Distributed encryption and access control scheme in a cloud environment

US 10,083,307 B2
Filed: 05/05/2016
Issued: 09/25/2018
Est. Priority Date: 12/26/2012
Status: Active Grant

First Claim

Patent Images

1. A method for selectively assisting a decryption process of an encrypted file entity, the method comprises:

receiving, from a computerized system, a first encrypted file entity key and signed access metadata,wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;

wherein the signed access metadata is signed by the file entity key;

wherein the encrypted file entity is created by encrypting a file entity using the file entity key;

determining whether to facilitate the decryption of the encrypted file entity by the computerized system;

sending a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system; and

preventing the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is proposed that contemplates systems, methods, and computer-readable storage mediums to support receiving, from a computerized system, a first encrypted file entity key and signed access metadata, wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key, the signed access metadata is signed by the file entity key and the encrypted file entity is created by encrypting a file entity using the file entity key. The approach then determines whether to facilitate the decryption of the encrypted file entity by the computerized system and sends a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption. The approach prevents the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.

35 Citations

20 Claims

1. A method for selectively assisting a decryption process of an encrypted file entity, the method comprises:
- receiving, from a computerized system, a first encrypted file entity key and signed access metadata,wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
  
  determining whether to facilitate the decryption of the encrypted file entity by the computerized system;
  
  sending a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system; and
  
  preventing the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1 wherein the file entity is a file.
  - 3. The method according to claim 1 wherein the file entity is a first portion of a file.
  - 4. The method according to claim 3, wherein the file further comprises a second file portion that is not encrypted by the file entity key.
  - 5. The method according to claim 1 wherein the first encrypted file entity key and the signed access metadata are received from the computerized system via another computerized system.
  - 6. The method according to claim 1 wherein the first encrypted file entity key, the signed access metadata, and the encrypted file entity are created, signed, and encrypted by one or more computerized systems other than the computerized system.
  - 7. The method according to claim 1 comprising determining not to facilitate the decryption of the encrypted file entity by the computerized system if the signed access data is invalid.
  - 8. The method according to claim 1 comprising determining whether to facilitate the decryption of the encrypted file entity by the computerized system based a content of the signed access data if the signed access data is valid.
  - 9. The method according to claim 1 wherein the signed access metadata comprises information about one or more computerized systems that are entitled to decrypt the encrypted file entity.

10. A method for selectively assisting a decryption process of an encrypted file entity, the method comprises:
- receiving, from a computerized system, a double encrypted file entity key and signed access metadata;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
  
  wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key using a second encryption key;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
  
  determining whether the computerized system is entitled to decrypt the file entity;
  
  preventing from assisting the computerized system to decrypt the encrypted file entity if it is determined that the computerized system is not entitled to decrypt the file entity;
  
  decrypting the double encrypted file entity key to provide the first encrypted file entity key if it is determined that the computerized system is entitled to decrypt the file entity;
  
  sending a second encrypted file entity key to the computerized system, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method according to claim 10 wherein the file entity is a file.
  - 12. The method according to claim 10 wherein the file entity is a first portion of a file.
  - 13. The method according to claim 12, wherein the file further comprises a second file portion that is not encrypted by the file entity key.
  - 14. The method according to claim 10 wherein one or more of the first encrypted file entity key, the double encrypted file entity key, the second encrypted file entity key, the signed access metadata, and the encrypted file entity are created, signed, and encrypted by one or more computerized systems other than the computerized system.
  - 15. The method according to claim 10 wherein the signed access metadata comprises information about one or more computerized systems that are entitled to decrypt the encrypted file entity.
  - 16. The method according to claim 10 comprising determining not to facilitate the decryption of the encrypted file entity by the computerized system if the signed access data is invalid.

17. At least one computer-readable storage medium having computer-executable instructions embodied thereon, wherein, when executed by at least one processor, the computer-executable instructions cause the at least one processor to:
- receive, from a computerized system, a first encrypted file entity key and signed access metadata,wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
  
  determine whether to facilitate the decryption of the encrypted file entity by the computerized system;
  
  send a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system; and
  
  prevent the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.

18. At least one computer-readable storage medium having computer-executable instructions embodied thereon, wherein, when executed by at least one processor, the computer-executable instructions cause the at least one processor to:
- receive a double encrypted file entity key and signed access metadata;
  
  wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key using a second encryption key;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
  
  determine whether the computerized system is entitled to decrypt the file entity;
  
  prevent from assisting the computerized system to decrypt the encrypted file entity if it is determined that the computerized system is not entitled to decrypt the file entity;
  
  decrypt the double encrypted file entity key to provide the first encrypted file entity key if it is determined that the computerized system is entitled to decrypt the file entity;
  
  send a second encrypted file entity key to the computerized system, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system.

19. A computer, comprising:
- a processor configured toreceive, from a computerized system, a first encrypted file entity key and signed access metadata;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
  
  determine whether to facilitate the decryption of the encrypted file entity by the computerized system;
  
  send a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system; and
  
  prevent the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.

20. A computer, comprising:
- a processor configured toreceive, from a computerized system, a double encrypted file entity key and signed access metadata;
  
  wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key using a second encryption key;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
  
  determine whether the computerized system is entitled to decrypt the file entity;
  
  prevent from assisting the computerized system to decrypt the encrypted file entity if it is determined that the computerized system is not entitled to decrypt the file entity;
  
  decrypt the double encrypted file entity key to provide the first encrypted file entity key if it is determined that the computerized system is entitled to decrypt the file entity;
  
  send a second encrypted file entity key to the computerized system, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
Cidon, Asaf, Cidon, Israel, Gavish, Lior, Gopal, Prabandham Madan, Shetty, Chandrashekhar
Primary Examiner(s)
LE, UYEN T

Application Number

US15/147,277
Publication Number

US 20160246972A1
Time in Patent Office

873 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/182   Distributed file systems

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

Distributed encryption and access control scheme in a cloud environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed encryption and access control scheme in a cloud environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links