Device independent encrypted content access system

US 10,341,304 B1
Filed: 01/04/2017
Issued: 07/02/2019
Est. Priority Date: 01/04/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a first authentication credential at a user device, the first authentication credential being associated with a user;

based on the first authentication credential, accessing, by one or more processors of the user device, a second authentication credential stored on a key server;

generating, by the one or more processors, an authentication token and an encryption token;

based on the authentication token, accessing, by the one or more processors, a plurality of encrypted content elements, an encrypted master key, and a plurality of encrypted content keys, each content element of the plurality of content elements associated with a separate encrypted content key of the plurality of encrypted content keys;

in response to accessing the encrypted master key, decrypting the master key to generate a master key using the encryption token;

in response to generating the master key, decrypting the plurality of encrypted content keys to generate a plurality of content keys using the master key;

decrypting one or more encrypted content elements of the plurality of encrypted content elements using one or more content keys of the plurality of content keys associated with the one or more encrypted content elements to generate a plurality of content elements;

causing presentation of at least a portion of the plurality of content elements on a display device of the user device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, devices, media, and methods are presented for retrieving authentication credentials and decryption keys to access remotely stored user-generated content. The systems and methods receive a first authentication credential and access a second authentication credential based on receiving the first authentication credential. The system and methods generate an authentication token and an encryption token. Based on the authentication token, the system and methods access a set of encrypted content and an encrypted content key. The systems and methods decrypt the encrypted content key using the encryption token and decrypt the set of encrypted content using the decrypted content key. At least a portion of the content is presented at the user device.

55 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving a first authentication credential at a user device, the first authentication credential being associated with a user;
  
  based on the first authentication credential, accessing, by one or more processors of the user device, a second authentication credential stored on a key server;
  
  generating, by the one or more processors, an authentication token and an encryption token;
  
  based on the authentication token, accessing, by the one or more processors, a plurality of encrypted content elements, an encrypted master key, and a plurality of encrypted content keys, each content element of the plurality of content elements associated with a separate encrypted content key of the plurality of encrypted content keys;
  
  in response to accessing the encrypted master key, decrypting the master key to generate a master key using the encryption token;
  
  in response to generating the master key, decrypting the plurality of encrypted content keys to generate a plurality of content keys using the master key;
  
  decrypting one or more encrypted content elements of the plurality of encrypted content elements using one or more content keys of the plurality of content keys associated with the one or more encrypted content elements to generate a plurality of content elements;
  
  causing presentation of at least a portion of the plurality of content elements on a display device of the user device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first authentication credential is a user selected login credential received in response to a user interface element prompting entry of an authentication credential.
  - 3. The method of claim 1, wherein accessing the second authentication credential on the key server further comprises:
    - based on receiving the first authentication credential transmitting an indication of the first authentication credential to a content server;
      
      receiving a session credential from the content server, the session credential indicating initiation of a present session of the user device in response to receiving the first authentication credential; and
      
      transmitting the session credential and an indication of the first authentication credential to the key server, access to the second authentication credential being established in response to the session credential and the indication being received by the key server.
  - 4. The method of claim 1, wherein accessing the plurality of encrypted content elements and the plurality of encrypted content keys further comprises:
    - receiving an authentication challenge from the key server, the authentication challenge associated with an expected response;
      
      generating a response from the authentication challenge and the authentication token;
      
      transmitting the authentication challenge and the response to a content server; and
      
      receiving a permission to access the plurality of encrypted content elements and the plurality of encrypted content keys based on the response matching the expected response.
  - 5. The method of claim 4, wherein a digital session credential, received from the content server, is transmitted to the content server with the authentication challenge and the response, and wherein permission to access the plurality of encrypted content elements and the plurality of encrypted content keys is based on the response matching the expected response for the authentication challenge and the digital session credential, received from the content server, matching the digital session credential transmitted with the authentication challenge and the response.
  - 6. The method of claim 1, further comprising:
    - in response to receiving the first authentication credential, accessing a value at the key server, the value being a random string exceeding a threshold length and being associated with the first authentication credential; and
      
      generating the encryption token and the authentication token, the encryption token being a token for encrypting and decrypting an encryption key generated at the user device based on the value, the authentication token being a token for generating a challenge response.
  - 7. The method of claim 6, wherein the value comprises a first value and a second value, each of the first value and the second value being a random string exceeding a threshold length.
  - 8. The method of claim 7, wherein generating the encryption token and the authentication token further comprises:
    - generating the authentication token by applying a first key derivation function and a first work factor to the first value and the first authentication credential; and
      
      generating the encryption token by applying a second key derivation function and a second work factor to the second value and the first authentication credential.

9. A system, comprising:
- one or more processors; and
  
  a processor-readable storage device coupled to the one or more processors, the processor-readable storage device storing processor-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving a first authentication credential at a user device, the first authentication credential being associated with a user;
  
  based on the first authentication credential, accessing, by one or more processors of the user device, a second authentication credential stored on a key server;
  
  generating, by the one or more processors, an authentication token and an encryption token;
  
  based on the authentication token, accessing, by the one or more processors, a plurality of encrypted content elements, an encrypted master key, and a plurality of encrypted content keys, each content element of the plurality of content elements associated with a separate encrypted content key of the plurality of encrypted content keys;
  
  in response to accessing the encrypted master key, decrypting the master key to generate a master key using the encryption token;
  
  in response to generating the master key, decrypting the plurality of encrypted content keys to generate a plurality of content keys using the master key;
  
