CRYPTOGRAPHIC KEY MANAGEMENT SYSTEM FACILITATING SECURE ACCESS OF DATA PORTIONS TO CORRESPONDING GROUPS OF USERS
Abstract
Cryptographic Key Management System facilitating secure access of data portions to corresponding groups of users. In an embodiment, a corresponding group key (an asymmetric key pair) is provided for each group, with the private key stored in a secure format that requires the user's credentials for decryption. In addition, the data key required to decrypt a data portion of interest is encrypted using the group public key. Thus, when a user attempts to access a data portion, the user's credentials are used to decrypt the group private key, which is then used to decrypt the data key. The data key is then used to decrypt the data portion of interest.
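The three-level key hierarchy the abstract describes (credential wraps group private key, group public key wraps data key, data key encrypts the data portion), as an added Go example that is not part of the patent or of any product it covers. The claims leave the algorithms open, so the example assumes concrete choices: RSA-OAEP for the group key pair, AES-GCM both for the data portion and for wrapping the group private key, and PBKDF2-HMAC-SHA256 over the user's credential as the "unique data which identifies a first user". The type and function names are invented for illustration; the wrapped private key, salt and iteration count together form the claims' "user-group data".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// UserGroupData is the per-member record: the group private key wrapped under a
// key derived from that member's credential. Names are assumptions, not the patent's.
type UserGroupData struct {
	Salt, WrappedPriv []byte
	Iterations        int
}

// Group is what the key store keeps for one group: public key in the clear,
// private key only in wrapped form, once per enrolled member.
type Group struct {
	Public  *rsa.PublicKey
	Members map[string]UserGroupData
}

// StoredData is one data portion: AES-GCM ciphertext plus the data key
// encrypted under the group public key (the claims' "group encrypted key").
type StoredData struct {
	Ciphertext, GroupEncryptedKey []byte
}

// deriveUserKey is PBKDF2-HMAC-SHA256 for a single 32-byte block (RFC 8018),
// written out by hand so the example needs only the standard library.
func deriveUserKey(credential, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, credential)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewGroup creates the group key pair. The plaintext private key is returned only
// so it can be wrapped for members and should not be persisted in the clear.
func NewGroup() (*Group, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Group{Public: &priv.PublicKey, Members: map[string]UserGroupData{}}, priv, nil
}

// Enroll wraps the group private key for one member under a credential-derived key.
func (g *Group) Enroll(userID string, credential []byte, priv *rsa.PrivateKey) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	const iters = 50_000
	wrapped, err := seal(deriveUserKey(credential, salt, iters), x509.MarshalPKCS1PrivateKey(priv))
	if err != nil {
		return err
	}
	g.Members[userID] = UserGroupData{Salt: salt, Iterations: iters, WrappedPriv: wrapped}
	return nil
}

// StoreData encrypts a data portion under a fresh data key and encrypts that
// data key under the group public key; the plaintext data key is not kept.
func StoreData(g *Group, plaintext []byte) (StoredData, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredData{}, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return StoredData{}, err
	}
	gek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, g.Public, dataKey, nil)
	if err != nil {
		return StoredData{}, err
	}
	return StoredData{Ciphertext: ct, GroupEncryptedKey: gek}, nil
}

// AccessData is the unwrap chain of the claims: credential -> group private key
// -> data key -> plaintext. A non-member or a wrong credential fails at the first step.
func AccessData(g *Group, userID string, credential []byte, sd StoredData) ([]byte, error) {
	ugd, ok := g.Members[userID]
	if !ok {
		return nil, errors.New("user is not a member of this group")
	}
	privDER, err := unseal(deriveUserKey(credential, ugd.Salt, ugd.Iterations), ugd.WrappedPriv)
	if err != nil {
		return nil, errors.New("credential does not unwrap the group private key")
	}
	priv, err := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil {
		return nil, err
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sd.GroupEncryptedKey, nil)
	if err != nil {
		return nil, err
	}
	return unseal(dataKey, sd.Ciphertext)
}
```

Because the group private key exists in the clear only inside AccessData, adding a member means wrapping the same private key once more under that member's credential, and no stored data portion has to be re-encrypted; removing a member, by contrast, only stops future unwrapping if the group key pair is rotated and every group encrypted key is re-wrapped, which is the operational cost of this design.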
11 Claims
1. A computer readable medium storing one or more sequences of instructions for causing a system to provide access to a plurality of data portions stored in a storage, wherein a first data portion contained in said plurality of data portions is stored in said storage in an encrypted form, wherein decryption of said first data portion in said encrypted form requires a data key, wherein execution of said one or more sequences of instructions by one or more processors contained in said network monitoring system causes said one or more processors to perform the actions of:
- encrypting said data key using a group public key to form a group encrypted key, wherein a group private key and said group public key form a group key pair according to a symmetric encryption approach;
- encrypting said group private key to form a user-group data, where said group private key is encrypted using an approach which requires a unique data which identifies a first user for decryption;
- decrypting said user group data using said unique data to form said group private key in unencrypted form when said first user requests access to said first data portion;
- decrypting said group encrypted key using said group private key to form said data key in unencrypted form; and
- decrypting said first data portion in said encrypted form using said data key in unencrypted form to form said first data in unencrypted form.
Dependent claims: 2, 3, 4, 5.

6. A method of providing access to a plurality of data portions, said method comprising:
- storing a first data portion in an encrypted format, wherein decryption of said first data portion in said encrypted format requires a data key;
- encrypting said data key using a group public key to form a group encrypted key, wherein a group private key and said group public key form a group key pair according to a symmetric encryption approach;
- encrypting said group private key to form a user-group data, where said group private key is encrypted using an approach which requires a unique data which identifies a first user for decryption;
- decrypting said user group data using said unique data to form said group private key in unencrypted form when said first user requests access to said first data portion;
- decrypting said group encrypted key using said group private key to form said data key in unencrypted form; and
- decrypting said first data portion in said encrypted form using said data key in unencrypted form to form said first data in unencrypted form.
Dependent claims: 7, 8, 9, 10.

11. A system comprising:
- a persistent storage to store a first data portion in an encrypted format, wherein decryption of said first data portion in said encrypted format requires a data key;
- a memory to store a group encrypted key and a user-group data, wherein said group encrypted key is formed earlier by encrypting a group public key, wherein a group private key and said group public key form a group key pair according to a symmetric encryption approach, wherein said user-group data is formed by encrypting said group private key, where said group private key is encrypted using an approach which requires a unique data which identifies a first user for decryption;
- a processor operable to decrypt said user group data using said unique data to form said group private key in unencrypted form when said first user requests access to said first data portion, said processor to further decrypt said group encrypted key using said group private key to form said data key in unencrypted form, and then to decrypt said first data portion in said encrypted form using said data key in unencrypted form to form said first data in unencrypted form.
Specification