SYSTEMS AND METHODS FOR SECURE HYBRID THIRD-PARTY DATA STORAGE

US 20150324303A1
Filed: 05/22/2015
Published: 11/12/2015
Est. Priority Date: 05/07/2014
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for secure hybrid third-party data storage, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file;

retrieving, in response to the request, from the third-party storage system and for the trusted proxy system;

the encrypted file;

a decryption key that has been encrypted with a cryptographic key, wherein an asymmetric key pair designated for the user account comprises an encryption key and the encrypted decryption key;

decrypting, at the trusted proxy system, the decryption key with the cryptographic key;

using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for secure hybrid third-party data storage may include (1) identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, where the requested access requires decryption of the encrypted file, (2) retrieving, from the third-party storage system, (i) the encrypted file and (ii) a decryption key that has been encrypted with a cryptographic key, where an asymmetric key pair designated for the user account includes an encryption key and the encrypted decryption key, (3) decrypting, at the trusted proxy system, the decryption key with the cryptographic key, and (4) using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system. Various other methods, systems, and computer-readable media are also disclosed.

15 Citations

View as Search Results

20 Claims

1. A computer-implemented method for secure hybrid third-party data storage, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file;
  
  retrieving, in response to the request, from the third-party storage system and for the trusted proxy system;
  
  the encrypted file;
  
  a decryption key that has been encrypted with a cryptographic key, wherein an asymmetric key pair designated for the user account comprises an encryption key and the encrypted decryption key;
  
  decrypting, at the trusted proxy system, the decryption key with the cryptographic key;
  
  using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer-implemented method of claim 1, further comprising retrieving the cryptographic key at the trusted proxy system and from a key store.
  - 3. The computer-implemented method of claim 2, wherein the trusted proxy system and the key store are located within a network and the third-party storage system is not located within the network.
  - 4. The computer-implemented method of claim 2, wherein:
    - the trusted proxy system operates within a demilitarized zone of an enterprise network;
      
      the key store exists within the enterprise network but outside the demilitarized zone;
      
      retrieving the cryptographic key at the trusted proxy system and from the key store comprises retrieving the cryptographic key via a key store bridge within the demilitarized zone that communicates with the key store.
  - 5. The computer-implemented method of claim 4, wherein at least one of the trusted proxy system, the key store bridge, and the key store receive an authentication token from the client system that validates access to the cryptographic key from the key store.
  - 6. The computer-implemented method of claim 1, wherein the trusted proxy system is owned by an owner of the encrypted file and the third-party storage system is not owned by the owner of the encrypted file.
  - 7. The computer-implemented method of claim 1, wherein accessing the encrypted file comprises transmitting the unencrypted version of the encrypted file to the client system.
  - 8. The computer-implemented method of claim 1, wherein using the decryption key to access the unencrypted version of the encrypted file comprises:
    - generating, at the trusted proxy system, metadata describing the unencrypted version of the encrypted file;
      
      providing the metadata to at least one of the client system and the third-party storage system.
  - 9. The computer-implemented method of claim 8, wherein generating the metadata describing the unencrypted version of the encrypted file comprises at least one of:
    - performing a scan on the unencrypted version of the encrypted file at the trusted proxy system;
      
      creating, at the trusted proxy system, an index entry of the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file;
      
      generating, at the trusted proxy system, a preview of the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file.
  - 10. The computer-implemented method of claim 1, wherein accessing the encrypted file comprises:
    - identifying, at the trusted proxy system, a policy for scanning the unencrypted version of the encrypted file;
      
      scanning, at the trusted proxy system, the unencrypted version of the encrypted file based on the policy.
  - 11. The computer-implemented method of claim 1, wherein using the decryption key to access the encrypted file comprises:
    - retrieving, from the third-party storage system and for the trusted proxy system, a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting, at the trusted proxy system, the file key with the decryption key;
      
