A System and a Method for Management of Confidential Data

US 20160253515A1
Filed: 10/21/2014
Published: 09/01/2016
Est. Priority Date: 10/28/2013
Status: Active Grant

First Claim

Patent Images

1. A system for management of confidential data, the system comprising:

a cloud service for holding encrypted data,a cryptographic key service comprising two or more cryptographic key servers, S_i, each cryptographic key server, S_i, being arranged to generate one or more cryptographic key(s), K_j, and to compute one or more file encryption key(s), k_j, on the basis of information regarding data to be encrypted or decrypted, and using the cryptographic key(s), K_j, the cryptographic key(s), K_j, and the file encryption key(s), k_j, thereby being created at the cryptographic key servers, S_i, andone or more client devices, each client device being arranged to communicate with the cloud service and/or with the cryptographic key service in order to obtain encryption and/or decryption of data, and in order to provide encrypted data to the cloud service and/or retrieve decrypted data from the cloud service, using two or more file encryption keys, k_j, computed by the cryptographic key servers, S_i,wherein the cryptographic key servers, S_i, of the cryptographic key service are further arranged to generate one or more new cryptographic key(s), K_j′

, and wherein the system is further arranged to reencrypt one or more encrypted data files stored in the cloud service, using the new cryptographic keys, K_j′

.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for managing confidential data in a cloud service is provided. The system comprises a cryptographic key service comprising two or more cryptographic key servers, S_i, each being arranged to compute file encryption keys, k_j, on the basis of information regarding data and using one or more cryptographic keys, K_j. The cryptographic keys, K_j, are secretly shared among the cryptographic key servers, S_i, and none of the cryptographic key servers, S_i, possesses knowledge of all of the cryptographic keys, K_j. A single point of trust at the cryptographic key service is avoided.

Citations

15 Claims

1. A system for management of confidential data, the system comprising:
- a cloud service for holding encrypted data,a cryptographic key service comprising two or more cryptographic key servers, S_i, each cryptographic key server, S_i, being arranged to generate one or more cryptographic key(s), K_j, and to compute one or more file encryption key(s), k_j, on the basis of information regarding data to be encrypted or decrypted, and using the cryptographic key(s), K_j, the cryptographic key(s), K_j, and the file encryption key(s), k_j, thereby being created at the cryptographic key servers, S_i, andone or more client devices, each client device being arranged to communicate with the cloud service and/or with the cryptographic key service in order to obtain encryption and/or decryption of data, and in order to provide encrypted data to the cloud service and/or retrieve decrypted data from the cloud service, using two or more file encryption keys, k_j, computed by the cryptographic key servers, S_i,wherein the cryptographic key servers, S_i, of the cryptographic key service are further arranged to generate one or more new cryptographic key(s), K_j′
  
  , and wherein the system is further arranged to reencrypt one or more encrypted data files stored in the cloud service, using the new cryptographic keys, K_j′
  
  .
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, wherein the cryptographic key servers, S_i, are arranged to communicate with each other in order to share at least some of the cryptographic keys, K_j, among some of the cryptographic key servers, S_i.
  - 3. The system according to claim 2, wherein the number of cryptographic keys, K_j, is larger than the number of cryptographic key servers, S_i.
  - 4. The system according to claim 1, further comprising an access control service arranged to control access to data held by the cloud service, for users requesting access to the data via a client device.
  - 5. The system according to claim 4, wherein the access control service forms part of the cryptographic key service.
  - 6. The system according to claim 1, wherein each client device is arranged to perform encryption and/or decryption of data, using two or more file encryption keys, k_j, received from the cryptographic key servers, S_i.

7. A method for managing confidential data in a cloud service, the method comprising the steps of:
- a user contacting a cryptographic key service, via a client device, the cryptographic key service comprising two or more cryptographic key servers, S_i,the user providing information to the cryptographic key service, regarding data to be encrypted or decrypted,at least two of the cryptographic key servers, S_i, each computing one or more file encryption key(s), k_j, based on the information regarding the data, and using one or more cryptographic key(s), K_j, which has/have previously been generated by the cryptographic key service, the cryptographic key(s), K_j, and the file encryption key(s), k_j, thereby being created at the cryptographic key servers, S_i,in the case that the data is to be encrypted, encrypting the data, using at least some of the file encryption keys, k_j, computed by the cryptographic key servers, S_i, and providing the encrypted data to the cloud service, andin the case that the data is to be decrypted, retrieving the data from the cloud service, and decrypting the data, using at least some of the file encryption keys, k_j, computed by the cryptographic key servers, S_i,the method further comprising the steps of;
  
  the cryptographic key service generating one or more new cryptographic key(s), K_j′
  
  , andreencrypting one or more encrypted data files stored in the cloud service, using the new cryptographic keys, K_j′
  
  .
- View Dependent Claims (8, 9, 10, 11, 12, 13, 15)
- - 8. The method according to claim 7, further comprising the steps of:
    - the user contacting an access control service in order to gain access to data in the cloud service, andthe access control service granting or denying access to the requested data based on previously provided access information data.
  - 9. The method according to claim 8, further comprising the steps of:
    - a user granting access permission to data in the cloud service for another user, and communicating this to the access control service, andthe access control service updating the access information data in accordance with the granted access permission.
  - 10. The method according to claim 7, further comprising the step of at least some of the cryptographic key servers, S_i, sharing a generated cryptographic key, K_j, with some of the other cryptographic key servers, S_i.
  - 11. The method according to claim 7, further comprising the steps of:
    - in the case that the data is to be encrypted, performing the step of encrypting the data at the client device, and the user providing the encrypted data to the cloud service, via the client device, andin the case that the data is to be decrypted, the user retrieving encrypted data from the cloud service, via the client device, and performing the step of decrypting the data at the client device.
  - 12. The method according to claim 7, further comprising the steps of:
    - in the case that the data is to be encrypted, the step of encrypting the data is performed in a distributed manner at least partly at the cryptographic key service, and the cryptographic key service providing the encrypted data to the cloud service, andin the case that the data is to be decrypted, the cryptographic key service retrieving encrypted data from the cloud service, and performing the step of decrypting the data at least partly at the cryptographic key service, in a distributed manner.
  - 13. The method according to claim 7, wherein the step of encrypting data and/or the step of decrypting data comprise(s) computing two or more bit streams on the basis of the computed file encryption keys, k_j.
  - 15. The method according to claim 7, further comprising the steps of:
    - the user providing altered information to the cryptographic key service, regarding an encrypted data file stored in the cloud service,at least some of the cryptographic key servers, S_i, computing one or more new file encryption keys, k_j′
      
      , based on the altered information regarding the data file, and using one or more of the cryptographic keys, K_j,reencrypting the data file using at least some of the new file encryption keys, k_j′
      
      , andstoring the reencrypted data file in the cloud service.

14. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blockdaemon APS
Original Assignee
Sepior APS
Inventors
Damgrd, Ivan Bjerre, Jakobsen, Thomas Pelle, Pagter, Jakob Illeborg

Granted Patent

US 10,354,084 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0819   Key transport or distributi...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

A System and a Method for Management of Confidential Data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

A System and a Method for Management of Confidential Data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links