Controlling access to data within encrypted copies of files using salt parameters

US 8,751,804 B1
Filed: 06/30/2011
Issued: 06/10/2014
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a file, of controlling access to a file, the method comprising:

creating a file encryption key based on (i) a user input parameter from a user of the client device and (ii) an automatically generated salt parameter;

encrypting the file using the file encryption key to form an encrypted copy of the file; and

providing the salt parameter to an external storage system to externally store the salt parameter, access to data within the encrypted copy of the file requiring the salt parameter provided to the external storage system;

wherein the external storage system includes a remote backup assembly which performs backup operations on behalf of multiple client devices; and

wherein the method further comprises;

while the file resides locally in the client device, sending the encrypted copy of the file to the remote backup assembly to backup the file in the remote backup assembly;

wherein the salt parameter is a random number which is locally generated by the client device;

wherein creating the file encryption key includes deriving the file encryption key based on the user input parameter and the random number;

wherein the user input parameter is a user password obtained from the user of the client device;

wherein the file encryption key is created from the user password and the random number; and

wherein providing the salt parameter to the external storage system includes sending the salt parameter to the external storage system while withholding the user password from the external storage system in a secure mode which imposes responsibility to manage the user password on the user of the client device to decrypt the encrypted copy of the file.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique controls access to a file. The technique involves creating a file encryption key based on (i) a user input parameter (e.g., a user password) from a user of the client device and (ii) an automatically generated salt parameter (e.g., a random number). The technique further involves encrypting the file using the file encryption key to form an encrypted copy of the file, and providing the salt parameter to an external storage system to externally store the salt parameter. Access to data within the encrypted copy of the file requires the salt parameter provided to the external storage system.

Citations

15 Claims

1. A method of controlling access to a file, of controlling access to a file, the method comprising:
- creating a file encryption key based on (i) a user input parameter from a user of the client device and (ii) an automatically generated salt parameter;
  
  encrypting the file using the file encryption key to form an encrypted copy of the file; and
  
  providing the salt parameter to an external storage system to externally store the salt parameter, access to data within the encrypted copy of the file requiring the salt parameter provided to the external storage system;
  
  wherein the external storage system includes a remote backup assembly which performs backup operations on behalf of multiple client devices; and
  
  wherein the method further comprises;
  
  while the file resides locally in the client device, sending the encrypted copy of the file to the remote backup assembly to backup the file in the remote backup assembly;
  
  wherein the salt parameter is a random number which is locally generated by the client device;
  
  wherein creating the file encryption key includes deriving the file encryption key based on the user input parameter and the random number;
  
  wherein the user input parameter is a user password obtained from the user of the client device;
  
  wherein the file encryption key is created from the user password and the random number; and
  
  wherein providing the salt parameter to the external storage system includes sending the salt parameter to the external storage system while withholding the user password from the external storage system in a secure mode which imposes responsibility to manage the user password on the user of the client device to decrypt the encrypted copy of the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as in claim 1, further comprising:
    - sending an erase command to the external storage system, the erase command directing the external storage system to delete the salt parameter to prevent access to the data within the encrypted copy of the file.
  - 3. A method as in claim 1 wherein the external storage system further includes a salt parameter database;
    - wherein entries of the salt parameter database store salt parameters corresponding to files backed up in the remote backup assembly;
      
      wherein the entries of the salt parameter database are indexed by file pathnames corresponding to the files backed up in the remote backup assembly; and
      
      wherein providing the salt parameter to the external storage system to externally store the salt parameter includes sending, to the external storage system, a file pathname describing where the file resides locally in the client device to enable the external storage system to create a new entry in the salt parameter database which uses the file pathname as an index to the new entry.
  - 4. A method as in claim 1, further comprising:
    - creating other file encryption keys based on (i) the user input parameter from the user of the client device and (ii) other automatically generated salt parameters;
      
      encrypting changed portions of the file using the other file encryption keys to form encrypted copies of the changed portions of the file, the changed portions of the file corresponding to a set of later versions of the file; and
      
      providing the other salt parameters to the external storage system to externally store the other salt parameters, access to data within the encrypted copies of the changed portion of the file requiring the other salt parameters provided to the external storage system.
  - 5. A method as in claim 4, further comprising:
    - sending an erase command to the external storage system, the erase command directing the external storage system to delete one of the other salt parameters provided to the external storage system to prevent access to a later version of the file.
  - 6. A method as in claim 1 wherein the file resides locally within a folder in the client device;
    - and wherein the method further comprises;
      
      creating a folder encryption key based on (i) the user input parameter from the user of the client device and (ii) another automatically generated salt parameter;
      
      encrypting the folder using the folder encryption key to form an encrypted copy of the folder; and
      
      providing the other salt parameter to the external storage system to externally store the salt parameter, access to the encrypted copy of the folder requiring the other salt parameter provided to the external storage system.
  - 7. A method as in claim 6, further comprising:
    - sending an erase command to the external storage system, the erase command directing the external storage system to delete the other salt parameter provided to the external storage system to simultaneously prevent access to the folder and the file.
  - 8. A method as in claim 1, further comprising:
    - obtaining the salt parameter and the encrypted copy of the file from the external storage system;
      
      recreating the file encryption key based on the user input parameter and the salt parameter; and
      
      decrypting the encrypted copy of the file from the external storage system using the recreated file encryption key to restore the file on the client device.
  - 9. A method as in claim 1 wherein the client device is a portable computerized device which locally stores another encrypted copy of the file;
    - and wherein the method further comprises;
      
      obtaining the salt parameter from the external storage system; and
      
      decrypting the other encrypted copy of the file locally stored on the portable computerized device to provide the user with access to data of the file.
  - 10. A method as in claim 1,wherein the external storage system is remote from the client device, a connection between the client device and the external storage system being created over a public network connection;
    - andwherein providing the salt parameter to the external storage system includes;
      
      sending the salt parameter to the external storage system over the public network connection.
  - 11. A method as in claim 10,wherein the client device includes a local storage device;
    - andwherein sending the salt parameter to the external storage system over the network connection includes;
      
      transmitting the salt parameter over the network connection without the file encryption key, the file encryption key being retained in the client device; and
      
      storing the file encryption key in the local storage device.

