Cloud storage encryption

US 10,043,029 B2
Filed: 11/15/2017
Issued: 08/07/2018
Est. Priority Date: 04/04/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securing a plaintext file F_pas an encrypted, ciphertext file F_cin a cloud storage, said method comprising the steps of:

(a) providing a user U₁using a client device, a network-based access to said cloud storage;

(b) assigning to said plaintext file F_p, a symmetric file-key FK;

(c) using a first authenticated encryption to encrypt each block M_iof said plaintext file F_pwith said file-key FK by utilizing a corresponding initialization vector IV_ito obtain a corresponding encrypted block C_iand a corresponding authentication tag T_i;

(d) storing in said cloud storage, a corresponding data block *C_iof said encrypted, ciphertext file F_c, said data block *C_icomprising a sequence number of said corresponding block M_i, said corresponding initialization vector IV_i, said corresponding encrypted block C_iand said corresponding authentication tag T_i;

(e) using a second authenticated encryption to encrypt said file-key FK by a symmetric wrapping-key WK by utilizing an initialization vector IV_FKto obtain a wrapped-file-key WFK and an authentication tag T_FK;

(f) storing said wrapping-key WK in a key manager in accordance with a security policy; and

(g) storing a rotation date of said wrapping-key WK, a wrapping-key ID of said wrapping-key WK and said wrapped-file-key WFK in a metadata of said encrypted, ciphertext file F_c.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for securing data in a cloud storage. Plaintext files are stored as secured, encrypted files in the cloud. The ciphering scheme employs per-block authenticated encryption and decryption. A unique file-key is used to encrypt each file. The file-key is wrapped by authenticated encryption in a wrapping-key that may be shared between files. A centralized security policy contains policy definitions which determine which files will share the wrapping-key. Wrapping-keys are stored in a KMIP compliant key manager which may be backed by a hardware security module (HSM). File metadata is further protected by a keyed-hash message authentication code (HMAC). A policy engine along with administrative tools enforce the security policy which also remains encrypted in the system.

89 Citations

View as Search Results

21 Claims

1. A computer-implemented method for securing a plaintext file F_pas an encrypted, ciphertext file F_cin a cloud storage, said method comprising the steps of:
- (a) providing a user U₁using a client device, a network-based access to said cloud storage;
  
  (b) assigning to said plaintext file F_p, a symmetric file-key FK;
  
  (c) using a first authenticated encryption to encrypt each block M_iof said plaintext file F_pwith said file-key FK by utilizing a corresponding initialization vector IV_ito obtain a corresponding encrypted block C_iand a corresponding authentication tag T_i;
  
  (d) storing in said cloud storage, a corresponding data block *C_iof said encrypted, ciphertext file F_c, said data block *C_icomprising a sequence number of said corresponding block M_i, said corresponding initialization vector IV_i, said corresponding encrypted block C_iand said corresponding authentication tag T_i;
  
  (e) using a second authenticated encryption to encrypt said file-key FK by a symmetric wrapping-key WK by utilizing an initialization vector IV_FKto obtain a wrapped-file-key WFK and an authentication tag T_FK;
  
  (f) storing said wrapping-key WK in a key manager in accordance with a security policy; and
  
  (g) storing a rotation date of said wrapping-key WK, a wrapping-key ID of said wrapping-key WK and said wrapped-file-key WFK in a metadata of said encrypted, ciphertext file F_c.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, implementing said security policy by utilizing a policy engine and administrative tools.
  - 3. The method of claim 2, routing said network-based access via a proxy server residing in the same network as said policy engine.
  - 4. The method of claim 1, storing said initialization vector IV_FKand said authentication tag T_FKin said metadata of said encrypted, ciphertext file F_c.
  - 5. The method of claim 1, using Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) for said first authenticated encryption and said second authenticated encryption.
  - 6. The method of claim 1, performing said step (c) in a shim layer configured above an application programming interface (API) of said cloud storage, said shim layer intercepting and servicing storage requests generated on said client device.
  - 7. The method of claim 6, providing said storage requests to comprise one or more of a Get, a Put and a Copy operation.
  - 8. The method of claim 6, configuring said shim layer to perform authenticated decryption of said encrypted block C_ito obtain corresponding said block M_iof said plaintext file F_p.
  - 9. The method of claim 1, providing a representational state transfer (REST) server to perform said step (c).
  - 10. The method of claim 1, cryptographically protecting said metadata from modification by computing a hash message authentication code (HMAC).
  - 11. The method of claim 1, configuring said key manager to also reside in the same cloud where said cloud storage resides.
  - 12. The method of claim 1, encrypting said wrapping-key WK by a master key stored in a physical and hardened hardware security module (HSM).

13. A cloud storage encryption system comprising at least one memory device storing computer-readable instructions, at least one microprocessor coupled to said at least one memory device for executing said computer-readable instructions, said system further comprising a client device with network-based access to a cloud storage and said at least one microprocessor configured to:
- (a) assign a symmetric file-key FK to a plaintext file F_p;
  
  (b) use a first authenticated encryption to encrypt each block M_iof said plaintext file F_pwith said file-key FK by utilizing a corresponding initialization vector IV_ito obtain a corresponding encrypted block C_iand a corresponding authentication tag T_i;
  
  (c) store in said cloud storage a corresponding data block *C_iof an encrypted, ciphertext file F_c, said data block *C_icomprising a sequence number of said corresponding block M_i, said corresponding initialization vector IV_i, said corresponding encrypted block C_iand said corresponding authentication tag T_i;
  
  (d) in accordance with a security policy, use a second authenticated encryption to encrypt said file-key FK by a symmetric wrapping-key WK by utilizing an initialization vector IV_FKto obtain a wrapped-file-key WFK and an authentication tag T_FK, and store said wrapping-key WK in a key manager; and
  
  (e) store a rotation date of said file-key FK, a rotation date of said wrapping-key WK, a wrapping-key ID of said wrapping-key WK and said wrapped-file-key WFK in a metadata of said encrypted, ciphertext file F_c.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The cloud storage encryption system of claim 13 wherein said cloud storage is hosted at one of an Amazon Web Services (AWS) data centers, Google Cloud data centers and Microsoft Azure data centers.
  - 15. The cloud storage encryption system of claim 13, wherein a policy engine and administrative tools are utilized to enforce said security policy.
  - 16. The cloud storage encryption system of claim 13, wherein said network-based access of said client device to said cloud storage is routed via a representational state transfer (REST) proxy server.
  - 17. The cloud storage encryption system of claim 13, wherein said first authenticated encryption and said second authenticated encryption are performed using Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM).
  - 18. The cloud storage encryption system of claim 13 wherein said cloud storage is hosted at the data centers of multiple cloud storage vendors.
  - 19. The cloud storage encryption system of claim 13, wherein said first authenticated encryption is performed in a shim layer provided above an application programming interface (API) of said cloud storage, and wherein said shim layer intercepts and services storage requests from said client device, and wherein said storage requests comprise one or more of a Get, a Put and a Copy operation.
  - 20. The cloud storage encryption system of claim 19, wherein said metadata is cryptographically protecting by a hash message authentication code (HMAC).
  - 21. The cloud storage encryption system of claim 20, wherein a physical hardware security module (HSM) is used for storing a master key that is used for encrypting said wrapping-key WK.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zettaset Incorporated
Original Assignee
Zettaset Incorporated
Inventors
Murray, Eric A.
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US15/813,943
Publication Number

US 20180082076A1
Time in Patent Office

265 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0631   Substitution permutation ne...

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0822   using key encryption key

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/3242   involving keyed hash functi...

Cloud storage encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud storage encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links