REMOTE KEY MANAGEMENT IN A CLOUD-BASED ENVIRONMENT

US 20140270178A1
Filed: 10/17/2013
Published: 09/18/2014
Est. Priority Date: 10/17/2012
Status: Active Grant

First Claim

Patent Images

1. A key service engine for facilitating remote key management services in a collaborative cloud-based environment, the key service engine comprising:

a processor;

a key service proxy device configured to initiate a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, wherein the remote key request includes a reason code enumerating a reason associated with the content request;

a reason engine configured to direct the processor to process the content request to identify the reason associated with the content request and responsively generate the corresponding reason code.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for facilitating remote key management services in a collaborative cloud-based environment. In one embodiment, the remote key management architecture and techniques described herein provide for local key encryption and automatic generation of a reason code associated with content access. The reason code is used by a remote client device (e.g., an enterprise client) to control a second (remote) layer of key encryption. The remote client device provides client-side control and configurability of the second layer of key encryption.

47 Citations

View as Search Results

23 Claims

1. A key service engine for facilitating remote key management services in a collaborative cloud-based environment, the key service engine comprising:
- a processor;
  
  a key service proxy device configured to initiate a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, wherein the remote key request includes a reason code enumerating a reason associated with the content request;
  
  a reason engine configured to direct the processor to process the content request to identify the reason associated with the content request and responsively generate the corresponding reason code.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The key service engine of claim 1, wherein the content request comprises an upload request and wherein the remote key request includes a request to encrypt an encrypted encryption key.
  - 3. The key service engine of claim 1, wherein the content request comprises an access request and wherein the remote key request includes a request to decrypt a twice encrypted encryption key.
  - 4. The key service engine of claim 1, further comprising:
    - a key encryption/decryption engine (E/D) engine configured to encrypt and decrypt an encryption key using a local key encryption key (KEK).
  - 5. The key service engine of claim 1, further comprising:
    - a metadata engine configured to process the received content request to identify metadata associated with the content request,wherein the remote key request further includes the metadata,
  - 6. The key service engine of claim 1, further comprising:
    - a client interface configured to send the remote key request to a remote client system for encryption with a once encrypted key or fur decryption with a twice encrypted key,wherein the client interface is configured to responsively receive the twice encrypted key or the once encrypted, respectively.
  - 7. The key service engine of claim 6, wherein the client interface is further configured to receive a remote key encryption key (KEK) initiated by the remote client computer system responsive to an encryption request, wherein the remote KEK is utilized by the remote key management system to twice encrypt the encrypted encryption key.

8. The key service engine of claim I, further comprising:
- a cloud-based platform interface configure to receive the content request,wherein the cloud-based platform is in communication with a data store to direct the data store to store or access a local or remote key encryption keys associated with an encryption key.

9. A collaboration system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising:
- a processor;
  
  a memory unit having instructions stored thereon which when executed by the processor, causes the collaboration system to;
  
  encrypt a content item indicated by a content request using an encryption key;
  
  encrypt the encryption key using a local key encryption key (KEK);
  
  determine if the content item is associated with remote key management functionality; and
  
  if the content item is associated with remote key management functionality,determine a reason code associated with the content request; and
  
  initiate a remote key encryption request including the encrypted encryption key and the reason code.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The collaboration system of claim 9, wherein the instructions, when executed by the processor, further causes the collaboration system to receive a twice encrypted encryption key responsive to initiating the remote key encryption request.
  - 12. The collaboration system of claim 9, wherein the instructions, when executed by the processor, further causes the collaboration system to receive a receive a remote KEK responsive to initiating the remote key encryption request.
  - 13. The collaboration system of claim 9, wherein the collaboration system is configured to randomly select the local KEK.
  - 14. The collaboration system of claim 9, when the instructions, when executed by the processor, further causes the collaboration system to:
    - receive the content request; and
      
      process the content request to determine that the content item request is an upload request andidentify the content item indicated by the content item request;

15. A collaboration system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising:
- a processor;
  
  a memory unit having instructions stored thereon which when executed by the processor, causes the collaboration system to;
  
  determine if a content item associated with a received content request is associated with remote key management functionality; and
  
  if the content item is associated with the remote key management functionality,identify a reason code associated with the content request and generate a reason code enumerating the reason for the content request;
  
  access a twice encrypted encryption key from a data store; and
  
  initiate a remote key decryption request including the twice encrypted encryption key and the reason code.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The collaboration system of claim 15, wherein the instructions, when executed by the processor, further causes the collaboration system to:
    - receive the content request and identify the content item associated with the content request.
  - 17. The collaboration system of claim 15, wherein the instructions when executed by the processor, further causes the collaboration system to:
    - receive a once encrypted encryption key responsive to initiating the remote key decryption request,wherein the once encrypted encryption key comprises the twice encrypted encryption key when unencrypted using a remote key encryption key (KEK);
      
      access a local KEK from a data store; and
      
      decrypt the once encrypted encryption key using the local KEK resulting in an encryption key.
  - 18. The collaboration system of claim 17, wherein the instructions when executed by the processor, further causes the collaboration system to:
    - access an encrypted content item from the data store, wherein the encrypted content item is the content item requested via the content request; and
      
      decrypt the encrypted content item using the encryption key.
  - 19. The collaboration system of claim 17, wherein the instructions when executed by the processor, further causes the collaboration system to provide the decrypted content item responsive to the content item request.

20. A machine-readable storage medium including executable instructions, which when executed by a processor, causes the processor to:
- receive a remote key request including a reason code enumerating a reason associated with a content request,wherein the remote key request includes a request to encrypt or decrypt an encrypted encryption key;
  
  access a set of pre-configured rules from a rule store;
  
  determine whether to accept or reject the remote key request based the set of pre-configured rules and the reason.
- View Dependent Claims (21, 22, 23)
- - 21. The machine-readable storage medium of claim 20, wherein the instructions, when executed by a processor, further causes the processor to:
    - determine that a kill switch has been asserted;
      
      reject the remote key based the kill switch being set regardless of the pre-configured rules and the reason.
  - 22. The machine-readable storage medium of claim 20, wherein the content request comprises an upload request and wherein the remote key request includes a request to encrypt an encrypted encryption key.
  - 23. The machine-readable storage medium of claim 20, wherein the content request comprises an access request and wherein the remote key request includes a request to decrypt a twice encrypted encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Box Incorporated
Original Assignee
Box Incorporated
Inventors
Queisser, Jeffrey, Kiang, Andy, Byron, Chris

Granted Patent

US 9,628,268 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/281
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 63/10   for controlling access to d...

H04L 9/0822   using key encryption key

REMOTE KEY MANAGEMENT IN A CLOUD-BASED ENVIRONMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

REMOTE KEY MANAGEMENT IN A CLOUD-BASED ENVIRONMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links