12. A client device, comprising:
- a network interface;
  
  a user interface; and
  
  a controller coupled to the network interface and the user interface, the controller being constructed and arranged to;
  
  create a file encryption key based on (i) a user input parameter received from a user through the user interface and (ii) an automatically generated salt parameter,encrypt the file using the file encryption key to form an encrypted copy of the file, andprovide the salt parameter to an external storage system through the network interface to externally store the salt parameter, access to data within the encrypted copy of the file requiring the salt parameter provided to the external storage system;
  
  wherein the external storage system includes a remote backup assembly which performs backup operations on behalf of multiple client devices; and
  
  wherein the controller is further constructed and arranged to;
  
  while the file resides locally in the client device, send the encrypted copy of the file to the remote backup assembly through the network interface to backup the file in the remote backup assembly;
  
  wherein the salt parameter is a random number which is locally generated by the client device;
  
  wherein creating the file encryption key includes deriving the file encryption key based on the user input parameter and the random number;
  
  wherein the user input parameter is a user password obtained from the user of the client device;
  
  wherein the file encryption key is created from the user password and the random number; and
  
  wherein providing the salt parameter to the external storage system includes sending the salt parameter to the external storage system while withholding the user password from the external storage system in a secure mode which imposes responsibility to manage the user password on the user of the client device to decrypt the encrypted copy of the file.

13. A computer program product having a non-transitory computer readable medium which stores a set of instructions that, when performed by a computerized device, cause the computerized device to:
- create a file encryption key based on (i) a user input parameter from a user of the computerized device and (ii) an automatically generated salt parameter;
  
  encrypt the file using the file encryption key to form an encrypted copy of the file; and
  
  provide the salt parameter to an external storage system to externally store the salt parameter, access to data within the encrypted copy of the file requiring the salt parameter provided to the external storage system;
  
  wherein the external storage system includes a remote backup assembly which performs backup operations on behalf of multiple client devices; and
  
  wherein set of instructions further causes the computerized device to;
  
  while the file resides locally in the client device, send the encrypted copy of the file to the remote backup assembly through the network interface to backup the file in the remote backup assembly;
  
  wherein the salt parameter is a random number which is locally generated by the client device;
  
  wherein creating the file encryption key includes deriving the file encryption key based on the user input parameter and the random number;
  
  wherein the user input parameter is a user password obtained from the user of the client device;
  
  wherein the file encryption key is created from the user password and the random number; and
  
  wherein providing the salt parameter to the external storage system includes sending the salt parameter to the external storage system while withholding the user password from the external storage system in a secure mode which imposes responsibility to manage the user password on the user of the client device to decrypt the encrypted copy of the file.

14. In a storage system, a method of controlling access to a file, the method comprising:
- after an external client device creates a file encryption key based on (i) a user input parameter from a user of the external client device and (ii) an automatically generated salt parameter and after the external client device encrypts the file using the file encryption key to form an encrypted copy of the file, obtaining the salt parameter from the external client device, access to data within the encrypted copy of the file requiring the salt parameter;
  
  storing the salt parameter within the storage system; and
  
  providing a response message to the external client device informing the external client device that the salt parameter is stored within the storage system;
  
  wherein the storage system includes a backup assembly which performs backup operations on behalf of multiple client devices, and wherein the method further comprises;
  
  while the file resides locally in the external client device, receiving the encrypted copy of the file, andstoring the encrypted copy of the file in the backup assembly;
  
  wherein the salt parameter is a random number which is locally generated by the external client device;
  
  wherein, when the external client device creates the file encryption key, the external client device derives the file encryption key based on the user input parameter and the random number;
  
  wherein the user input parameter is a user password obtained from the user of the external client device;
  
  wherein the file encryption key is created from the user password and the random number; and
  
  wherein obtaining the salt parameter from the external client device includes receiving the salt parameter while the external client device withholds the user password in a secure mode which imposes responsibility to manage the user password on the user of the external client device to decrypt the encrypted copy of the file.
- View Dependent Claims (15)
- - 15. A method as in claim 14, further comprising:
    - receiving an erase command;
      
      in response to the erase command deleting the salt parameter from the storage system while the encrypted copy of the file remains stored in the backup assembly; and
      
      providing an acknowledgement message to the external client device informing the external client device that the file has been erased.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
DECHO Corporation (Open Text Corporation)
Inventors
Nystrm, Magnus, Oprea, Alina, Back, Adam
Primary Examiner(s)
McNally, Michael S

Application Number

US13/173,448
Time in Patent Office

1,076 Days
Field of Search

713/189, 713/168
US Class Current

713/168
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

Controlling access to data within encrypted copies of files using salt parameters

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to data within encrypted copies of files using salt parameters

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links