Methods for providing secure access to shared information

US 5,719,938 A
Filed: 08/01/1994
Issued: 02/17/1998
Est. Priority Date: 08/01/1994
Status: Expired due to Term

First Claim

Patent Images

1. A method of controlling access to electronically-defined information among a plurality of users connected to a network having a server operable for assuring that the electronically-defined information is accessible by only at least a predetermined one of the plural users, each of said plural users having a unique first encryption key having a first portion and a second portion, said method comprising the steps of:

making said first portion known to both the server and said predetermined user;

making said second portion known only to the server;

encrypting the electronically-defined information using a second encryption key known only to the server to define encrypted information;

storing the encrypted information in network-associated electronic storage accessible through the network to said plurality of users;

encrypting the second encryption key using the first encryption key of the predetermined user to which access to the electronically-defined information is to be provided so as to define an encrypted second key;

storing the encrypted second key in an electronic storage location accessible by said predetermine user; and

attaining access by the predetermined user to the unencrypted electronically-defined information by;

accessing the stored encrypted second key from a network-connected apparatus of the predetermined user;

decrypting the accessed encrypted second key using the first key of the predetermined user at the apparatus of the predetermined user to recover the second encryption key;

accessing the stored encrypted information from the network-connected apparatus of the predetermined user; and

decrypting the accessed encrypted information using the recovered second encryption key to recover the electrically-defined information for examination of the recovered information by the predetermined user.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The inventive methods employ symmetric encryption with first and second keys to provide secure access to information accessible to be shared among a dynamically changing set of authorized users on a network having a server. A single copy of the information, encrypted with the first key of the server, is stored in a location accessible to all network users. The second key is a private key of an authorized user and is used by the server to encrypt the first key. The encrypted first key is then stored by the server at a storage location accessible by the authorized user. The user accesses the storage location, obtains the encrypted first key, and uses his private second key to decrypt and thereby recover the first key. The user then decrypts the stored information using the recovered first key.

156 Citations

17 Claims

1. A method of controlling access to electronically-defined information among a plurality of users connected to a network having a server operable for assuring that the electronically-defined information is accessible by only at least a predetermined one of the plural users, each of said plural users having a unique first encryption key having a first portion and a second portion, said method comprising the steps of:
- making said first portion known to both the server and said predetermined user;
  
  making said second portion known only to the server;
  
  encrypting the electronically-defined information using a second encryption key known only to the server to define encrypted information;
  
  storing the encrypted information in network-associated electronic storage accessible through the network to said plurality of users;
  
  encrypting the second encryption key using the first encryption key of the predetermined user to which access to the electronically-defined information is to be provided so as to define an encrypted second key;
  
  storing the encrypted second key in an electronic storage location accessible by said predetermine user; and
  
  attaining access by the predetermined user to the unencrypted electronically-defined information by;
  
  accessing the stored encrypted second key from a network-connected apparatus of the predetermined user;
  
  decrypting the accessed encrypted second key using the first key of the predetermined user at the apparatus of the predetermined user to recover the second encryption key;
  
  accessing the stored encrypted information from the network-connected apparatus of the predetermined user; and
  
  decrypting the accessed encrypted information using the recovered second encryption key to recover the electrically-defined information for examination of the recovered information by the predetermined user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 14, 15)
- - 2. A method in accordance with claim 1, further comprising the step of generating the second encryption key at the server.
  - 3. A method in accordance with claim 1, further comprising the steps of:
    - periodically generating a new second encryption key to replace a then-current second encryption key; and
      
      each time that a new second encryption key is generated,encrypting the new second encryption key using the first encryption key of the predetermined user so as to define a new encrypted second key; and
      
      storing the new encrypted second key in the electronic storage location accessible by the predetermined user to replace the encrypted second key previously stored in the electronic storage location for access by the predetermined user.
  - 4. A method in accordance with claim 3 and further comprising, each time that a new second encryption key is generated, the steps of:
    - encrypting the electronically-defined information using the new second encryption key to define newly-encrypted information; and
      
