Storing encrypted objects
First Claim
1. A method performed by one or more processors, the method comprising:
- receiving, from an application server system and at a key server system, authentication credentials and a wrapped key, the wrapped key including a resource identifier, a resource encryption key, and a user identifier that have been encrypted, wherein the resource identifier identifies a resource encrypted with the resource encryption key and the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource;
identifying a service associated with the wrapped key;
accessing a master key based on the identified service, the master key being associated with the identified service;
decrypting the wrapped key to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form, wherein decrypting the wrapped key includes decrypting the wrapped key using the accessed master key;
accessing the user identifier from the unwrapped key;
determining that the received authentication credentials correspond to the accessed user identifier; and
in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unecrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.
2 Assignments
0 Petitions
Accused Products
Abstract
Authentication credentials are received at a key server system. A service associated with the wrapped key is identified. A master key is accessed based on the identified service, the master key being associated with the identified service. The wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is identified accessed from the unwrapped key. The received authentication credentials are determined to correspond to the accessed user identifier. In response to determining that the received authentication credentials correspond to the accessed user identifier, the resource encryption key are sent in unecrypted to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.
-
Citations
29 Claims
-
1. A method performed by one or more processors, the method comprising:
-
receiving, from an application server system and at a key server system, authentication credentials and a wrapped key, the wrapped key including a resource identifier, a resource encryption key, and a user identifier that have been encrypted, wherein the resource identifier identifies a resource encrypted with the resource encryption key and the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource; identifying a service associated with the wrapped key; accessing a master key based on the identified service, the master key being associated with the identified service; decrypting the wrapped key to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form, wherein decrypting the wrapped key includes decrypting the wrapped key using the accessed master key; accessing the user identifier from the unwrapped key; determining that the received authentication credentials correspond to the accessed user identifier; and in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unecrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A computer system comprising:
a key server system comprising a processor and memory and configured to; receive, from an application server system, authentication credentials and a wrapped key, the wrapped key including a resource identifier, a resource encryption key, and a user identifier that have been encrypted, wherein the resource identifier identifies a resource encrypted with the resource encryption key and the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource; identify a service associated with the wrapped key; access a master key based on the identified service, the master key being associated with the identified service; decrypt the wrapped key to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form, wherein decrypting the wrapped key includes decrypting the wrapped key using the accessed master key; access the user identifier from the unwrapped key; determine that the received authentication credentials correspond to the accessed user identifier; and in response to determining that the received authentication credentials correspond to the accessed user identifier, send the resource encryption key in unecrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
21. A non-transitory computer readable medium storing instructions that, when executed by one or more processing devices, cause the one or more processing devices to perform operations including:
-
receiving, from an application server system and at a key server system, authentication credentials and a wrapped key, the wrapped key including a resource identifier, a resource encryption key, and a user identifier that have been encrypted, wherein the resource identifier identifies a resource encrypted with the resource encryption key and the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource; identifying a service associated with the wrapped key; accessing a master key based on the identified service, the master key being associated with the identified service; decrypting the wrapped key to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form, wherein decrypting the wrapped key includes decrypting the wrapped key using the accessed master key; accessing the user identifier from the unwrapped key; determining that the received authentication credentials correspond to the accessed user identifier; and in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unecrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
-
Specification