Streaming authenticated encryption

US 10,268,832 B1
Filed: 06/26/2017
Issued: 04/23/2019
Est. Priority Date: 06/26/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a computer-readable memory storing executable instructions; and

one or more processors in communication with the computer-readable memory and programmed by the executable instructions to at least;

receive, from a first user device, a data file associated with a user profile;

determine, based at least partly on a size of the data file, to store the data file as a plurality of encrypted portions;

generate a first encrypted portion of the plurality of encrypted portions using a first portion of the data file, a file-level key, and a first portion-level initialization vector, wherein the first encrypted portion is associated with a first sequence identifier and first authentication data;

generate a second encrypted portion of the plurality of encrypted portions using a second portion of the data file, the file-level key, and a second portion-level initialization vector, wherein the second portion-level initialization vector is different than the first portion-level initialization vector, and wherein the second encrypted portion is associated with a second sequence identifier and second authentication data;

store the first encrypted portion and the second encrypted portion in a persistent storage system;

receive, from a second user device, a request for the data file, wherein the request is associated with the user profile;

obtain the first encrypted portion from the persistent storage system based at least partly on the first sequence identifier;

determine, using the first authentication data, that the first encrypted portion is a valid encrypted version of the first portion;

provide, to the second user device, the first sequence identifier and a first decrypted portion based at least partly on the first encrypted portion;

obtain the second encrypted portion from the persistent storage system based at least partly on the second sequence identifier;

determine, using the second authentication data, that the second encrypted portion is an invalid encrypted version of the second portion; and

terminate a response to the request based at least partly on the second decrypted portion being an invalid encrypted version.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems are provided for the streamlining authentication of encrypted data. In streaming authentication, the authentication and decryption of a data file is performed in a streaming manner. The data file can be stored as a collection of discrete encrypted portions. When the data file is to be accessed, it can be authenticated in a streaming manner, as discrete portions of the large file are loaded from storage or transmitted to other systems.

18 Citations

View as Search Results

20 Claims

1. A system comprising:
- a computer-readable memory storing executable instructions; and
  
  one or more processors in communication with the computer-readable memory and programmed by the executable instructions to at least;
  
  receive, from a first user device, a data file associated with a user profile;
  
  determine, based at least partly on a size of the data file, to store the data file as a plurality of encrypted portions;
  
  generate a first encrypted portion of the plurality of encrypted portions using a first portion of the data file, a file-level key, and a first portion-level initialization vector, wherein the first encrypted portion is associated with a first sequence identifier and first authentication data;
  
  generate a second encrypted portion of the plurality of encrypted portions using a second portion of the data file, the file-level key, and a second portion-level initialization vector, wherein the second portion-level initialization vector is different than the first portion-level initialization vector, and wherein the second encrypted portion is associated with a second sequence identifier and second authentication data;
  
  store the first encrypted portion and the second encrypted portion in a persistent storage system;
  
  receive, from a second user device, a request for the data file, wherein the request is associated with the user profile;
  
  obtain the first encrypted portion from the persistent storage system based at least partly on the first sequence identifier;
  
  determine, using the first authentication data, that the first encrypted portion is a valid encrypted version of the first portion;
  
  provide, to the second user device, the first sequence identifier and a first decrypted portion based at least partly on the first encrypted portion;
  
  obtain the second encrypted portion from the persistent storage system based at least partly on the second sequence identifier;
  
  determine, using the second authentication data, that the second encrypted portion is an invalid encrypted version of the second portion; and
  
  terminate a response to the request based at least partly on the second decrypted portion being an invalid encrypted version.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the one or more processors are further programmed by the executable instructions to at least:
    - determine a size of the first portion based at least partly on at least one of;
      
      a content type of the data file;
      
      a content type of the first portion;
      
      a processing capability of the system;
      
      or a processing capability of the first user device; and
      
      determine a size of the second portion based at least partly on at least one of;
      
      a content type of the data file;
      
      a content type of the second portion;
      
      a processing capability of the system;
      
      or a processing capability of the first user device.
  - 3. The system of claim 1, wherein the one or more processors are further programmed by the executable instructions to at least:
    - mark at least one of the data file or the second encrypted portion as invalid;
      
      transmit a message to the second user device regarding invalidity of at least one of the data file or the second encrypted portion; and
      
      initiate an authentication failure recovery process.