      storing the newly-encrypted information in the network-associated electronic storage accessible through the network to said plurality of users to replace the previously-stored encrypted information.
  - 5. A method in accordance with claim 1, wherein said step of storing the encrypted second key comprises storing the encrypted second key in an electronic storage location accessible only by the predetermined user.
  - 6. A method in accordance with claim 1, wherein said step of storing the encrypted information comprises storing the encrypted information in electronic storage associated with the server.
  - 7. A method in accordance with claim 1, wherein said steps of accessing the stored encrypted second key, decrypting the accessed encrypted second key to recover the second encryption key, and decrypting the accessed encrypted information using the recovered second encryption key being carried out by operation of an executable program routine so as to restrict direct access by the predetermined user to the recovered second encryption key and thereby prevent unintended access to the recovered second encryption key by ones of said plural users other than the predetermined user.
  - 8. A method in accordance with claim 1, wherein said steps of accessing the stored encrypted second key, decrypting the accessed encrypted second key to recover the second encryption key, and decrypting the accessed encrypted information using the recovered second encryption key being carried out by operation of an executable program routine at the apparatus of the predetermined user so as to restrict direct access by the predetermined user to the recovered second encryption key and thereby prevent unintended access to the recovered second encryption key by ones of said plural users other than the predetermined user.
  - 9. A method in accordance with claim 1, where in said step of storing the encrypted second key comprises storing the encrypted second key in an electronic storage location associated with the apparatus of the predetermined user.
  - 10. A method in accordance with claim 1, wherein said step of encrypting the electronically-defined information comprises dividing the information into a multiplicity of information portions and separately encrypting each of the multiplicity of information portions to define encrypted information comprising a multiplicity of separately-encrypted portions each individually accessible by predetermined ones of said plural users.
  - 14. The method according to claim 1, further comprising the steps of:
    - obtaining a credit card number from said predetermined user; and
      
      causing said credit card number to be communicated to said predetermined user during said step of decrypting the accessed encrypted information so as to discourage said predetermined user from sharing the first encryption key with a user to whom access is not permitted.
  - 15. The method according to claim 1, further comprising:
    - (a) assigning a unique network address to the network connected apparatus of said predetermined user;
      
      (b) determining, during the step of accessing the stored encrypted information, the unique network address of the network connected apparatus from which access to the encrypted information is being sought;
      
      (c) determining if the unique network address determined in said step (b) matches the unique network address assigned, to the network connected apparatus of the predetermined user; and
      
      (d) preventing the step of decrypting the accessed encrypted information from occurring if no match is found in said step (c).

11. A method of controlling access to electrically defined information among a plurality of users connected to a network having a server operable for assuring that the electronically defined information is accessible by only at least a predetermined one of the plural users, each of said plural users having a unique first encryption key having a first portion and a second portion, said method comprising the steps of:
- making said first portion known to both the server and said predetermined user;
  
  making said second portion known only to the sever;
  
  storing electronically defined information, encrypted using a second encryption key known only to the server, in network-associated electronic storage accessible through the network to said plurality of users; and
  
  attaining access, by a predetermined one of the plural users, to the unencrypted electronically defined information by;
  
  accessing the network from a network-connected apparatus of the predetermined user to further access the second key encrypted using the first encryption key of the predetermined user;
  
  decrypting the accessed encrypted second key using the first key of the predetermined user at the apparatus of the predetermined user to recover the second encryption key;
  
  accessing the stored encrypted information from the network-connected apparatus of the predetermined user; and
  
  decrypting the accessed encrypted information using the recovered second encryption key to recover the electronically defined information for examination of the recovered information by the predetermined user.
- View Dependent Claims (12, 13, 16, 17)
- - 12. The method of claim 11, wherein said storing step includes the steps of:
    - encrypting the electronically defined information using the second encryption key known only to the server to define the encrypted information; and
      
      storing the encrypted information in network-associated electronic storage accessible through the network to said plurality of users.
  - 13. The method of claim 11 wherein, prior to the second key decrypting step, the method further includes the steps of:
    - encrypting the second encryption key using the first encryption key of the predetermined user to which access to the electronically defined information is to be provided so as to define the encrypted second key; and
      
      storing the encrypted second key in an electronic storage location accessible by said predetermined user.
  - 16. The method according to claim 11, further comprising the steps of:
    - obtaining a credit card number from said predetermined user; and
      
      causing said credit card number to be communicated to said predetermined user during said step of decrypting the accessed encrypted information so as to discourage said predetermined user from sharing the first encryption key with a user to whom access is not permitted.
  - 17. The method according to claim 11, further comprising:
    - (a) assigning a unique network address to the network connected apparatus of said predetermined user;
      
      (b) determining, during the step of accessing the stored encrypted information, the unique network address of the network connected apparatus from which access to the encrypted information is being sought;
      
      (c) determining if the unique network address determined in said step (b) matches the unique network address assigned to the network connected apparatus of the predetermined user; and
      
      (d) preventing the step of decrypting the accessed encrypted information from occurring if no match is found in said step (c).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Haas, Zygmunt, Paul, Sanjoy
Primary Examiner(s)
Barron, Jr., Gilberto

Application Number

US08/284,025
Time in Patent Office

1,296 Days
Field of Search

380/4, 380/21, 380/25
US Class Current

705/52
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/10   for controlling access to d...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Methods for providing secure access to shared information

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for providing secure access to shared information

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links