SYSTEMS AND METHODS FOR SECURE THIRD-PARTY DATA STORAGE

US 20130254537A1
Filed: 03/13/2013
Published: 09/26/2013
Est. Priority Date: 03/26/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure third-party data storage, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, at the server-side computing device, a request from a client system to share access to an encrypted file stored under a user account, wherein the access to the encrypted file comprises access to unencrypted contents of the encrypted file;

identifying, in response to the request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;

receiving, from the client system, the client-side key;

decrypting the decryption key with the client-side key;

identifying a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;

decrypting the file key with the decryption key to create an unencrypted version of the file key;

generating a temporary encryption key;

encrypting the unencrypted version of the file key with the temporary encryption key to create a temporary encrypted file key;

transmitting a temporary decryption key corresponding to the temporary encryption key to share the access to the encrypted file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for secure third-party data storage may include 1) identifying, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, 2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, 3) receiving, from the client system, the client-side key, 4) decrypting the decryption key with the client-side key, and 5) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

76 Citations

View as Search Results

20 Claims

1. A computer-implemented method for secure third-party data storage, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, at the server-side computing device, a request from a client system to share access to an encrypted file stored under a user account, wherein the access to the encrypted file comprises access to unencrypted contents of the encrypted file;
  
  identifying, in response to the request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;
  
  receiving, from the client system, the client-side key;
  
  decrypting the decryption key with the client-side key;
  
  identifying a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
  
  decrypting the file key with the decryption key to create an unencrypted version of the file key;
  
  generating a temporary encryption key;
  
  encrypting the unencrypted version of the file key with the temporary encryption key to create a temporary encrypted file key;
  
  transmitting a temporary decryption key corresponding to the temporary encryption key to share the access to the encrypted file.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving a subsequent request to access the encrypted file, the subsequent request comprising the temporary decryption key;
      
      decrypting the temporary encrypted file key with the temporary decryption key to access the unencrypted version of the file key;
      
      decrypting the encrypted file with the unencrypted version of the file key to provide access to an unencrypted version of the encrypted file.
  - 3. The computer-implemented method of claim 1, wherein sharing access to the encrypted file comprises transmitting the temporary decryption key to the client system.
  - 4. The computer-implemented method of claim 1, wherein sharing access to the encrypted file comprises transmitting the temporary decryption key to at least one address specified in the request to share access.
  - 5. The computer-implemented method of claim 1, wherein transmitting the temporary decryption key comprises transmitting a uniform resource locator that comprises the temporary decryption key.
  - 6. The computer-implemented method of claim 1, further comprising:
    - determining that an access limit for sharing the access to the encrypted file has been reached;
      
      removing the temporary encrypted file key in response to determining that the access limit has been reached.
  - 7. The computer-implemented method of claim 1, wherein generating the temporary encryption key comprises generating the temporary encryption key without storing the temporary encryption key on a non-volatile server-side storage device.

8. A system for secure third-party data storage, the system comprising:
- an identification module programmed to identify, at the server-side computing device, a request from a client system to share access to an encrypted file stored under a user account, wherein the access to the encrypted file comprises access to unencrypted contents of the encrypted file;
  
  a key module programmed to identify, in response to the request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;
  
  a receiving module programmed to receive, from the client system, the client-side key;
  
  a decryption module programmed to;
  
  decrypt the decryption key with the client-side key;
  
  identify a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
  
  decrypt the file key with the decryption key to create an unencrypted version of the file key;
  
  a sharing module programmed to;
  
  generate a temporary encryption key;
  
  encrypt the unencrypted version of the file key with the temporary encryption key to create a temporary encrypted file key;
  
  transmit a temporary decryption key corresponding to the temporary encryption key to share the access to the encrypted file;
  
  at least one processor configured to execute the identification module, the key module, the receiving module, the decryption module, and the sharing module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein:
    - the identification module is further programmed to receive a subsequent request to access the encrypted file, the subsequent request comprising the temporary decryption key;
      
      the decryption module is further programmed to;
      
      decrypt the temporary encrypted file key with the temporary decryption key to access the unencrypted version of the file key;
      
      decrypt the encrypted file with the unencrypted version of the file key to provide access to an unencrypted version of the encrypted file.
  - 10. The system of claim 8, wherein the sharing module is programmed to share access to the encrypted file by transmitting the temporary decryption key to the client system.
  - 11. The system of claim 8, wherein the sharing module is programmed to share access to the encrypted file by transmitting the temporary decryption key to at least one address specified in the request to share access.
  - 12. The system of claim 8, wherein the sharing module is programmed to transmit the temporary decryption key by transmitting a uniform resource locator that comprises the temporary decryption key.
  - 13. The system of claim 8, wherein the sharing module is further programmed to:
    - determine that an access limit for sharing the access to the encrypted file has been reached;
      
      remove the temporary encrypted file key in response to determining that the access limit has been reached.
  - 14. The system of claim 8, wherein the sharing module is programmed to generate the temporary encryption key by generating the temporary encryption key without storing the temporary encryption key on a non-volatile server-side storage device.

15. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, at the server-side computing device, a request from a client system to share access to an encrypted file stored under a user account, wherein the access to the encrypted file comprises access to unencrypted contents of the encrypted file;
  
  identify, in response to the request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;
  
  receive, from the client system, the client-side key;
  
  decrypt the decryption key with the client-side key;
  
  identify a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
  
  decrypt the file key with the decryption key to create an unencrypted version of the file key;
  
  generate a temporary encryption key;
  
  encrypt the unencrypted version of the file key with the temporary encryption key to create a temporary encrypted file key;
  
  transmit a temporary decryption key corresponding to the temporary encryption key to share the access to the encrypted file.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable-storage medium of claim 15, wherein the one or more computer-executable instructions further cause the computing device to:
    - receive a subsequent request to access the encrypted file, the subsequent request comprising the temporary decryption key;
      
      decrypt the temporary encrypted file key with the temporary decryption key to access the unencrypted version of the file key;
      
      decrypt the encrypted file with the unencrypted version of the file key to provide access to an unencrypted version of the encrypted file.
  - 17. The non-transitory computer-readable-storage medium of claim 15, wherein sharing access to the encrypted file comprises transmitting the temporary decryption key to the client system.
  - 18. The non-transitory computer-readable-storage medium of claim 15, wherein sharing access to the encrypted file comprises transmitting the temporary decryption key to at least one address specified in the request to share access.
  - 19. The non-transitory computer-readable-storage medium of claim 15, wherein transmitting the temporary decryption key comprises transmitting a uniform resource locator that comprises the temporary decryption key.
  - 20. The non-transitory computer-readable-storage medium of claim 15, wherein the one or more computer-executable instructions further cause the computing device to:
    - determine that an access limit for sharing the access to the encrypted file has been reached;
      
      remove the temporary encrypted file key in response to determining that the access limit has been reached.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bogorad, Walter

Granted Patent

US 8,966,287 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

SYSTEMS AND METHODS FOR SECURE THIRD-PARTY DATA STORAGE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURE THIRD-PARTY DATA STORAGE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links