System for enabling lazy-revocation through recursive key generation
Abstract
A security module is utilized to improve key management for encrypted files. In particular, multiple cryptographic keys may be used to encrypt multiple versions of a file, or to encrypt multiple separate files within a single encryption group for storage on an untrusted file server. An authorized user may require access to only a single cryptographic key to access the encrypted file or files. To revoke access of a user or to encrypt subsequent versions of a file, a file owner may utilize the security module to generate subsequent or new versions of the cryptographic key based on an asymmetric private key of the file owner. An authorized user may obtain subsequent or new versions of the cryptographic key from the file owner or by other means. An authorized user may generate previous versions of the current cryptographic key based on an asymmetric public key of the file owner, without further contacting the owner. Accordingly, a single cryptographic key may be used to manage a group of files encrypted with the same key, or to manage multiple versions of a single file.
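The key rotation the abstract describes, and the recursive wind-back of claim 20, can be sketched as follows. This is an added example, not code from the patent: it assumes the asymmetric key pair is RSA, uses constructed toy parameters that are far too small for real use, and all function names are hypothetical.

```python
import hashlib

# Constructed toy RSA parameters (two Mersenne primes); assumption for illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                            # file owner's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # file owner's private exponent


def rotate(key: int) -> int:
    """Owner only: produce the next key version with the private exponent."""
    return pow(key, D, N)


def unwind(key: int) -> int:
    """Any key holder: produce the previous key version with the public exponent."""
    return pow(key, E, N)


def key_for_version(key: int, key_version: int, file_version: int) -> int:
    """Step back one version at a time until the key version matches the file version."""
    if file_version > key_version:
        # A revoked user holding an old key lands here: going forward needs D.
        raise PermissionError("file is newer than the key held; ask the owner")
    while key_version > file_version:
        key, key_version = unwind(key), key_version - 1
    return key


def file_key(key: int) -> bytes:
    """Hash the key version into a 256-bit symmetric file-encryption key."""
    return hashlib.sha256(key.to_bytes((N.bit_length() + 7) // 8, "big")).digest()


def demo():
    """Rotate three times, then recover version 1 while holding only version 3."""
    k0 = int.from_bytes(hashlib.sha256(b"constructed seed").digest(), "big") % N
    versions = [k0]
    for _ in range(3):               # three revocations give versions 1..3
        versions.append(rotate(versions[-1]))
    recovered = key_for_version(versions[3], 3, 1)
    return versions, recovered


if __name__ == "__main__":
    versions, recovered = demo()
    print("recovered version 1:", recovered == versions[1])
```

Under lazy revocation a file is re-encrypted only on its next update, so a reader with the current key still needs `key_for_version` to open files that have not been rewritten since an earlier revocation.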
44 Claims
1. A method of enabling lazy-revocation in a cryptographic file system, said method comprising:
- revoking access of a user of a plurality of users to a file;
- generating a new version of a key based on a current version of said key; and
- encrypting said file with said new version of said key in response to an update of said file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A method of managing files in a file system, said method comprising:
- revoking access of a user of a plurality of users to a file;
- generating a new key from a current key of said file in response to said revocation; and
- encrypting said file with said new key.
Dependent claims: 12, 13, 14

15. A method of accessing files, comprising:
- determining a version of a file;
- determining a version of a key; and
- accessing said file in response to said version of said file and said version of said key matching.
Dependent claims: 16, 17, 18, 19

20. A method for accessing files, comprising:
- determining a version of a file;
- determining a version of a key; and
- recursively generating a previous version of said key from said key until said version of said key matches said version of said file.
Dependent claims: 21, 22, 23, 24, 43, 44

25. A method of managing files in a file system, said method comprising:
- revoking access of a user from a plurality of user to a file;
- generating a new key from a current key of said file in response to said revocation; and
- encrypting said file with said new key.
Dependent claims: 26, 27, 28

29. A system for managing files, comprising:
- a file system configured to store files and provide access to said files;
- a user station; and
- a security module configured to be executed on said user station, wherein said security module is configured to revoke access of a user of a plurality of users to a file, is also configured to generate a new key from a current key of said file stored on said file system in response to said revocation, and is further configured to encrypt said file with said new key.
Dependent claims: 30, 31, 32, 33

34. A system for accessing files comprising:
- a memory;
- at least one processor; and
- a security module residing in said memory and executed by said at least one processor, wherein said security module is configured to determine a version of a file, is also configured to determine a version of a key, and is further configured to access said file in response to said version of said file and said version of said key matching.
Dependent claims: 35, 36, 37

38. An apparatus for accessing files, comprising:
- means for determining a version of a file;
- means for determining a version of a key; and
- means for recursively generating a previous version of said key from said key until said version of said key matches said version of said file.
Dependent claims: 39, 40

41. An apparatus for managing files in a file system, said apparatus comprising:
- means for revoking access of a user from a plurality of user to a file;
- means for generating a new key from a current key of said file in response to said revocation; and
- means for encrypting said file with said new key.
Dependent claims: 42

Specification