Personal key archive

US 5,495,533 A
Filed: 04/29/1994
Issued: 02/27/1996
Est. Priority Date: 04/29/1994
Status: Expired due to Term

First Claim

Patent Images

1. A computing system for automatically managing keys to encrypt and decrypt stored data;

comprising;

an authentication server;

a key client;

a key generator;

a key server;

a key database;

an encrypted data memory;

said authentication server authenticates said user and provides said user with a ticket identifying said user;

said key client of a creating user, when a creating user creates stored data invokes said generator to generate a key corresponding to said stored data to form encrypted stored data, said key is provided to said key server, said key client of said creating user uses said key to encrypt said stored data which is stored in said encrypted data memory;

said key client of an accessing user, when an accessing user accesses said stored data, sends said ticket and identification data for said stored data to said key server, said key server obtains said authentification data from said ticket for said accessing user, said key server sends said key corresponding to said stored data to said key client of said accessing user, said key client of said accessing user uses said key to decrypt said encrypted stored data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing system is described having an automated management system for managing keys to encrypt and decrypt stored data on the computing system. The computing system has an authentication server; a key client; a key generator; a key server; a key database; and an encrypted data file memory. The authentication server authenticates the user and in response to the user accessing the computing system the authentication server provides the user with a ticket validating the user. The key client of a creating user when creating a data file invokes the generator to generate a key corresponding to the data file. The key is provided to the key server and the key client uses the key to encrypt the data file which is stored in the encrypted data file memory. The key client of an accessing user sends its ticket and data file identification data to the key server. The key server checks the ticket and sends the key corresponding to the data file to the key client of the accessing user. The key client of the accessing user uses the key to decrypt the encrypted data file. The stored data can further include a header containing the key and owner and permitted user identification data. The ticket can contain a key to encrypt messages sent between the client server and key client.

Citations

39 Claims

1. A computing system for automatically managing keys to encrypt and decrypt stored data;
- comprising;
  
  an authentication server;
  
  a key client;
  
  a key generator;
  
  a key server;
  
  a key database;
  
  an encrypted data memory;
  
  said authentication server authenticates said user and provides said user with a ticket identifying said user;
  
  said key client of a creating user, when a creating user creates stored data invokes said generator to generate a key corresponding to said stored data to form encrypted stored data, said key is provided to said key server, said key client of said creating user uses said key to encrypt said stored data which is stored in said encrypted data memory;
  
  said key client of an accessing user, when an accessing user accesses said stored data, sends said ticket and identification data for said stored data to said key server, said key server obtains said authentification data from said ticket for said accessing user, said key server sends said key corresponding to said stored data to said key client of said accessing user, said key client of said accessing user uses said key to decrypt said encrypted stored data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 31, 32, 33, 34, 36, 37)
- - 2. A computing system according to claim 1, wherein said key client sends said encrypted stored data to said encrypted data memory.
  - 3. A computing system according to claim 1, wherein said key server stores said key and said file identification data in an entry in a key data base.
  - 4. A computing system according to claim 1 wherein said key is a random number.
  - 5. A computing system according to claim 1, wherein said ticket is a set of authentication data.
  - 6. A computing system according to claim 1, wherein said user is authenticated by said authentication server by providing a userid and password to said authentication server.
  - 7. A computing system according to claim 1, wherein said key client resides on a user computer and said key server is a separate unit from said user computer.
  - 8. A computing system according to claim 7, wherein said authentication server is a separate unit from said key server.
  - 9. A computing system according to claim 7, wherein authentication server and said key server are in the same unit.
  - 10. A computing system according to claim 1, further including a file server.
  - 11. A computing system according to claim 6, further including a file server.
  - 12. A computing system according to claim 7, further including a file server.
  - 13. A computing system according to claim 1, wherein there are a plurality of user computers each having a key client and each connected by a network to said key server and to said authentication server.
  - 14. A computing system according to claim 1, wherein said computing system is a single computing system having a plurality of users and wherein said key client, said authentication server and said key server are parts of said single system.
  - 15. A computing system according to claim 1, wherein said key server distinguishes between said creating user and said accessing user who is not a creating user.
  - 16. A computing system according to claim 15, wherein said key server stores an identification of said creating user, said accessing user and an owning user in said key database.
  - 17. A computing system according to claim 1, wherein there are actions which only a creating user is permitted to perform on said stored data as identified in said key database, messages send between said key client and said key server relating to said actions are accompanied by said ticket of said creating user and said messages are encrypted.
  - 18. A computing system according to claim 17, wherein said actions are selected from the group consisting of renaming said stored data, changing a user who owns said stored data and modifying a list of users permitted to access said data file.
  - 19. A computer system according to claim 1, wherein said generator is part of said key client and said key is sent to said key server when said stored data is created.
  - 20. A computing system according to claim 1, wherein said generator is part of said key server, said key client invokes said generator to generate said key by sending said ticket corresponding to said creating user to said key server, said key server in response to receiving said ticket corresponding to said creating user generates said key, said key server sends said key to said key client of said creating user.
  - 21. A computing system according to claim 1, further including a header associated with said storage data.
  - 22. A computing system according to claim 21, wherein said header accompanies said stored data if said data file is moved, renamed or backed up.
  - 23. A computing system according to claim 21, wherein said header contains said key, an identification of an owner user of said stored data, a message authentication check field, a control key identifier and a list of users permitted to access said stored data.
  - 24. A computing system according to claim 23, wherein said key is encrypted under a control key.
  - 25. A computing system according to claim 24, wherein said control key is a randomly generated key used to encrypt said key of said stored data and to encrypt message authentication check fields of said header.
  - 26. A computing system according to claim 25, wherein said control key applies to N data files where N is greater than or equal to zero.
  - 27. A computing system according to claim 25, wherein said control key applies to said N data files created within a fixed period of time.
  - 31. A computer system according to claim 1, wherein said stored data is selected from the group consisting of a data file and a data base record.
  - 32. A computing system according to claim 1, further including a means to validate said user as permitted to operate on said computing system.
  - 33. A computing system according to claim 21, further including a means for sending encrypted messages between said personal key client and said personal key server.
  - 34. A computing system according to claim 33, wherein said means for sending encrypted messages encrypts said messages using a message encryption key provided by said ticket.
  - 36. A computing system according to claim 1, wherein said computing system is an automated management system for automatically managing keys to encrypt and decrypt stored data.
  - 37. A computing system according to claim 3, wherein said key server stores an identification of said creating user, said accessing user and an owning user in said key database.

