SECURE AND ZERO KNOWLEDGE DATA SHARING FOR CLOUD APPLICATIONS
First Claim
1. A method, comprising:
obtaining, by one or more processors of a first client device, a private key for a first user of the first client device that is paired to a public key for the first user of the first client device;
receiving, by one or more processors of the first client device, encrypted user data over a network, the encrypted user data having been created by a second user of a second client device;
receiving, by one or more processors of the first client device, a shared data key hierarchy structure (SD-KHS) over the network, the SD-KHS comprising one or more encrypted shared data encryption keys (ESDEKs);
decrypting, by one or more processors of the first client device, an ESDEK with the private key to make available a shared data encryption key (SDEK); and
decrypting, by one or more processors of the first client device, the encrypted user data with the SDEK to make available the user data.
Abstract
Disclosed is a zero-knowledge distributed application configured to securely share information among groups of users having various roles, such as doctors and patients. Confidential information may be encrypted client-side, with private keys that reside solely client-side. Encrypted collections of data may be uploaded to, and hosted by, a server that does not have access to keys suitable to decrypt the data. Other users may retrieve encrypted data from the server and decrypt some or all of the data with keys suitable to gain access to at least part of the encrypted data. The system includes a key hierarchy with multiple entry points to a top layer by which access is selectively granted to various users and keys may be recovered.
28 Claims
1. A method, comprising: (independent claim; its text is given above under First Claim). Dependent claims 2, 3, 4, 5, 6, 7 and 8 are not reproduced here.
9. A method, comprising:
deriving, by one or more client-side processors, a derived key (DK) based on information provided by a user of a client device without the information or the DK being made available to other parties;
receiving, by one or more client-side processors, encrypted user data sent from a server over a network, the encrypted user data having been created by the user of the client device;
decrypting, by one or more client-side processors, an encrypted master encryption key (EMEK) with the DK to make available a master encryption key (MEK), wherein the MEK serves to encrypt data encryption keys;
decrypting, by one or more client-side processors, an encrypted data encryption key (EDEK) with the MEK to make available a data encryption key (DEK), wherein the DEK serves to encrypt user data; and
decrypting, by one or more client-side processors, the encrypted user data with the DEK.
Dependent claims 10, 11, 12, 13, 14, 15, 16, 17, 18 and 19 are not reproduced here.
-
20. A tangible, non-transitory, machine-readable media storing instructions that when executed by a client computing device in a zero knowledge messaging system effectuate operations comprising:
deriving, by the one or more client-side processors, a derived key (DK) based on information provided by a user of the client device without the information or the DK being made available to other parties;
receiving, by the one or more client-side processors, encrypted user data sent from another device over a network;
decrypting, by the one or more client-side processors, an encrypted master encryption key (EMEK) with the DK to make available a master encryption key (MEK), wherein the MEK serves to encrypt data encryption keys;
decrypting, by the one or more client-side processors, an encrypted data encryption key (EDEK) with the MEK to make available a data encryption key (DEK), wherein the DEK serves to encrypt user data; and
decrypting, by the one or more client-side processors, the encrypted user data with the DEK.
Dependent claims 21, 22, 23, 24, 25, 26, 27 and 28 are not reproduced here.
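The three-level hierarchy recited in claims 9 and 20 (user-provided secret, then DK, then MEK, then DEK, then data) is easiest to understand in running code. The following is an added example written for this page, not code from the patent or its assignee. It assumes a PBKDF2-SHA256 derivation for the DK and a constructed encrypt-then-MAC cipher (HMAC-SHA256 keystream plus HMAC tag) as a stand-in for whatever authenticated cipher an implementation would use to wrap keys and data; all function names and the record layout are assumptions. It also shows the point of the MEK layer that the claims only imply: changing the user's passphrase rewraps just the EMEK, while the EDEK and the encrypted user data stored on the server are untouched. The public-key wrapping of shared data encryption keys in claim 1 (the SD-KHS) is not modelled here.

```python
import hashlib
import hmac
import secrets

# Constructed toy AEAD: HMAC-SHA256 in counter mode for confidentiality,
# then an HMAC tag over nonce||ciphertext (encrypt-then-MAC). Stand-in for the
# real cipher an implementation would use; not the patent's own construction.
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one wrapping key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate plaintext under key; output nonce||ct||tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (hence wrong DK/MEK/DEK) raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_dk(passphrase: str, salt: bytes) -> bytes:
    # DK is derived client-side from user-provided information (claim 9);
    # the passphrase and the DK never leave the client. Iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)


def enroll(passphrase: str, user_data: bytes) -> dict:
    """Client side: build the record the server stores. The server never sees DK, MEK or DEK."""
    salt = secrets.token_bytes(16)
    dk = derive_dk(passphrase, salt)
    mek = secrets.token_bytes(32)   # master encryption key: wraps DEKs
    dek = secrets.token_bytes(32)   # data encryption key: wraps user data
    return {
        "salt": salt,                          # public, needed to re-derive DK
        "emek": seal(dk, mek),                 # EMEK = MEK wrapped under DK
        "edek": seal(mek, dek),                # EDEK = DEK wrapped under MEK
        "encrypted_user_data": seal(dek, user_data),
    }


def recover(passphrase: str, record: dict) -> bytes:
    """Client side, the decrypt chain of claims 9 and 20: DK -> MEK -> DEK -> data."""
    dk = derive_dk(passphrase, record["salt"])
    mek = unseal(dk, record["emek"])
    dek = unseal(mek, record["edek"])
    return unseal(dek, record["encrypted_user_data"])


def rotate_passphrase(old: str, new: str, record: dict) -> dict:
    """Only the EMEK is rewrapped; EDEK and encrypted user data are reused byte-for-byte."""
    mek = unseal(derive_dk(old, record["salt"]), record["emek"])
    new_salt = secrets.token_bytes(16)
    updated = dict(record)
    updated["salt"] = new_salt
    updated["emek"] = seal(derive_dk(new, new_salt), mek)
    return updated


def server_can_read(record: dict) -> bool:
    """What the hosting server can do with the record alone: open the ciphertext without any key."""
    try:
        unseal(b"", record["encrypted_user_data"])  # no key material available server-side
        return True
    except ValueError:
        return False
```

A real deployment would replace the toy cipher with an AEAD such as AES-GCM or ChaCha20-Poly1305 and use a memory-hard KDF for the DK; the layering is what matters here. Note that `recover` with a wrong passphrase fails at the very first unwrap (the EMEK tag check), so a server-side attacker holding the whole record learns nothing about the MEK, DEK or data beyond what the ciphertext lengths reveal.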