Off-loading data re-encryption in encrypted data management systems
Abstract
Described is a solution for maintaining the security of encrypted data despite a compromised private key by using a re-encryption process that does not require decryption of the encrypted data. The compromised private key is re-encrypted using a new public key, as is the encrypted symmetric key which the compromised private key can decrypt. When a decrypted version of the encrypted data is requested, the private key corresponding to the new public key decrypts both the encrypted version of the compromised private key and the re-encrypted version of the symmetric key, resulting in the unencrypted compromised private key and the previously encrypted version of the symmetric key, which, when decrypted using the compromised private key, decrypts the encrypted data. The unencrypted symmetric key can then be encrypted using the new public key, and any encrypted compromised private key can be deleted.
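The layering described in the abstract, as an added Node.js example that is not code from the patent: rotate() stores the two blobs of claim 1 and recover() peels them in the order of claim 7, steps (a) to (c). The page names no algorithms, so the hybrid seal()/open() scheme (RSA-OAEP wrapping a one-time AES-256-GCM key), the 2048-bit RSA keys, the PEM encoding and every function and field name are assumptions of this example.

```javascript
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
  createCipheriv, createDecipheriv } = require('crypto');

const RSA_LEN = 256; // RSA-2048 ciphertext length; this example assumes 2048-bit keys
const oaep = (key) => ({ key, oaepHash: 'sha256' });

// Hybrid encryption to a public key: RSA-OAEP wraps a one-time AES-256-GCM key.
// Blob layout: wrappedKey(256) | iv(12) | tag(16) | ciphertext.
function seal(publicKey, msg) {
  const k = randomBytes(32), iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', k, iv);
  const ct = Buffer.concat([c.update(msg), c.final()]);
  return Buffer.concat([publicEncrypt(oaep(publicKey), k), iv, c.getAuthTag(), ct]);
}

// Reverse of seal(); throws on a wrong private key or a modified blob.
function open(privateKey, box) {
  const k = privateDecrypt(oaep(privateKey), box.subarray(0, RSA_LEN));
  const d = createDecipheriv('aes-256-gcm', k, box.subarray(RSA_LEN, RSA_LEN + 12));
  d.setAuthTag(box.subarray(RSA_LEN + 12, RSA_LEN + 28));
  return Buffer.concat([d.update(box.subarray(RSA_LEN + 28)), d.final()]);
}

// Claim 1: neither the data unit nor the symmetric key is decrypted. encSymKey is
// the symmetric key as previously encrypted under the compromised pair's public key.
function rotate(newPublicKey, compromisedPrivPem, encSymKey) {
  return {
    wrappedCompromisedPriv: seal(newPublicKey, Buffer.from(compromisedPrivPem)),
    rewrappedSymKey: seal(newPublicKey, encSymKey),
  };
}

// Claim 7, steps (a)-(c); the returned key is what step (d) decrypts the data with.
function recover(newPrivateKey, rec) {
  const compromisedPriv = open(newPrivateKey, rec.wrappedCompromisedPriv).toString(); // (a)
  const encSymKey = open(newPrivateKey, rec.rewrappedSymKey); // (b)
  return open(compromisedPriv, encSymKey); // (c)
}

// Constructed demo: fresh key pairs and a random data key, none from the patent.
const newKeyPair = () => generateKeyPairSync('rsa', { modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' } });
function demo() {
  const oldPair = newKeyPair(), newPair = newKeyPair(), symKey = randomBytes(32);
  const rec = rotate(newPair.publicKey, oldPair.privateKey, seal(oldPair.publicKey, symKey));
  return recover(newPair.privateKey, rec).equals(symKey);
}
console.log('symmetric key recovered through both layers:', demo());
```

The outer layer protects only what is stored after rotation: a copy of the previously encrypted symmetric key taken before rotation still opens with the compromised private key alone.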
30 Claims
1. A computer-implemented method for maintaining security of encrypted data despite a compromised private key comprising:
re-encrypting a previously encrypted version of a symmetric key using a public key of a new asymmetric key pair wherein an unencrypted version of the symmetric key can decrypt an encrypted data unit; and
storing the re-encrypted version of the symmetric key, and a version of the compromised private key encrypted using the public key wherein an unencrypted version of the compromised private key is capable of decrypting the previously encrypted version of the symmetric key.

7. A computer-implemented method for decrypting encrypted data wherein security of the encrypted data has been maintained despite the compromised private key, the method comprising:
(a) responsive to a request for a decrypted version of an encrypted data unit associated with the compromised private key, decrypting an encrypted version of the compromised private key using a private key of a new asymmetric pair resulting in the compromised private key;
(b) decrypting a re-encrypted symmetric key using the private key of the new asymmetric pair resulting in a previously encrypted version of the symmetric key;
(c) decrypting the previously encrypted version of the symmetric key using the compromised private key resulting in a resultant symmetric key; and
(d) responsive to the resultant symmetric key being an unencrypted version of the symmetric key, decrypting content data of the encrypted data unit using the unencrypted version of the symmetric key.

10. A computer-implemented system for maintaining security of encrypted data despite a compromised private key comprising:
a re-encryption module for re-encrypting a previously encrypted version of a symmetric key using a public key of a new asymmetric key pair wherein an unencrypted version of the symmetric key can decrypt an encrypted data unit; and
a data-store accessible to the re-encryption module for storing the re-encrypted version of the symmetric key, and a version of the compromised private key encrypted using the public key wherein an unencrypted version of the compromised private key is capable of decrypting the previously encrypted version of the symmetric key.

16. A computer-implemented system for decrypting encrypted data wherein security of the encrypted data has been maintained despite the compromised private key, the system comprising a decryption module for performing the following:
(a) responsive to a request for a decrypted version of an encrypted data unit associated with the compromised private key, decrypting an encrypted version of the compromised private key using a private key of a new asymmetric pair resulting in the compromised private key;
(b) decrypting a re-encrypted symmetric key using the private key of the new asymmetric pair resulting in a previously encrypted version of the symmetric key;
(c) decrypting the previously encrypted version of the symmetric key using the compromised private key resulting in a resultant symmetric key; and
(d) responsive to the resultant symmetric key being an unencrypted version of the symmetric key, decrypting content data of the encrypted data unit using the unencrypted version of the symmetric key.

19. A computer usable medium comprising instructions for causing a processor to execute a method for maintaining security of encrypted data despite a compromised private key, the method comprising:
re-encrypting a previously encrypted version of a symmetric key using a public key of a new asymmetric key pair wherein an unencrypted version of the symmetric key can decrypt an encrypted data unit; and
storing the re-encrypted version of the symmetric key, and a version of the compromised private key encrypted using the public key wherein an unencrypted version of the compromised private key is capable of decrypting the previously encrypted version of the symmetric key.

22. A computer usable medium comprising instructions for causing a processor to execute a method for decrypting encrypted data wherein security of the encrypted data has been maintained despite the compromised private key, the method comprising:
(a) responsive to a request for a decrypted version of an encrypted data unit associated with the compromised private key, decrypting an encrypted version of the compromised private key using a private key of a new asymmetric pair resulting in the compromised private key;
(b) decrypting a re-encrypted symmetric key using the private key of the new asymmetric pair resulting in a previously encrypted version of the symmetric key;
(c) decrypting the previously encrypted version of the symmetric key using the compromised private key resulting in a resultant symmetric key; and
(d) responsive to the resultant symmetric key being an unencrypted version of the symmetric key, decrypting content data of the encrypted data unit using the unencrypted version of the symmetric key.

25. A computer-implemented system for maintaining security of encrypted data despite a compromised private key comprising:
means for re-encrypting a previously encrypted version of a symmetric key using a public key of a new asymmetric key pair wherein an unencrypted version of the symmetric key can decrypt an encrypted data unit; and
a data-store accessible to the means for re-encrypting for storing the re-encrypted version of the symmetric key, and a version of the compromised private key encrypted using the public key wherein an unencrypted version of the compromised private key is capable of decrypting the previously encrypted version of the symmetric key.

28. A computer-implemented system for decrypting encrypted data wherein security of the encrypted data has been maintained despite the compromised private key, the system comprising means for decryption for performing the following:
(a) responsive to a request for a decrypted version of an encrypted data unit associated with the compromised private key, decrypting an encrypted version of the compromised private key using a private key of a new asymmetric pair resulting in the compromised private key;
(b) decrypting a re-encrypted symmetric key using the private key of the new asymmetric pair resulting in a previously encrypted version of the symmetric key;
(c) decrypting the previously encrypted version of the symmetric key using the compromised private key resulting in a resultant symmetric key; and
(d) responsive to the resultant symmetric key being an unencrypted version of the symmetric key, decrypting content data of the encrypted data unit using the unencrypted version of the symmetric key.

Specification