SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

US 20150363611A1
Filed: 08/12/2015
Published: 12/17/2015
Est. Priority Date: 12/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing and maintaining, by a trusted a trusted gateway device logically interposed between an enterprise network and a plurality of third-party cloud storage services, a plurality of cryptographic keys;

receiving, by the trusted gateway device, a request from a user of the enterprise network to store a file;

partitioning, by the trusted gateway device, the file into a plurality of chunks of a predefined or configurable size;

causing to be created, by the trusted gateway device, a directory within one or more cloud storage services of the plurality of third-party cloud storage services, wherein a name attribute of the directory is set based on an encrypted version of a name of the file; and

for each chunk of the plurality of chunks;

selecting, by the trusted gateway device, a cryptographic key of the plurality of cryptographic keys;

identifying, by the trusted gateway device, existence of data within the chunk associated with one or more predefined search indices of a plurality of predefined searchable indices;

generating, by the trusted gateway device, searchable encrypted metadata based on the identified data and the selected cryptographic key;

generating, by the trusted gateway device, an encrypted version of the chunk; and

causing to be created, by the trusted gateway device, a file within the directory, wherein a name attribute of the file includes the searchable encrypted metadata and wherein a contents of the file includes the encrypted version of the chunk.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for secure cloud storage are provided. According to one embodiment, a trusted gateway device establishes and maintains multiple cryptographic keys. A request is received by the gateway from a user of an enterprise network to store a file. The file is partitioned into chunks. A directory is created within a cloud storage service having a name attribute based on an encrypted version of a name of the file. For each chunk: (i) a cryptographic key is selected; (ii) existence of data is identified within the chunk associated with one or more predefined search indices; (iii) searchable encrypted metadata is generated based on the identified data and the selected cryptographic key; (iv) an encrypted version of the chunk is generated; and (v) a file is created within the directory in which a name attribute includes the searchable encrypted metadata and the file content includes the encrypted chunk.

41 Citations

View as Search Results

14 Claims

1. A method comprising:
- establishing and maintaining, by a trusted a trusted gateway device logically interposed between an enterprise network and a plurality of third-party cloud storage services, a plurality of cryptographic keys;
  
  receiving, by the trusted gateway device, a request from a user of the enterprise network to store a file;
  
  partitioning, by the trusted gateway device, the file into a plurality of chunks of a predefined or configurable size;
  
  causing to be created, by the trusted gateway device, a directory within one or more cloud storage services of the plurality of third-party cloud storage services, wherein a name attribute of the directory is set based on an encrypted version of a name of the file; and
  
  for each chunk of the plurality of chunks;
  
  selecting, by the trusted gateway device, a cryptographic key of the plurality of cryptographic keys;
  
  identifying, by the trusted gateway device, existence of data within the chunk associated with one or more predefined search indices of a plurality of predefined searchable indices;
  
  generating, by the trusted gateway device, searchable encrypted metadata based on the identified data and the selected cryptographic key;
  
  generating, by the trusted gateway device, an encrypted version of the chunk; and
  
  causing to be created, by the trusted gateway device, a file within the directory, wherein a name attribute of the file includes the searchable encrypted metadata and wherein a contents of the file includes the encrypted version of the chunk.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving, by the trusted gateway device, a query from the user, wherein the query includes a value of a predefined search index of the plurality of predefined searchable indices;
      
      creating, by the trusted gateway device, a corresponding token for the value by encrypting the value based on an appropriate cryptographic key for the value;
      
      causing, by the trusted gateway device, the one or more cloud storage services to identify one or more files containing those of the plurality of chunks satisfying the query by invoking respective filename search functions of the one or more cloud storage services with the corresponding token; and
      
      retrieving, by the trusted gateway device, the identified one or more files from the one or more cloud storage services on behalf of the user.
  - 3. The method of claim 1, wherein the file includes one or more records of a database and wherein the predefined or configurable size is based on sizes of the one or more records.
  - 4. The method of claim 1, wherein a global policy file is maintained by the trusted gateway device and wherein the global policy file contains therein information defining the predefined or configurable size and permissible values of each of the plurality of predefined search indices.
  - 5. The method of claim 4, wherein the global policy file defines for each user of the enterprise network a manner in which file data is encrypted, stored, accessed and processed.
  - 6. The method of claim 1, wherein the encrypted version of the name of the file is created with an Advanced Encryption Standard (AES) encryption algorighm and wherein the plurality of cryptographic keys have key lengths of 512 bits
  - 7. The method of claim 1, wherein the plurality of chunks are distributed among two or more cloud storage services of the plurality of third-party cloud storage services.

8. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a trusted gateway device logically interposed between a plurality of third-party cloud storage services and an enterprise network, cause the one or more processors to perform a method comprising:
- establishing and maintaining a plurality of cryptographic keys;
  
  receiving a request from a user of the enterprise network to store a file;
  
  partitioning the file into a plurality of chunks of a predefined or configurable size;
  
  causing to be created a directory within one or more cloud storage services of the plurality of third-party cloud storage services, wherein a name attribute of the directory is set based on an encrypted version of a name of the file; and
  
  for each chunk of the plurality of chunks;
  
  selecting a cryptographic key of the plurality of cryptographic keys;
  
  identifying existence of data within the chunk associated with one or more predefined search indices of a plurality of predefined searchable indices;
  
  generating searchable encrypted metadata based on the identified data and the selected cryptographic key;
  
  generating an encrypted version of the chunk; and
  
  causing to be created a file within the directory, wherein a name attribute of the file includes the searchable encrypted metadata and wherein a contents of the file includes the encrypted version of the chunk.
- View Dependent Claims (9, 10, 11, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the method further comprises:
    - receiving a query from the user, wherein the query includes a value of a predefined search index of the plurality of predefined searchable indices;
      
      creating a corresponding token for the value by encrypting the value based on an appropriate cryptographic key for the value;
      
      causing the one or more cloud storage services to identify one or more files containing those of the plurality of chunks satisfying the query by invoking respective filename search functions of the one or more cloud storage services with the corresponding token; and
      
      retrieving the identified one or more files from the one or more cloud storage services on behalf of the user.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the file includes one or more records of a database and wherein the predefined or configurable size is based on sizes of the one or more records.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein a global policy file is maintained by the trusted gateway device and wherein the global policy file contains therein information defining the predefined or configurable size and permissible values of each of the plurality of predefined search indices.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the encrypted version of the name of the file is created with an Advanced Encryption Standard (AES) encryption algorighm and wherein the plurality of cryptographic keys have key lengths of 512 bits
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the plurality of chunks are distributed among two or more cloud storage services of the plurality of third-party cloud storage services.

12. The non-transitory computer-readable storage medium of claim 12, wherein the global policy file defines for each user of the enterprise network a manner in which file data is encrypted, stored, accessed and processed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Redberg, David A.

Granted Patent

US 9,495,556 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/148   File search processing

G06F 16/164   File meta data generation

G06F 16/182   Distributed file systems

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6272   by registering files or doc...

H04L 63/02   for separating internal fro...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 9/0631   Substitution permutation ne...

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links