Encrypting data for access by multiple users
First Claim
1. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:
- encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data;
deriving a key encryption key for each user from the passphrase known to each user;
encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user;
deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and
posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user.
0 Assignments
0 Petitions
Accused Products
Abstract
A method for protecting data for access by a plurality of users. A server encrypts data using a master key and a symmetric encryption algorithm. For each authorized user, a key encryption key (KEK) is derived from a passphrase, and the master key is encrypted using the KEK. The server posts the encrypted data and an ancillary file that includes, for each user, a user identifier and the master key encrypted according to the user'"'"'s KEK. To access the data, a user enters the passphrase into a client, which re-derives the user'"'"'s KEK, and finds, in the ancillary file, the master key encrypted using the user'"'"'s KEK. The client decrypts the master key and then decrypts the data. A KEK may be derived from a natural language passphrase by hashing the passphrase, concatenating the result and a predetermined text, hashing the concatenation, and truncating.
237 Citations
9 Claims
-
1. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:
-
encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data; deriving a key encryption key for each user from the passphrase known to each user; encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user; deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:
-
encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data; deriving a key encryption key for each user from the passphrase known to each user; encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user; deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user, wherein said deriving said key encryption key for each user comprises; hashing the passphrase known to each user, to provide a hashed passphrase pertaining to each user; altering the hashed passphrase pertaining to each user to provide an altered passphrase pertaining to each user; hashing the altered passphrase pertaining to each user, to provide a result pertaining to each user; and truncating the result pertaining to each user, to provide the key encryption key for each user. - View Dependent Claims (7)
-
-
8. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:
-
encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data; deriving a key encryption key for each user from the passphrase known to each user; encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user; deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user, wherein said deriving said verification key for each user comprises; hashing the passphrase known to each user, to provide a hashed passphrase pertaining to each user; altering the hashed passphrase pertaining to each user to provide an altered passphrase pertaining to each user; hashing the altered passphrase pertaining to each user, to provide a result pertaining to each user; and truncating the result pertaining to each user, to provide the verification key for each user. - View Dependent Claims (9)
-
Specification