A System and a Method for Management of Confidential Data
Abstract
A system and a method for managing confidential data in a cloud service is provided. The system comprises a cryptographic key service comprising two or more cryptographic key servers, Si, each being arranged to compute file encryption keys, kj, on the basis of information regarding data and using one or more cryptographic keys, Kj. The cryptographic keys, Kj, are secretly shared among the cryptographic key servers, Si, and none of the cryptographic key servers, Si, possesses knowledge of all of the cryptographic keys, Kj. A single point of trust at the cryptographic key service is avoided.
15 Claims
1. A system for management of confidential data, the system comprising:
- a cloud service for holding encrypted data,
- a cryptographic key service comprising two or more cryptographic key servers, Si, each cryptographic key server, Si, being arranged to generate one or more cryptographic key(s), Kj, and to compute one or more file encryption key(s), kj, on the basis of information regarding data to be encrypted or decrypted, and using the cryptographic key(s), Kj, the cryptographic key(s), Kj, and the file encryption key(s), kj, thereby being created at the cryptographic key servers, Si, and
- one or more client devices, each client device being arranged to communicate with the cloud service and/or with the cryptographic key service in order to obtain encryption and/or decryption of data, and in order to provide encrypted data to the cloud service and/or retrieve decrypted data from the cloud service, using two or more file encryption keys, kj, computed by the cryptographic key servers, Si,
wherein the cryptographic key servers, Si, of the cryptographic key service are further arranged to generate one or more new cryptographic key(s), Kj′, and wherein the system is further arranged to reencrypt one or more encrypted data files stored in the cloud service, using the new cryptographic keys, Kj′.
Dependent claims: 2, 3, 4, 5, 6
7. A method for managing confidential data in a cloud service, the method comprising the steps of:
- a user contacting a cryptographic key service, via a client device, the cryptographic key service comprising two or more cryptographic key servers, Si,
- the user providing information to the cryptographic key service, regarding data to be encrypted or decrypted,
- at least two of the cryptographic key servers, Si, each computing one or more file encryption key(s), kj, based on the information regarding the data, and using one or more cryptographic key(s), Kj, which has/have previously been generated by the cryptographic key service, the cryptographic key(s), Kj, and the file encryption key(s), kj, thereby being created at the cryptographic key servers, Si,
- in the case that the data is to be encrypted, encrypting the data, using at least some of the file encryption keys, kj, computed by the cryptographic key servers, Si, and providing the encrypted data to the cloud service, and
- in the case that the data is to be decrypted, retrieving the data from the cloud service, and decrypting the data, using at least some of the file encryption keys, kj, computed by the cryptographic key servers, Si,
the method further comprising the steps of:
- the cryptographic key service generating one or more new cryptographic key(s), Kj′, and
- reencrypting one or more encrypted data files stored in the cloud service, using the new cryptographic keys, Kj′.
Dependent claims: 8, 9, 10, 11, 12, 13, 15
14. (canceled)
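The key handling described in claims 1 and 7, sketched as an added example that is not taken from the patent or from any implementation of it. The claims do not fix the algorithms, so the HMAC-SHA256 derivation of kj, the hash combiner on the client, the key-generation index `gen`, and the HMAC-based stand-in cipher are all assumptions.

```python
import hashlib
import hmac
import secrets

class KeyServer:
    """Key server Si: generates and keeps its own Kj; only derived kj leave it."""
    def __init__(self):
        self._keys = [secrets.token_bytes(32)]       # generation 0 of Kj

    def rotate(self) -> int:
        self._keys.append(secrets.token_bytes(32))   # new key Kj'
        return len(self._keys) - 1

    def file_key(self, file_info: bytes, gen: int) -> bytes:
        # Assumed derivation: kj = HMAC-SHA256(Kj, information about the file)
        return hmac.new(self._keys[gen], file_info, hashlib.sha256).digest()

def client_key(servers, file_info, gen):
    # Assumed combiner: hash of every server's kj, so no single server suffices.
    h = hashlib.sha256()
    for s in servers:
        h.update(s.file_key(file_info, gen))
    return h.digest()

def _stream(key, nonce, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode); use a vetted AEAD in practice.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(servers, file_info, gen, plaintext):
    key, nonce = client_key(servers, file_info, gen), secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def decrypt(servers, file_info, gen, blob):
    key = client_key(servers, file_info, gen)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key generation or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def reencrypt(servers, file_info, old_gen, new_gen, blob):
    # Decrypt under the old Kj, then encrypt again under the new Kj'.
    return encrypt(servers, file_info, new_gen, decrypt(servers, file_info, old_gen, blob))
```

Each server keeps the old generation until every stored file has been reencrypted; only then can the old Kj be destroyed.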
Specification