Method for flexible data protection with dynamically authorized data receivers in a content network or in cloud storage and content delivery services

US 8,769,705 B2
Filed: 02/13/2012
Issued: 07/01/2014
Est. Priority Date: 06/10/2011
Status: Active Grant

First Claim

Patent Images

1. A secure content publishing method implemented by a content provider coupled to a cloud service, comprising:

encrypting a content object using a data encryption key to obtain an encrypted content object;

re-encrypting the encrypted content object using a secret key to obtain a dual-encrypted content object;

publishing the dual-encrypted content object to the cloud service to obtain a published content object;

distributing a group decryption key for decrypting the published content object to a plurality of users in a group via a content delivery network (CDN);

distributing an updated group decryption key for the users in the group when a user joins, leaves, or is revoked from the group; and

forwarding an updated re-encryption key to the cloud service for re-encrypting the published content object,wherein the published content object is stored in the cloud service and comprises a first component that depends on a random secret and a secret key, a second component that depends on the random secret and a data encryption key, and a third component that depends on the random secret and the content object, andwherein the first component and the second component is smaller in data size than the third component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A networking system comprising an application service that runs on a cloud infrastructure and is configured to receive dual encrypted content from a content provider and re-encrypt the dual encrypted content to enable dynamic user group control for group-based user authorization, and a cloud storage service coupled to the application service and configured to store the dual encrypted content from the content provider and the re-encrypted dual encrypted content from the application service, wherein the application service and the storage service are configured to communicate and operate with a content delivery service that uses a content delivery network (CDN) to deliver the re-encrypted content to one or more users in a group authorized by the content provider.

30 Citations

View as Search Results

15 Claims

1. A secure content publishing method implemented by a content provider coupled to a cloud service, comprising:
- encrypting a content object using a data encryption key to obtain an encrypted content object;
  
  re-encrypting the encrypted content object using a secret key to obtain a dual-encrypted content object;
  
  publishing the dual-encrypted content object to the cloud service to obtain a published content object;
  
  distributing a group decryption key for decrypting the published content object to a plurality of users in a group via a content delivery network (CDN);
  
  distributing an updated group decryption key for the users in the group when a user joins, leaves, or is revoked from the group; and
  
  forwarding an updated re-encryption key to the cloud service for re-encrypting the published content object,wherein the published content object is stored in the cloud service and comprises a first component that depends on a random secret and a secret key, a second component that depends on the random secret and a data encryption key, and a third component that depends on the random secret and the content object, andwherein the first component and the second component is smaller in data size than the third component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The secure content publishing method of claim 1, further comprising forwarding a re-encryption key from the content provider to the cloud service when a user in the group requests to access the published content object.
  - 3. The secure content publishing method of claim 2, wherein the re-encryption key is generated according to a re-encryption algorithm using the secret key and a group decryption key.
  - 4. The secure content publishing method of claim 3, wherein the cloud service re-encrypts the published content object before allowing the user access according to the re-encryption algorithm using the re-encryption key from the content provider to obtain a deliverable copy of the content object to the user that is different from the published content object stored in the cloud service.
  - 5. The secure content publishing method of claim 3, wherein the deliverable copy of the content object comprises a first component that is generated using the re-encryption key, a second component w that is similar to the second component of the published content object stored in the cloud service, and a third component v that is similar to the third component of the published content object stored in the cloud service.
  - 6. The secure content publishing method of claim 5, wherein the published content object is stored in the cloud service without being subsequently updated, and wherein the deliverable copy of the content object is updated when a user joins, leaves, or is revoked from the group.
  - 7. The secure content publishing method of claim 6, wherein the second component and the third component of the deliverable copy of the content object are cached without the first component in a content oriented network (CON) that delivers a copy of the content object.
  - 8. The secure content publishing method of claim 4, wherein the users in the group use the group decryption key to decrypt the deliverable copy of the content object from the cloud service.

