System and method for providing different levels of key security for controlling access to secured items

US 8,341,406 B2
Filed: 04/04/2011
Issued: 12/25/2012
Est. Priority Date: 12/12/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving, by at least one processing device, a request to access a header of a secured file, wherein the header comprises a file key, at least the header of the secured file is configured to be decrypted by a user key, and a data portion of the secured file is configured to be decrypted by the file key;

obtaining, by the at least one processing device, the user key from a particular storage location that indicates a level of security of the user key, wherein the level of security is defined in a policy based on a degree of access privileges provided by the user key and a requirement that the user key be obtained from the particular storage location based on the level of security of the user key; and

decrypting, by at the least one processing device, the header using the user key to produce the file key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

With files secured by encryption techniques, keys are often required to gain access to the secured files. Techniques for providing and using multiple levels of keystores for securing the keys are disclosed. The keystores store keys that are needed by users in order to access secured files. The different levels of keystores offer compromises between security and flexibility/ease of use.

Citations

33 Claims

1. A method comprising:
- receiving, by at least one processing device, a request to access a header of a secured file, wherein the header comprises a file key, at least the header of the secured file is configured to be decrypted by a user key, and a data portion of the secured file is configured to be decrypted by the file key;
  
  obtaining, by the at least one processing device, the user key from a particular storage location that indicates a level of security of the user key, wherein the level of security is defined in a policy based on a degree of access privileges provided by the user key and a requirement that the user key be obtained from the particular storage location based on the level of security of the user key; and
  
  decrypting, by at the least one processing device, the header using the user key to produce the file key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein obtaining the user key from the storage location comprises obtaining the user key from a central server keystore corresponding to a high level of security of the user key.
  - 3. The method of claim 1, wherein obtaining the user key from the storage location comprises obtaining the user key from a local server keystore corresponding to an intermediate level of security of the user key.
  - 4. The method of claim 1, wherein obtaining the user key from the storage location comprises obtaining the user key from a user keystore corresponding to a low level of security of the user key.
  - 5. The method of claim 1, wherein obtaining the user key from the storage location comprises obtaining the user key from the storage location corresponding to a user group associated with the user key.
  - 6. The method of claim 1, wherein obtaining the user key from the storage location comprises obtaining the user key from a persistent storage location that is mutually exclusive from one or more additional persistent storage locations.
  - 7. The method of claim 6, wherein the user key is further available at a non-persistent storage location.
  - 8. The method of claim 1, wherein obtaining the user key from the storage location comprises providing the header to a central server keystore configured to obtain the user key and decrypt the header using the user key.
  - 9. The method of claim 8, further comprising:
    - receiving the file key, decrypted from the header, from the central server keystore.
  - 10. The method of claim 1, further comprising:
    - caching the user key at a local cache.
  - 11. The method of claim 10, further comprising:
    - clearing the local cache after a predetermined duration.

12. A computer-readable storage device having instructions stored thereon, execution of which, by a computing device, causes the computing device to perform operations comprising:
- receiving a request to access a header of a secured file, wherein the header comprises a file key, at least the header of the secured file is configured to be decrypted by a user key, and a data portion of the secured file is configured to be decrypted by the file key;
  
  obtaining the user key from a particular storage location that indicates a level of security of the user key, wherein the level of security is defined in a policy based on a degree of access privileges provided by the user key and a requirement that the user key be obtained from the particular storage location based on the level of security of the user key; and
  
  decrypting the header using the user key to produce the file key.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer-readable storage device of claim 12, wherein obtaining the user key from the storage location comprises obtaining the user key from a central server keystore corresponding to a high level of security of the user key.
  - 14. The computer-readable storage device of claim 12, wherein obtaining the user key from the storage location comprises obtaining the user key from a local server keystore corresponding to an intermediate level of security of the user key.
  - 15. The computer-readable storage device of claim 12, wherein obtaining the user key from the storage location comprises obtaining the user key from a user keystore corresponding to a low level of security of the user key.
  - 16. The computer-readable storage device of claim 12, wherein obtaining the user key from the storage location comprises obtaining the user key from the storage location corresponding to a user group associated with the user key.
  - 17. The computer-readable storage device of claim 12, wherein obtaining the user key from the storage location comprises obtaining the user key from a persistent storage location that is mutually exclusive from one or more additional persistent storage locations.
  - 18. The computer-readable storage device of claim 17, wherein the user key is further available at a non-persistent storage location.
  - 19. The computer-readable storage device of claim 12, wherein obtaining the user key from the storage location comprises providing the header to a central server keystore configured to obtain the user key and decrypt the header using the user key.
  - 20. The computer-readable storage device of claim 19, the operations further comprising:
    - receiving the file key, decrypted from the header, from the central server keystore.
  - 21. The computer-readable storage device of claim 12, the operations further comprising:
    - caching the user key at a local cache.
  - 22. The computer-readable storage device of claim 21, the operations further comprising:
    - clearing the local cache after a predetermined duration.

23. A system comprising:
- a memory storing;
  
  a receiving module configured to receive a request to access a header of a secured file, wherein the header comprises a file key, at least the header of the secured file is configured to be decrypted by a user key, and a data portion of the secured file is configured to be decrypted by the file key,an obtaining module configured to obtain the user key from a particular storage location that indicates a level of security of the user key, wherein the level of security is defined in a policy based on a degree of access privileges provided by the user key and a requirement that the user key be obtained from the particular storage location based on the level of security of the user key, anda decrypting module configured to decrypt the header using the user key to produce the file key; and
  
  one or more processors configured to process the modules.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The system of claim 23, wherein obtaining the user key from the storage location comprises obtaining the user key from a central server keystore corresponding to a high level of security of the user key.
  - 25. The system of claim 23, wherein obtaining the user key from the storage location comprises obtaining the user key from a local server keystore corresponding to an intermediate level of security of the user key.
  - 26. The system of claim 23, wherein obtaining the user key from the storage location comprises obtaining the user key from a user keystore corresponding to a low level of security of the user key.
  - 27. The system of claim 23, wherein obtaining the user key from the storage location comprises obtaining the user key from the storage location corresponding to a user group associated with the user key.
  - 28. The system of claim 23, wherein obtaining the user key from the storage location comprises obtaining the user key from a persistent storage location that is mutually exclusive from one or more additional persistent storage locations.
  - 29. The system of claim 28, wherein the user key is further available at a non-persistent storage location.
  - 30. The system of claim 23, wherein obtaining the user key from the storage location comprises providing the header to a central server keystore configured to obtain the user key and decrypt the header using the user key.
  - 31. The system of claim 30, further comprising:
    - a second receiving module configured to receive the file key, decrypted from the header, from the central server keystore.
  - 32. The system of claim 23, further comprising:
    - a caching module configured to cache the user key at a local cache.
  - 33. The system of claim 32, further comprising:
    - a clearing module configured to clear the local cache after a predetermined duration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC (Intellectual Ventures LLC)
Inventors
Hildebrand, Hal S.
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US13/079,583
Publication Number

US 20110258438A1
Time in Patent Office

631 Days
Field of Search

713/165, 713/166
US Class Current

713/165
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

System and method for providing different levels of key security for controlling access to secured items

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing different levels of key security for controlling access to secured items

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links