Method and apparatus for re-encrypting data in a transaction-based secure storage system
Abstract
A method for re-encrypting encrypted data in a secure storage file system, including obtaining selected data to re-encrypt from the secure storage file system using a user data access record and the encrypted data, decrypting the selected data using a symmetric key, re-encrypting the selected data using a new symmetric key to obtain new encrypted data, encrypting the new symmetric key using a public key to obtain a new encrypted symmetric key, storing the new encrypted data and the new encrypted symmetric key if the public key is associated with a file system user having read permission, and storing an encrypted hash data if the file system user has write permission.
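The flow in the abstract, as an added sketch that is not code from the patent or its assignee. It assumes the third-party `cryptography` package, AES-256-GCM and RSA-OAEP/PSS as primitives (the claims name none), a Python integer as the access bitmap, and one RSA key pair per remaining user; all function and variable names are hypothetical.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

def seal(data, key):
    nonce = os.urandom(12)                      # fresh nonce per encryption, stored with the block
    return nonce + AESGCM(key).encrypt(nonce, data, None)

def unseal(blob, key):
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)

def reencrypt(blocks, old_keys, access_bitmap, reader_pubs, writer_priv):
    """Rotate the key of every block whose bit is set in the first user's access bitmap.
    reader_pubs: {name: public key} of users who keep access (first user excluded).
    writer_priv: private key of a remaining user with write permission (assumed signer)."""
    new_blocks = {}
    for i, blob in blocks.items():
        if not (access_bitmap >> i) & 1:
            continue                            # first user never accessed it: leave untouched
        data = unseal(blob, old_keys[i])        # decrypt with the first symmetric key
        new_key = AESGCM.generate_key(bit_length=256)   # second symmetric key
        new_blocks[i] = {
            "data": seal(data, new_key),
            "wrapped": {n: pub.encrypt(new_key, OAEP) for n, pub in reader_pubs.items()},
            # hash-then-sign: the modern form of "encrypting the hash with the private key"
            "sig": writer_priv.sign(data, PSS, hashes.SHA256()),
        }
    return new_blocks

def demo():
    # Constructed sample: three blocks; the first user accessed blocks 0 and 2 (bitmap 0b101).
    alice, bob = (rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(2))
    plain = {0: b"ledger page 0", 1: b"ledger page 1", 2: b"ledger page 2"}
    old_keys = {i: AESGCM.generate_key(bit_length=256) for i in plain}
    blocks = {i: seal(p, old_keys[i]) for i, p in plain.items()}
    pubs = {"alice": alice.public_key(), "bob": bob.public_key()}
    new = reencrypt(blocks, old_keys, 0b101, pubs, writer_priv=alice)
    key0 = bob.decrypt(new[0]["wrapped"]["bob"], OAEP)  # bob (read-only) unwraps the new key
    alice.public_key().verify(new[0]["sig"], plain[0], PSS, hashes.SHA256())  # raises if invalid
    return sorted(new), unseal(new[0]["data"], key0), key0 != old_keys[0]
```

Block 1 keeps its old key because the first user's bitmap never marked it, which is what limits the re-encryption cost to the data that user could actually have read.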
18 Claims
1. A method for re-encrypting encrypted data in a secure storage file system, comprising:
- obtaining one or more selected encrypted data blocks from the secure storage file system, each selected encrypted data block comprising a selected encrypted data, the one or more selected encrypted data blocks comprising data blocks accessed by a first user, wherein the one or more selected encrypted data blocks were selected based on a user data access record, wherein the user data access record comprises a bitmap indicating which encrypted data blocks are accessed by a first user;
- decrypting, re-encrypting and storing each one of the one or more selected encrypted data blocks, the decrypting, re-encrypting and storing of each data block comprising;
- decrypting the selected encrypted data using a first symmetric key associated with the encrypted data block to obtain selected data;
- re-encrypting the selected data using a second symmetric key associated with the data block to obtain new encrypted data;
- for each user who has access to the data block, obtaining a public key associated with a private key, wherein the first user is denied access to the private key;
- encrypting the second symmetric key using the public key to obtain a new encrypted symmetric key;
- storing in a new data block, stored in a storage device; the new encrypted data and the new encrypted symmetric key if a second user has read permission, wherein the second user is allowed access to the private key;
- applying a hash function to the selected data to obtain hash data;
- encrypting the hash data with the private key to obtain encrypted hash data; and
- storing the encrypted hash data, the new encrypted data, and the new encrypted symmetric key if the second user has write permission.

Dependent claims: 2, 3, 4, 5, 6, 7

8. A computer system generating a secure storage file system, comprising:
- a processor;
- a memory;
- a storage device;
- a computer display; and
- software instructions stored in the memory for enabling the computer system under control of the processor, to perform;
- obtaining one or more selected encrypted data blocks from the secure storage file system, each selected encrypted data block comprising a selected encrypted data, the one or more selected encrypted data blocks comprising data blocks accessed by a first user, wherein the one or more selected encrypted data blocks were selected based on a user data access record, wherein the user data access record comprises a bitmap indicating which encrypted data blocks are accessed by a first user;
- decrypting, re-encrypting and storing each one of the one or more selected encrypted data blocks, the decrypting, re-encrypting and storing of each data block comprising;
- decrypting the selected encrypted data using a first symmetric key associated with the data block to obtain selected data;
- re-encrypting the selected data using a second symmetric key associated with the data block to obtain new encrypted data;
- for each user who has access to the data block, obtaining a public key associated with a private key, wherein the first user is denied access to the private key;
- encrypting the second symmetric key using the public key to obtain a new encrypted symmetric key;
- storing in a new data block, stored in a storage device the new encrypted data and the new encrypted symmetric key if a second user has read permission, wherein the second user is allowed access to the private key;
- applying a hash function to the selected data to obtain hash data;
- encrypting the hash data with the public key to obtain encrypted hash data; and
- storing the encrypted hash data, the new encrypted data, and the new encrypted symmetric key if the second user has write permission.

Dependent claims: 9, 10, 11, 12, 13, 14

15. A secure storage system comprising:
- a storage provider storing encrypted data in a storage device, obtaining one or more selected encrypted data blocks from the secure storage file system, each selected encrypted data block comprising a selected encrypted data, the secure storage file system executing on the storage provider using a user data access record in response to receiving a key re-encryption event, the one or more selected encrypted data blocks comprising data blocks accessed by a first user, wherein the one or more selected encrypted data blocks were selected based on a user data access record, wherein the user data access record comprises a bitmap indicating which encrypted data blocks are accessed by a first user;
- decrypting, re-encrypting and storing each one of the one or more selected encrypted data blocks, the decrypting, re-encrypting and storing of each data block comprising;
- decrypting the selected encrypted data using a first symmetric key associated with the encrypted data block to obtain selected data;
- re-encrypting the selected data using a second symmetric key associated with the data block to obtain new encrypted data;
- for each user who has access to the data block, obtaining a public key associated with a private key, wherein the first user is denied access to the private key;
- encrypting the second symmetric key using the public key to obtain a new encrypted symmetric key;
- storing in a new data block, stored in the storage device, the new encrypted data and the new encrypted symmetric key if a second user has read permission, wherein the second user is allowed access to the private key;
- applying a hash function to the selected data to obtain hash data;
- encrypting the hash data with the private key to obtain encrypted hash data; and
- storing the encrypted hash data, the new encrypted data, and the new encrypted symmetric key if the second user has write permission; and
- a client device, wherein the client device comprises a client kernel for generating the key re-encryption event and a client application using the encrypted data.

Dependent claims: 16, 17, 18

Specification