Encrypted search cloud service with cryptographic sharing
Abstract
A method for sharing read access to a document stored on memory hardware. The method includes receiving a shared read access command from a sharor sharing read access to a sharee for a document stored on memory hardware in communication with the data processing hardware, and receiving a shared read access request from the sharee. The shared read access command includes an encrypted value and a first cryptographic share value based on a write key, a read key, a document identifier, and a sharee identifier; the shared read access request carries a second cryptographic share value. The method also includes multiplying the first and second cryptographic share values to determine a cryptographic read access value. The cryptographic read access value authorizes read access to the sharee for the document. The method also includes storing a read access token for the sharee, including the cryptographic read access value and the encrypted value, in a user read set of the memory hardware.
29 Claims
1. A method comprising:
receiving, at data processing hardware, a shared read access command from a sharor sharing read access to a sharee for a document stored on memory hardware in communication with the data processing hardware, the shared read access command comprising an encrypted value and a first cryptographic share value based on a write key for the document, a read key for the document, a document identifier identifying the document, and a sharee identifier identifying the sharee;
receiving, at the data processing hardware, a shared read access request from the sharee, the shared read access request comprising the sharee identifier, the document identifier, and a second cryptographic share value based on the read key for the document and a sharee cryptographic key associated with the sharee;
multiplying, by the data processing hardware, the first cryptographic share value and the second cryptographic share value to determine a cryptographic read access value, the cryptographic read access value authorizing read access to the sharee for the document; and
storing, by the data processing hardware, a read access token for the sharee in a user read set of the memory hardware, the read access token comprising the cryptographic read access value and the encrypted value, the user read set comprising a list of sharee identifiers associated with sharees having read access to the document.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method comprising:
receiving, at a sharee device associated with a sharee, shared write access permissions from a sharor sharing write access to the sharee for a document stored on a distributed storage system, the shared write access permissions comprising a read key for the document, a write key for the document, and encrypted metadata for the document;
determining, by the sharee device, a cryptographic write access value based on the write key for the document, a document identifier identifying the document, a sharee identifier identifying the sharee, and a sharee cryptographic key associated with the sharee, the cryptographic write access value authorizing write access to the sharee for the document; and
sending a write access token for the sharee from the sharee device to the distributed storage system, the write access token comprising the cryptographic write access value, the distributed storage system, in response to receiving the write access token, configured to store the write access token in a user write set, the user write set comprising a list of sharee identifiers associated with sharees having write access to the document.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.

21. A system comprising:
a sharor device configured to create metadata for a document stored on a storage system, encrypt the metadata using a read key for the document and calculate a first cryptographic share value for the document, the first cryptographic share value based on a write key for the document, the read key, a document identifier identifying the document, and a sharee identifier identifying a sharee to receive shared read access to the document;
a sharee device associated with the sharee and configured to receive the read key for the document from the sharor device over a secure and authenticated communication channel and calculate a second cryptographic share value for the document, the second cryptographic share value based on the read key and a sharee cryptographic key associated with the sharee;
data processing hardware of the storage system in communication with the sharor device and the sharee device;
memory hardware in communication with the data processing hardware, the memory hardware storing instructions that when executed on the data processing hardware cause the data processing hardware to perform operations comprising:
receiving a shared read access command from the sharor device sharing read access to the sharee for the document, the shared read access command comprising the encrypted metadata for the document and the first cryptographic share value;
receiving a shared read access request from the sharee device, the shared read access request comprising the sharee identifier, the document identifier, and the second cryptographic share value;
determining a cryptographic read access value based on the first cryptographic share value and the second cryptographic share value, the cryptographic read access value authorizing read access to the sharee for the document; and
storing a read access token for the sharee comprising the cryptographic read access value and the encrypted value in a user read set of the memory hardware, the user read set comprising a list of sharee identifiers associated with sharees having read access to the document.
Dependent claims: 22, 23, 24, 25, 26.

27. A system comprising:
a sharor device associated with a creator of a document stored on a distributed storage system;
a sharee device associated with a sharee in communication with the sharor device over a secure and authenticated communication channel, the sharee device configured to:
receive shared write access permissions from the sharor device sharing write access for the document, the shared write access permissions comprising a read key for the document, a write key for the document and encrypted metadata for the document;
determine a cryptographic write access value based on the write key, a document identifier identifying the document, a sharee identifier identifying the sharee, and a sharee cryptographic key associated with the sharee, the cryptographic write access value authorizing write access to the sharee for the document; and
determine a cryptographic read access value based on the write key for the document, the document identifier, and the sharee cryptographic key;
data processing hardware of the distributed storage system in communication with the sharor device and the sharee device; and
memory hardware in communication with the data processing hardware, the memory hardware storing instructions that when executed on the data processing hardware cause the data processing hardware to perform operations comprising:
receiving a write access token from the sharee device, the write access token comprising the cryptographic write access value;
storing the write access token in a user write set, the user write set comprising a list of sharee identifiers associated with sharees having write access to the document;
receiving a read access token for the sharee device comprising the cryptographic read access value and the encrypted metadata for the document from the sharee device; and
storing the read access token in a user read set, the user read set comprising a list of sharee identifiers associated with sharees having read access to the document.
Dependent claims: 28, 29.
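The read-sharing exchange of claims 1 and 21, as an added Python illustration that is not the patent's construction: the toy group parameters, the hash-derived exponents, the placeholder ciphertext and every key and identifier are assumptions; the claims fix only that the sharor and sharee each contribute a share value, that the storage system multiplies the two and stores the product with the encrypted value in the user read set, and that membership in that set is what authorizes the sharee.

```python
import hashlib

# Constructed toy group: multiplicative group mod a Mersenne prime. Illustration only, NOT secure.
P = 2**127 - 1
G = 3  # assumed generator value for the toy group

def _exponent(label: bytes, *parts: bytes) -> int:
    """Assumed key-derivation step: hash length-prefixed, labelled inputs to a group exponent."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def sharor_share(write_key: bytes, read_key: bytes, doc_id: bytes, sharee_id: bytes) -> int:
    """First cryptographic share value: sharor side, from write key, read key, document id, sharee id."""
    return pow(G, _exponent(b"share1", write_key, read_key, doc_id, sharee_id), P)

def sharee_share(read_key: bytes, sharee_key: bytes) -> int:
    """Second cryptographic share value: sharee side, from the read key and the sharee's own key."""
    return pow(G, _exponent(b"share2", read_key, sharee_key), P)

class StorageServer:
    """The data processing hardware: it never sees the keys, only the two shares and the ciphertext."""
    def __init__(self) -> None:
        self.pending = {}         # (doc_id, sharee_id) -> (share1, encrypted_value), awaiting the sharee
        self.user_read_set = {}   # doc_id -> {sharee_id: (read_access_value, encrypted_value)}
    def shared_read_access_command(self, doc_id, sharee_id, encrypted_value, share1):
        """Sharor's command: park the first share and the encrypted value until the sharee requests."""
        self.pending[(doc_id, sharee_id)] = (share1, encrypted_value)
    def shared_read_access_request(self, doc_id, sharee_id, share2):
        """Sharee's request: multiply the shares and store the read access token in the user read set."""
        if (doc_id, sharee_id) not in self.pending:
            raise PermissionError("no matching shared read access command from a sharor")
        share1, encrypted_value = self.pending.pop((doc_id, sharee_id))
        read_access_value = (share1 * share2) % P
        self.user_read_set.setdefault(doc_id, {})[sharee_id] = (read_access_value, encrypted_value)
        return read_access_value
    def has_read_access(self, doc_id, sharee_id) -> bool:
        return sharee_id in self.user_read_set.get(doc_id, {})

def demo():
    """Run the three-party exchange on constructed sample keys and identifiers."""
    write_key, read_key = b"write-key-constructed", b"read-key-constructed"
    doc_id, sharee_id, sharee_key = b"doc-42", b"bob", b"bob-key-constructed"
    ciphertext = b"<metadata encrypted under read-key: placeholder bytes>"
    server = StorageServer()
    share1 = sharor_share(write_key, read_key, doc_id, sharee_id)          # sharor side
    server.shared_read_access_command(doc_id, sharee_id, ciphertext, share1)
    share2 = sharee_share(read_key, sharee_key)   # sharee side; read key received over the secure channel
    value = server.shared_read_access_request(doc_id, sharee_id, share2)  # storage system side
    return server, share1, share2, value
```

The server discards both shares once the product is stored, so the read set holds only the combined value and the ciphertext, matching the token contents in claim 1.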