Streaming authenticated encryption
First Claim
1. A system comprising:
a computer-readable memory storing executable instructions; and
one or more processors in communication with the computer-readable memory and programmed by the executable instructions to at least:
receive, from a first user device, a data file associated with a user profile;
determine, based at least partly on a size of the data file, to store the data file as a plurality of encrypted portions;
generate a first encrypted portion of the plurality of encrypted portions using a first portion of the data file, a file-level key, and a first portion-level initialization vector, wherein the first encrypted portion is associated with a first sequence identifier and first authentication data;
generate a second encrypted portion of the plurality of encrypted portions using a second portion of the data file, the file-level key, and a second portion-level initialization vector, wherein the second portion-level initialization vector is different than the first portion-level initialization vector, and wherein the second encrypted portion is associated with a second sequence identifier and second authentication data;
store the first encrypted portion and the second encrypted portion in a persistent storage system;
receive, from a second user device, a request for the data file, wherein the request is associated with the user profile;
obtain the first encrypted portion from the persistent storage system based at least partly on the first sequence identifier;
determine, using the first authentication data, that the first encrypted portion is a valid encrypted version of the first portion;
provide, to the second user device, the first sequence identifier and a first decrypted portion based at least partly on the first encrypted portion;
obtain the second encrypted portion from the persistent storage system based at least partly on the second sequence identifier;
determine, using the second authentication data, that the second encrypted portion is an invalid encrypted version of the second portion; and
terminate a response to the request based at least partly on the second decrypted portion being an invalid encrypted version.
Abstract
Systems are provided for the streaming authentication of encrypted data. In streaming authentication, the authentication and decryption of a data file is performed in a streaming manner. The data file can be stored as a collection of discrete encrypted portions. When the data file is to be accessed, it can be authenticated in a streaming manner, as discrete portions of the large file are loaded from storage or transmitted to other systems.
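The store-then-stream flow described in the abstract and in claim 1, as an added example (not code from the patent or its assignee). AES-256-GCM, the IV layout (8-byte per-file prefix plus sequence number), binding the sequence number as associated data, and the names `encryptPortions` and `serveFile` are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// 4-byte big-endian sequence number; used in the IV and as associated data.
const seqBytes = (seq) => {
  const b = Buffer.alloc(4);
  b.writeUInt32BE(seq);
  return b;
};
// IV = 8-byte per-file prefix || sequence number, so no two portions sealed
// under the same file-level key share an IV.
const portionIv = (prefix, seq) => Buffer.concat([prefix.subarray(0, 8), seqBytes(seq)]);

// Split data into size-byte portions; each stored record carries its sequence
// identifier, IV, ciphertext and GCM tag (the authentication data).
function encryptPortions(key, prefix, data, size) {
  const stored = [];
  for (let seq = 0; seq * size < data.length; seq++) {
    const iv = portionIv(prefix, seq);
    const c = crypto.createCipheriv('aes-256-gcm', key, iv);
    c.setAAD(seqBytes(seq)); // bind position into the tag (assumption of this sketch)
    const chunk = data.subarray(seq * size, (seq + 1) * size);
    const ct = Buffer.concat([c.update(chunk), c.final()]);
    stored.push({ seq, iv, ct, tag: c.getAuthTag() });
  }
  return stored;
}

// Authenticate and release portions one at a time. Portions already sent stay
// sent; the response ends at the first portion that fails verification.
function serveFile(key, stored) {
  const sent = [];
  for (const [i, p] of stored.entries()) {
    try {
      if (p.seq !== i) throw new Error('portion out of sequence');
      const d = crypto.createDecipheriv('aes-256-gcm', key, p.iv);
      d.setAAD(seqBytes(i));
      d.setAuthTag(p.tag);
      const pt = Buffer.concat([d.update(p.ct), d.final()]); // final() throws on a bad tag
      sent.push({ seq: p.seq, data: pt.toString() });
    } catch (err) {
      return { sent, terminated: true, reason: err.message };
    }
  }
  return { sent, terminated: false };
}

const demoKey = crypto.randomBytes(32); // constructed demo input, not real data
const demo = encryptPortions(demoKey, crypto.randomBytes(8), Buffer.from('constructed sample file'), 8);
demo[1].ct[0] ^= 1; // corrupt the second stored portion
console.log(serveFile(demoKey, demo)); // first portion sent, then terminated
```

Per-portion tags alone do not reveal that trailing portions were dropped from storage; detecting truncation needs an authenticated portion count or final-portion marker, which this sketch omits.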
20 Claims
4. A computer-implemented method comprising:
as performed by a computing system configured to execute specific instructions,
receiving a data object to be securely stored, the data object comprising a first portion and a second portion;
generating a first encrypted portion of the data object using the first portion, a file-level key, and a first portion-level initialization vector, wherein the first encrypted portion is associated with first authentication data;
generate a second encrypted portion of the data object using the second portion, the file-level key, and a second portion-level initialization vector, wherein the second portion-level initialization vector is different than the first portion-level initialization vector, and wherein the second encrypted portion is associated with second authentication data;
receiving, from a user device, a request for the data object;
obtaining the first encrypted portion of the data object from a storage system based at least partly on first sequence data associated with the first encrypted portion;
determining an authenticity of the first encrypted portion using the first authentication data;
generating a first decrypted portion from the first encrypted portion;
transmitting the first decrypted portion to the user device;
obtaining the second encrypted portion of the data object from the storage system based at least partly on second sequence data associated with the second encrypted portion;
determining an authenticity of the second encrypted portion using the second authentication data;
generating a second decrypted portion from the second encrypted portion; and
transmitting the second decrypted portion to the user device.
17. A system comprising:
a first computing device configured to at least:
receive, from a user device, a first portion of a data file to be securely stored remote from the user device, wherein the first portion is associated with first sequence data; and
generate a first encrypted portion of the data file using the first portion, a file-level key, and a first portion-level initialization vector, wherein the first encrypted portion is associated with first authentication data;
a second computing device configured to at least:
receive, from the user device, a second portion of the data file, wherein the second portion is associated with second sequence data; and
generate a second encrypted portion of the data file using the second portion, the file-level key, and a second portion-level initialization vector, wherein the second portion-level initialization vector is different than the first portion-level initialization vector, and wherein the second encrypted portion is associated with second authentication data; and
a third computing device configured to at least:
receive, from the user device, a request for the data file;
authenticate the first encrypted portion;
transmit, to the user device, the first portion and the first sequence data;
authenticate the second encrypted portion; and
transmit, to the user device, the second portion and the second sequence data, wherein the user device is configured to generate the data file using the first portion and the second portion.