28. A method for automatically managing keys used to encrypt and decrypt stored data on a computing system comprising the steps of:
- authenticating said user, said user is provided with a ticket identifying said user as permitted to operate on said computing system;
  
  when a creating user creates stored data, said creating user invokes a generator to generate a key corresponding to said stored data, said key is provided to said key client, said key client of said creating user uses said key to encrypt said stored data to form encrypted stored data which is stored in an encrypted data memory;
  
  said key client of an accessing user, when an accessing user accesses said stored data file, sends said ticket and said data file identification data to said key server, said key server checks said ticket to verify that said accessing user is permitted to access said data file, said key server sends said key corresponding to said data file to said key client of said accessing user, said key client of said accessing user uses said key to decrypt said encrypted stored data.

29. A method of modifying stored data on a computer system, comprising:
- retrieving encrypted stored data from a first storage media, said encrypted stored data being an encryption of said stored data;
  
  maintaining a database on a second storage media for correlating said encrypted stored data to a userid and a data encryption key;
  
  retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
  
  decrypting said encrypted stored data using said retrieved encryption key.

30. A computer system, comprising:
- means for retrieving encrypted stored data from a first storage media, said encrypted stored data being an encryption of said stored data;
  
  means for maintaining a database on a second storage media for correlating said encrypted stored data to a userid and a data encryption key;
  
  means for retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
  
  means for decrypting said encrypted stored data using said retrieved encryption key.

35. A computing system for automatically managing keys to encrypt and decrypt stored data;
- an authentication server;
  
  a key client;
  
  a key generator;
  
  a key server;
  
  a key database;
  
  an encrypted data memory;
  
  said authentication server authenticates said user and provides said user with a ticket identifying said user;
  
  said key client of a creating user, when a creating user creates said stored data invokes said generator to generate a key corresponding to said stored data, said key is provided to said key server, said key client of said creating user uses said key to encrypt said stored data to form an encrypted stored data which is stored in said encrypted data memory;
  
  said key client of an accessing user, when an accessing user access said stored data sends said ticket and stored data identification data to said key server, said key server checks said ticket to verify that said accessing user is permitted to access said stored data said key server sends said key corresponding to said stored data to said key client of said accessing user, said key client of said accessing user uses said key to decrypt said encrypted stored data;
  
  a header associated with said stored data;
  
  said header contains said key, an identification of an owner of said stored data, a message authentication check field, a control key identifier and a list of user permitted to access said stored data;
  
  said key is encrypted under a control key;
  
  said control key is used to encrypt message authentication check fields of said header;
  
  said ticket contains a message key for encrypting messages sent between said key client and said key server.

38. A method of modifying stored data on a distributed computer system, comprising:
- authenticating an identity of a user via an authentication system that provides identification tickets, said user having a userid;
  
  storing encrypted data on a first storage media, said encrypted data being an encryption of said stored data;
  
  maintaining a database on a second storage media for correlating said encrypted stored data to a data encryption key and said userid;
  
  validating said userid identified in an authentication ticket against said userid contained in said database, and automatically choosing whether to grant access to said encrypted stored data;
  
  retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
  
  decrypting said encrypted stored data using said retrieved encrypted key.

39. A distributed computer system, comprising:
- means for authenticating a user, said user having a userid;
  
  means for retrieving encrypted stored data from a first storage media, said encrypted stored data being an encryption of said stored data;
  
  means for maintaining a database on a second storage media for correlating said encrypted stored data to a data encryption key and said userid;
  
  means for validating an authenticated user as one of the userids listed in said database as permitted to access said encrypted stored data;
  
  means for retrieving said data encryption key corresponding to said encrypted stored data from said second storage media; and
  
  means for decrypting said encrypted stored data using said retrieved encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Linehan, Mark H., Tsudik, Gene Y., Simicich, Nicholas J.
Primary Examiner(s)
Cain, David C.

Application Number

US08/235,578
Time in Patent Office

669 Days
Field of Search

380/23, 380/24, 380/25, 380/4, 380/21, 380/49
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3213   using tickets or tokens, e....

Personal key archive

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Personal key archive

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links