Encryption-Based Data Access Management

US 20140164774A1
Filed: 12/12/2012
Published: 06/12/2014
Est. Priority Date: 12/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

transmitting, by a computing device, a user authentication request for accessing encrypted data to a data storage server storing the encrypted data;

receiving, by the computing device, a validation token associated with the user'"'"'s authentication request, wherein the validation token indicates that the user successfully authenticated;

transmitting, by the computing device, the validation token to a first key server;

in response to transmitting the validation token, receiving, by the computing device from the first key server, a key required for decrypting the encrypted data; and

decrypting, by the computing device, at least a portion of the encrypted data using the key.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user'"'"'s authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.

Citations

20 Claims

1. A method comprising:
- transmitting, by a computing device, a user authentication request for accessing encrypted data to a data storage server storing the encrypted data;
  
  receiving, by the computing device, a validation token associated with the user'"'"'s authentication request, wherein the validation token indicates that the user successfully authenticated;
  
  transmitting, by the computing device, the validation token to a first key server;
  
  in response to transmitting the validation token, receiving, by the computing device from the first key server, a key required for decrypting the encrypted data; and
  
  decrypting, by the computing device, at least a portion of the encrypted data using the key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the validation token indicates that the data storage server received confirmation, from a domain server, that the user successfully authenticated to the domain server.
  - 3. The method of claim 1, wherein the key is transmitted in response to verifying that the user is a member of a group authorized to access the encrypted data, wherein the group comprises a plurality of users.
  - 4. The method of claim 1, further comprising:
    - transmitting, by the computing device, the validation token to a second key server;
      
      receiving, by the computing device, a second key,wherein the first key is associated with a first secret, and the second key is associated with a second secret;
      
      wherein either the first key or the second key alone only allows the computing device to decrypt a first portion of the data; and
      
      wherein both the first key and the second key are required to allow the computing device to decrypt a second portion the data including the first portion of the data.
  - 5. The method of claim 4, wherein the first key and the second key are used to generate a decryption key, and wherein the decryption key is deleted by the computing device prior to and without allowing any transmission of the decryption key.
  - 6. The method of claim 1, further comprising receiving, by the computing device, a kill pill, the kill pill including instructions to the computing device to delete one or more of the key and the encrypted data.
  - 7. The method of claim 6, wherein the kill pill is authorized by a key server administrator.
  - 8. The method of claim 1, further comprising:
    - reencrypting, using a second encryption key different from the key received from the first key server, the decrypted data;
      
      storing the reencrypted data on the computing device;
      
      receiving a request to synchronize the reencrypted data with the data storage server;
      
      decrypting the reencrypted data; and
      
      reencrypting the data using the key received from the first key server.

9. A method comprising:
- receiving, by a data storage server storing encrypted data, a user authentication request for decrypting the encrypted data from a client device;
  
  transmitting, by the data storage server, a validation token associated with the user authentication request to the client device, wherein the validation token indicates that the user successfully authenticated;
  
  receiving, by the data storage server, a confirmation request associated with the user validation token from another device different from the client device; and
  
  transmitting, by the data storage server, a confirmation to the other device indicating that the user is authenticated to the data storage server.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising, prior to transmitting the validation token:
    - authenticating a user associated with the user authentication request to a domain; and
      
      determining, based on the user'"'"'s domain group memberships, data accessible to the user, wherein the domain group comprises a plurality of users.
  - 11. The method of claim 9, wherein the confirmation request is sent by a first key server in response to receiving the validation token from a computing device, the first key server configured to store at least a portion of a decryption key for decrypting the encrypted data.
  - 12. The method of claim 11, further comprising:
    - receiving, by the data storage server, from a second key server, a second confirmation request associated the user'"'"'s validation token; and
      
      transmitting, by the data storage server, to a second key server, a second confirmation indicating that the user is authenticated to the data storage server.
  - 13. The method of claim 11, wherein one or more of the first key server and the second key server transmits, to the computing device, a kill pill, the kill pill including instructions to the computing device to delete one or more of the key and the encrypted data.
  - 14. The method of claim 9, wherein the confirmation is associated with a key, the key required for decrypting the encrypted data.

15. A non-transitory computer readable medium storing computer readable instructions that, when executed, cause an apparatus to:
- receive a request to decrypt at least a portion of data, the data stored at a first network location at a first physical location controlled by a first entity;
  
  retrieve a validation token from a second network location using a user identifier and a password, the second network location at a second physical location controlled by a second entity;
  
  retrieve a first encryption secret from a third network location and a second encryption secret from a fourth network location, the third network location at a third physical location, the fourth network location at a fourth physical location;
  
  generate a decryption key using the first and second encryption secrets; and
  
  decrypt the at least a portion of the data using the decryption key.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable medium of claim 15, wherein the validation token indicates that the following processes were performed at the second network location:
    - authenticating a user to a domain; and
      
      determining the user'"'"'s one or more domain group memberships.
  - 17. The non-transitory computer readable medium of claim 16, wherein the decrypted at least a portion of the data is associated with the user'"'"'s file-access privileges associated with the user'"'"'s one or more domain group memberships.
  - 18. The non-transitory computer readable medium of claim 15, wherein the first encryption secret and the second encryption secret are both required to decrypt a portion of the data.
  - 19. The non-transitory computer readable medium of claim 15, further comprising computer readable instructions that cause the apparatus to:
    - receive a notification denying access to the at least a portion of the data.
  - 20. The non-transitory computer readable medium of claim 15, wherein access to the at least a portion of the data is denied by deleting one or more of the decryption key, the first encryption secret, and the second encryption secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Nord, Joseph, Tucker, Benjamin Elliot, Gaylor, Timothy

Granted Patent

US 8,997,197 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 9/00   Arrangements for program co...

H04L 63/064   Hierarchical key distributi...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04L 9/0861   Generation of secret inform...

H04L 9/0869   involving random numbers or...

H04L 9/12   Transmitting and receiving ...

Encryption-Based Data Access Management

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption-Based Data Access Management

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links