Transparent client-side cryptography for network applications
First Claim
1. A method of storing encrypted data instead of plaintext data at a remote server designed to store plaintext data, the method comprising:
as implemented by one or more computing devices configured with specific computer-executable instructions, intercepting data addressed to a local network application, the data comprising first data and second data;
accessing metadata at a remote network application hosted by the remote server to determine whether a data field used to store data at the remote network application is capable of accepting encrypted data;
obtaining an indication that the data field does not natively accept encrypted data;
encrypting the first data with a first key to produce first encrypted data and encrypting the second data with a second key to produce second encrypted data;
encrypting a plurality of copies of the first key, using one or more key-encryption keys associated with a first set of users who are authorized to access the first data, to produce a plurality of encrypted first keys and encrypting a plurality of copies of the second key using one or more key-encryption keys associated with a second set of users who are authorized to access the second data, to produce a plurality of encrypted second keys, wherein at least one user from the first set of users is included in the second set of users;
generating a message that includes the first encrypted data and the second encrypted data, the plurality of encrypted first keys, and the plurality of encrypted second keys; and
overriding, at the remote server, native functionality of the remote network application to not store encrypted data in the data field by storing the message in the data field.
Abstract
In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user's private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.
39 Citations
19 Claims
1. Claim 1, as set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising:
an interactive computing system comprising computer hardware, the interactive computing system configured to at least:
intercept data addressed to a local network application by a first user, the data comprising first data and second data;
determine whether a data field used to store data at a remote network application hosted by a remote network system is capable of accepting encrypted data;
obtain an indication that the data field is designated as not accepting encrypted data;
provide the first user with an option to override the designation that the data field does not accept encrypted data; and
in response to receiving from the first user an indication to override the designation that the data field does not accept encrypted data:
encrypt the first data with a first key to obtain first encrypted data and encrypt the second data with a second key to produce second encrypted data;
generate an encrypted first key by at least encrypting a copy of the first key with a third key associated with a second user whom the first user has authorized to access the first data at the remote network application;
generate an encrypted second key by at least encrypting a copy of the second key with a fourth key associated with a third user whom the first user has authorized to access the second data;
generate a message comprising the first encrypted data, the second encrypted data, the encrypted first key, and the encrypted second key; and
provide the message for storage in the data field to the remote network application.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer-readable, non-transitory storage medium storing computer-executable instructions that, when executed by one or more computing devices, configure the one or more computing devices to perform operations comprising:
intercepting data of a first user addressed to a local network application, the data comprising first data and second data;
determining whether a data field used to store data at a remote network application hosted by a remote network server is capable of accepting encrypted data;
obtaining an indication that the data field does not natively accept encrypted data;
encrypting the first data with a first key to obtain first encrypted data and encrypting the second data with a second key to produce second encrypted data;
generating an encrypted first key by at least encrypting a copy of the first key with a third key associated with a second user whom the first user has authorized to access the first data at the remote network application;
generating an encrypted second key by at least encrypting a copy of the second key with a fourth key associated with a third user whom the first user has authorized to access the second data; and
storing the first encrypted data, the second encrypted data, the encrypted first key, and the encrypted second key at the data field.
Dependent claims: 16, 17, 18, 19.
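The envelope scheme that claims 1, 8 and 15 describe, as an added Go example that is not from the patent: each field is encrypted under its own data key, that key is sealed once for every user authorized on the field, and the two user sets may overlap, so one user can unwrap both keys while another can unwrap only one. It assumes AES-GCM for both layers and a symmetric 32-byte key-encryption key (KEK) per user (the patent fixes neither key types nor a message format), and leaves serialising the Field values into the remote text field to the caller (json.Marshal of them is plain text, since []byte marshals as base64); the metadata check and user-override steps of the claims are not modelled.

```go
package main
import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

type Field struct { // one encrypted field of the message (assumed layout; the patent fixes none)
	Ciphertext  []byte            // AES-GCM ciphertext of the field data
	WrappedKeys map[string][]byte // user id -> data key sealed under that user's KEK
}

// seal returns nonce||ciphertext and open reverses it; used for field data and key wrapping alike.
func seal(key, pt []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(b) // cannot fail: AES has a 16-byte block
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error in current Go
	return g.Seal(nonce, nonce, pt, nil), nil
}
func open(key, ct []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(b)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// SealField (sending client): fresh 256-bit data key for this field, wrapped once
// per authorized user. keks maps user id -> 32-byte KEK (assumed symmetric here).
func SealField(pt []byte, users []string, keks map[string][]byte) (Field, error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	ct, err := seal(dataKey, pt)
	if err != nil { return Field{}, err }
	f := Field{Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for _, u := range users { // a listed user with no KEK on record is an error
		if f.WrappedKeys[u], err = seal(keks[u], dataKey); err != nil { return Field{}, err }
	}
	return f, nil
}

// ReadField (receiving client): unwrap the data key with this user's KEK, which
// only succeeds if the sender authorized the user, then decrypt the field.
func ReadField(f Field, user string, kek []byte) ([]byte, error) {
	wrapped, ok := f.WrappedKeys[user]
	if !ok { return nil, errors.New(user + " has no wrapped key for this field") }
	dataKey, err := open(kek, wrapped)
	if err != nil { return nil, err }
	return open(dataKey, f.Ciphertext)
}
```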
Specification