Storing encrypted objects

US 8,601,263 B1
Filed: 05/18/2011
Issued: 12/03/2013
Est. Priority Date: 05/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing an encrypted resource at a hosted storage service and in association with an access control list, the access control list specifying a group identifier that identifies a group of users that can access the resource and a wrapped key associated with the group identifier, the wrapped key including an encrypted resource encryption key, wherein the resource encryption key is able to decrypt the encrypted resource, wherein the wrapped key also includes the group identifier in encrypted form;

receiving, at an application server system of the hosted storage service and from a client application executing on a client system, a request to retrieve the resource, the request including authentication credentials;

sending, from the application server system, the wrapped key and the authentication credentials to a key server system;

decrypting, at the key server system, the received wrapped key to generate an unwrapped key that includes the resource encryption key and the group identifier in unencrypted form;

accessing, at the key server system, the group identifier from the unwrapped key;

determining, at the key server system, that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier; and

in response to determining that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier, sending, from the key server system, an unencrypted version of the resource encryption key to the application server system;

receiving, at the application server system, the unencrypted version of the resource encryption key from the key server system;

decrypting, at the application server system, the stored encrypted resource using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource; and

sending, from the application server system, the unencrypted version of the resource to the client application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.

Citations

18 Claims

1. A method comprising:
- storing an encrypted resource at a hosted storage service and in association with an access control list, the access control list specifying a group identifier that identifies a group of users that can access the resource and a wrapped key associated with the group identifier, the wrapped key including an encrypted resource encryption key, wherein the resource encryption key is able to decrypt the encrypted resource, wherein the wrapped key also includes the group identifier in encrypted form;
  
  receiving, at an application server system of the hosted storage service and from a client application executing on a client system, a request to retrieve the resource, the request including authentication credentials;
  
  sending, from the application server system, the wrapped key and the authentication credentials to a key server system;
  
  decrypting, at the key server system, the received wrapped key to generate an unwrapped key that includes the resource encryption key and the group identifier in unencrypted form;
  
  accessing, at the key server system, the group identifier from the unwrapped key;
  
  determining, at the key server system, that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier; and
  
  in response to determining that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier, sending, from the key server system, an unencrypted version of the resource encryption key to the application server system;
  
  receiving, at the application server system, the unencrypted version of the resource encryption key from the key server system;
  
  decrypting, at the application server system, the stored encrypted resource using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource; and
  
  sending, from the application server system, the unencrypted version of the resource to the client application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the group of users is managed by a provider of the hosted storage service for reasons other than storage permissions and existed prior to the storage of the encrypted resource at the hosted storage service.
  - 3. The method of claim 2 wherein the group identifier is a single username associated with the group of users, an e-mail address associated with the group of users, or a domain name associated with the group of users.
  - 4. The method of claim 1 wherein the group of users did not exist prior to the storage of the encrypted resource at the hosted storage service.
  - 5. The method of claim 4 further comprising:
    - receiving a group addition request from the client application, the group addition request specifying the group of users and the group identifier; and
      
      inserting the group identifier into the access control list.
  - 6. The method of claim 1, the method further comprising:
    - identifying a service associated with the wrapped key; and
      
      wherein decrypting the received wrapped key includes decrypting the received wrapped key using a master key associated with the service.

7. A computer system comprising:
- an application server system configured to;
  
  store an encrypted resource at a hosted storage service and in association with an access control list, the access control list specifying a group identifier that identifies a group of users that can access the resource and a wrapped key associated with the group identifier, the wrapped key including an encrypted resource encryption key, wherein the resource encryption key is able to decrypt the encrypted resource, wherein the wrapped key also includes the group identifier in encrypted form;
  
  receive, at an application server system of the hosted storage service and from a client application executing on a client system, a request to retrieve the resource, the request including authentication credentials;
  
  send, from the application server system, the wrapped key and the authentication credentials to a key server system;
  
  receive, at the application server system, an unencrypted version of the resource encryption key from the key server system;
  
