Accessing protected data on network storage from multiple devices
Abstract
The present invention relates to a method and a system of securely storing data on a network (100) for access by an authorized domain (101, 102, 103), which authorized domain includes at least two devices that share a confidential domain key (K), and an authorized domain management system for securely storing data on a network for access by an authorized domain. The present invention enables any member device to store protected data on the network such that any other member device can access the data in plaintext without having to communicate with the device that actually stored the data.
57 Claims
1. A method of securely storing data on a network (100) for access by devices (101, 102, 103) that belong to an authorized domain, the method comprising the steps of:
establishing (S301) an authenticated channel (203) between a domain member device (201) and a candidate device (202) that is to be included in the domain, over which channel authentication data of the candidate device is sent;
encrypting (S303), at the domain member device, a confidential domain key with an encryption key of said candidate device and storing (S304) the encrypted domain key, thereby including the candidate device in the domain; and
storing (S502) encrypted data on the network, which data is encrypted (S501) at any storing domain member device (101, 102, 103) by means of the domain key.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 45.
16. An authorized domain management system for securely storing data on a network (100) for access by devices (101, 102, 103) that belong to an authorized domain, the system comprising:
means (205) for establishing an authenticated channel (203) between a domain member device (201) and a candidate device (202) that is to be included in the domain, over which channel authentication data of the candidate device is sent;
means (205) for encrypting, at the domain member device, a confidential domain key with an encryption key of said candidate device and storing the encrypted domain key, thereby including the candidate device in the domain; and
means (104) for storing encrypted data on the network, which data is encrypted at any storing domain member device (101, 102, 103) by means of the domain key.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30.
31. A master device (201) to be included in an authorized domain management system for securely storing data on a network (100), the master device comprising:
means (205) for establishing an authenticated channel (203) with a candidate device (202) that is to be included in the domain, over which channel authentication data of the candidate device is sent;
means (205) for encrypting a confidential domain key with an encryption key of the candidate device;
means (205) for encrypting data with the domain key;
means (205) for outputting the encrypted domain key and the encrypted data; and
means (205) for accessing encrypted data stored on the network and decrypting said data by means of the domain key.
Dependent claims: 32.
33. A candidate device (202) to be included in an authorized domain management system for securely storing data on a network (100), the candidate device comprising:
means (206) for sending authentication data over an authenticated channel (203) established with a master device (201) that is included in the domain;
means (206) for encrypting a confidential domain key with an encryption key of the candidate device;
means (206) for encrypting data with the domain key;
means (206) for outputting the encrypted domain key and the encrypted data; and
means (206) for accessing encrypted data stored on the network and decrypting said data by means of the domain key.
Dependent claims: 34.
35. A method of removing devices (101, 102, 103), which devices belong to an authorized domain, from said authorized domain, the method comprising the steps of:
deleting, at a domain master device (201), when a domain member device is removed (S601) from the domain, an encryption key that corresponds to said domain member device from an existing domain list;
creating (S602), at the master device, a confidential new domain key (K′);
encrypting (S603), at the master device, the new domain key with each remaining encryption key, said each remaining encryption key being associated with a respective domain member device obtained from the existing domain list and producing a new message authentication code based on the new domain key and the remaining encryption keys; and
creating (S604), at the master device, an updated domain list based on the new domain key and storing the updated domain list on a storage device (104) to which domain member devices have access.
Dependent claims: 36, 37, 38, 39.
40. A system for removing devices (101, 102, 103), which devices belong to an authorized domain, from said authorized domain, the system comprising:
means (205) for deleting, at a domain master device (201), when a domain member device is removed from the domain, a corresponding encryption key that corresponds to said member device from an existing domain list;
means (205) for creating, at the master device, a confidential new domain key (K′);
means (205) for encrypting (S603), at the master device, the new domain key with each remaining encryption key, said each remaining encryption key being associated with a respective domain member device obtained from the existing domain list and producing a new message authentication code (MAC) based on the new domain key and the remaining encryption keys; and
means (205) for creating, at the master device, an updated copy of the domain list based on the new domain key and storing the updated domain list on a storage device (104).
Dependent claims: 41, 42, 43, 44.
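As an added, stdlib-only model of the domain-list handling in claims 1 and 35 (not code from the patent or from any product implementing it): the master enrolls a device by encrypting the domain key K under that device's encryption key, any member recovers K from the stored list without contacting whichever device stored the data, and removing a member mints K′ and re-encrypts it for the remaining members only. Assumptions: symmetric per-device keys already exchanged over the authenticated channel, a constructed HMAC-SHA256 counter-mode stream cipher standing in for a real AEAD, and a MAC keyed with K over the list entries as the reading of "MAC based on the new domain key and the remaining encryption keys".

```python
import hashlib, hmac, secrets
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed stand-in for a real cipher (HMAC-SHA256 in counter mode); use an AEAD in practice
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    return bytes(c ^ s for c, s in zip(blob[16:], _keystream(key, blob[:16], len(blob) - 16)))

def list_mac(domain_key: bytes, domain_list: dict) -> bytes:
    # MAC keyed with K over the list entries (each derived from a remaining encryption key), so any
    # member holding K can detect a tampered copy of the list on the storage device (104)
    body = b"".join(d.encode() + domain_list[d] for d in sorted(domain_list))
    return hmac.new(domain_key, body, hashlib.sha256).digest()

class DomainMaster:  # master device (201): holds K and the members' encryption keys
    def __init__(self):
        self.domain_key = secrets.token_bytes(32)   # confidential domain key K
        self.device_keys = {}                        # device id -> encryption key received in S301
        self.domain_list, self.mac = {}, b""         # the copy kept on network storage (S304 / S604)

    def _publish(self):
        # S303/S304 and S603/S604: K encrypted under every member key, plus the MAC
        self.domain_list = {d: encrypt(k, self.domain_key) for d, k in self.device_keys.items()}
        self.mac = list_mac(self.domain_key, self.domain_list)

    def enroll(self, device_id: str, device_key: bytes) -> None:
        self.device_keys[device_id] = device_key     # candidate (202) becomes a member
        self._publish()

    def remove(self, device_id: str) -> None:
        # S601-S604: drop the member's key, mint K', re-encrypt K' for the remaining members only
        del self.device_keys[device_id]
        self.domain_key = secrets.token_bytes(32)
        self._publish()

def member_domain_key(master: DomainMaster, device_id: str, device_key: bytes) -> bytes:
    # A member recovers K from the stored list without contacting whichever device stored the data
    k = decrypt(device_key, master.domain_list[device_id])
    if not hmac.compare_digest(list_mac(k, master.domain_list), master.mac):
        raise ValueError("domain list failed MAC check")
    return k

def store_data(master: DomainMaster, device_id: str, device_key: bytes, plaintext: bytes) -> bytes:
    return encrypt(member_domain_key(master, device_id, device_key), plaintext)  # S501/S502
```

A device removed in S601 keeps only the old K, so data stored after the rekey is unreadable to it, and a member that decrypts the list with the wrong key fails the MAC check instead of silently using a garbage K.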
46. A method of controlling access to data stored on a network (100), the method comprising the steps of:
creating access authentication data that is known to a network server (104) and to devices (101, 102, 103) that are allowed to access the data stored on the network;
checking, at the network server, whether a device is in possession of said access authentication data; and
controlling, at the network server, access by the device to the data stored on the network.
Dependent claims: 47, 48, 49, 50, 51.
52. A system for controlling access to data stored on a network (100), the system comprising:
means (205) for creating access authentication data that is known to a network server (104) and to devices (101, 102, 103) that are allowed to access said data stored on the network;
means (205) for checking, at the network server, whether a device is in possession of said access authentication data; and
means (205) for controlling, at the network server, access by the device to the data stored on the network.
Dependent claims: 53, 54, 55, 56, 57.