Network application encryption with server-side key management

US 8,583,911 B1
Filed: 12/29/2010
Issued: 11/12/2013
Est. Priority Date: 12/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method of storing user data over a network securely using a remote service, the method comprising:

by a server system comprising one or more computing devices;

receiving user data from a client device over a network, the user data associated with a user of a remote content site that presents the user data as part of a content page;

encrypting the user data to produce encrypted user data, the encrypted user data not decryptable by the remote content site;

creating recipient data, the recipient data reflecting one or more recipients authorized to decrypt the encrypted user data, the one or more recipients being users of the remote content site authorized to access data provided by the user to the remote content site based at least in part on being associated with the user at the remote content site;

creating an encryption message comprising the encrypted user data and the recipient data; and

providing the encryption message to the remote content site for storage, enabling the one or more recipients to access the encrypted user data from the remote content site.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user'"'"'s private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.

48 Citations

View as Search Results

25 Claims

1. A method of storing user data over a network securely using a remote service, the method comprising:
- by a server system comprising one or more computing devices;
  
  receiving user data from a client device over a network, the user data associated with a user of a remote content site that presents the user data as part of a content page;
  
  encrypting the user data to produce encrypted user data, the encrypted user data not decryptable by the remote content site;
  
  creating recipient data, the recipient data reflecting one or more recipients authorized to decrypt the encrypted user data, the one or more recipients being users of the remote content site authorized to access data provided by the user to the remote content site based at least in part on being associated with the user at the remote content site;
  
  creating an encryption message comprising the encrypted user data and the recipient data; and
  
  providing the encryption message to the remote content site for storage, enabling the one or more recipients to access the encrypted user data from the remote content site.
- View Dependent Claims (2, 3, 4, 5, 6, 25)
- - 2. The method of claim 1, further comprising deleting the user data from the server system after producing the encrypted user data.
  - 3. The method of claim 1, wherein the encryption message conforms to a storage requirement of the content site.
  - 4. The method of claim 1, wherein said encrypting the user data comprises encrypting the user data with a first key.
  - 5. The method of claim 4, wherein said creating the recipient data comprises using one or more second keys of the one or more recipients to encrypt the first key.
  - 6. The method of claim 1, wherein said receiving user data comprises creating a secure communications channel to the client device and receiving the user data over the secure communications channel.
  - 25. The method of claim 1, wherein said encrypting the user data comprises encrypting the user data with an encryption key without sending an unencrypted version of the encryption key to the remote content site, thereby preventing the remote content site from being able to decrypt the user data.

7. A system for storing user data over a network securely using a remote service, the system comprising:
- a content site comprising one or more computing devices, the content site programmed to implement a network application configured to;
  
  receive data associated with a user from a client device;
  
  encrypt the user data to produce encrypted user data, the encrypted user data not decryptable by the content site;
  
  create recipient data reflecting one or more recipients authorized to decrypt the encrypted user data;
  
  store, in physical computer storage, the encrypted user data and recipient data for subsequent access by the one or more recipients, thereby enabling the one or more recipients to access the encrypted user data from the content site, the one or more recipients being users of the content site authorized to access data provided by the user to the content site based at least in part on being associated with the user at the content site;
  
  present the user data as part of a content page; and
  
  delete the user data, thereby at least partially protecting the user data from being compromised at the content site.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The system of claim 7, wherein the network application comprises a social networking application.
  - 9. The system of claim 8, wherein the network application is further configured to automatically add one or more friends of the user as the one or more recipients.
  - 10. The system of claim 9, wherein the network application is further configured to use a public key associated with each of the one or more friends to create the recipient data.
  - 11. The system of claim 10, wherein the recipient data comprises one or more recipient keys each derived from a respective public key, and wherein the one or more recipient keys are each decryptable by a respective private key of the one or more authorized recipients.
  - 12. The system of claim 7, wherein the content site comprises a public key store configured to store public keys of a plurality of users, the plurality of users including the one or more authorized recipients.
  - 13. The system of claim 7, wherein the network application comprises a financial application.
  - 14. The system of claim 13, wherein the one or more recipients includes a financial aggregation service configured to access financial data associated with the financial application.
  - 15. The system of claim 7, wherein the storing of the encrypted user data eliminates a username and password requirement to access the user data.
  - 16. The system of claim 15, wherein said eliminating of the username and password requirement enables a handheld device to access the network application at the content site.

17. A non-transitory computer-readable storage medium comprising computer-executable instructions configured to implement a method of storing user data over a network securely using a remote service, the method comprising:
- receiving user data from a client device at a server system, the user data associated with a user of a content site and comprising data to be provided to the content site;
  
  receiving an indication of the content site to which the user data is to be transmitted subsequent to being encrypted;
  
  encrypting the user data to produce encrypted user data, the encrypted user data not decryptable by the content site;
  
  creating an encryption message comprising the encrypted user data and recipient data, the recipient data reflecting one or more recipients authorized to decrypt the encrypted user data, the one or more recipients being users of the content site authorized to access data provided by the user to the content site based at least in part on being associated with the user at the content site; and
  
  transmitting the encryption message to the content site, enabling the one or more recipients to access the encrypted user data from the content site.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable storage medium of claim 17, further comprising, subsequent to said transmitting the encryption message to the content site, receiving a request from a second client device to decrypt the encryption message.
  - 19. The non-transitory computer-readable storage medium of claim 18, further comprising decrypting the encryption message and providing the user data to the second client device.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the second client device is operated by one of the one or more authorized recipients.
  - 21. The non-transitory computer-readable storage medium of claim 17, wherein said receiving the user data comprises receiving first encrypted user data and a receiver key corresponding to the server system.
  - 22. The non-transitory computer-readable storage medium of claim 21, further comprising using the receiver key to decrypt the first encrypted data to obtain the user data.
  - 23. The non-transitory computer-readable storage medium of claim 17, wherein the server system is further configured to manage a public key infrastructure for a plurality of users.
  - 24. The non-transitory computer-readable storage medium of claim 17, wherein the one or more authorized recipients comprise a user who originally sent the user data to the server system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Miller, Kevin
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US12/981,291
Time in Patent Office

1,049 Days
Field of Search

713/150
US Class Current

713/150
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

Network application encryption with server-side key management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Network application encryption with server-side key management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links