METHODS FOR CRYPTOGRAPHIC DELEGATION AND ENFORCEMENT OF DYNAMIC ACCESS TO STORED DATA
Abstract
Efficient methods for assigning, revoking, and realizing access to stored data involve a cryptographic key hierarchy and a set of operations performed on cryptographic keys and on the data objects to be protected. In addition to providing confidentiality and integrity for data objects, the methods allow access to selected data objects to be permanently revoked for all entities without requiring all instances of the data objects to be destroyed or overwritten. The methods also support access right modifications for a data object without requiring re-encryption of the entire data object; instead, certain keys are selectively re-encrypted and re-authenticated to implement access control changes. The key hierarchy is parameterized to enable flexible performance tuning, and, to provide efficient random access, keying and other security operations are performed on individual blocks within a data object rather than only on the entire data object.
27 Citations
40 Claims
1. (canceled)
2. A computer implemented method for reading a protected data object stored in a memory of a computer, the protected data object comprising encrypted data blocks and a region of data block metadata, the region of data block metadata associated with at least one of the encrypted data blocks, the method comprising:

reading a first encrypted data block of the encrypted data blocks from the memory;

reading a hierarchical key tree associated with the protected data object from a) the region of data block metadata or b) a data object header stored in the protected data object;

decrypting, in succession, using a set of first decryption algorithms, encrypted first path keys on a first key path of the hierarchical key tree from a top node of the hierarchical key tree comprising a plaintext version of a received data object decryption key to a node in a bottom row of the hierarchical key tree comprising an encrypted per-block decryption key for the first encrypted data block, the decrypting including decrypting the encrypted first path keys starting with decrypting one of the encrypted first path keys immediately following the data object decryption key using the data object decryption key and continuing with decrypting the next encrypted first path key with a decrypted version of a preceding first path key, moving from the top node to the bottom row until a decrypted version of the per-block decryption key for the first encrypted data block is obtained; and

decrypting, using the per-block decryption key and a second decryption algorithm, the first encrypted data block to produce a first decrypted data block.

Dependent claims: 3.
4. A computer implemented method for reading a protected data object stored in a memory of a computer, the protected data object comprising encrypted data blocks and a region of data block metadata, the region of data block metadata associated with at least one of the encrypted data blocks, the method comprising:

reading a first encrypted data block of the encrypted data blocks from the memory;

reading a hierarchical key tree associated with the protected data object from a) the region of data block metadata or b) a data object header stored in the protected data object; and

decrypting, in succession, using a set of first decryption algorithms, encrypted first path keys on a first key path of the hierarchical key tree from a top node of the hierarchical key tree comprising a plaintext version of a received data object decryption key to a node in a bottom row of the hierarchical key tree comprising an encrypted per-block hash key for the first encrypted data block, the decrypting including decrypting the encrypted first path keys starting with decrypting one of the encrypted first path keys immediately following the data object decryption key using the data object decryption key and continuing with decrypting the next encrypted first path key with a decrypted version of a preceding first path key, moving from the top node to the bottom row until a decrypted version of the per-block hash key for the first encrypted data block is obtained.

Dependent claims: 5 to 14.
15. A computer implemented method for modifying a protected data object stored in a memory of a computer, wherein the protected data object comprises data blocks and a region of data block metadata, the region of data block metadata associated with at least one of the data blocks, the method comprising:

generating new first path decryption keys for first path keys on a first key path, the generating including generating the new first path decryption keys for a per-block decryption key but not for a data object decryption key, the first key path being taken from a hierarchical key tree read from at least one of the region of data block metadata or a data object header associated with the protected data object.

Dependent claims: 16 to 18.
19. A computer implemented method for enforcing access rights changes for a protected data object stored in a memory of a computer, wherein the protected data object comprises data blocks and a region of data block metadata associated with at least one of the data blocks, the method comprising:

reading a hierarchical key tree from the memory, wherein the hierarchical key tree comprises A) a first data object decryption key disposed in a top node of the hierarchical key tree and B) at least one of
1) an intermediate row of nodes wherein each of the nodes contains an encrypted intermediate decryption key and a bottom row of nodes wherein each of the nodes contains at least one key, and
2) an encrypted per-block decryption key,
wherein a plurality of key paths, each consisting of two keys, have been defined in the hierarchical key tree, the key paths having a first end point comprising the top node and a second end point comprising one of the nodes in the intermediate row of nodes or one of the nodes in the bottom row of nodes;

decrypting, using the first data object decryption key, each encrypted key in succession on each of the plurality of key paths, except for the first data object decryption key, the decrypting starting with decrypting the encrypted key immediately following the first data object decryption key using the first data object decryption key and continuing with decrypting the next encrypted key on the key path with a decrypted version of a preceding key on the key path, moving from the top node to the second end point of the key path;

generating a new data object decryption key and a corresponding new data object encryption key associated with the data object; and

encrypting each key on each of the plurality of key paths, by starting at the second end point of each of the key paths and encrypting each key on the key path, except for the new data object encryption key, with the new data object encryption key.

Dependent claims: 20 to 24.
25. A computer implemented method for an entity to disable access to a protected data object stored in a memory of a computer, the method comprising:

encrypting a data object key using an encryption key and a second encryption algorithm to produce an encrypted data object key, the data object key having been received at the entity from the computer that encrypted the protected data object with the data object key using a first encryption algorithm;

sending the encrypted data object key to the computer; and

destroying a decryption key corresponding to the encryption key to disable access to the protected data object.

Dependent claims: 26 to 36.
37. A computer implemented method for deleting a first data block from a protected data object stored in a memory of a computer, wherein the protected data object comprises data blocks and a region of data block metadata associated with the data blocks, the method comprising:

deleting the first data block from the memory; and

deleting a key path corresponding to the first data block in a hierarchical key tree read from at least one of the data block metadata or a data object header, the deleting including deleting a bottom row node on the key path in a bottom row of the hierarchical key tree containing a per-block cryptographic key corresponding to the first data block.

Dependent claims: 38.
39. A computer implemented method for appending a first data block to a protected data object stored in a memory of a computer, wherein the protected data object comprises data blocks and a region of data block metadata associated with at least one of the data blocks, the method comprising:

appending the first data block to the protected data object in the memory; and

adding a key path corresponding to the first data block in a hierarchical key tree read from at least one of the region of data block metadata or a data object header, the adding including adding a bottom row node on the key path in a bottom row of the hierarchical key tree containing a per-block cryptographic key corresponding to the first data block.

Dependent claims: 40.
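The following Python sketch is an added example, not code from the patent or its assignee; it implements the key tree that claims 2, 19, 37 and 39 describe so the mechanics of a per-block key hierarchy can be seen end to end. The names (ProtectedObject, seal, unseal, BLOCK_SIZE, FANOUT) are this example's own, and HMAC-SHA256 in counter mode is used in place of the unspecified "first" and "second" algorithms so that it runs with the standard library alone. The tree has a top node (the data object key), an intermediate row of group keys sealed under it, and a bottom row of per-block keys sealed under their group key; only the sealed keys are stored with the object.

```python
"""Toy hierarchical key tree with per-block encryption (stdlib only).
Top node: data object key (DOK); intermediate row: one group key per FANOUT
blocks, sealed under the DOK; bottom row: one per-block key, sealed under its
group key. HMAC-SHA256 in counter mode stands in for a real cipher here; use an
AEAD such as AES-GCM in practice."""
import hashlib
import hmac
import os

BLOCK_SIZE = 8   # plaintext bytes per block (assumed; real systems use KiB blocks)
FANOUT = 2       # blocks per intermediate key: the tunable tree parameter
NONCE_LEN, TAG_LEN = 16, 32


def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # enc/mac sub-keys

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode, a stand-in for a block-cipher keystream."""
    out = (hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
           for c in range((n + 31) // 32))
    return b"".join(out)[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_sub(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_sub(key, b"enc"), nonce, len(ct))))


class ProtectedObject:
    def __init__(self, dok: bytes, data: bytes):
        self.group_keys = []   # intermediate row, each sealed under the DOK
        self.block_keys = []   # bottom row, each sealed under its group key
        self.blocks = []       # encrypted data blocks
        for i in range(0, len(data), BLOCK_SIZE):
            self.append_block(dok, data[i:i + BLOCK_SIZE])

    def read_block(self, dok: bytes, i: int) -> bytes:
        """Claim-2 style read: walk the key path top-down, then decrypt the block."""
        if self.block_keys[i] is None:
            raise KeyError(f"block {i} was deleted")
        gk = unseal(dok, self.group_keys[i // FANOUT])   # first hop: group key
        bk = unseal(gk, self.block_keys[i])              # second hop: per-block key
        return unseal(bk, self.blocks[i])

    def append_block(self, dok: bytes, pt: bytes) -> int:
        """Claim-39 style append: new block plus a new bottom-row node on its path."""
        i, g = len(self.blocks), len(self.blocks) // FANOUT
        if g == len(self.group_keys):                    # new group: new intermediate node
            gk = os.urandom(32)
            self.group_keys.append(seal(dok, gk))
        else:
            gk = unseal(dok, self.group_keys[g])
        bk = os.urandom(32)
        self.block_keys.append(seal(gk, bk))
        self.blocks.append(seal(bk, pt))
        return i

    def delete_block(self, i: int) -> None:
        """Claim-37 style delete: drop the ciphertext and its bottom-row key node."""
        self.blocks[i] = self.block_keys[i] = None

    def rekey(self, old_dok: bytes) -> bytes:
        """Claim-19 style access change: new DOK, re-wrap only the intermediate row."""
        plain = [unseal(old_dok, ek) for ek in self.group_keys]
        new_dok = os.urandom(32)
        self.group_keys = [seal(new_dok, gk) for gk in plain]   # blocks untouched
        return new_dok


def demo() -> dict:
    """Constructed sample: read, rekey, check the old DOK now fails, delete, append."""
    dok = os.urandom(32)
    obj = ProtectedObject(dok, b"block-00block-01block-02")
    out, before = {"first": obj.read_block(dok, 1)}, list(obj.blocks)
    new_dok = obj.rekey(dok)
    out["blocks_untouched"] = before == obj.blocks
    try:
        obj.read_block(dok, 1)
        out["stale_dok_works"] = True
    except ValueError:
        out["stale_dok_works"] = False
    obj.delete_block(0)
    idx = obj.append_block(new_dok, b"block-03")
    out.update(appended_index=idx, appended=obj.read_block(new_dok, idx),
               groups=len(obj.group_keys))
    return out
```

Two points worth noting against the claims. First, rekey() re-wraps only the intermediate row, which is why an access change costs a few key operations rather than re-encrypting the object; the same seal() applied to the data object key under an entity-held key, followed by destruction of that key, is the claim-25 revocation, and it makes every stored copy of the object unreadable without overwriting any of them. Second, re-wrapping removes future traversal of the key path only: an entity that cached a decrypted group or per-block key before the change keeps access to those blocks until they too are re-keyed, so the re-keying scope has to follow the trust boundary, not just the tree level that is cheapest to touch.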
Specification