Personal key archive
First Claim
1. A computing system for automatically managing keys to encrypt and decrypt stored data, comprising:
an authentication server;
a key client;
a key generator;
a key server;
a key database;
an encrypted data memory;
said authentication server authenticates said user and provides said user with a ticket identifying said user;
said key client of a creating user, when a creating user creates stored data, invokes said generator to generate a key corresponding to said stored data to form encrypted stored data; said key is provided to said key server; said key client of said creating user uses said key to encrypt said stored data, which is stored in said encrypted data memory;
said key client of an accessing user, when an accessing user accesses said stored data, sends said ticket and identification data for said stored data to said key server; said key server obtains said authentication data from said ticket for said accessing user; said key server sends said key corresponding to said stored data to said key client of said accessing user; said key client of said accessing user uses said key to decrypt said encrypted stored data.
Abstract
A computing system is described having an automated management system for managing keys to encrypt and decrypt stored data on the computing system. The computing system has an authentication server; a key client; a key generator; a key server; a key database; and an encrypted data file memory. The authentication server authenticates the user and in response to the user accessing the computing system the authentication server provides the user with a ticket validating the user. The key client of a creating user when creating a data file invokes the generator to generate a key corresponding to the data file. The key is provided to the key server and the key client uses the key to encrypt the data file which is stored in the encrypted data file memory. The key client of an accessing user sends its ticket and data file identification data to the key server. The key server checks the ticket and sends the key corresponding to the data file to the key client of the accessing user. The key client of the accessing user uses the key to decrypt the encrypted data file. The stored data can further include a header containing the key and owner and permitted user identification data. The ticket can contain a key to encrypt messages sent between the client server and key client.
39 Claims
1. As set out under First Claim above. Dependent claims: 2 to 27, 31 to 34, 36 and 37.
28. A method for automatically managing keys used to encrypt and decrypt stored data on a computing system, comprising the steps of:
authenticating said user, said user is provided with a ticket identifying said user as permitted to operate on said computing system;
when a creating user creates stored data, said creating user invokes a generator to generate a key corresponding to said stored data; said key is provided to said key client; said key client of said creating user uses said key to encrypt said stored data to form encrypted stored data, which is stored in an encrypted data memory;
said key client of an accessing user, when an accessing user accesses said stored data file, sends said ticket and said data file identification data to said key server; said key server checks said ticket to verify that said accessing user is permitted to access said data file; said key server sends said key corresponding to said data file to said key client of said accessing user; said key client of said accessing user uses said key to decrypt said encrypted stored data.
29. A method of modifying stored data on a computer system, comprising:
retrieving encrypted stored data from a first storage media, said encrypted stored data being an encryption of said stored data;
maintaining a database on a second storage media for correlating said encrypted stored data to a userid and a data encryption key;
retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
decrypting said encrypted stored data using said retrieved encryption key.
30. A computer system, comprising:
means for retrieving encrypted stored data from a first storage media, said encrypted stored data being an encryption of said stored data;
means for maintaining a database on a second storage media for correlating said encrypted stored data to a userid and a data encryption key;
means for retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
means for decrypting said encrypted stored data using said retrieved encryption key.
35. A computing system for automatically managing keys to encrypt and decrypt stored data, comprising:
an authentication server; a key client; a key generator; a key server; a key database; an encrypted data memory;
said authentication server authenticates said user and provides said user with a ticket identifying said user;
said key client of a creating user, when a creating user creates said stored data, invokes said generator to generate a key corresponding to said stored data; said key is provided to said key server; said key client of said creating user uses said key to encrypt said stored data to form an encrypted stored data, which is stored in said encrypted data memory;
said key client of an accessing user, when an accessing user accesses said stored data, sends said ticket and stored data identification data to said key server; said key server checks said ticket to verify that said accessing user is permitted to access said stored data; said key server sends said key corresponding to said stored data to said key client of said accessing user; said key client of said accessing user uses said key to decrypt said encrypted stored data;
a header associated with said stored data; said header contains said key, an identification of an owner of said stored data, a message authentication check field, a control key identifier and a list of users permitted to access said stored data;
said key is encrypted under a control key; said control key is used to encrypt message authentication check fields of said header;
said ticket contains a message key for encrypting messages sent between said key client and said key server.
38. A method of modifying stored data on a distributed computer system, comprising:
authenticating an identity of a user via an authentication system that provides identification tickets, said user having a userid;
storing encrypted data on a first storage media, said encrypted data being an encryption of said stored data;
maintaining a database on a second storage media for correlating said encrypted stored data to a data encryption key and said userid;
validating said userid identified in an authentication ticket against said userid contained in said database, and automatically choosing whether to grant access to said encrypted stored data;
retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
decrypting said encrypted stored data using said retrieved encrypted key.
39. A distributed computer system, comprising:
means for authenticating a user, said user having a userid;
means for retrieving encrypted stored data from a first storage media, said encrypted stored data being an encryption of said stored data;
means for maintaining a database on a second storage media for correlating said encrypted stored data to a data encryption key and said userid;
means for validating an authenticated user as one of the userids listed in said database as permitted to access said encrypted stored data;
means for retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
means for decrypting said encrypted stored data using said retrieved encryption key.
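The flow the claims describe (authentication server issues a ticket carrying a message key; the creating user's key client generates a per-item key and hands it to the key server; the key server keeps a header per item with the key wrapped under a control key, the owner, a permitted-user list and a message authentication check; the accessing user's key client presents ticket plus data id and receives the key only if its userid is on the list, as in claims 1, 28, 35, 38 and 39) can be walked through end to end in a small simulation. The code below is an added illustration, not code from the patent or any product built on it. Every class, function and sample value in it is an assumption of this example; in particular, the cipher is a demonstration-only HMAC-SHA256 keystream with encrypt-then-MAC standing in for a real authenticated cipher, the ticket is modelled Kerberos-style as encrypted under a key the authentication server shares with the key server, and the user names and passwords are constructed.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

NONCE_LEN, KEY_LEN, TAG_LEN = 16, 32, 32

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: demonstration cipher, not for production use.
    blocks, counter = [], 0
    while counter * 32 < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    # Layout: nonce || ciphertext || tag (encrypt-then-MAC under the same demo key).
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    # Verify the message authentication check before touching the ciphertext.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message authentication check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def generate_key():
    # The key generator: one fresh random key per stored data item.
    return secrets.token_bytes(KEY_LEN)

class AuthenticationServer:
    def __init__(self, credentials):
        self._credentials = credentials                  # userid -> password (constructed sample)
        self.ticket_key = secrets.token_bytes(KEY_LEN)   # shared with the key server (assumption)

    def authenticate(self, userid, password):
        # Returns a ticket only the key server can open, plus the message key the ticket carries.
        if not hmac.compare_digest(self._credentials.get(userid, "").encode(), password.encode()):
            raise PermissionError("authentication failed")
        message_key = secrets.token_bytes(KEY_LEN)
        return encrypt(self.ticket_key, message_key + userid.encode()), message_key

@dataclass
class Header:
    wrapped_key: bytes   # data key encrypted under the control key
    owner: str
    permitted: list      # userids permitted to access the stored data
    mac: bytes           # message authentication check over the fields above

class KeyServer:
    def __init__(self, ticket_key):
        self._ticket_key, self._control_key, self._db = ticket_key, secrets.token_bytes(KEY_LEN), {}

    def _open_ticket(self, ticket):
        plain = decrypt(self._ticket_key, ticket)          # rejects forged or modified tickets
        return plain[KEY_LEN:].decode(), plain[:KEY_LEN]   # (userid, message key)

    def _mac(self, wrapped_key, owner, permitted):
        msg = wrapped_key + owner.encode() + b"\0" + ",".join(permitted).encode()
        return hmac.new(self._control_key, msg, hashlib.sha256).digest()

    def register(self, ticket, data_id, key_under_message_key, permitted):
        # The creating user's client sends the new data key wrapped under its message key.
        owner, message_key = self._open_ticket(ticket)
        wrapped = encrypt(self._control_key, decrypt(message_key, key_under_message_key))
        self._db[data_id] = Header(wrapped, owner, list(permitted), self._mac(wrapped, owner, permitted))

    def request_key(self, ticket, data_id):
        # The accessing user's client sends ticket + data id; the key comes back under the message key.
        userid, message_key = self._open_ticket(ticket)
        h = self._db[data_id]
        if not hmac.compare_digest(h.mac, self._mac(h.wrapped_key, h.owner, h.permitted)):
            raise ValueError("key database header failed its authentication check")
        if userid not in h.permitted:
            raise PermissionError(f"{userid} is not permitted to access {data_id}")
        return encrypt(message_key, decrypt(self._control_key, h.wrapped_key))

class KeyClient:
    def __init__(self, userid, password, auth, key_server, memory):
        self._ticket, self._message_key = auth.authenticate(userid, password)
        self._key_server, self._memory = key_server, memory   # memory: shared encrypted data memory

    def create(self, data_id, plaintext, permitted):
        key = generate_key()
        self._key_server.register(self._ticket, data_id, encrypt(self._message_key, key), permitted)
        self._memory[data_id] = encrypt(key, plaintext)

    def access(self, data_id):
        key = decrypt(self._message_key, self._key_server.request_key(self._ticket, data_id))
        return decrypt(key, self._memory[data_id])

def demo():
    # Constructed scenario: alice creates, bob (listed) reads, carol (not listed) is refused.
    auth = AuthenticationServer({"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-carol"})
    key_server, memory = KeyServer(auth.ticket_key), {}
    KeyClient("alice", "pw-alice", auth, key_server, memory).create(
        "report.txt", b"quarterly figures", ["alice", "bob"])
    recovered = KeyClient("bob", "pw-bob", auth, key_server, memory).access("report.txt")
    try:
        KeyClient("carol", "pw-carol", auth, key_server, memory).access("report.txt")
        refused = False
    except PermissionError:
        refused = True
    return recovered, refused
```

Running `demo()` returns `(b"quarterly figures", True)`: the permitted user recovers the plaintext while the unlisted user is refused at the key server, which never releases a data key in the clear, only under the requesting client's message key. Two checks a reviewer would look for are modelled explicitly: the ticket is authenticated before its userid is trusted, and the header's message authentication check is verified before its permitted-user list is consulted, so an edited database record is rejected rather than silently honoured.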
Specification