Storing encrypted objects
First Claim
1. A method comprising:
storing an encrypted resource at a hosted storage service and in association with an access control list, the access control list specifying a group identifier that identifies a group of users that can access the resource and a wrapped key associated with the group identifier, the wrapped key including an encrypted resource encryption key, wherein the resource encryption key is able to decrypt the encrypted resource, wherein the wrapped key also includes the group identifier in encrypted form;
receiving, at an application server system of the hosted storage service and from a client application executing on a client system, a request to retrieve the resource, the request including authentication credentials;
sending, from the application server system, the wrapped key and the authentication credentials to a key server system;
decrypting, at the key server system, the received wrapped key to generate an unwrapped key that includes the resource encryption key and the group identifier in unencrypted form;
accessing, at the key server system, the group identifier from the unwrapped key;
determining, at the key server system, that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier; and
in response to determining that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier, sending, from the key server system, an unencrypted version of the resource encryption key to the application server system;
receiving, at the application server system, the unencrypted version of the resource encryption key from the key server system;
decrypting, at the application server system, the stored encrypted resource using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource; and
sending, from the application server system, the unencrypted version of the resource to the client application.
Abstract
An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.
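The retrieval flow described in the first claim and the abstract, as an added sketch that is not part of the patent text. The names `KEK`, `GROUPS`, `SESSIONS` and all sample values are constructed assumptions, and `seal`/`unseal` are a standard-library encrypt-then-MAC stand-in for whatever authenticated encryption a real key server would use.

```python
import hashlib, hmac, json, os

KEK = os.urandom(32)  # key server's wrapping key (assumed name)
GROUPS = {"g-eng": {"alice"}, "g-guests": {"eve"}}   # constructed directory
SESSIONS = {"tok-alice": "alice", "tok-eve": "eve"}  # constructed credentials

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for a real AEAD (illustration only)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def store(resource, group_id):
    """Encrypt the resource under a fresh REK; wrap REK and group id together."""
    rek = os.urandom(32)
    inner = json.dumps({"gid": group_id, "rek": rek.hex()}).encode()
    acl = [{"group": group_id, "wrapped_key": seal(KEK, inner)}]
    return {"blob": seal(rek, resource), "acl": acl}

def key_server_unwrap(wrapped, credentials):
    """Key server: unwrap, read the group id from inside the key, check membership."""
    inner = json.loads(unseal(KEK, wrapped))
    user = SESSIONS.get(credentials)
    if user is None or user not in GROUPS.get(inner["gid"], set()):
        raise PermissionError("credentials are not in the wrapped key's group")
    return bytes.fromhex(inner["rek"])

def app_server_get(record, credentials):
    """Application server: forwards wrapped key and credentials, decrypts with the REK."""
    for entry in record["acl"]:
        try:
            rek = key_server_unwrap(entry["wrapped_key"], credentials)
        except PermissionError:
            continue
        return unseal(rek, record["blob"])
    raise PermissionError("no ACL entry grants access")
```

Because the membership check uses the group identifier recovered from inside the wrapped key, changing the plaintext `group` field of a stored ACL entry does not change who can obtain the resource encryption key.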
18 Claims
7. A computer system comprising:
an application server system configured to:
store an encrypted resource at a hosted storage service and in association with an access control list, the access control list specifying a group identifier that identifies a group of users that can access the resource and a wrapped key associated with the group identifier, the wrapped key including an encrypted resource encryption key, wherein the resource encryption key is able to decrypt the encrypted resource, wherein the wrapped key also includes the group identifier in encrypted form;
receive, at an application server system of the hosted storage service and from a client application executing on a client system, a request to retrieve the resource, the request including authentication credentials;
send, from the application server system, the wrapped key and the authentication credentials to a key server system;
receive, at the application server system, an unencrypted version of the resource encryption key from the key server system;
decrypt, at the application server system, the stored encrypted resource using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource; and
send, from the application server system, the unencrypted version of the resource to the client application; and
the key server system configured to:
decrypt, at the key server system, the received wrapped key to generate an unwrapped key that includes the resource encryption key and the group identifier in unencrypted form;
access, at the key server system, the group identifier from the unwrapped key;
determine, at the key server system, that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier; and
in response to determining that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier, send, from the key server system, an unencrypted version of the resource encryption key to the application server system.
13. A computer readable device storing instructions that, when executed by one or more processing devices, cause the one or more processing devices to perform operations including:
storing an encrypted resource at a hosted storage service and in association with an access control list, the access control list specifying a group identifier that identifies a group of users that can access the resource and a wrapped key associated with the group identifier, the wrapped key including an encrypted resource encryption key, wherein the resource encryption key is able to decrypt the encrypted resource, wherein the wrapped key also includes the group identifier in encrypted form;
receiving, at an application server system of the hosted storage service and from a client application executing on a client system, a request to retrieve the resource, the request including authentication credentials;
sending, from the application server system, the wrapped key and the authentication credentials to a key server system;
decrypting, at the key server system, the received wrapped key to generate an unwrapped key that includes the resource encryption key and the group identifier in unencrypted form;
accessing, at the key server system, the group identifier from the unwrapped key;
determining, at the key server system, that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier; and
in response to determining that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier, sending, from the key server system, an unencrypted version of the resource encryption key to the application server system;
receiving, at the application server system, the unencrypted version of the resource encryption key from the key server system;
decrypting, at the application server system, the stored encrypted resource using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource; and
sending, from the application server system, the unencrypted version of the resource to the client application.
Specification