System for enabling lazy-revocation through recursive key generation

US 20030081787A1
Filed: 10/31/2001
Published: 05/01/2003
Est. Priority Date: 10/31/2001
Status: Active Grant

First Claim

Patent Images

1. A method of enabling lazy-revocation in a cryptographic file system, said method comprising:

revoking access of a user of a plurality of users to a file;

generating a new version of a key based on a current version of said key; and

encrypting said file with said new version of said key in response to an update of said file.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module is utilized to improve key management for encrypted files. In particular, multiple cryptographic keys may be used to encrypt multiple versions of a file, or to encrypt multiple separate files within a single encryption group for storage on an untrusted file server. An authorized user may require access to only a single cryptographic key to access the encrypted file or files. To revoke access of a user or to encrypt subsequent versions of a file, a file owner may utilize the security module to generate subsequent or new versions of the cryptographic key based on an asymmetric private key of the file owner. An authorized user may obtain a subsequent or new versions of the cryptographic key from the file owner or by other means. An authorized user may generate previous versions of the current cryptographic key based on an asymmetric public key of the file owner, without further contacting the owner. Accordingly, a single cryptographic key may be used to manage a group of files encrypted with the same key, or to manage multiple versions of a single file.

Citations

44 Claims

1. A method of enabling lazy-revocation in a cryptographic file system, said method comprising:
- revoking access of a user of a plurality of users to a file;
  
  generating a new version of a key based on a current version of said key; and
  
  encrypting said file with said new version of said key in response to an update of said file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, further comprising:
    - distributing said new version of said key to at least one authorized user in response to said update of said file.
  - 3. The method according to claim 2, further comprising:
    - generating a previous version of said key based on said new version of said key to access a previous version of said file.
  - 4. The method according to claim 3, further comprise:
    - receiving a public key of a file owner of said file, wherein said generation of said previous version of said key comprises generating said previous version of said key utilizing said public key of said file owner of said file.
  - 5. The method according to claim 4, wherein said public key is part of an asymmetric public/private key pair of said file owner.
  - 6. The method according to claim 1, wherein said generation of said new version of said key utilizes a private key of a file owner of said file.
  - 7. The method according to claim 6, wherein said private key is part of an asymmetric public/private key pair of the said file owner.
  - 8. The method according to claim 1, wherein said key is a symmetric key and said new version of said key is generated utilizing an asymmetric private/public key pair of said file owner.
  - 9. The method according to claim 1, wherein said key is an asymmetric key and said new version of said key is generated utilizing an asymmetric private/public key pair of said file owner.
  - 10. The method according to claim 9, wherein said asymmetric private/public key pair of said file owner is generated by an El Gamal asymmetric crypto-system.

11. A method of managing files in a file system, said method comprising:
- revoking access of a user of a plurality of users to a file;
  
  generating a new key from a current key of said file in response to said revocation; and
  
  encrypting said file with said new key.
- View Dependent Claims (12, 13, 14)
- - 12. The method according to claim 11, wherein said generation of said new key utilizes a private key of an owner of said file.
  - 13. The method according to claim 11, further comprising:
    - accessing a previous version of said file; and
      
      generating a respective previous version of a key from said current key.
  - 14. The method according to claim 13, wherein generation of said respective previous version of said key utilizes a public key of an owner of said file.

15. A method of accessing files, comprising:
- determining a version of a file;
  
  determining a version of a key; and
  
  accessing said file in response to said version of said file and said version of said key matching.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method according to claim 15, further comprising:
    - requesting access from an owner of said file in response to said version of said key being older than said version of said file.
  - 17. The method according to claim 15, further comprising:
    - generating a previous version of said key in response to said version of said file being older than said version of said key.
  - 18. The method according to claim 17, wherein said generation of said previous version of said key utilizes a public key of said owner of said file.
  - 19. The method according to claim 17, further comprising:
    - recursively generating another previous version of said key from said key until said version of said key matches said version of said file.

