Encrypting data for access by multiple users

US 7,596,222 B2
Filed: 06/21/2007
Issued: 09/29/2009
Est. Priority Date: 01/27/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:

encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data;

deriving a key encryption key for each user from the passphrase known to each user;

encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user;

deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and

posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting data for access by a plurality of users. A server encrypts data using a master key and a symmetric encryption algorithm. For each authorized user, a key encryption key (KEK) is derived from a passphrase, and the master key is encrypted using the KEK. The server posts the encrypted data and an ancillary file that includes, for each user, a user identifier and the master key encrypted according to the user'"'"'s KEK. To access the data, a user enters the passphrase into a client, which re-derives the user'"'"'s KEK, and finds, in the ancillary file, the master key encrypted using the user'"'"'s KEK. The client decrypts the master key and then decrypts the data. A KEK may be derived from a natural language passphrase by hashing the passphrase, concatenating the result and a predetermined text, hashing the concatenation, and truncating.

237 Citations

9 Claims

1. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:
- encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data;
  
  deriving a key encryption key for each user from the passphrase known to each user;
  
  encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user;
  
  deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and
  
  posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the ancillary file comprises N records and three columns, wherein the N records are respectively associated with the N users, and wherein the three columns comprise a column that includes a user identifier of each user, a column that includes the encrypted master key for each user, and a column that includes the verification key for each user.
  - 3. The method of claim 2, wherein the ancillary file consists of the N records and the three columns.
  - 4. The method of claim 1, wherein the method further comprises:
    - prior to said encrypting data and said encrypting the master key, randomly generating the master key.
  - 5. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform the method of claim 1.

6. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:
- encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data;
  
  deriving a key encryption key for each user from the passphrase known to each user;
  
  encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user;
  
  deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and
  
  posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user,wherein said deriving said key encryption key for each user comprises;
  
  hashing the passphrase known to each user, to provide a hashed passphrase pertaining to each user;
  
  altering the hashed passphrase pertaining to each user to provide an altered passphrase pertaining to each user;
  
  hashing the altered passphrase pertaining to each user, to provide a result pertaining to each user; and
  
  truncating the result pertaining to each user, to provide the key encryption key for each user.
- View Dependent Claims (7)
- - 7. The method of claim 6, wherein said altering comprises concatenating a predetermined text with the hashed passphrase pertaining to each user to provide the altered passphrase pertaining to each user.

8. A method for protecting data for N users using N passphrases respectively known to the N users such that N is at least 2, comprising:
- encrypting data using a master key according to a first symmetric encryption algorithm, to provide encrypted data;
  
  deriving a key encryption key for each user from the passphrase known to each user;
  
  encrypting the master key using the key encryption key of each user according to a second symmetric encryption algorithm, to provide an encrypted master key for each user;
  
  deriving a verification key for each user from the passphrase known to each user, said verification key for each user differing from said key encryption key for each user; and
  
  posting the encrypted data along with an ancillary file for access by the user, said ancillary file comprising a user identifier specific to each user, the encrypted master key for each user, and the verification key for each user,wherein said deriving said verification key for each user comprises;
  
  hashing the passphrase known to each user, to provide a hashed passphrase pertaining to each user;
  
  altering the hashed passphrase pertaining to each user to provide an altered passphrase pertaining to each user;
  
  hashing the altered passphrase pertaining to each user, to provide a result pertaining to each user; and
  
  truncating the result pertaining to each user, to provide the verification key for each user.
- View Dependent Claims (9)
- - 9. The method of claim 8, wherein said altering comprises concatenating a predetermined text with the hashed passphrase pertaining to each user to provide the altered passphrase pertaining to each user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jonas, Per Erwin, Zunic, Nevenko, Roginsky, Allen Leonid
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tran; Tongoc

Application Number

US11/766,192
Publication Number

US 20070297608A1
Time in Patent Office

831 Days
Field of Search

713/165, 713/184, 713/189, 713/183, 380/281, 380/285, 380/259, 380/278
US Class Current

380/259
CPC Class Codes

H04L 9/0822 using key encryption key

H04L 9/0863 involving passwords or one-...

Encrypting data for access by multiple users

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

237 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

Encrypting data for access by multiple users

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others