  decrypting one or more encrypted content elements of the plurality of encrypted content elements using one or more content keys of the plurality of content keys associated with the one or more encrypted content elements to generate a plurality of content elements;
  
  causing presentation of at least a portion of the plurality of content elements on a display device of the user device.
- View Dependent Claims (10, 11, 12, 13, 20)
- - 10. The system of claim 9, wherein accessing the second authentication credential on the key server further comprises:
    - based on receiving the first authentication credential, transmitting an indication of the first authentication credential to a content server;
      
      receiving a session credential from the content server, the session credential indicating initiation of a present session of the user device in response to receiving the first authentication credential; and
      
      transmitting the session credential and an indication of the first authentication credential to the key server, access to the second authentication credential being established in response to the session credential and the indication being received by the key server.
  - 11. The system of claim 9, wherein accessing the plurality of encrypted content elements and the plurality of encrypted content keys further comprises:
    - receiving an authentication challenge from the key server, the authentication challenge associated with an expected response;
      
      generating a response from the authentication challenge and the authentication token;
      
      transmitting the authentication challenge and the response to a content server; and
      
      receiving a permission to access the plurality of encrypted content elements and the plurality of encrypted content keys based on the response matching the expected response.
  - 12. The system of claim 9, wherein the operations further comprise:
    - in response to receiving the first authentication credential, accessing a value at the key server, the value being a random string exceeding a threshold length and being associated with the first authentication credential; and
      
      generating the encryption token and the authentication token, the encryption token being a token for encrypting and decrypting an encryption key generated at the user device based on the value, the authentication token being a token for generating a challenge response.
  - 13. The system of claim 12, wherein the value comprises a first value and a second value, each of the first value and the second value being a random string exceeding a threshold length, and wherein generating the encryption token and the authentication token further comprises:
    - generating the authentication token by applying a first key derivation function and a first work factor to the first value and the first authentication credential; and
      
      generating the encryption token by applying a second key derivation function and a second work factor to the second value and the first authentication credential.
  - 20. The system of claim 9, wherein the first authentication credential is a user selected login credential received in response to a user interface element prompting entry of an authentication credential.

14. A processor-readable storage device coupled to one or more processors, the processor-readable storage device storing processor-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
- receiving a first authentication credential at a user device, the first authentication credential being associated with a user;
  
  based on the first authentication credential, accessing, by one or more processors of the user device, a second authentication credential stored on a key server;
  
  generating, by the one or more processors, an authentication token and an encryption token;
  
  based on the authentication token, accessing, by the one or more processors, a plurality of encrypted content elements, an encrypted master key, and a plurality of encrypted content keys, each content element of the plurality of content elements associated with a separate encrypted content key of the plurality of encrypted content keys;
  
  in response to accessing the encrypted master key, decrypting the master key to generate a master key using the encryption token;
  
  in response to generating the master key, decrypting the plurality of encrypted content keys to generate a plurality of content keys using the master key;
  
  decrypting one or more encrypted content elements of the plurality of encrypted content elements using one or more content keys of the plurality of content keys associated with the one or more encrypted content elements to generate a plurality of content elements;
  
  causing presentation of at least a portion of the plurality of content elements on a display device of the user device.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The processor-readable storage device of claim 14, wherein accessing the second authentication credential on the key server further comprises:
    - based on receiving the first authentication credential, transmitting an indication of the first authentication credential to a content server;
      
      receiving a session credential from the content server, the session credential indicating initiation of a present session of the user device in response to receiving the first authentication credential; and
      
      transmitting the session credential and an indication of the first authentication credential to the key server, access to the second authentication credential being established in response to the session credential and the indication being received by the key server.
  - 16. The processor-readable storage device of claim 14, wherein accessing the plurality of encrypted content elements and the plurality of encrypted content keys further comprises:
    - receiving an authentication challenge from the key server, the authentication challenge associated with an expected response;
      
      generating a response from the authentication challenge and the authentication token;
      
      transmitting the authentication challenge and the response to a content server; and
      
      receiving a permission to access the plurality of encrypted content elements and the plurality of encrypted content keys based on the response matching the expected response.
  - 17. The processor-readable storage device of claim 14, wherein the operations further comprise:
    - in response to receiving the first authentication credential, accessing a value at the key server, the value being a random string exceeding a threshold length and being associated with the first authentication credential; and
      
      generating the encryption token and the authentication token, the encryption token being a token for encrypting and decrypting an encryption key generated at the user device based on the value, the authentication token being a token for generating a challenge response.
  - 18. The processor-readable storage device of claim 17, wherein the value comprises a first value and a second value, each of the first value and the second value being a random string exceeding a threshold length.
  - 19. The processor-readable storage device of claim 18, wherein generating the encryption token and authentication token further comprises:
    - generating the authentication token by applying a first key derivation function and a first work factor to the first value and the first authentication credential; and
      
      generating the encryption token by applying a second key derivation function and a second work factor to the second value and the first authentication credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Snap, Inc.
Original Assignee
Snap, Inc.
Inventors
Boutros, Jad S., Ma, Jiayuan, Marques de Almeida, Filipe Jorge, Yung, Marcel M.
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US15/398,564
Time in Patent Office

909 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 9/0822   using key encryption key

H04L 9/0836   using tree structure or hie...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

H04M 1/67   by electronic means

H04M 1/724   User interfaces specially a...

H04M 1/72463   to restrict the functionali...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

Device independent encrypted content access system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

55 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Device independent encrypted content access system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links