-
Publication number: US10972445B2
Publication date: 2021-04-06
Application number: US15800625
Application date: 2017-11-01
Applicant: Citrix Systems, Inc.
Inventor: Benjamin Elliot Tucker , Timothy Ray Gaylor
Abstract: Aspects of the disclosure relate to dynamic crypto key management for mobility in a cloud environment. A computing platform may receive a request to generate a new tenant master key and a new server recovery key. Subsequently, the computing platform may send the new tenant master key and the new server recovery key to a cloud-based key vault server. The computing platform may send the encrypted server recovery key to a tenant database. As a result, the computing platform may provision the enrollment servers with the encrypted server recovery key. In some embodiments, the enrollment servers are configured to manage enrollment of policy-managed devices in a policy enforcement scheme and to authenticate with the key update service based on the encrypted server recovery key.
-
Publication number: US09690954B2
Publication date: 2017-06-27
Application number: US14855824
Application date: 2015-09-16
Applicant: Citrix Systems, Inc.
Inventor: Joseph Nord , Timothy Gaylor , Benjamin Elliot Tucker
IPC: H04L9/14 , G06F21/79 , G06F21/60 , G06F21/78 , G06F21/80 , H04L9/18 , G06F3/06 , H04L9/08 , H04L29/06
CPC classification number: G06F21/79 , G06F3/0623 , G06F3/0664 , G06F21/602 , G06F21/78 , G06F21/80 , G06F2221/2107 , H04L9/0822 , H04L9/0861 , H04L9/0886 , H04L9/0894 , H04L9/14 , H04L9/3234 , H04L63/0428
Abstract: Securing encrypted virtual hard disks may include a variety of processes. In one example, a virtual hard disk is created for a user and encrypted with a volume key, and the volume key is placed in an administrator header. The administrator header may be encrypted with a protection key, the protection key being created from a user identifier corresponding to the user, a volume identifier corresponding to the virtual hard disk, and two cryptographic secrets. The protection key may then be destroyed after encrypting the administrator header and therefore might never leave the encryption engine. The two cryptographic secrets may be stored in separate storage locations, one accessible to the user and the other accessible to administrators. Accordingly, the protection key might never be transmitted or intercepted, and no single entity may be compromised to gain access to all of the information needed to recreate the protection key.
-
Publication number: US09805210B2
Publication date: 2017-10-31
Application number: US14632601
Application date: 2015-02-26
Applicant: Citrix Systems, Inc.
Inventor: Joseph Nord , Benjamin Elliot Tucker , Timothy Gaylor
CPC classification number: G06F21/6218 , G06F9/00 , G06F17/30 , G06F21/602 , H04L9/0861 , H04L9/0869 , H04L9/12 , H04L63/064 , H04L63/0807 , H04L63/083 , H04L63/105
Abstract: Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token, the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.
-
Publication number: US20210218722A1
Publication date: 2021-07-15
Application number: US17219972
Application date: 2021-04-01
Applicant: Citrix Systems, Inc.
Inventor: Timothy Ray Gaylor , Benjamin Elliot Tucker
IPC: H04L29/06 , H04L9/08 , H04W12/0431
Abstract: Aspects of the disclosure relate to dynamic crypto key management for mobility in a cloud environment. A computing platform may receive a request to generate a new tenant master key and a new server recovery key. Subsequently, the computing platform may send the new tenant master key and the new server recovery key to a cloud-based key vault server. The computing platform may send the encrypted server recovery key to a tenant database. As a result, the computing platform may provision the enrollment servers with the encrypted server recovery key. In some embodiments, the enrollment servers are configured to manage enrollment of policy-managed devices in a policy enforcement scheme and to authenticate with the key update service based on the encrypted server recovery key.
-
Publication number: US09166787B2
Publication date: 2015-10-20
Application number: US14178598
Application date: 2014-02-12
Applicant: Citrix Systems, Inc.
Inventor: Joseph Harry Nord , Timothy Gaylor , Benjamin Elliot Tucker
CPC classification number: G06F21/79 , G06F3/0623 , G06F3/0664 , G06F21/602 , G06F21/78 , G06F21/80 , G06F2221/2107 , H04L9/0822 , H04L9/0861 , H04L9/0886 , H04L9/0894 , H04L9/14 , H04L9/3234 , H04L63/0428
Abstract: Securing encrypted virtual hard disks may include a variety of processes. In one example, a virtual hard disk is created for a user and encrypted with a volume key, and the volume key is placed in an administrator header. The administrator header may be encrypted with a protection key, the protection key being created from a user identifier corresponding to the user, a volume identifier corresponding to the virtual hard disk, and two cryptographic secrets. The protection key may then be destroyed after encrypting the administrator header and therefore might never leave the encryption engine. The two cryptographic secrets may be stored in separate storage locations, one accessible to the user and the other accessible to administrators. Accordingly, the protection key might never be transmitted or intercepted, and no single entity may be compromised to gain access to all of the information needed to recreate the protection key.
