Methods and apparatus for secure data sharing

US 20130013921A1
Filed: 07/07/2011
Published: 01/10/2013
Est. Priority Date: 07/07/2011
Status: Active Grant

First Claim

Patent Images

1. A communication method comprising:

receiving from a first client a communication request that includes an encrypted conversation, a first key, and authentication bits, the communication request requesting that a host server sends the encrypted conversation and a decryption key for the encrypted conversation to a second client, wherein the first key is the decryption key that has been encrypted using a first public key associated with a first user at the first client;

in order to retrieve the decryption key from the first key,retrieving, at the host server, an encrypted secret key associated with the first user;

decrypting the encrypted secret key using the authentication bits included in the communication request received from the first user, thereby retrieving a secret key associated with the first user;

retrieving, at the host server, an encrypted private key associated with the first user;

decrypting the encrypted private key using the secret key associated with the first user, thereby retrieving a private key associated with the first user;

decrypting the first key using the private key associated with the first user, thereby retrieving the decryption key;

encrypting the decryption key using a second public key associated with a second user at the second client to generate a second key; and

sending to the second client the encrypted conversation and the second key.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure relates to methods and apparatus for securely and easily sharing data over a communications network. As communications services on a communications network are continuously becoming cheaper, faster, and easier to use, more users are becoming receptive to the idea of sharing data over the communications network. However, although E-mails and web folders, to a certain degree, provide easy-to-use or secure data sharing mechanisms, none of the existing data sharing methods is both easy-to-use and highly secure. This disclosure provides methods and apparatus for easily and securely sharing data over a communications network.

109 Citations

View as Search Results

24 Claims

1. A communication method comprising:
- receiving from a first client a communication request that includes an encrypted conversation, a first key, and authentication bits, the communication request requesting that a host server sends the encrypted conversation and a decryption key for the encrypted conversation to a second client, wherein the first key is the decryption key that has been encrypted using a first public key associated with a first user at the first client;
  
  in order to retrieve the decryption key from the first key,retrieving, at the host server, an encrypted secret key associated with the first user;
  
  decrypting the encrypted secret key using the authentication bits included in the communication request received from the first user, thereby retrieving a secret key associated with the first user;
  
  retrieving, at the host server, an encrypted private key associated with the first user;
  
  decrypting the encrypted private key using the secret key associated with the first user, thereby retrieving a private key associated with the first user;
  
  decrypting the first key using the private key associated with the first user, thereby retrieving the decryption key;
  
  encrypting the decryption key using a second public key associated with a second user at the second client to generate a second key; and
  
  sending to the second client the encrypted conversation and the second key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The communication method of claim 1, further comprising:
    - receiving, at the second client, the encrypted conversation and the second key;
      
      decrypting, at the second client, the second key using a second private key associated with the second client, thereby retrieving the decryption key for the encrypted conversation; and
      
      decrypting the encrypted conversation using the decrypted second key.
  - 3. The communication method of claim 1, wherein the encrypted conversation includes an encrypted message and an encrypted document, each encrypted using a unique encryption key.
  - 4. The communication method of claim 1, wherein the authentication bits are derived from a password associated with the first user.
  - 5. The communication method of claim 1, wherein the secret key is an Advanced Encryption Standard (AES) key.
  - 6. The communication method of claim 1, further comprising:
    - receiving, from the first client, a password reset notification notifying that a password associated with the first user is lost;
      
      receiving new authentication bits derived from a new password to be associated with the first user;
      
      retrieving a backup secret key associated with the first user, wherein the backup secret key is encrypted using a master public key;
      
      sending a password reset request to a management server that maintains a master private key paired with the master public key, wherein the password reset request includes the backup secret key;
      
      receiving from the management server a password reset response that includes the secret key associated with the first user;
      
      encrypting the secret key using the new authentication bits; and
      
      storing the secret key encrypted using the new authentication bits.
  - 7. The communication method of claim 6, wherein the password reset request includes an access key that notifies the maintenance server that the host server is authorized to send the password reset request to the maintenance server.
  - 8. The communication method of claim 6, wherein the password reset request further includes a response key that will be used by the management server to encrypt the password reset response.
  - 9. The communication method of claim 1, further comprising:
    - receiving a timestamp request message from the first client, the timestamp request message requesting a maximum timestamp value for each object type in the conversation; and
      
      sending a timestamp response message that includes the maximum timestamp value for each object type in the conversation.
  - 10. The communication method of claim 9, further comprising:
    - receiving the timestamp response message at the first client;
      
      analyzing the timestamp response message to determine whether the conversation has changed since the conversation was downloaded to the first client last time;
      
      if the conversation has changed since the conversation was downloaded to the first client last time,sending a timestamp profile request to the host server;
      
      receiving a timestamp profile response that includes a summary of what has changed in the conversation; and
      
      sending a data update request to the host server, the data update request requesting the host server to send changes in the stored conversation.
  - 11. The communication method of claim 10, wherein analyzing the timestamp response message includes comparing the maximum timestamp value of each object type in the timestamp response message to a maximum timestamp value of a corresponding object type maintained locally at the first client.
  - 12. The communication method of claim 1, further comprising:
    - retrieving a configuration file template that includes a parameter;
      
      retrieving a property file that includes a key and a value paired with the key;
      
      mapping the parameter in the configuration file template to the key;
      
      substituting the parameter with the value paired with the key, thereby generating a configuration file to be used to configure the host server.
  - 13. The communication method of claim 12, wherein the value is encrypted using an encryption key, and is decrypted at the host server by receiving a decryption key from a management system.

