Hybrid client-server cryptography for network applications

US 8,538,020 B1
Filed: 12/29/2010
Issued: 09/17/2013
Est. Priority Date: 12/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method of decrypting encrypted user data stored with a remote content site, the method comprising:

obtaining, with a user device, encrypted user data from a remote content site, the remote content site storing the encrypted user data in place of corresponding user data to enable the remote content site to store the encrypted user data without an entity associated with the remote content site accessing the corresponding user data;

sending the encrypted user data to a remote security server to enable the remote security server to perform a first layer of decryption using a first private key;

in response to sending the encrypted user data to the remote security server, receiving partially-decrypted user data from the remote security server, the partially-decrypted user data reflecting partial decryption of the encrypted user data at the remote security server from a first encrypted form to a second encrypted form;

decrypting the partially-decrypted user data to obtain the corresponding user data, wherein decrypting the partially-decrypted data comprises decrypting the encrypted user data from the second encrypted form to an unencrypted form using a second private key; and

providing the corresponding user data in the unencrypted form to a network application configured to output the corresponding user data in conjunction with a content page obtained from the remote content site;

wherein at least said decrypting is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user'"'"'s private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.

80 Citations

View as Search Results

18 Claims

1. A method of decrypting encrypted user data stored with a remote content site, the method comprising:
- obtaining, with a user device, encrypted user data from a remote content site, the remote content site storing the encrypted user data in place of corresponding user data to enable the remote content site to store the encrypted user data without an entity associated with the remote content site accessing the corresponding user data;
  
  sending the encrypted user data to a remote security server to enable the remote security server to perform a first layer of decryption using a first private key;
  
  in response to sending the encrypted user data to the remote security server, receiving partially-decrypted user data from the remote security server, the partially-decrypted user data reflecting partial decryption of the encrypted user data at the remote security server from a first encrypted form to a second encrypted form;
  
  decrypting the partially-decrypted user data to obtain the corresponding user data, wherein decrypting the partially-decrypted data comprises decrypting the encrypted user data from the second encrypted form to an unencrypted form using a second private key; and
  
  providing the corresponding user data in the unencrypted form to a network application configured to output the corresponding user data in conjunction with a content page obtained from the remote content site;
  
  wherein at least said decrypting is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said obtaining the encrypted user data comprises accessing the encrypted user data from the remote content site.
  - 3. The method of claim 1, wherein the remote security server has access to the first private key that enables the remote security server to perform the first layer of decryption.
  - 4. The method of claim 1, further comprising disabling the second private key in response to detecting theft or loss of the first private key.
  - 5. The method of claim 1, wherein both the first and second private keys are required to fully decrypt the encrypted user data.
  - 6. The method of claim 1, further comprising disabling the first private key in response to detecting theft or loss of the second private key.

7. A system for decrypting encrypted user data stored with a remote content site, the system comprising:
- a user system comprising one or more computing devices, the user system configured to;
  
  obtain encrypted user data from a remote content site, the remote content site storing the encrypted user data in place of corresponding user data to enable the remote content site to store the encrypted user data without an entity associated with the remote content site accessing the corresponding user data;
  
  send the encrypted user data to a remote security server so as to partially-decrypt the encrypted user data by enabling the remote security server to perform a first layer of decryption using a first private key;
  
  receive the partially-decrypted user data from the remote security server, the partially-decrypted user data reflecting the decryption of the encrypted user data from a first encrypted form to a second encrypted form;
  
  decrypt the partially-decrypted user data to obtain the corresponding user data by using a second private key, the corresponding user data comprising unencrypted user data; and
  
  provide the corresponding user data to a network application configured to output the corresponding user data.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the user system is further configured to initially encrypt the user data to produce the encrypted user data.
  - 9. The system of claim 8, wherein the user system is configured to sign the encrypted user data with the second private key.
  - 10. The system of claim 9, wherein the user system is further configured to transmit the encrypted user data to the remote security server for signing with the first private key.
  - 11. The system of claim 7, wherein the user system is further configured to disable the first private key in response to detecting theft or loss of the second private key.
  - 12. The system of claim 7, wherein the remote security server is further configured to disable the second private key in response to detecting theft or loss of the first private key.

13. A non-transitory computer-readable storage medium comprising computer-executable instructions configured to implement a method of decrypting encrypted user data stored with a remote content site, the method comprising:
- receiving, at a security server, encrypted user data from a remote content site;
  
  determining whether a decryption constraint is satisfied;
  
  partially decrypting the encrypted user data using a first private key to produce partially-decrypted user data in response to determining that the decryption constraint is satisfied, wherein partially decrypting the encrypted user data comprises decrypting the encrypted user data from a first encrypted form to a second encrypted form; and
  
  transmitting the partially-decrypted user data in the second encrypted form to a user system for further decryption, so as to enable the user system to access the corresponding user data by decrypting the partially-decrypted user data from the second encrypted form to an unencrypted form using a second private key.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable storage medium of claim 13, wherein said further decryption is performed in response to determining that the decryption constraint is satisfied.
  - 15. The computer-readable storage medium of claim 13, wherein the decryption constraint comprises a time constraint, such that said partial decrypting can be performed only within a time frame specified by the time constraint.
  - 16. The computer-readable storage medium of claim 15, wherein the time constraint prevents unauthorized partial decryption of the encrypted user data.
  - 17. The computer-readable storage medium of claim 13, wherein said method further comprises not partially decrypting the encrypted user data in response to determining that the decryption constraint is not satisfied.
  - 18. The computer-readable storage medium of claim 13, wherein the decryption constraint comprises a location constraint, such that said partial decrypting can be performed only within a location specified by the location constraint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Miller, Kevin
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US12/981,327
Time in Patent Office

993 Days
Field of Search

380255-260, 713/193, 713150-155, 726 3- 6
US Class Current

380/259
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

H04L 9/14   using a plurality of keys o...

H04L 9/3247   involving digital signatures

Hybrid client-server cryptography for network applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Hybrid client-server cryptography for network applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links