-
Publication number: US11627120B2
Publication date: 2023-04-11
Application number: US17219972
Application date: 2021-04-01
Applicant: Citrix Systems, Inc.
Inventor: Timothy Ray Gaylor , Benjamin Elliot Tucker
IPC: H04L9/40 , H04L9/08 , H04W12/0431
Abstract: Aspects of the disclosure relate to dynamic crypto key management for mobility in a cloud environment. A computing platform may receive a request to generate a new tenant master key and a new server recovery key. Subsequently, the computing platform may send the new tenant master key and the new server recovery key to a cloud-based key vault server. The computing platform may send the encrypted server recovery key to a tenant database. As a result, the computing platform may provision the enrollment servers with the encrypted server recovery key. In some embodiments, the enrollment servers are configured to manage enrollment of policy-managed devices in a policy enforcement scheme and to authenticate with the key update service based on the encrypted server recovery key.
-
Publication number: US20150169892A1
Publication date: 2015-06-18
Application number: US14632601
Application date: 2015-02-26
Applicant: Citrix Systems, Inc.
Inventor: Joseph Nord , Benjamin Elliot Tucker , Timothy Gaylor
CPC classification number: G06F21/6218 , G06F9/00 , G06F17/30 , G06F21/602 , H04L9/0861 , H04L9/0869 , H04L9/12 , H04L63/064 , H04L63/0807 , H04L63/083 , H04L63/105
Abstract: Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token, the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.
-
Publication number: US20140164774A1
Publication date: 2014-06-12
Application number: US13712333
Application date: 2012-12-12
Applicant: CITRIX SYSTEMS, INC.
Inventor: Joseph Nord , Benjamin Elliot Tucker , Timothy Gaylor
IPC: H04L9/08
CPC classification number: G06F21/6218 , G06F9/00 , G06F17/30 , G06F21/602 , H04L9/0861 , H04L9/0869 , H04L9/12 , H04L63/064 , H04L63/0807 , H04L63/083 , H04L63/105
Abstract: Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user's authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token, the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.
-
Publication number: US20190132299A1
Publication date: 2019-05-02
Application number: US15800625
Application date: 2017-11-01
Applicant: Citrix Systems, Inc.
Inventor: Benjamin Elliot Tucker , Timothy Ray Gaylor
Abstract: Aspects of the disclosure relate to dynamic crypto key management for mobility in a cloud environment. A computing platform may receive a request to generate a new tenant master key and a new server recovery key. Subsequently, the computing platform may send the new tenant master key and the new server recovery key to a cloud-based key vault server. The computing platform may send the encrypted server recovery key to a tenant database. As a result, the computing platform may provision the enrollment servers with the encrypted server recovery key. In some embodiments, the enrollment servers are configured to manage enrollment of policy-managed devices in a policy enforcement scheme and to authenticate with the key update service based on the encrypted server recovery key.
-
Publication number: US20160004885A1
Publication date: 2016-01-07
Application number: US14855824
Application date: 2015-09-16
Applicant: Citrix Systems, Inc.
Inventor: Joseph Nord , Timothy Gaylor , Benjamin Elliot Tucker
CPC classification number: G06F21/79 , G06F3/0623 , G06F3/0664 , G06F21/602 , G06F21/78 , G06F21/80 , G06F2221/2107 , H04L9/0822 , H04L9/0861 , H04L9/0886 , H04L9/0894 , H04L9/14 , H04L9/3234 , H04L63/0428
Abstract: Securing encrypted virtual hard disks may include a variety of processes. In one example, a virtual hard disk is created for a user and encrypted with a volume key, and the volume key is placed in an administrator header. The administrator header may be encrypted with a protection key, the protection key being created from a user identifier corresponding to the user, a volume identifier corresponding to the virtual hard disk, and two cryptographic secrets. The protection key may then be destroyed after encrypting the administrator header and therefore might never leave the encryption engine. The two cryptographic secrets may be stored in separate storage locations, one accessible to the user and the other accessible to administrators. Accordingly, the protection key might never be transmitted or intercepted, and no single entity may be compromised to gain access to all of the information needed to recreate the protection key.
-