Distributed encryption and access control scheme in a cloud environment
Abstract
An approach is proposed that contemplates systems, methods, and computer-readable storage mediums to support receiving, from a computerized system, a first encrypted file entity key and signed access metadata, wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key, the signed access metadata is signed by the file entity key and the encrypted file entity is created by encrypting a file entity using the file entity key. The approach then determines whether to facilitate the decryption of the encrypted file entity by the computerized system and sends a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption. The approach prevents the computerized system from decrypting the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.
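The key hand-off described in the abstract, as an added Go example that is not code from the patent. AES-256-GCM wrapping, HMAC-SHA256 as the reading of "signed by the file entity key", the `allow` policy callback and all function names are assumptions; keys and metadata are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func aead(k [32]byte) cipher.AEAD {
	b, _ := aes.NewCipher(k[:]) // cannot fail: the key is always 32 bytes
	g, _ := cipher.NewGCM(b)
	return g
}

// Wrap encrypts key under kek (assumed AES-256-GCM) and prepends the random nonce.
func Wrap(kek [32]byte, key []byte) []byte {
	n := make([]byte, 12)
	rand.Read(n)
	return aead(kek).Seal(n, n, key, nil)
}

// Unwrap reverses Wrap; it fails on the wrong kek or on a modified blob.
func Unwrap(kek [32]byte, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("wrapped key too short")
	}
	return aead(kek).Open(nil, blob[:12], blob[12:], nil)
}

// SignMeta assumes "signed by the file entity key" means HMAC-SHA256.
func SignMeta(fileKey, meta []byte) []byte {
	m := hmac.New(sha256.New, fileKey)
	m.Write(meta)
	return m.Sum(nil)
}

// Rewrap: unwrap with the first key, verify metadata, apply policy, re-encrypt.
func Rewrap(first, requester [32]byte, wrapped, meta, sig []byte, allow func([]byte) bool) ([]byte, error) {
	fileKey, err := Unwrap(first, wrapped)
	if err != nil || !hmac.Equal(SignMeta(fileKey, meta), sig) || !allow(meta) {
		return nil, fmt.Errorf("decryption not facilitated")
	}
	return Wrap(requester, fileKey), nil
}

func main() { // constructed sample keys and metadata; this policy always allows
	fk, meta, ok := []byte("constructed file key"), []byte("readers=alice"), func([]byte) bool { return true }
	fmt.Println(Rewrap([32]byte{1}, [32]byte{2}, Wrap([32]byte{1}, fk), meta, SignMeta(fk, meta), ok))
}
```

Every refusal returns the same error, so a caller cannot tell from the response whether the unwrap, the metadata check or the policy was what failed.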
20 Claims
1. A method for selectively assisting a decryption process of an encrypted file entity, the method comprises:
- receiving, from a computerized system, a first encrypted file entity key and signed access metadata, wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
- wherein the signed access metadata is signed by the file entity key;
- wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
- determining whether to facilitate the decryption of the encrypted file entity by the computerized system;
- sending a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system; and
- preventing the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A method for selectively assisting a decryption process of an encrypted file entity, the method comprises:
- receiving, from a computerized system, a double encrypted file entity key and signed access metadata;
- wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
- wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key using a second encryption key;
- wherein the signed access metadata is signed by the file entity key;
- wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
- determining whether the computerized system is entitled to decrypt the file entity;
- preventing from assisting the computerized system to decrypt the encrypted file entity if it is determined that the computerized system is not entitled to decrypt the file entity;
- decrypting the double encrypted file entity key to provide the first encrypted file entity key if it is determined that the computerized system is entitled to decrypt the file entity;
- sending a second encrypted file entity key to the computerized system, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system.
Dependent claims: 11, 12, 13, 14, 15, 16

17. At least one computer-readable storage medium having computer-executable instructions embodied thereon, wherein, when executed by at least one processor, the computer-executable instructions cause the at least one processor to:
- receive, from a computerized system, a first encrypted file entity key and signed access metadata, wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
- wherein the signed access metadata is signed by the file entity key;
- wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
- determine whether to facilitate the decryption of the encrypted file entity by the computerized system;
- send a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system; and
- prevent the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.

18. At least one computer-readable storage medium having computer-executable instructions embodied thereon, wherein, when executed by at least one processor, the computer-executable instructions cause the at least one processor to:
- receive a double encrypted file entity key and signed access metadata;
- wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key using a second encryption key;
- wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
- wherein the signed access metadata is signed by the file entity key;
- wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
- determine whether the computerized system is entitled to decrypt the file entity;
- prevent from assisting the computerized system to decrypt the encrypted file entity if it is determined that the computerized system is not entitled to decrypt the file entity;
- decrypt the double encrypted file entity key to provide the first encrypted file entity key if it is determined that the computerized system is entitled to decrypt the file entity;
- send a second encrypted file entity key to the computerized system, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system.

19. A computer, comprising:
- a processor configured to receive, from a computerized system, a first encrypted file entity key and signed access metadata;
- wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
- wherein the signed access metadata is signed by the file entity key;
- wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
- determine whether to facilitate the decryption of the encrypted file entity by the computerized system;
- send a second encrypted file entity key to the computerized system if it is determined to facilitate the decryption, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system; and
- prevent the computerized system to decrypt the encrypted file entity if it is determined not to facilitate the decryption of the encrypted file entity by the computerized system.

20. A computer, comprising:
- a processor configured to receive, from a computerized system, a double encrypted file entity key and signed access metadata;
- wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key using a second encryption key;
- wherein the first encrypted file entity key is created by encrypting a file entity key using a first encryption key;
- wherein the signed access metadata is signed by the file entity key;
- wherein the encrypted file entity is created by encrypting a file entity using the file entity key;
- determine whether the computerized system is entitled to decrypt the file entity;
- prevent from assisting the computerized system to decrypt the encrypted file entity if it is determined that the computerized system is not entitled to decrypt the file entity;
- decrypt the double encrypted file entity key to provide the first encrypted file entity key if it is determined that the computerized system is entitled to decrypt the file entity;
- send a second encrypted file entity key to the computerized system, wherein the second encrypted file entity key is created by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the computerized system.

Specification