EP-4220459-B1 - BALANCING PUBLIC AND PERSONAL SECURITY NEEDS

Inventors

  • BRICKELL, ERNEST

Dates

Publication Date
20260506
Application Date
20161110

Claims (6)

  1. A computing device (1) operated by a user of the computing device (1), said computing device (1) comprising: an access control module (330) configured to verify a digital signature, using an access verification key (335), on a request (318) to execute an authorized external access payload (339) on the computing device (1) by an authorized external access entity (500), where the authorized external access entity (500) is a different entity than the user and is external to the computing device (1); the access control module (330) further configured to store information (337) regarding the authorized external access payload (339); an output module (336) executing on the computer device (1) and configured to provide the stored information (337) regarding the authorized external access payload (339) to a main partition (205) of the computing device (1); an authorized access unlock module (368) configured to unlock the computing device (1) when the computing device (1) is in a locked state and when a request to unlock the computing device (1) contained by the authorized external access payload (339) is received by the authorized access unlock module (368), wherein the unlocking gives the authorized external access entity (500) access to the main partition (205) of the computing device (1).
  2. The computing device of claim 1, wherein the digital signature (318) verified using the access verification key (335) is generated externally to the computing device (1).
  3. The computing device of claim 1 or 2, wherein the storing of the information (337) regarding the authorized external access payload (339) is performed after the passage of some specified time.
  4. A method for allowing an authorized external access entity (500) to execute an authorized external access payload (339) on a computing device (1) operated by a user of the computing device (1), said method comprising the steps of: verifying in an access control module (330) of the computing device (1), using an access verification key (335), a digital signature on a request by an authorized external access entity (500) to execute an authorized external access payload (339) on the computing device (1), wherein the authorized external access entity (500) is a different entity than the user and is external to the computing device (1); storing in the access control module (330) information (337) regarding the authorized external access payload (339); providing, by an output module (336) executing on the computer device (1), the stored information (337) regarding the authorized external access payload (339) to a main partition (205) of the computing device (1); unlocking, by an authorized access unlock module (368) of the computing device (1), the computing device (1) when the computing device (1) is in a locked state and when a request to unlock the computing device (1) contained by the authorized external access payload (339) is received by the authorized access unlock module (368), wherein the unlocking gives the authorized external access entity (500) access to the main partition (205) of the computing device (1).
  5. The method of claim 4, wherein the digital signature (318) verified using the access verification key (335) is generated externally to the computing device (1).
  6. The method of claim 4 or 5, wherein storing in the access control module (330) information (337) regarding the authorized external access payload (339) is performed after the passage of some specified time.
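The flow of claims 1 to 6, as an added illustration in Go that is not part of the patent or of any implementation by the inventor: the external entity (500) signs a JSON payload with a key that never resides on the device, the access control module (330) accepts only requests that verify under the access verification key (335), logs the payload (337), unlocks a locked device when the payload asks for it (368), and the output module (336) releases a log entry to the main partition only after the delay the requester specified (claims 3 and 6). The JSON field names and the ed25519 choice are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Payload is a constructed encoding of the authorized external access payload (339).
type Payload struct {
	Requester   string `json:"requester"`
	Unlock      bool   `json:"unlock"`       // request to unlock the device
	RevealAfter int64  `json:"reveal_after"` // unix time before which the log entry stays hidden
}

// Device models the computing device (1): the access verification key (335), its lock state,
// and the stored information (337) about every payload that verified.
type Device struct {
	VerifyKey ed25519.PublicKey
	Locked    bool
	log       []Payload
}

// HandleRequest is the access control module (330): verify the signature first, then log, then act.
// A request that fails verification is neither executed nor logged.
func (d *Device) HandleRequest(body, sig []byte) error {
	if !ed25519.Verify(d.VerifyKey, body, sig) {
		return errors.New("access denied: signature does not verify under the access verification key")
	}
	var p Payload
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	d.log = append(d.log, p)
	if p.Unlock && d.Locked { // authorized access unlock module (368)
		d.Locked = false
	}
	return nil
}

// VisibleLog is the output module (336): the main partition sees an entry only once its delay has elapsed.
func (d *Device) VisibleLog(now time.Time) (out []Payload) {
	for _, p := range d.log {
		if !now.Before(time.Unix(p.RevealAfter, 0)) {
			out = append(out, p)
		}
	}
	return out
}
```

The external entity signs the marshalled JSON body with ed25519.Sign under its private key; tampering with the body or signing under any other key makes Verify fail, so the unlock never happens and nothing is recorded.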

Description

Technical Field

The present invention relates generally to computer security for individuals and corporations, and to the often competing requirement of law enforcement to sometimes request access to personal information stored on computers.

Background Art

There is prior art disclosing the design and implementation of partitions in a computing device. One example is an operating system that creates separate partitions for different users, and separate partitions for different applications used by one user.

Virtualization is a second example of a technique used to create partitions. A virtual machine monitor creates separate partitions that can each execute a separate operating system, such that applications executing in one virtual machine cannot access applications executing in another virtual machine. Virtual machines can be configured so that different users have access to different virtual machines, thus preventing a user of one virtual machine from accessing data of another user using a different virtual machine. There are numerous applications of virtualization for adding security to a computing device, such as US published patent application 2014/317667 to Vaidya et al. and US patent 8,756,696 to Miller, where virtual machines are used to deploy endpoint security services such as isolating software that may contain malware from other virtual machines on the system.

A third example of a technique used to create partitions consists of two separate microprocessors, each executing different software, with hardware to separate resources as required by the device. This third example is the case with Intel devices containing the Intel Management Engine (ME, later renamed Converged Security and Manageability Engine), which is a separate microprocessor from the main microprocessor. The ME can get input from the user and produce a display that cannot be viewed by any software executing on the main microprocessor.

A fourth example of a technique used to create partitions is illustrated by the ARM TrustZone technology, which provides for a normal OS and a secure OS to execute on the same processor, with the property that execution in the secure OS is protected from the normal OS. ARM has also implemented trusted input and display capabilities for TrustZone, as described in Trusted Execution Environment documents.

A fifth example of a technique used to create partitions is the Intel Software Guard Extensions (SGX). SGX provides an enclave to execute an application protected from all other software and firmware on the device. U.S. published patent application 20150086012 describes a method to add protected display to SGX, and U.S. published patent application 20140359305 describes a method to add protected input to SGX. SGX provides a method for providing an application-specific protected key to a partitioned application, a key that is dependent upon the security version number of the firmware launched at boot. This provides more security for applications than other methods that produce a key based on firmware but are not application specific, such as US published patent application 2006/0005046 to Hars.

Thus, there are five different approaches that provide partitions for executing software protected from other software on the system, and that provide secure input, output, and storage to the protected partition. However, none of these approaches meets all the requirements laid out in this invention. In particular, they do not provide for a computing device to require authorized access by law enforcement, while allowing the user to launch only approved applications that cannot be accessed by law enforcement.

There is prior art, for example US published patent application 2004/0015724, disclosing a system available to remote users who log in to the system to get access to data on the system. In this system, there are administrators of the system who have the capability to determine which users are allowed access to the system and what data and resources on the system are available to each user, and in addition to add or delete administrators of the system. Such a system would not be useful for providing authorized access by law enforcement, since an administrator of the system could simply turn off the access of law enforcement.

There is prior art, for example US published patent application 2007/0271592, disclosing a system for managing access to documents, in which a log is kept of the access requests to the system, and which also requires a user logon and password to provide access to the log. However, there is no prior art disclosing a system in which law enforcement is allowed authorized access to a device that cannot be blocked by any user of the device, and for which a log is kept of any access made by law enforcement, which the user can access at some future time that is set by law enforcement.

There is prior art disclosing the design and implementation of key escrow systems, wherein a key escrow agent is provided wi