Storing user data in a service provider cloud without exposing user-specific secrets to the service provider
First Claim
1. A method of storing and protecting user data in a service provider cloud, comprising:
associating a key pair with an account of an authorized user, the key pair comprising an account public key, and an associated account secret key;
storing a value that has been generated by encrypting the account secret key with a user-specific secret;
storing in the service provider cloud a file that has been generated by encrypting data associated with the authorized user with a data key;
encrypting the data key with the account public key to generate an account encrypted data key;
storing the account encrypted data key; and
providing access to the data associated with the authorized user upon receipt at the service provider cloud of the user-specific secret by (i) decrypting the value to obtain the account secret key, then (ii) decrypting the account encrypted data key to obtain the data key, then (iii) decrypting the file stored in the service provider cloud with the data key.
Abstract
Subscriber (user) data is encrypted and stored in a service provider cloud in a manner such that the service provider is unable to decrypt and, as a consequence, to view, access or copy the data. Only the user knows a user-specific secret (e.g., a password) that is the basis of the encryption. The techniques herein enable the user to share his or her data, privately or publicly, without exposing the user-specific secret to anyone or any entity (such as the service provider).
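The key hierarchy recited in claim 1, as an added Node.js sketch written for this page and not taken from the patent. The claim names no algorithms, so scrypt, AES-256-GCM and RSA-OAEP are assumed choices, and every function and field name is hypothetical.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a fresh nonce per call; open() throws on a wrong key or tampering.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Account setup: generate the key pair, keep the secret key only in wrapped form.
function createAccount(userSecret) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(userSecret, salt, 32); // key derived from the user-specific secret
  return {
    accountPublicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    salt,
    wrappedSecretKey: seal(kek, privateKey.export({ type: 'pkcs8', format: 'der' })),
  };
}

// Upload: encrypt the file under a random data key, then wrap that key with the
// account public key. No user secret is needed on this path.
function storeFile(account, data) {
  const dataKey = crypto.randomBytes(32);
  return {
    file: seal(dataKey, data),
    accountEncryptedDataKey: crypto.publicEncrypt(
      { key: account.accountPublicKey, oaepHash: 'sha256' }, dataKey),
  };
}

// Access: steps (i) to (iii) of the claim, in order.
function readFile(account, stored, userSecret) {
  const kek = crypto.scryptSync(userSecret, account.salt, 32);
  const der = open(kek, account.wrappedSecretKey);                          // (i)
  const sk = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  const dataKey = crypto.privateDecrypt(
    { key: sk, oaepHash: 'sha256' }, stored.accountEncryptedDataKey);       // (ii)
  return open(dataKey, stored.file);                                        // (iii)
}
```

The objects returned by `createAccount` and `storeFile` are everything that persists at rest; the user secret and the keys derived from it exist only for the duration of a `readFile` call.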
12 Claims
11. An article comprising a tangible machine-readable medium that stores a program, the program being executable by a machine to perform a method of storing and protecting user data in a service provider cloud, comprising:
associating a key pair with an account of an authorized user, the key pair comprising an account public key, and an associated account secret key;
storing a value that has been generated by encrypting the account secret key with a user-specific secret;
storing in the service provider cloud a file that has been generated by encrypting data associated with the authorized user with a data key;
encrypting the data key with the account public key to generate an account encrypted data key;
storing the account encrypted data key; and
providing access to the data associated with the authorized user upon receipt at the service provider cloud of the user-specific secret by (i) decrypting the value to obtain the account secret key, then (ii) decrypting the account encrypted data key to obtain the data key, then (iii) decrypting the file stored in the service provider cloud with the data key.
12. Apparatus, comprising:
one or more processors;
computer memory holding computer program instructions executed by the one or more processors to provide a method of storing and protecting user data in a service provider cloud, the method comprising:
associating a key pair with an account of an authorized user, the key pair comprising an account public key, and an associated account secret key;
storing a value that has been generated by encrypting the account secret key with a user-specific secret;
storing in the service provider cloud a file that has been generated by encrypting data associated with the authorized user with a data key;
encrypting the data key with the account public key to generate an account encrypted data key;
storing the account encrypted data key; and
providing access to the data associated with the authorized user upon receipt at the service provider cloud of the user-specific secret by (i) decrypting the value to obtain the account secret key, then (ii) decrypting the account encrypted data key to obtain the data key, then (iii) decrypting the file stored in the service provider cloud with the data key.
Specification