SECURING FILES AT REST IN REMOTE STORAGE SYSTEMS

US 20180137291A1
Filed: 11/14/2016
Published: 05/17/2018
Est. Priority Date: 11/14/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

receiving a first request from a user to write a file to a remote storage system; and

processing, by a computer system, the first request by;

receiving a first encrypted version of the file from a client associated with the first request;

decrypting the first encrypted version to obtain an unencrypted version of the file;

using the unencrypted version to generate a second encrypted version of the file;

writing the second encrypted version to a file store; and

storing metadata for the file in a virtual filesystem that is physically separate from the file store.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system for managing access to a remote storage system. During operation, the system receives a first request from a user to write a file to a remote storage system. Next, the system receives a first encrypted version of the file from a client associated with the first request. The system then decrypts the first encrypted version to obtain an unencrypted version of the file and uses the unencrypted version to generate a second encrypted version of the file. Finally, the system writes the second encrypted version to a file store and stores metadata for the file in a virtual filesystem that is physically separate from the file store.

40 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving a first request from a user to write a file to a remote storage system; and
  
  processing, by a computer system, the first request by;
  
  receiving a first encrypted version of the file from a client associated with the first request;
  
  decrypting the first encrypted version to obtain an unencrypted version of the file;
  
  using the unencrypted version to generate a second encrypted version of the file;
  
  writing the second encrypted version to a file store; and
  
  storing metadata for the file in a virtual filesystem that is physically separate from the file store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving a second request to read the file from the remote storage system;
      
      matching a filename in the second request to the metadata in the virtual filesystem;
      
      using the metadata to retrieve the second encrypted version from the file store;
      
      decrypting the second encrypted version to produce the unencrypted version; and
      
      during decryption of the second encrypted version, using the unencrypted version to generate and transmit a third encrypted version of the file in a response to the second request.
  - 3. The method of claim 2, further comprising:
    - tracking decryption of the second encrypted version into the unencrypted version during transmission of the third encrypted version; and
      
      when an end of the second encrypted version is reached during generation of the third encrypted version, signaling an end of transmission of the file in the response.
  - 4. The method of claim 2, wherein using the metadata to retrieve the second encrypted version from the file store comprises:
    - obtaining, from the metadata, a mapping of the filename to an obfuscated filename; and
      
      retrieving a file representing the second encrypted version with the obfuscated filename from the file store.
  - 5. The method of claim 2, wherein a symmetric-key technique is used to encrypt and decrypt the second encrypted version.
  - 6. The method of claim 2, wherein the third encrypted version is generated using authentication credentials associated with the second request.
  - 7. The method of claim 1, further comprising:
    - matching authentication credentials from the user to a virtual user in a user store;
      
      upon initiation of a user session for the virtual user, creating a sandbox for accessing the virtual filesystem for the virtual user; and
      
      configuring the sandbox with a set of permissions for the virtual user.
  - 8. The method of claim 7, wherein creating the sandbox for accessing the virtual filesystem for the virtual user comprises:
    - creating a virtual root directory representing the virtual filesystem; and
      
      creating a set of virtual files comprising the metadata within the virtual root directory.
  - 9. The method of claim 1, wherein using the unencrypted version to generate the second encrypted version of the file comprises:
    - padding a portion of the unencrypted version prior to encrypting the portion.
  - 10. The method of claim 1, wherein the metadata comprises at least one of:
    - a filename;
      
      an upload time;
      
      a file size;
      
      a status;
      
      an expiration time; and
      
      an obfuscated filename in the file store.
  - 11. The method of claim 1, wherein the virtual filesystem comprises:
    - a virtual root directory for the user;
      
      one or more sub-directories under the virtual root directory; and
      
      one or more files.

12. An apparatus, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the apparatus to;
  
  receive a first request from a user to write a file to a remote storage system;
  
  receive a first encrypted version of the file from a client associated with the first request;
  
  decrypt the first encrypted version to obtain an unencrypted version of the file;
  
  use the unencrypted version to generate a second encrypted version of the file;
  
  write the second encrypted version to a file store; and
  
  store metadata for the file in a virtual filesystem that is physically separate from the file store.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The apparatus of claim 12, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - receive a second request to read the file from the remote storage system;
      
      match a filename in the second request to the metadata in the virtual filesystem;
      
      use the metadata to retrieve the second encrypted version from the file store;
      
      decrypt the second encrypted version to produce the unencrypted version; and
      
      during decryption of the second encrypted version, use the unencrypted version to generate and transmit a third encrypted version of the file in a response to the second request.
  - 14. The apparatus of claim 13, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - track decryption of the second encrypted version into the unencrypted version during transmission of the third encrypted version; and
      
      when an end of the second encrypted version is reached during generation of the third encrypted version, signal an end of transmission of the file in the response.
  - 15. The apparatus of claim 13, wherein using the metadata to retrieve the second encrypted version from the file store comprises:
    - obtaining, from the metadata, a mapping of the filename to an obfuscated filename; and
      
      retrieving a file representing the second encrypted version with the obfuscated filename from the file store.
  - 16. The apparatus of claim 12, wherein the memory further stores instructions that, when executed by the one or more processors, cause the apparatus to:
    - match authentication credentials from the user to a virtual user in a user store;
      
      upon initiation of a user session for the virtual user, create a sandbox for accessing the virtual filesystem for the virtual user; and
      
      configure the sandbox with a set of permissions for the virtual user.
  - 17. The apparatus of claim 16, wherein creating the sandbox for accessing the virtual filesystem for the virtual user comprises:
    - creating a virtual root directory representing the virtual filesystem; and
      
      creating a set of virtual files comprising the metadata within the virtual root directory.
  - 18. The apparatus of claim 12, wherein using the unencrypted version to generate the second encrypted version of the file comprises:
    - padding a portion of the unencrypted version prior to encrypting the portion.

19. A remote storage system, comprising:
- a file store;
  
  a virtual filesystem that is physically separate from the file store; and
  
  a server comprising a non-transitory computer-readable medium comprising instructions that, when executed, cause the system to;
  
  receive a first request from a user to write a file to the remote storage system;
  
  receive a first encrypted version of the file from a client associated with the first request;
  
  decrypt the first encrypted version to obtain an unencrypted version of the file;
  
  use the unencrypted version to generate a second encrypted version of the file;
  
  write the second encrypted version to the file store; and
  
  store metadata for the file in the virtual filesystem.
- View Dependent Claims (20)
- - 20. The remote storage system of claim 19, wherein the non-transitory computer-readable medium of the server further comprises instructions that, when executed, cause the system to:
    - receive a second request to read the file from the remote storage system;
      
      match a filename in the second request to the metadata in the virtual filesystem;
      
      use the metadata to retrieve the second encrypted version from the file store;
      
      decrypt the second encrypted version to produce the unencrypted version; and
      
      during decryption of the second encrypted version, use the unencrypted version to generate and transmit a third encrypted version of the file in a response to the second request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
LinkedIn Corporation (Microsoft Corporation)
Inventors
Ho, Albert M., Liu, Qi, Sandori, Mark I.

Application Number

US15/350,776
Publication Number

US 20180137291A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/164   File meta data generation

G06F 16/192   Implementing virtual folder...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

SECURING FILES AT REST IN REMOTE STORAGE SYSTEMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SECURING FILES AT REST IN REMOTE STORAGE SYSTEMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others