Systems and methods for secure third-party data storage

US 8,458,494 B1
Filed: 03/26/2012
Issued: 06/04/2013
Est. Priority Date: 03/26/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure third-party data storage, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:

identifying, at the server-side computing device, a request from a client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file;

identifying, in response to the request, an asymmetric key pair designated for the user account that comprises an encryption key and a decryption key, wherein the decryption key has been encrypted with a client-side key that is not stored on the server-side computing device;

receiving, at the server-side computing device from the client system, the client-side key;

storing the client-side key in volatile memory of the server-side computing device without storing the client-side key in non-volatile memory of the server-side computing device;

decrypting, at the server-side computing device, the decryption key with the client-side key;

using the decryption key to access an unencrypted version of the encrypted file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for secure third-party data storage may include 1) identifying, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, 2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, 3) receiving, from the client system, the client-side key, 4) decrypting the decryption key with the client-side key, and 5) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

52 Citations

View as Search Results

20 Claims

1. A computer-implemented method for secure third-party data storage, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:
- identifying, at the server-side computing device, a request from a client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file;
  
  identifying, in response to the request, an asymmetric key pair designated for the user account that comprises an encryption key and a decryption key, wherein the decryption key has been encrypted with a client-side key that is not stored on the server-side computing device;
  
  receiving, at the server-side computing device from the client system, the client-side key;
  
  storing the client-side key in volatile memory of the server-side computing device without storing the client-side key in non-volatile memory of the server-side computing device;
  
  decrypting, at the server-side computing device, the decryption key with the client-side key;
  
  using the decryption key to access an unencrypted version of the encrypted file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, wherein using the decryption key to access the unencrypted version of the encrypted file comprises:
    - identifying a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting the file key with the decryption key;
      
      decrypting the encrypted file with the file key.
  - 3. The computer-implemented method of claim 1, wherein:
    - accessing the encrypted file comprises providing access to the unencrypted version of the encrypted file to an additional user account;
      
      an additional asymmetric key pair is designated for the additional user account, the additional asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with an additional client-side key.
  - 4. The computer-implemented method of claim 3, wherein providing access to the unencrypted version of the encrypted file to the additional user account comprises:
    - identifying a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting the file key with the decryption key;
      
      encrypting a copy of the file key with the additional encryption key.
  - 5. The computer-implemented method of claim 1, wherein accessing the encrypted file comprises transmitting the unencrypted version of the encrypted file to the client system.
  - 6. The computer-implemented method of claim 1, wherein using the decryption key to access the unencrypted version of the encrypted file comprises generating metadata describing the unencrypted version of the encrypted file.
  - 7. The computer-implemented method of claim 6, wherein generating the metadata describing the unencrypted version of the encrypted file comprises at least one of:
    - performing a security scan on the unencrypted version of the encrypted file;
      
      indexing the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file;
      
      generating a preview of the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file.
  - 8. The computer-implemented method of claim 1, further comprising:
    - receiving the unencrypted version of the encrypted file from the client system;
      
      generating the encrypted file by;
      
      generating a file key based on at least one characteristic of the unencrypted version of the encrypted file;
      
      encrypting the unencrypted version of the encrypted file with the file key;
      
      encrypting the file key with the encryption key.
  - 9. The computer-implemented method of claim 8, further comprising deduplicating the encrypted file with an additional encrypted file that is encrypted with the file key.
  - 10. The computer-implemented method of claim 1, wherein:
    - the volatile memory of the server-side computing device comprises temporary memory;
      
      the non-volatile memory of the server-side computing device comprises non-temporary memory.
  - 11. The computer-implemented method of claim 1, further comprising:
    - identifying an additional user account designated to access the unencrypted version of the encrypted file, wherein an additional asymmetric key pair is designated for the additional user account, the additional asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with an additional client-side key;
      
      encrypting the decryption key with the additional encryption key.
  - 12. The computer-implemented method of claim 11, further comprising:
    - identifying an additional request from an additional client system to further access the encrypted file via the additional user account, wherein the additional requested access requires decryption of the encrypted file;
      
      decrypting the decryption key with the additional decryption key;
      
      using the decryption key to access the unencrypted version of the encrypted file via the additional user account.
  - 13. The computer-implemented method of claim 1, wherein using the decryption key to access the unencrypted version of the encrypted file comprises:
    - identifying an additional asymmetric key pair designated for a plurality of user accounts comprising the user account, the additional asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with the encryption key;
      
      decrypting the additional decryption key with the decryption key;
      
      identifying a file key used to encrypt the encrypted file, wherein the file key is encrypted with the additional encryption key;
      
      decrypting the file key with the additional decryption key;
      
      decrypting the encrypted file with the file key.

14. A system for secure third-party data storage, the system comprising:
- an identification module programmed to identify, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file;
  
  a key module programmed to identify, in response to the request, an asymmetric key pair designated for the user account that comprises an encryption key and a decryption key, wherein the decryption key has been encrypted with a client-side key that is not stored on the server-side computing device;
  
  a receiving module programmed to;
  
  receive, at the server-side computing device from the client system, the client-side key;
  
  store the client-side key in volatile memory of the server-side computing device without storing the client-side key in non-volatile memory of the server-side computing device;
  
  a decryption module programmed to decrypt, at the server-side computing device, the decryption key with the client-side key;
  
  an access module programmed to use the decryption key to access an unencrypted version of the encrypted file;
  
  at least one processor configured to execute the identification module, the key module, the receiving module, the decryption module, and the access module.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the access module is programmed to use the decryption key to access the unencrypted version of the encrypted file by:
    - identifying a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting the file key with the decryption key;
      
      decrypting the encrypted file with the file key.
  - 16. The system of claim 14, wherein:
    - the access module is programmed to access the encrypted file by providing access to the unencrypted version of the encrypted file to an additional user account;
      
      an additional asymmetric key pair is designated for the additional user account, the additional asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with an additional client-side key.
  - 17. The system of claim 16, wherein the access module is programmed to provide access to the unencrypted version of the encrypted file to the additional user account by:
    - identifying a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting the file key with the decryption key;
      
      encrypting a copy of the file key with the additional encryption key.
  - 18. The system of claim 14, wherein the access module is programmed to access the encrypted file by transmitting the unencrypted version of the encrypted file to the client system.
  - 19. The system of claim 14, wherein the access module is programmed to use the decryption key to access the unencrypted version of the encrypted file by generating metadata describing the unencrypted version of the encrypted file.

20. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a server-side computing device, cause the computing device to:
- identify, at the server-side computing device, a request from a client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file;
  
  identify, in response to the request, an asymmetric key pair designated for the user account that comprises an encryption key and a decryption key, wherein the decryption key has been encrypted with a client-side key that is not stored on the server-side computing device;
  
  receive, at the server-side computing device from the client system, the client-side key;
  
  store the client-side key in volatile memory of the server-side computing device without storing the client-side key in non-volatile memory of the server-side computing device;
  
  decrypt, at the server-side computing device, the decryption key with the client-side key;
  
  use the decryption key to access an unencrypted version of the encrypted file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bogorad, Walter
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/430,607
Time in Patent Office

435 Days
Field of Search

None
US Class Current

713/193
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2463/062   applying encryption of the ...

H04L 63/0478   applying multiple layers of...

H04L 9/0822   using key encryption key

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

Systems and methods for secure third-party data storage

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure third-party data storage

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links