CRYPTOGRAPHIC KEY MANAGEMENT SYSTEM FACILITATING SECURE ACCESS OF DATA PORTIONS TO CORRESPONDING GROUPS OF USERS

US 20100095118A1
Filed: 10/11/2007
Published: 04/15/2010
Est. Priority Date: 10/12/2006
Status: Abandoned Application

First Claim

Patent Images

1. A computer readable medium storing one or more sequences of instructions for causing a system to provide access to a plurality of data portions stored in a storage, wherein a first data portion contained in said plurality of data portions is stored in said storage in an encrypted form, wherein decryption of said first data portion in said encrypted form requires a data key, wherein execution of said one or more sequences of instructions by one or more processors contained in said network monitoring system causes said one or more processors to perform the actions of:

encrypting said data key using a group public key to form a group encrypted key, wherein a group private key and said group public key form a group key pair according to a symmetric encryption approach;

encrypting said group private key to form a user-group data, where said group private key is encrypted using an approach which requires a unique data which identifies a first user for decryption;

decrypting said user group data using said unique data to form said group private key in unencrypted form when said first user requests access to said first data portion;

decrypting said group encrypted key using said group private key to form said data key in unencrypted form; and

decrypting said first data portion in said encrypted form using said data key in unencrypted form to form said first data in unencrypted form.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cryptographic Key Management System facilitating secure access of data portions to corresponding groups of users. In an embodiment, corresponding group key (asymmetric key pair) is provided for each group, with the private key being stored in a secure format requiring the user credentials for decryption. In addition, a data key required to decrypt a data portion of interest is encrypted using the group public key. Thus, when a user attempts to access a data portion, the user credentials are used to decrypt the group private key, which is then used to decrypt the data key. The data key is then used to decrypt the data portion of interest.

59 Citations

View as Search Results

11 Claims

1. A computer readable medium storing one or more sequences of instructions for causing a system to provide access to a plurality of data portions stored in a storage, wherein a first data portion contained in said plurality of data portions is stored in said storage in an encrypted form, wherein decryption of said first data portion in said encrypted form requires a data key, wherein execution of said one or more sequences of instructions by one or more processors contained in said network monitoring system causes said one or more processors to perform the actions of:
- encrypting said data key using a group public key to form a group encrypted key, wherein a group private key and said group public key form a group key pair according to a symmetric encryption approach;
  
  encrypting said group private key to form a user-group data, where said group private key is encrypted using an approach which requires a unique data which identifies a first user for decryption;
  
  decrypting said user group data using said unique data to form said group private key in unencrypted form when said first user requests access to said first data portion;
  
  decrypting said group encrypted key using said group private key to form said data key in unencrypted form; and
  
  decrypting said first data portion in said encrypted form using said data key in unencrypted form to form said first data in unencrypted form.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer readable medium of claim 1, wherein said first data portion is encrypted using a symmetric key approach such that said data key is used for both encryption and decryption of said first data portion.
  - 3. The computer readable medium of claim 2, wherein said unique data comprises a user credential of said first user.
  - 4. The computer readable medium of claim 1, further comprising:
    - enabling an administrator to specify that a plurality of users including said first user are assigned to a group,wherein said group private key is encrypted using a corresponding unique data for each of said plurality of users to form a plurality of user-group data including said user group data,whereby access to said first data portion is provided only to said plurality of users in said group.
  - 5. The computer readable medium of claim 4, wherein said administrator specifies access privileges associated with said group pair, wherein all of plurality of users are permitted said access privileges with respect to accessing said first data portion.

6. A method of providing access to a plurality of data portions, said method comprising:
- storing a first data portion in an encrypted format, wherein decryption of said first data portion in said encrypted format requires a data key;
  
  encrypting said data key using a group public key to form a group encrypted key, wherein a group private key and said group public key form a group key pair according to a symmetric encryption approach;
  
  encrypting said group private key to form a user-group data, where said group private key is encrypted using an approach which requires a unique data which identifies a first user for decryption;
  
  decrypting said user group data using said unique data to form said group private key in unencrypted form when said first user requests access to said first data portion;
  
  decrypting said group encrypted key using said group private key to form said data key in unencrypted form; and
  
  decrypting said first data portion in said encrypted form using said data key in unencrypted form to form said first data in unencrypted form.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein said first data portion is encrypted using a symmetric key approach such that said data key is used for both encryption and decryption of said first data portion.
  - 8. The method of claim 7, wherein said unique data comprises a user credential of said first user.
  - 9. The method of claim 6, further comprising:
    - enabling an administrator to specify that a plurality of users including said first user are assigned to a group,wherein said group private key is encrypted using a corresponding unique data for each of said plurality of users to form a plurality of user-group data including said user group data,whereby access to said first data portion is provided only to said plurality of users in said group.
  - 10. The method of claim 9, further comprising:
    - encrypting one of said data key and a group key pair using a public administrator key, wherein said public administrator key and a private administrator key form an asymmetric key pair for an administrator; and
      
      recovering said one of data key and said group key pair using said private administrator key.

11. A system comprising:
- a persistent storage to store a first data portion in an encrypted format, wherein decryption of said first data portion in said encrypted format requires a data key;
  
  a memory to store a group encrypted key and a user-group data,wherein said group encrypted key is formed earlier by encrypting a group public key, wherein a group private key and said group public key form a group key pair according to a symmetric encryption approach,wherein said user-group data is formed by encrypting said group private key, where said group private key is encrypted using an approach which requires a unique data which identifies a first user for decryption,a processor operable to decrypt said user group data using said unique data to form said group private key in unencrypted form when said first user requests access to said first data portion, said processor to further decrypt said group encrypted key using said group private key to form said data key in unencrypted form, and then to decrypt said first data portion in said encrypted form using said data key in unencrypted form to form said first data in unencrypted form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
RSA Security Incorporated (Symphony Technology Group LLC)
Inventors
Meka, Anil Kumar

Application Number

US12/443,823
Publication Number

US 20100095118A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/6227 where protection concerns t...

CRYPTOGRAPHIC KEY MANAGEMENT SYSTEM FACILITATING SECURE ACCESS OF DATA PORTIONS TO CORRESPONDING GROUPS OF USERS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

CRYPTOGRAPHIC KEY MANAGEMENT SYSTEM FACILITATING SECURE ACCESS OF DATA PORTIONS TO CORRESPONDING GROUPS OF USERS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links