Transparent client-side cryptography for network applications

US 10,007,797 B1
Filed: 07/24/2015
Issued: 06/26/2018
Est. Priority Date: 12/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method of storing encrypted data instead of plaintext data at a remote server designed to store plaintext data, the method comprising:

as implemented by one or more computing devices configured with specific computer-executable instructions,intercepting data addressed to a local network application, the data comprising first data and second data;

accessing metadata at a remote network application hosted by the remote server to determine whether a data field used to store data at the remote network application is capable of accepting encrypted data;

obtaining an indication that the data field does not natively accept encrypted data;

encrypting the first data with a first key to produce first encrypted data and encrypting the second data with a second key to produce second encrypted data;

encrypting a plurality of copies of the first key, using one or more key-encryption keys associated with a first set of users who are authorized to access the first data, to produce a plurality of encrypted first keys and encrypting a plurality of copies of the second key using one or more key-encryption keys associated with a second set of users who are authorized to access the second data, to produce a plurality of encrypted second keys, wherein at least one user from the first set of users is included in the second set of users;

generating a message that includes the first encrypted data and the second encrypted data, the plurality of encrypted first keys, and the plurality of encrypted second keys; and

overriding, at the remote server, native functionality of the remote network application to not store encrypted data in the data field by storing the message in the data field.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user'"'"'s private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.

39 Citations

View as Search Results

19 Claims

1. A method of storing encrypted data instead of plaintext data at a remote server designed to store plaintext data, the method comprising:
- as implemented by one or more computing devices configured with specific computer-executable instructions,intercepting data addressed to a local network application, the data comprising first data and second data;
  
  accessing metadata at a remote network application hosted by the remote server to determine whether a data field used to store data at the remote network application is capable of accepting encrypted data;
  
  obtaining an indication that the data field does not natively accept encrypted data;
  
  encrypting the first data with a first key to produce first encrypted data and encrypting the second data with a second key to produce second encrypted data;
  
  encrypting a plurality of copies of the first key, using one or more key-encryption keys associated with a first set of users who are authorized to access the first data, to produce a plurality of encrypted first keys and encrypting a plurality of copies of the second key using one or more key-encryption keys associated with a second set of users who are authorized to access the second data, to produce a plurality of encrypted second keys, wherein at least one user from the first set of users is included in the second set of users;
  
  generating a message that includes the first encrypted data and the second encrypted data, the plurality of encrypted first keys, and the plurality of encrypted second keys; and
  
  overriding, at the remote server, native functionality of the remote network application to not store encrypted data in the data field by storing the message in the data field.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising sending the message to the local network application, wherein the local network application is configured to route the message to the remote network application for storage.
  - 3. The method of claim 1, further comprising sending the message to the remote network application for storage without providing the message to the local network application.
  - 4. The method of claim 1, wherein the message is formatted based on a storage format of the remote network application so as to be storable at the remote content site in place of the intercepted data.
  - 5. The method of claim 4, wherein the storage format comprises a data encoding type supported by the remote network application.
  - 6. The method of claim 3, further comprising:
    - receiving an identifier of a new user who is authorized to access at least the first data at the remote network application;
      
      obtaining access to a key encryption-key of the new user;
      
      encrypting another copy of the first key using the key-encryption key of the new user to obtain an encrypted first key associated with the new user;
      
      generating a second message comprising the first encrypted data and the second encrypted data, the plurality of encrypted first keys, the plurality of encrypted second keys, and the encrypted first key associated with the new user; and
      
      causing the message at the remote network application to be replaced with the second message.
  - 7. The method of claim 1, further comprising sending test data to the remote network application to confirm whether a storage format is supported by the remote network application.

8. A system comprising:
- an interactive computing system comprising computer hardware, the interactive computing system configured to at least;
  
  intercept data addressed to a local network application by a first user, the data comprising first data and second data;
  
  determine whether a data field used to store data at a remote network application hosted by a remote network system is capable of accepting encrypted data;
  
  obtain an indication that the data field is designated as not accepting encrypted data;
  
  provide the first user with an option to override the designation that the data field does not accept encrypted data; and
  
  in response to receiving from the first user an indication to override the designation that the data field does not accept encrypted data;
  
  encrypt the first data with a first key to obtain first encrypted data and encrypt the second data with a second key to produce second encrypted data;
  
  generate an encrypted first key by at least encrypting a copy of the first key with a third key associated with a second user whom the first user has authorized to access the first data at the remote network application;
  