  decrypt, at the application server system, the stored encrypted resource using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource; and
  
  send, from the application server system, the unencrypted version of the resource to the client application; and
  
  the key server system configured to;
  
  decrypt, at the key server system, the received wrapped key to generate an unwrapped key that includes the resource encryption key and the group identifier in unencrypted form;
  
  access, at the key server system, the group identifier from the unwrapped key;
  
  determine, at the key server system, that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier; and
  
  in response to determining that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier, send, from the key server system, an unencrypted version of the resource encryption key to the application server system.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7 wherein the group of users is managed by a provider of the hosted storage service for reasons other than storage permissions and existed prior to the storage of the encrypted resource at the hosted storage service.
  - 9. The system of claim 8 wherein the group identifier is a single username associated with the group of users, an e-mail address associated with the group of users, or a domain name associated with the group of users.
  - 10. The system of claim 7 wherein the group of users did not exist prior to the storage of the encrypted resource at the hosted storage service.
  - 11. The system of claim 10 the application server system further configured to:
    - receive a group addition request from the client application, the group addition request specifying the group of users and the group identifier; and
      
      insert the group identifier into the access control list.
  - 12. The system of claim 7, the application server system further configured to:
    - identify a service associated with the wrapped key; and
      
      wherein decrypting the received wrapped key includes decrypting the received wrapped key using a master key associated with the service.

13. A computer readable device storing instructions that, when executed by one or more processing devices, cause the one or more processing devices to perform operations including:
- storing an encrypted resource at a hosted storage service and in association with an access control list, the access control list specifying a group identifier that identifies a group of users that can access the resource and a wrapped key associated with the group identifier, the wrapped key including an encrypted resource encryption key, wherein the resource encryption key is able to decrypt the encrypted resource, wherein the wrapped key also includes the group identifier in encrypted form;
  
  receiving, at an application server system of the hosted storage service and from a client application executing on a client system, a request to retrieve the resource, the request including authentication credentials;
  
  sending, from the application server system, the wrapped key and the authentication credentials to a key server system;
  
  decrypting, at the key server system, the received wrapped key to generate an unwrapped key that includes the resource encryption key and the group identifier in unencrypted form;
  
  accessing, at the key server system, the group identifier from the unwrapped key;
  
  determining, at the key server system, that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier; and
  
  in response to determining that the received authentication credentials correspond to a user in the group of users identified by the accessed group identifier, sending, from the key server system, an unencrypted version of the resource encryption key to the application server system;
  
  receiving, at the application server system, the unencrypted version of the resource encryption key from the key server system;
  
  decrypting, at the application server system, the stored encrypted resource using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource; and
  
  sending, from the application server system, the unencrypted version of the resource to the client application.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The device of claim 13 wherein the group of users is managed by a provider of the hosted storage service for reasons other than storage permissions and existed prior to the storage of the encrypted resource at the hosted storage service.
  - 15. The device of claim 14 wherein the group identifier is a single username associated with the group of users, an e-mail address associated with the group of users, or a domain name associated with the group of users.
  - 16. The device of claim 13 wherein the group of users did not exist prior to the storage of the encrypted resource at the hosted storage service.
  - 17. The device of claim 16 the instructions further including:
    - receiving a group addition request from the client application, the group addition request specifying the group of users and the group identifier; and
      
      inserting the group identifier into the access control list.
  - 18. The device of claim 13, the instructions further including:
    - identifying a service associated with the wrapped key; and
      
      wherein decrypting the received wrapped key includes decrypting the received wrapped key using a master key associated with the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Patel, Sarvar, Bershad, Brian N., Erb, David, Shankar, Umesh, Kulik, Andrei, Moller, Bodo
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
TURCHEN, JAMES R

Application Number

US13/110,361
Time in Patent Office

930 Days
Field of Search

713/168, 726 27- 29
US Class Current

713/166
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 67/1097   for distributed storage of ...

H04L 9/0819   Key transport or distributi...

H04L 9/321   involving a third party or ...

Storing encrypted objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Storing encrypted objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links