9. A computer program product comprising computer executable instructions stored on a non-transitory medium that when executed by a processor in a Central Processing Unit (CPU) cause the processor to:
- encrypt a content object using a data encryption key to obtain an encrypted content object;
  
  re-encrypt the encrypted content object using a secret key to obtain a dual-encrypted content object;
  
  publish the dual-encrypted content object to the cloud service to obtain a published content object;
  
  distribute a group decryption key for decrypting the published content object to a plurality of users in a group via a content delivery network (CDN);
  
  distribute an updated group decryption key for the users in the group when a user joins, when a user leaves, and when a user is revoked from the group; and
  
  forward an updated re-encryption key to the cloud service for re-encrypting the published content object,wherein the published content object is stored in the cloud service and comprises a first component that depends on a random secret and a secret key, a second component that depends on the random secret and a data encryption key, and a third component that depends on the random secret and the content object, andwherein the first component and the second component is smaller in data size than the third component.
- View Dependent Claims (10, 11, 12)
- - 10. The computer program product of claim 9, wherein the data encryption key is a data encryption key for a symmetric data encryption scheme.
  - 11. The computer program product of claim 10, wherein encrypting the content object comprises using a symmetric encryption process.
  - 12. The computer program product of claim 11, wherein re-encrypting the encrypted content object comprises using a proxy-based re-encryption process.

13. An apparatus for protecting content in a network comprising:
- a memory;
  
  a transmitter;
  
  a processor in a Central Processing Unit (CPU) coupled to the transmitter and the memory, wherein the memory contains instructions that when executed by the processor cause the apparatus to;
  
  encrypt a content object using a data encryption key to obtain an encrypted content object;
  
  re-encrypt the encrypted content object using a secret key to obtain a dual-encrypted content object;
  
  publish the dual-encrypted content object to a cloud service to obtain a published content object;
  
  distribute a group decryption key for decrypting the published content object to a plurality of users in a group via a content delivery network (CDN);
  
  distribute an updated group decryption key for the users in the group when a user joins the group, when a user leaves the group, and when a user is revoked from the group; and
  
  forward an updated re-encryption key to the cloud service for re-encrypting the published content object,wherein the published content object is stored in the cloud service and comprises a first component that depends on a random secret and a secret key, a second component that depends on the random secret and a data encryption key, and a third component that depends on the random secret and the content object, andwherein the first component and the second component is smaller in data size than the third component.
- View Dependent Claims (14, 15)
- - 14. The apparatus of claim 13, wherein the instructions further cause the processor to forward a re-encryption key from the apparatus to the cloud service when a user in the group requests to access the published content object.
  - 15. The apparatus of claim 14, wherein the re-encryption key is generated according to a proxy-based re-encryption algorithm using the secret key and the group decryption key, wherein the cloud service re-encrypts the published content object before allowing the user access according to the re-encryption algorithm using the re-encryption key from the content provider to obtain a deliverable copy of the content object to the user that is different from the published content object stored in the cloud service, wherein the deliverable copy of the content object comprises a first component that is generated using the re-encryption key, a second component w that is similar to the second component of the published content object stored in the cloud service, and a third component v that is similar to the third component of the published content object stored in the cloud service, wherein the published content object is stored in the cloud service without being subsequently updated, and wherein the deliverable copy of the content object is updated when a user joins, leaves, or is revoked from the group, and wherein the second component and the third component of the deliverable copy of the content object are cached without the first component in a content oriented network (CON) that delivers a copy of the content object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Xinwen, Xiong, Huijun, Wang, Guoqiang
Primary Examiner(s)
LEE, JASON T

Application Number

US13/371,944
Publication Number

US 20120317655A1
Time in Patent Office

869 Days
Field of Search

726/28, 713/193
US Class Current

726/28
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2209/601   Broadcast encryption

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0478   applying multiple layers of...

H04L 63/104   Grouping of entities

H04L 67/10   in which an application is ...

H04L 9/0833   involving conference or gro...

Method for flexible data protection with dynamically authorized data receivers in a content network or in cloud storage and content delivery services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for flexible data protection with dynamically authorized data receivers in a content network or in cloud storage and content delivery services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links