Extending encrypting web service
First Claim
1. A computer-implemented method for protecting information exchanged between entities, comprising:
as implemented by one or more computing devices configured with specific executable instructions, receiving, by a trusted service via a secure transmission from a first entity over a communication link:
information that is to be protected; and
authorization information that can be used to determine who is authorized to access the information;
encrypting, by the trusted service, both the information that is to be protected and the authorization information, within an encrypted data envelope;
securely transmitting, by the trusted service, the encrypted data envelope to the first entity over a communication link, so that the first entity can subsequently convey the encrypted data envelope to one or more other entities authorized to access the information being protected;
receiving, by the trusted service, the encrypted data envelope securely transmitted by a second entity over a communication link;
decrypting, by the trusted service, the encrypted data envelope in order to access the authorization information;
using the authorization information, by the trusted service, for determining if the second entity is authorized to access the information in the encrypted data envelope;
if the second entity is authorized to access the information in the encrypted data envelope, then:
decrypting, by the trusted service, the encrypted data envelope to access the information; and
securely transmitting, by the trusted service, the information to the second entity over a communication link; and
if the second entity is not authorized to access the information in the encrypted data envelope, then returning, by the trusted service, an access denied status to the second entity.
Abstract
A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted encrypting web service (EWS), along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval.
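The envelope flow the abstract describes, written out as an added worked example in Go. This is illustrative code, not the patent's own implementation or any product's: the abstract does not name algorithms, so AES-GCM for the encrypted blocks and Ed25519 for the digital signature are assumptions, as are the type and function names (EWS, Encrypt, Decrypt, Envelope). The authorization list is sealed inside the same encrypted payload as the data, so one decryption yields both and the data is released only after the list has been checked; the abstract's "authenticates the second user" step is assumed to happen at the transport layer (for example a TLS client certificate), so Decrypt takes the already-authenticated identity as a parameter. The sample data and identities are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Statuses returned to the second entity. Neither reveals anything about the
// protected data or the authorization list.
var (
	ErrTampered     = errors.New("envelope failed integrity check")
	ErrAccessDenied = errors.New("access denied")
)

// Envelope is the opaque object handed back to the first entity. It can be
// forwarded to anyone; only the service holding the keys can open it.
type Envelope struct {
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"` // AES-GCM over payload (data + authorization list)
	Signature  []byte `json:"signature"`  // Ed25519 over nonce||ciphertext (tamper evidence)
}

// payload is the plaintext the service seals: the data and the identities
// allowed to retrieve it, bound together so neither can be swapped alone.
type payload struct {
	Authorized []string `json:"authorized"`
	Data       []byte   `json:"data"`
}

// EWS (hypothetical name) holds the service-side secrets. Clients never see them.
type EWS struct {
	aead    cipher.AEAD
	signKey ed25519.PrivateKey
	pubKey  ed25519.PublicKey
}

func NewEWS() (*EWS, error) {
	key := make([]byte, 32) // AES-256 data key, generated fresh for this service instance
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &EWS{aead: aead, signKey: priv, pubKey: pub}, nil
}

// Encrypt serves the first entity's request: seal data plus authorization
// list under a fresh nonce, sign the result, return the serialized envelope.
func (s *EWS) Encrypt(data []byte, authorized []string) ([]byte, error) {
	pt, err := json.Marshal(payload{Authorized: authorized, Data: data})
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := s.aead.Seal(nil, nonce, pt, nil)
	sig := ed25519.Sign(s.signKey, append(append([]byte{}, nonce...), ct...))
	return json.Marshal(Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig})
}

// Decrypt serves the second entity's request. requester is the identity the
// transport has already authenticated (assumed; never a self-asserted name).
// Order of checks: tamper evidence, then decryption, then authorization.
func (s *EWS) Decrypt(requester string, envBytes []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(envBytes, &env); err != nil || len(env.Nonce) != s.aead.NonceSize() {
		return nil, ErrTampered
	}
	signed := append(append([]byte{}, env.Nonce...), env.Ciphertext...)
	if !ed25519.Verify(s.pubKey, signed, env.Signature) {
		return nil, ErrTampered // not issued by this service, or modified in transit
	}
	pt, err := s.aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, ErrTampered
	}
	var p payload
	if err := json.Unmarshal(pt, &p); err != nil {
		return nil, ErrTampered
	}
	for _, id := range p.Authorized { // exact match against the sealed list
		if id == requester {
			return p.Data, nil
		}
	}
	return nil, ErrAccessDenied
}

func main() {
	svc, err := NewEWS()
	if err != nil {
		panic(err)
	}
	// Constructed sample: alice protects a document for bob; mallory is not listed.
	env, _ := svc.Encrypt([]byte("Q3 forecast"), []string{"alice@example.com", "bob@example.com"})
	for _, who := range []string{"bob@example.com", "mallory@example.com"} {
		data, err := svc.Decrypt(who, env)
		fmt.Printf("%s -> %q %v\n", who, data, err)
	}
}
```

GCM already authenticates the ciphertext, so the Ed25519 signature is redundant for integrity as seen by the service itself; it is kept because the abstract lists a separate digital signature, and it lets a party holding only the public key confirm an envelope was issued by the service without being able to open it.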
25 Claims
1. A computer-implemented method for protecting information exchanged between entities (independent claim; full text given above under First Claim). Dependent claims: 2-12.
13. A system for protecting information exchanged between entities, comprising:
a first computing device associated with a first entity, the first computing device comprising a network interface for communicating over a network, a memory in which machine executable instructions are stored, and a processor connected to the network interface and the memory, the processor executing the machine executable instructions stored in the memory to carry out a plurality of functions, including:
enabling the first entity that is using the first computing device to securely transmit an encrypt request to a trusted service over the network, the encrypt request comprising information that is to be protected, as well as authorization information that can be used to determine who is authorized to access the information; and
receiving an encrypted data envelope from the trusted service via a secure transmission over the network, the encrypted data envelope including the information that is to be protected and the authorization information; and
a second computing device associated with the trusted service, the second computing device comprising a second network interface for communicating over the network, a second memory in which machine executable instructions are stored, and a second processor connected to the second network interface and the second memory, the second processor executing the machine executable instructions stored in the second memory to carry out a plurality of functions, including:
receiving the encrypt request from the first entity;
encrypting the information that is to be protected and the authorization information, to produce the encrypted data envelope;
securely transmitting the encrypted data envelope to the first entity over the network, so that the first entity can subsequently convey the encrypted data envelope to one or more other entities authorized to access the information being protected; and
in response to a decrypt request securely transmitted over the network from a second entity, the decrypt request including the encrypted data envelope:
decrypting the encrypted data envelope in order to access the authorization information;
using the authorization information to determine if the second entity is authorized to access the information in the encrypted data envelope;
if the second entity is authorized to access the information in the encrypted data envelope, then:
decrypting the encrypted data envelope to access the information; and
securely transmitting the information to the second entity over the network; and
if the second entity is not authorized to access the information in the encrypted data envelope, then returning an access denied status to the second entity.
Dependent claims: 14-25.
Specification