20. A method for accessing files, comprising:
- determining a version of a file;
  
  determining a version of a key; and
  
  recursively generating a previous version of said key from said key until said version of said key matches said version of said file.
- View Dependent Claims (21, 22, 23, 24, 43, 44)
- - 21. The method according to claim 20, wherein said generation of said previous version of said key utilizes an asymmetric public key of said owner of said file.
  - 22. The method according to claim 20, wherein said key is a symmetric key and said asymmetric public key is generated utilizing an asymmetric crypto-algorithm.
  - 23. The method according to claim 20, wherein said key is an asymmetric key pair and said asymmetric public key is generated utilizing an asymmetric crypto-algorithm.
  - 24. The method according to claim 23, wherein said asymmetric crypto-algorithm being an El Gamal crypto-system.
  - 43. The apparatus according to claim 21, further comprising:
    - means for accessing a previous version of said file; and
      
      means for generating a respective previous version of a key from said current key.
  - 44. The method according to claim 43, wherein generation of said respective previous version of said key utilizes an asymmetric public key of an owner of said file.

25. A method of managing files in a file system, said method comprising:
- revoking access of a user from a plurality of user to a file;
  
  generating a new key from a current key of said file in response to said revocation; and
  
  encrypting said file with said new key.
- View Dependent Claims (26, 27, 28)
- - 26. The method according to claim 25, wherein said generation of said new key utilizes a private key of an owner of said file.
  - 27. The method according to claim 25, further comprising:
    - accessing a previous version of said file; and
      
      generating a respective previous version of a key from said current key.
  - 28. The method according to claim 27, wherein generation of said respective previous version of said key utilizes an asymmetric public key of an owner of said file.

29. A system for managing files, comprising:
- a file system configured to store files and provide access to said files;
  
  a user station; and
  
  a security module configured to be executed on said user station, wherein said security module is configured to revoke access of a user of a plurality of users to a file, is also configured to generate a new key from a current key of said file stored on said file system in response to said revocation, and is further configured to encrypt said file with said new key.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The system according to claim 29, wherein said security module is further configured to distribute said new version of said key to at least one authorized user in response to said update of said file.
  - 31. The system according to claim 29, wherein said security module is further configured to generate a previous version of said key based on said new version of said key to access a previous version of said file.
  - 32. The system according to claim 31, wherein said security module is further configured to receive a asymmetric public key of a file owner of said file, wherein said generation comprises generating said previous version of said key utilizing said asymmetric public key of said file owner of said file.
  - 33. The system according to claim 29, wherein said generation of said new version of said key utilizes an asymmetric private key of a file owner of said file.

34. A system for accessing files comprising:
- a memory;
  
  at least one processor; and
  
  a security module residing in said memory and executed by said at least one processor, wherein said security module is configured to determine a version of a file, is also configured to determine a version of a key, and is further configured to access said file in response to said version of said file and said version of said key matching.
- View Dependent Claims (35, 36, 37)
- - 35. The system according to claim 34, wherein said security module is further configured to generate a previous version of said key in response to said version of said file being older than said version of said key.
  - 36. The system according to claim 35, wherein said generation of said previous version of said key utilizes a public key of said owner of said file.
  - 37. The system according to claim 35, further comprising:
    - recursively generating another previous version of said key from said key until said version of said key matches said version of said file.

38. An apparatus for accessing files, comprising:
- means for determining a version of a file;
  
  means for determining a version of a key; and
  
  means for recursively generating a previous version of said key from said key until said version of said key matches said version of said file.
- View Dependent Claims (39, 40)
- - 39. The apparatus according to claim 38, further comprising:
    - means for requesting access from an owner of said file in response to said version of said key being older than said version of said file.
  - 40. The apparatus according to claim 38, wherein said generation of said previous version of said key utilizes an asymmetric public key of said owner of said file.

41. An apparatus for managing files in a file system, said apparatus comprising:
- means for revoking access of a user from a plurality of user to a file;
  
  means for generating a new key from a current key of said file in response to said revocation; and
  
  means for encrypting said file with said new key.
- View Dependent Claims (42)
- - 42. The apparatus according to claim 41, wherein said generation of said new key utilizes an asymmetric private key of an owner of said file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Riedel, Erik, Swaminathan, Ram, Kallahalla, Mahesh

Granted Patent

US 7,203,317 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/278
CPC Class Codes

G06F 21/6209 to a single file or object,...

H04L 9/0891 Revocation or update of sec...

System for enabling lazy-revocation through recursive key generation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

System for enabling lazy-revocation through recursive key generation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links