Secure information storage

US 10,438,006 B2
Filed: 07/27/2017
Issued: 10/08/2019
Est. Priority Date: 07/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method of secure storage, comprising:

receiving a request to securely store data associated with a customer, the request comprising data to be stored;

generating an initialization vector to be used during encryption of the data to be stored;

transmitting the data to be stored and the initialization vector to an encryption service for encryption,wherein the encryption service is configured to, based on receiving the data to be stored and the initialization vector, retrieve an encrypted private key from a first secure data store associated with the encryption service, and generate an encrypted version of the data to be stored using the initialization vector and a decrypted customer-specific key, andwherein a remote key vault is configured to generate the decrypted customer-specific key by decrypting the retrieved encrypted private key based on a customer-specific partition of the remote key vault;

receiving information comprising the encrypted version of the data to be stored from the encryption service; and

storing the encrypted version of the data to be stored and the initialization vector in a second secure data store that is independent of the first secure data store.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the disclosure include systems and methods for secure storage and/or retrieval of customer secrets by, e.g., a cloud services provider. According to methods, secret data that is to be securely stored may be transmitted, along with an initialization vector, to an encryption service for encryption using a private key stored on in a remote key vault. The encrypted data can be returned and stored, in its encrypted form, in a secure storage along with the initialization vector data. To retrieve the securely stored data, embodiments disclose retrieving the encrypted form of the data and transmitting it, along with its related initialization vector data, to the encryption service for decryption using the private key stored in the remote key vault. The decrypted data can then be made available to a requesting product service.

17 Citations

18 Claims

1. A method of secure storage, comprising:
- receiving a request to securely store data associated with a customer, the request comprising data to be stored;
  
  generating an initialization vector to be used during encryption of the data to be stored;
  
  transmitting the data to be stored and the initialization vector to an encryption service for encryption,wherein the encryption service is configured to, based on receiving the data to be stored and the initialization vector, retrieve an encrypted private key from a first secure data store associated with the encryption service, and generate an encrypted version of the data to be stored using the initialization vector and a decrypted customer-specific key, andwherein a remote key vault is configured to generate the decrypted customer-specific key by decrypting the retrieved encrypted private key based on a customer-specific partition of the remote key vault;
  
  receiving information comprising the encrypted version of the data to be stored from the encryption service; and
  
  storing the encrypted version of the data to be stored and the initialization vector in a second secure data store that is independent of the first secure data store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the initialization vector is randomly generated based on receiving the request to securely store the data.
  - 3. The method of claim 1, further comprising:
    - temporarily encrypting the data to be stored using a pre-shared key and transmitting the temporarily encrypted data to be stored and the initialization vector to the encryption service, wherein the encryption service is further configured to decrypt the temporarily encrypted data to be stored using the pre-shared key.
  - 4. The method of claim 3, wherein the pre-shared key comprises a public key.
  - 5. The method of claim 1, wherein the method is further configured to:
    - generate temporarily encrypted data by encrypting the encrypted version of the data to be stored using a pre-shared key; and
      
      generate the encrypted version of the data by decrypting the temporarily encrypted data using the pre-shared key.
  - 6. The method of claim 1, further comprising:
    - determining, based on evaluating at least one of a plurality of criteria, whether to bypass the encryption service, wherein the plurality of criteria includes a size of the data to be stored, an urgency, a system capacity, and an available bandwidth; and
      
      based on a determination to bypass the encryption service;
      
      transmitting the data to be stored and the initialization vector to the remote key vault, wherein the remote key vault is configured to generate the encrypted version of the data using the initialization vector and based on the customer-specific partition of the remote key vault, andreceiving the encrypted version of the data to be stored from the remote key vault.
  - 7. The method of claim 1, wherein the request further specifies the encrypted private key or the customer-specific partition of the remote key vault.
  - 8. The method of claim 1, wherein the encryption service is further configured to delete the decrypted customer-specific key from memory of the encryption service based on at least one of:
    - generating the encrypted version of the data to be stored, ora pre-determined amount of time elapsing after the decrypted customer-specific key is generated.

9. A method of secure storage, comprising:
- receiving, from a product service, a request for securely stored data associated with a customer of the product service;
  
  based on receiving the request, retrieving, from a first secure data store, an encrypted version of the data and an associated initialization vector;
  
  transmitting the encrypted version of the data and the associated initialization vector to an encryption service for decryption,wherein the encryption service is configured to, based on receiving the encrypted version of the data and the associated initialization vector, retrieve an encrypted private key from a second secure data store that is associated with the encryption service and is independent of the first secure data store, and generate a decrypted version of the data by decrypting the encrypted version of the data using the initialization vector and a decrypted customer specific key, andwherein a remote key vault is configured to generate the decrypted customer-specific key by decrypting the retrieved encrypted private key based on a customer-specific partition of the remote key vault;
  
  receiving information comprising the decrypted version of the data from the encryption service; and
  
  providing, to the product service, the decrypted version of the data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein providing the decrypted version of the data is provided to the product service via a connector component.
  - 11. The method of claim 10, further comprising:
    - re-encrypting the decrypted version of the data using a pre-shared key associated with the connector component and providing the re-encrypted data to the connector component.
  - 12. The method of claim 9, wherein the encryption service is further configured to re-encrypt the decrypted version of the data using a pre-shared key and the method further comprises:
    - receiving information comprising the re-encrypted data, and generating the decrypted version of the data by decrypting the re-encrypted data using the pre-shared key.
  - 13. The method of claim 12, wherein the pre-shared key comprises a public key.
  - 14. The method of claim 9, wherein the request for the stored data is received from the product service via a connector component.
  - 15. The method of claim 9, further comprising:
    - deleting the information comprising the decrypted data from a local memory after transmitting the decrypted data to the product service.
  - 16. The method of claim 9, further comprising:
    - authenticating the product service to verify that it has permission to access the stored data.
  - 17. The method of claim 9, wherein the customer-specific partition is a link to a partition that is provided by the product service.

18. A system, comprising:
- one or more processors; and
  
  a memory storing computer-readable instructions that, when executed by the one or more processors, configure the one or more processors to;
  
  receive, from a product service, a request for stored data, associated with a customer of the product service;
  
  based on receiving the request, retrieve, from a first secure data store, an encrypted version of the data and an associated initialization vector;
  
  transmit the encrypted version of the data and the associated initialization vector to an encryption service for decryption,wherein the encryption service is configured to, based on receiving the encrypted version of the data and the associated initialization vector, provide an encrypted private key, and generate a decrypted version of the data by decrypting the encrypted version of the data using the initialization vector and a decrypted customer-specific key, andwherein a remote key vault is configured to generate a decrypted customer-specific key by decrypting the encrypted private key based on a customer-specific partition of the remote key vault;
  
  receive information comprising the decrypted version of the data from the encryption service; and
  
  provide, to the product service, the decrypted version of the data, wherein the encryption service is further configured to store the encrypted private key in a second secure data store that is independent of the first secure data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kludy, Thomas M., Feijoo, Ricardo Fernando
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/661,290
Publication Number

US 20190034643A1
Time in Patent Office

803 Days
Field of Search

707 10, 707827
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06Q 20/00   Payment architectures, sche...

G06Q 20/363   with the personal data of a...

G06Q 20/382   insuring higher security of...

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 67/1097   for distributed storage of ...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/068   using credential vaults, e....

Secure information storage

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure information storage

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links