14. An apparatus comprising:
- an interface that is configured to provide communication with a first client and a second client;
  
  a memory that is configured to maintain an encrypted private key and an encrypted secret key associated with the first client, wherein the encrypted private key is derived from encrypting a private key of the first client with a secret key of the first client, and wherein the encrypted secret key is derived from encrypting the secret key using authentication bits of the first client;
  
  a module that is configured to receive an encrypted conversation, an encrypted decryption key, and authentication bits associated with the first client, the module configured to retrieve a decryption key for the encrypted conversation by retrieving the secret key from the encrypted secret key using the authentication bits, by retrieving the private key from the encrypted private key using the secret key, and by decrypting the encrypted decryption key using the private key, the module further configured to generate a second key by encrypting the decryption key using a second public key associated with a second user at the second client, and to send to the second client the encrypted conversation and the second key.
- View Dependent Claims (15, 16, 17)
- - 15. The apparatus of claim 14, wherein the memory is further configured to maintain the encrypted conversation and the module is further configured to send to the first client a maximum timestamp value for each object type in the encrypted conversation.
  - 16. The apparatus of claim 14, wherein when the first client has never served a third user, the module is configured to retrieve public/private key associated with the third user, to encrypt public/private key associated with the third user using a client key uniquely associated with the third user operating at the first client, and to send the encrypted public/private key to the first client.
  - 17. The apparatus of claim 14, wherein the memory is configured to maintain a property file and a configuration file template, the property file including a key and a value paired with the key and the configuration file template including a parameter, and wherein the module is configured to generate a configuration file to be used in configuring the apparatus by mapping the parameter in the configuration file template to the key and by substituting the parameter using the value paired with the key.

18. Logic encoded on one or more tangible media for execution and when executed operable to:
- receive a communication request that includes an encrypted conversation, a first key, and authentication bits, the communication request requesting that a host server sends the encrypted conversation and a decryption key for the encrypted conversation to a second client, wherein the first key is the decryption key that has been encrypted using a first public key associated with a first user at the first client;
  
  in order to retrieve the decryption key from the first key,retrieve an encrypted secret key associated with the first user;
  
  decrypt the encrypted secret key using the authentication bits included in the communication request received from the first user, thereby retrieving a secret key associated with the first user;
  
  retrieve an encrypted private key associated with the first user;
  
  decrypt the encrypted private key using the secret key associated with the first user, thereby retrieving a private key associated with the first user;
  
  decrypt the first key using the private key associated with the first user, thereby retrieving the decryption key;
  
  encrypt the decryption key using a second public key associated with a second user at the second client to generate a second key; and
  
  send to the second client the encrypted conversation and the second key.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The logic of claim 18, further operable to:
    - receive, from the first client, a password reset notification notifying that a password associated with the first user is lost;
      
      receive new authentication bits derived from a new password to be associated with the first user;
      
      retrieve a backup secret key associated with the first user, wherein the backup secret key is encrypted using a master public key;
      
      send a password reset request to a management server that maintains a master private key paired with the master public key, wherein the password reset request includes the backup secret key;
      
      receive from the management server a password reset response that includes the secret key associated with the first user;
      
      encrypt the secret key using the new authentication bits; and
      
      store the secret key encrypted using the new authentication bits.
  - 20. The logic of claim 19, wherein the password reset request includes an access key that notifies the maintenance server that the host server is authorized to send the password reset request to the maintenance server.
  - 21. The logic of claim 18, further operable to:
    - retrieve a configuration file template that includes a parameter;
      
      retrieve a property file that includes a key and a value paired with the key;
      
      map the parameter in the configuration file template to the key;
      
      substitute the parameter with the value paired with the key, thereby generating a configuration file to be used to configure the host server.
  - 22. The logic of claim 21, wherein the value is encrypted using an encryption key, and is decrypted at the host server by receiving a decryption key from a management system.
  - 23. The logic of claim 18, further operable to:
    - receive a registration request from a third client notifying that the third client has never served a third user;
      
      retrieve X.509 public/private key associated with the third user;
      
      encrypt the X.509 public/private key using a client key uniquely associated with the third user operating at third client; and
      
      send the encrypted X.509 public/private key to the third client.
  - 24. The logic of claim 23, further operable to generate the client key uniquely associated with the third user operating at the third client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Etsy Incorporated
Original Assignee
Ziptr Incorporated
Inventors
BHATHENA, Firdaus, ANUSZCZYK, Jeffrey, BORAN, Christopher

Granted Patent

US 8,732,462 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/045   wherein the sending and rec...

H04L 63/0471   applying encryption by an i...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/002   Countermeasures against att...

H04L 9/0825   using asymmetric-key encryp...

Methods and apparatus for secure data sharing

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for secure data sharing

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links