stored cryptographic key to be utilized to lock the volumes associated with the computing device that are to be locked prior to the computing device going into sleep mode. 
     
     
         20 . The computing device of  claim 17 , further comprising:
 at least one instruction at least one processor can process for storing the cryptographic key within the processor cache and removing the stored cryptographic key from accessible memory when the stored cryptographic key is not in use for locking a volume associated with the computing device and when the cryptographic key is not in use for unlocking a volume associated with the computing device;   at least one instruction at least one processor can process for retrieving the stored cryptographic key from the processor cache and accessing it in accessible memory upon the computing device awakening from sleep mode;   at least one instruction at least one processor can process for utilizing the stored cryptographic key in accessible memory to unlock at least one volume associated with the computing device subsequent to the computing device awakening from sleep mode; and   at least one instruction at least one processor can process for removing the stored cryptographic key from accessible memory subsequent to unlocking at least one volume associated with the computing device.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.