4. A computer-implemented method comprising:
- as performed by a computing system configured to execute specific instructions, receiving a data object to be securely stored, the data object comprising a first portion and a second portion;
  
  generating a first encrypted portion of the data object using the first portion, a file-level key, and a first portion-level initialization vector, wherein the first encrypted portion is associated with first authentication data;
  
  generate a second encrypted portion of the data object using the second portion, the file-level key, and a second portion-level initialization vector, wherein the second portion-level initialization vector is different than the first portion-level initialization vector, and wherein the second encrypted portion is associated with second authentication data;
  
  receiving, from a user device, a request for the data object;
  
  obtaining the first encrypted portion of the data object from a storage system based at least partly on first sequence data associated with the first encrypted portion;
  
  determining an authenticity of the first encrypted portion using the first authentication data;
  
  generating a first decrypted portion from the first encrypted portion;
  
  transmitting the first decrypted portion to the user device;
  
  obtaining the second encrypted portion of the data object from the storage system based at least partly on second sequence data associated with the second encrypted portion;
  
  determining an authenticity of the second encrypted portion using the second authentication data;
  
  generating a second decrypted portion from the second encrypted portion; and
  
  transmitting the second decrypted portion to the user device.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 5. The computer-implemented method of claim 4, wherein determining the authenticity of the second decrypted portion occurs after transmission of the first decrypted portion to the user device.
  - 6. The computer-implemented method of claim 4, further comprising transmitting sequence data regarding an ordinal position in which at least one of the first decrypted portion or the second decrypted portion is to be arranged.
  - 7. The computer-implemented method of claim 4, further comprising:
    - determining, based at least partly on a size of the data object, to partition the data object into a plurality of portions.
  - 8. The computer-implemented method of claim 4, further comprising:
    - determining, based at least partly on a content type of the data object, a first size of a first portion of the data object and a second size of a second portion of the data object.
  - 9. The computer-implemented method of claim 4, further comprising:
    - generating the first authentication data using the first encrypted portion, wherein the first authentication data comprises a hashed message authentication code, and wherein determining the authenticity of the first encrypted portion comprises comparing the first authentication data to the first encrypted portion.
  - 10. The computer-implemented method of claim 4,wherein the first authentication data is based at least partly on data regarding generating the first encrypted portion, andwherein determining the authenticity of the first encrypted portion comprises comparing the first authentication data to data regarding generating the first decrypted portion.
  - 11. The computer-implemented method of claim 4, further comprising:
    - determining that the data object comprises a base resource referencing a plurality of embedded resources; and
      
      determining to partition the data object into at least the first portion, comprising the base resource, and the second portion, comprising at least one of the plurality of embedded resources.
  - 12. The computer-implemented method of claim 4, further comprising:
    - obtaining a third encrypted portion of the data object from the storage system based at least partly on third sequence data associated with the third encrypted portion; and
      
      determining that authenticity of the third encrypted portion cannot be verified using third authentication data associated with the third encrypted portion.
  - 13. The computer-implemented method of claim 12, further comprising canceling transmission of a decrypted portion of the data object to the user device subsequent to determining that authenticity of the third encrypted portion cannot be verified.
  - 14. The computer-implemented method of claim 12, further comprising initiating an authentication failure workflow in response to determining that authenticity of the third encrypted portion cannot be verified.
  - 15. The computer-implemented method of claim 4, further comprising receiving the data object from the user device.
  - 16. The computer-implemented method of claim 4, further comprising receiving the data object from a second user device, wherein the second user device is different than the user device.

17. A system comprising:
- a first computing device configured to at least;
  
  receive, from a user device, a first portion of a data file to be securely stored remote from the user device, wherein the first portion is associated with first sequence data; and
  
  generate a first encrypted portion of the data file using the first portion, a file-level key, and a first portion-level initialization vector, wherein the first encrypted portion is associated with first authentication data;
  
  a second computing device configured to at least;
  
  receive, from the user device, a second portion of the data file, wherein the second portion is associated with second sequence data; and
  
  generate a second encrypted portion of the data file using the second portion, the file-level key, and a second portion-level initialization vector, wherein the second portion-level initialization vector is different than the first portion-level initialization vector, and wherein the second encrypted portion is associated with second authentication data; and
  
  a third computing device configured to at least;
  
  receive, from the user device, a request for the data file;
  
  authenticate the first encrypted portion;
  
  transmit, to the user device, the first portion and the first sequence data;
  
  authenticate the second encrypted portion; and
  
  transmit, to the user device, the second portion and the second sequence data, wherein the user device is configured to generate the data file using the first portion and the second portion.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein receipt of the second portion by the second device occurs concurrently with receipt of at least a portion of the first portion by the first device.
  - 19. The system of claim 17, wherein the first computing device is further configured to restart reception of the first portion of the data file after a transmission error.
  - 20. The system of claim 17, wherein the third computing device is further configured to generate the first portion using the first encrypted portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Ciubotariu, Nick, Lounsbury, Brett
Primary Examiner(s)
Tolentino, Roderick

Application Number

US15/633,574
Time in Patent Office

666 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

Streaming authenticated encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Streaming authenticated encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links