  generate an encrypted second key by at least encrypting a copy of the second key with a fourth key associated with a third user whom the first user has authorized to access the second data;
  
  generate a message comprising the first encrypted data, the second encrypted data, the encrypted first key, and the encrypted second key; and
  
  provide the message for storage in the data field to the remote network application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the interactive computing system is further configured to at least generate a second encrypted first key by encrypting a second copy of the first key with a fifth key associated with a fourth user whom the first user has authorized to access the first portion of the intercepted data at the remote network application, the fifth key differing from the third key, wherein the message further comprises the second encrypted first key.
  - 10. The system of claim 8, wherein the interactive computing system is further configured to at least provide the message to the local network application, wherein the local network application is configured to route the message to the remote network application for storage.
  - 11. The system of claim 8, wherein the interactive computing system is further configured to at least provide the message to the remote network application for storage without providing the message to the local network application.
  - 12. The system of claim 8, wherein the interactive computing system is further configured to at least format the message based on a storage format supported by the remote network application enabling the message to be stored in place of the intercepted data at the remote network application.
  - 13. The system of claim 8, wherein the interactive computing system is further configured to at least confirm whether a storage format is supported by the remote network application by at least sending test data to the remote network application.
  - 14. The system of claim 8, wherein, after a copy of the message is provided to the remote network application, the interactive computing system is further configured to at least:
    - receive an identifier of a fourth user who is authorized to access at least the first data at the remote network application;
      
      obtain access to a key encryption-key of the fourth user;
      
      encrypt a second copy of the first key to obtain a second encrypted first key associated with the fourth user;
      
      generate a second message comprising the first encrypted data, the second encrypted data, the encrypted first key, the second encrypted first key associated with the fourth user, and the encrypted second key; and
      
      cause the copy of the message at the remote network application to be replaced with the second message.

15. A computer-readable, non-transitory storage medium storing computer executable instructions that, when executed by one or more computing devices, configure the one or more computing devices to perform operations comprising:
- intercepting data of a first user addressed to a local network application, the data comprising first data and second data;
  
  determining whether a data field used to store data at a remote network application hosted by a remote network server is capable of accepting encrypted data;
  
  obtaining an indication that the data field does not natively accept encrypted data;
  
  encrypting first data with a first key to obtain first encrypted data and encrypting the second data with a second key to produce second encrypted data;
  
  generating an encrypted first key by at least encrypting a copy of the first key with a third key associated with a second user whom the first user has authorized to access the first data at the remote network application;
  
  generating an encrypted second key by at least encrypting a copy of the second key with a fourth key associated with a third user whom the first user has authorized to access the second data;
  
  andstoring the first encrypted data, the second encrypted data, the encrypted first key, and the encrypted second key at the data field.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-readable, non-transitory storage medium of claim 15, wherein the operations further comprise:
    - generating a second encrypted first key by encrypting a second copy of the first key with a fifth key associated with a fourth user whom the first user has authorized to access the first data at the remote network application, the fifth key differing from the third key; and
      
      storing the second encrypted first key at the data field with the first encrypted data, the second encrypted data, the encrypted first key, and the encrypted second key.
  - 17. The computer-readable, non-transitory storage medium of claim 15, wherein the operations further comprise providing the first encrypted data and the encrypted first key to the local network application, wherein the local network application is configured to route the first encrypted data, the second encrypted data, the encrypted first key, and the encrypted second key to the remote network application for storage.
  - 18. The computer-readable, non-transitory storage medium of claim 15, wherein the operations further comprise providing the first encrypted data, the second encrypted data, the encrypted first key, and the encrypted second key to the remote network application for storage without providing the encrypted data and the encrypted first key to the local network application.
  - 19. The computer-readable, non-transitory storage medium of claim 15, wherein the operations further comprise:
    - receiving an identifier of a fourth user who is authorized to access at least the first data at the remote network application;
      
      obtaining access to a key encryption-key of the fourth user;
      
      encrypting a second copy of the first key to obtain a second encrypted first key associated with the fourth user;
      
      generating a message comprising the first encrypted data, the second encrypted data, the encrypted first key, the second encrypted first key associated with the fourth user, and the encrypted second key; and
      
      causing contents of the data field at the remote network application to be replaced with the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Miller, Kevin C.
Primary Examiner(s)
Parsons, Theodore C

Application Number

US14/808,988
Time in Patent Office

1,068 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

H04L 9/088   Usage controlling of secret...

H04L 9/14   using a plurality of keys o...

Transparent client-side cryptography for network applications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent client-side cryptography for network applications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links