Data storage apparatus, data updating system, data processing method, and computer readable medium

US 10,116,442 B2
Filed: 02/20/2015
Issued: 10/30/2018
Est. Priority Date: 02/20/2015
Status: Active Grant

First Claim

Patent Images

1. A data storage apparatus comprising processing circuitry to:

store encrypted data that has been encrypted, while remaining in an encrypted state, and to store a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in the decryption condition that does not require decryption of said encrypted data in order to read;

in a case where revocation information which identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition when update timing to update the encrypted data and the decryption condition arrives, process the revocation information to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, to transmit the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, the transmission to the re-encryption apparatus being performed prior to decryption, and to receive from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed; and

update the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data storage unit (202) stores encrypted data while remaining in an encrypted state, and stores decryption conditions to define a user attribute of a decryption-permission user who is permitted to decrypt the encrypted data. In a case wherein revocation information to indicate a user attribute of a revoked user who is no longer the decryption-permission user has been added to the decryption condition when update timing arrives, a revocation information removing unit (206) removes the revocation information from the decryption condition while the encrypted data remains in the encrypted state. Further, the revocation information removing unit (206) transmits the encrypted data and the decryption conditions from which the revocation information has been removed to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, and receives, from the re-encryption apparatus, the encrypted data that has be re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed. A refresh processing unit (205) updates the encrypted data that has been re-encrypted and the decryption condition from which the revocation information has been removed.

12 Citations

10 Claims

1. A data storage apparatus comprising processing circuitry to:
- store encrypted data that has been encrypted, while remaining in an encrypted state, and to store a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in the decryption condition that does not require decryption of said encrypted data in order to read;
  
  in a case where revocation information which identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition when update timing to update the encrypted data and the decryption condition arrives, process the revocation information to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, to transmit the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, the transmission to the re-encryption apparatus being performed prior to decryption, and to receive from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed; and
  
  update the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed.
- View Dependent Claims (2, 3)
- - 2. The data storage apparatus as defined in claim 1, wherein the processing circuitryupdates the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed, using update information used for update of a master public key being a master key of an encryption key used for encryption of the encrypted data, and a master secret key being a master key of a decryption key used for decryption of the encrypted data, and for update of the decryption key.
  - 3. The data storage apparatus as defined in claim 2, wherein the processing circuitryupdates the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed, using update information that is generated for updating the master public key and the master secret key by a key generation apparatus that updates the master public key and the master secret key.

4. A data updating system comprising:
- a data storage apparatus including;
  
  first processing circuitry tostore encrypted data which has been encrypted, while remaining in an encrypted state, and to store a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in the decryption condition that does not require decryption of said encrypted data in order to read,determine, when update timing to update the encrypted data and the decryption condition arrives, whether revocation information that identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition, and in a case wherein the revocation information has been added to the decryption condition, to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, to transmit the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, the transmission to the re-encryption apparatus being performed prior to decryption, and to receive from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed, andupdate the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed; and
  
  a key update apparatus including second processing circuitry to update a decryption key used for decryption of the encrypted data when the update timing arrives.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The data updating system as defined in claim 4, whereinin the data storage apparatus, the first processing circuitry updates the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed, using update information used for update of a master public key being a master key of an encryption key used for encryption of the encrypted data, and a master secret key being a master key of the decryption key, and whereinin the key update apparatus, the second processing circuitry updates the decryption key using the update information.
  - 6. The data updating system as defined in claim 5,wherein in the key update apparatus, the second processing circuitryreceives the update information from a key generation apparatus that generates the update information and updates the master public key and the master secret key using the update information;
    - andtransmits the update information that has been received, to the data storage apparatus, andupdates the decryption key using the update information received,and wherein, in the data storage apparatus, the first processing circuitry receives the update information from the key update apparatus, and updates the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed, using the update information received.
  - 7. The data updating system as defined in claim 4, whereinin the key update apparatus, the second processing circuitrydetermines whether or not to deem-consider a decryption key to be an object of update, andupdates only a decryption key that has been determined as the object of update.
  - 8. The data updating system as defined in claim 5, whereinin the key update apparatus, in accordance with a date and time when a decryption key has been updated last, the second processing circuitry selects update information used for updating the decryption key, and updates the decryption key using the update information selected.

9. A data processing method, comprisingby a computer that stores encrypted data that has been encrypted, while remaining in an encrypted state, and stores a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in a decryption condition that does not require decryption of said encrypted data in order to read,in a case where revocation information which identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition when update timing to update the encrypted data and the decryption condition arrives, processing the revocation information to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, transmitting the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme prior to decryption, receiving from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed, andupdating the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed.

10. A non-transitory computer readable medium storing a data processing program that causes a computer that stores encrypted data that has been encrypted while remaining in an encrypted state, and stores a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in the decryption condition that does not require decryption of said encrypted data in order to read;
- a revocation information removing processing to remove, in a case where revocation information identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition when update timing to update the encrypted data and the decryption condition arrives, processing the revocation information to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, to transmit the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, the transmission to the re-encryption apparatus being performed prior to decryption, and to receive from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed; and
  
  a refresh processing to update the encrypted data that has been re-encrypted and received by the revocation information removing processing, and the decryption condition from which the revocation information has been removed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitsubishi Electric Corporation
Original Assignee
Mitsubishi Electric Corporation
Inventors
Mori, Takumi, Kawai, Yutaka, Matsuda, Nori
Primary Examiner(s)
Powers, William S

Application Number

US15/548,071
Publication Number

US 20180026785A1
Time in Patent Office

1,348 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/30   Public key, i.e. encryption...

Data storage apparatus, data updating system, data processing method, and computer readable medium

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Data storage apparatus, data updating system, data processing method, and computer readable medium

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links