      decrypting, at the trusted proxy system, the encrypted file with the file key.
  - 12. The computer-implemented method of claim 1, wherein:
    - accessing the encrypted file comprises providing access to the unencrypted version of the encrypted file to an additional user account;
      
      an additional asymmetric key pair is designated for the additional user account, the asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with an additional cryptographic key.
  - 13. The computer-implemented method of claim 12, wherein providing access to the unencrypted version of the encrypted file to the additional user account comprises:
    - retrieving, from the third-party storage system and for the trusted proxy system, the additional encryption key and a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting, at the trusted proxy system, the file key with the decryption key;
      
      encrypting, at the trusted proxy system, a copy of the file key with the additional encryption key;
      
      transmitting the encrypted copy of the file key from the trusted proxy system to the third-party storage system.
  - 14. The computer-implemented method of claim 1, further comprising:
    - receiving, at the trusted proxy system, the unencrypted version of the encrypted file from the client system;
      
      generating the encrypted file at the trusted proxy system by;
      
      generating a file key based on at least one characteristic of the unencrypted version of the encrypted file;
      
      encrypting the unencrypted version of the encrypted file with the file key;
      
      encrypting the file key with the encryption key;
      
      transmitting the encrypted file and the encrypted file key to the third-party storage system.
  - 15. The computer-implemented method of claim 14, further comprising deduplicating the encrypted file with an additional encrypted file that is encrypted with the file key.
  - 16. The computer-implemented method of claim 1, wherein the third-party storage system lacks access to:
    - the unencrypted version of the encrypted file;
      
      an unencrypted version of the decryption key;
      
      the cryptographic key.
  - 17. The computer-implemented method of claim 1, wherein using the decryption key to access the unencrypted version of the encrypted file comprises:
    - retrieving, from the third-party storage system and for the trusted proxy system, an additional asymmetric key pair designated for a plurality of user accounts comprising the user account, the additional asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with the encryption key;
      
      decrypting, at the trusted proxy system, the additional decryption key with the decryption key;
      
      retrieving, from the third-party storage system and for the trusted proxy system, a file key used to encrypt the encrypted file, wherein the file key is encrypted with the additional encryption key;
      
      decrypting, at the trusted proxy system, the file key with the additional decryption key;
      
      decrypting, at the trusted proxy system, the encrypted file with the file key.

18. A system for secure hybrid third-party data storage, the system comprising:
- an identification module, stored in memory, that identifies, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file;
  
  a retrieving module, stored in memory, that retrieves, in response to the request, from the third-party storage system and for the trusted proxy system;
  
  the encrypted file;
  
  a decryption key that has been encrypted with a cryptographic key, wherein an asymmetric key pair designated for the user account by an encryption key and the encrypted decryption key;
  
  a decryption module, stored in memory, that decrypts, at the trusted proxy system, the decryption key with the cryptographic key;
  
  a using module, stored in memory, that uses the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system;
  
  at least one physical processor that executes the identification module, the retrieving module, the decryption module, and the using module.
- View Dependent Claims (19)
- - 19. The system of claim 18, further comprising a receiving module that retrieves the cryptographic key at the trusted proxy system and from a key store.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file;
  
  retrieve, in response to the request, from the third-party storage system and for the trusted proxy system;
  
  the encrypted file;
  
  a decryption key that has been encrypted with a cryptographic key, wherein an asymmetric key pair designated for the user account comprises an encryption key and the encrypted decryption key;
  
  decrypt, at the trusted proxy system, the decryption key with the cryptographic key;
  
  use the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bogorad, Walter

Application Number

US14/720,684
Publication Number

US 20150324303A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/602   Providing cryptographic fac...

G06F 2212/1052   Security improvement

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 9/14   using a plurality of keys o...

SYSTEMS AND METHODS FOR SECURE HYBRID THIRD-PARTY DATA STORAGE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURE HYBRID THIRD-PARTY DATA STORAGE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links