Cloud storage encryption
First Claim
1. A computer-implemented method for securing a plaintext file Fp as an encrypted, ciphertext file Fc in a cloud storage, said method comprising the steps of:
   (a) providing a user U1 using a client device, a network-based access to said cloud storage;
   (b) assigning to said plaintext file Fp, a symmetric file-key FK;
   (c) using a first authenticated encryption to encrypt each block Mi of said plaintext file Fp with said file-key FK by utilizing a corresponding initialization vector IVi to obtain a corresponding encrypted block Ci and a corresponding authentication tag Ti;
   (d) storing in said cloud storage, a corresponding data block *Ci of said encrypted, ciphertext file Fc, said data block *Ci comprising a sequence number of said corresponding block Mi, said corresponding initialization vector IVi, said corresponding encrypted block Ci and said corresponding authentication tag Ti;
   (e) using a second authenticated encryption to encrypt said file-key FK by a symmetric wrapping-key WK by utilizing an initialization vector IVFK to obtain a wrapped-file-key WFK and an authentication tag TFK;
   (f) storing said wrapping-key WK in a key manager in accordance with a security policy; and
   (g) storing a rotation date of said wrapping-key WK, a wrapping-key ID of said wrapping-key WK and said wrapped-file-key WFK in a metadata of said encrypted, ciphertext file Fc.
Abstract
Techniques are disclosed for securing data in cloud storage. Plaintext files are stored as secured, encrypted files in the cloud. The ciphering scheme employs per-block authenticated encryption and decryption. A unique file-key is used to encrypt each file. The file-key is wrapped by authenticated encryption under a wrapping-key that may be shared between files. A centralized security policy contains policy definitions that determine which files share a wrapping-key. Wrapping-keys are stored in a KMIP-compliant key manager, which may be backed by a hardware security module (HSM). File metadata is further protected by a keyed-hash message authentication code (HMAC). A policy engine, together with administrative tools, enforces the security policy, which itself remains encrypted in the system.
21 Claims
1. (Independent claim; recited in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A cloud storage encryption system comprising at least one memory device storing computer-readable instructions, at least one microprocessor coupled to said at least one memory device for executing said computer-readable instructions, said system further comprising a client device with network-based access to a cloud storage and said at least one microprocessor configured to:
   (a) assign a symmetric file-key FK to a plaintext file Fp;
   (b) use a first authenticated encryption to encrypt each block Mi of said plaintext file Fp with said file-key FK by utilizing a corresponding initialization vector IVi to obtain a corresponding encrypted block Ci and a corresponding authentication tag Ti;
   (c) store in said cloud storage a corresponding data block *Ci of an encrypted, ciphertext file Fc, said data block *Ci comprising a sequence number of said corresponding block Mi, said corresponding initialization vector IVi, said corresponding encrypted block Ci and said corresponding authentication tag Ti;
   (d) in accordance with a security policy, use a second authenticated encryption to encrypt said file-key FK by a symmetric wrapping-key WK by utilizing an initialization vector IVFK to obtain a wrapped-file-key WFK and an authentication tag TFK, and store said wrapping-key WK in a key manager; and
   (e) store a rotation date of said file-key FK, a rotation date of said wrapping-key WK, a wrapping-key ID of said wrapping-key WK and said wrapped-file-key WFK in a metadata of said encrypted, ciphertext file Fc.
   Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21.
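The envelope scheme recited in claims 1 and 13, as an added example that is not part of the patent: each block Mi is encrypted under FK with its own IVi and a tag Ti that also binds the block's sequence number, FK is wrapped under WK with IVFK to give WFK and TFK, and the metadata carries the wrapping-key ID, its rotation date and WFK. The page names no cipher, so the "authenticated encryption" here is an Encrypt-then-MAC construction built only from HMAC-SHA256 (an assumption standing in for a cipher such as AES-GCM); the 64-byte block size, the 12-byte IVs, the dict used as key manager and all sample inputs are constructed, and the abstract's HMAC over the metadata is omitted.

```python
import hmac, hashlib, os

BLOCK = 64      # plaintext bytes per block Mi (constructed; the page gives no size)
IV_LEN = 12     # IVi / IVFK length (constructed)

def _subkeys(key):
    # Derive separate encryption and MAC keys from FK or WK.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def aead_encrypt(key, iv, msg, aad=b""):
    """Encrypt-then-MAC AEAD from HMAC-SHA256 only (stand-in for e.g. AES-GCM)."""
    ek, mk = _subkeys(key)
    ct = b"".join(bytes(p ^ k for p, k in zip(msg[n:n + 32],
                  hmac.new(ek, iv + n.to_bytes(4, "big"), hashlib.sha256).digest()))
                  for n in range(0, len(msg), 32))
    tag = hmac.new(mk, aad + iv + ct, hashlib.sha256).digest()   # tag covers aad, IV, C
    return ct, tag

def aead_decrypt(key, iv, ct, tag, aad=b""):
    mk = _subkeys(key)[1]
    if not hmac.compare_digest(tag, hmac.new(mk, aad + iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return aead_encrypt(key, iv, ct, aad)[0]   # keystream XOR is its own inverse

def encrypt_file(fp, fk, wk, wk_id, wk_rotation_date):
    """Steps (c)-(e),(g) of claim 1: per-block AEAD under FK, FK wrapped under WK, metadata."""
    blocks = []
    for seq, off in enumerate(range(0, len(fp), BLOCK)):
        iv = os.urandom(IV_LEN)                  # fresh IVi per block
        ci, ti = aead_encrypt(fk, iv, fp[off:off + BLOCK], seq.to_bytes(8, "big"))
        blocks.append({"seq": seq, "iv": iv, "c": ci, "tag": ti})   # data block *Ci
    iv_fk = os.urandom(IV_LEN)
    wfk, t_fk = aead_encrypt(wk, iv_fk, fk, wk_id.encode())          # WFK, TFK
    meta = {"wk_id": wk_id, "wk_rotation_date": wk_rotation_date,
            "iv_fk": iv_fk, "wfk": wfk, "t_fk": t_fk}
    return {"meta": meta, "blocks": blocks}

def decrypt_file(fc, key_manager):
    """Unwrap FK via the key manager, then verify and decrypt blocks in sequence order."""
    m = fc["meta"]
    wk = key_manager[m["wk_id"]]                 # WK looked up by wrapping-key ID
    fk = aead_decrypt(wk, m["iv_fk"], m["wfk"], m["t_fk"], m["wk_id"].encode())
    out = bytearray()
    for expected, b in enumerate(sorted(fc["blocks"], key=lambda b: b["seq"])):
        if b["seq"] != expected:
            raise ValueError("missing or duplicated block %d" % expected)
        out += aead_decrypt(fk, b["iv"], b["c"], b["tag"], expected.to_bytes(8, "big"))
    return bytes(out)
```

Because the sequence number is authenticated together with each block, a stored file whose blocks have been reordered or whose sequence numbers have been rewritten fails verification instead of decrypting to shuffled plaintext.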