System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data

US 8,826,021 B2
Filed: 09/26/2013
Issued: 09/02/2014
Est. Priority Date: 12/02/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing private storage of data on a server within a network, to a storing user operating a client computer connected to the network, wherein the storage is persistent, encrypted, and anonymous, and wherein access to the data may be granted by the storing user to an accessing user, the method comprising:

(a) providing to the storing user a client application, the client application being configured to;

identify the data to be stored and the accessing user, who is to have access thereto;

generate a first encryption key and a first decryption key;

encrypt the data within said client using the first encryption key;

generate a data object identifier;

generate a challenge public-private key pair for the data;

read an identifier for the accessing user;

generate a coded user identifier from the user identifier by hashing;

send the coded user identifier to the server together with a request for the accessing user'"'"'s message queue public key;

receive the message queue public key from the server;

create a message object comprising the data object identifier, the first decryption key, and the private challenge key;

encrypt the message object with the message queue public key;

send the encrypted message object to the message queue on the server associated with the coded user identifier;

create a data object comprising the data object identifier, the encrypted data, and the public challenge key;

send the data object to the server;

(b) receiving the coded user identifier and request for the accessing user'"'"'s message queue public key from the client application, and responsive thereto identifying the message queue public key associated with the coded user identifier and returning the message queue public key to the client application; and

(c) receiving the encrypted data, data object identifier, and public challenge key from the client application, and responsive thereto storing the encrypted data in a database under the control of the server, using the data object identifier as a locator and maintaining an association with the public challenge key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides secure and private communication over a network, as well as persistent private storage and private access control to the stored information, which is accomplished by imposing mechanisms that separate a user'"'"'s actions from their identity. The system provides (i) anonymous network browsing, in which event the anonymity system is unaware of both the user'"'"'s identity and browsing activities, (ii) private network storage and retrieval of data such as passwords, profiles and files in a manner such that the data can be stored into the system and later retrieved without the system knowing the contents or owners of the data, and (iii) the ability of the user to control and manage access to the remotely stored data without the system knowing the contents, owners, or accessors of the data.

Citations

5 Claims

1. A method for providing private storage of data on a server within a network, to a storing user operating a client computer connected to the network, wherein the storage is persistent, encrypted, and anonymous, and wherein access to the data may be granted by the storing user to an accessing user, the method comprising:
- (a) providing to the storing user a client application, the client application being configured to;
  
  identify the data to be stored and the accessing user, who is to have access thereto;
  
  generate a first encryption key and a first decryption key;
  
  encrypt the data within said client using the first encryption key;
  
  generate a data object identifier;
  
  generate a challenge public-private key pair for the data;
  
  read an identifier for the accessing user;
  
  generate a coded user identifier from the user identifier by hashing;
  
  send the coded user identifier to the server together with a request for the accessing user'"'"'s message queue public key;
  
  receive the message queue public key from the server;
  
  create a message object comprising the data object identifier, the first decryption key, and the private challenge key;
  
  encrypt the message object with the message queue public key;
  
  send the encrypted message object to the message queue on the server associated with the coded user identifier;
  
  create a data object comprising the data object identifier, the encrypted data, and the public challenge key;
  
  send the data object to the server;
  
  (b) receiving the coded user identifier and request for the accessing user'"'"'s message queue public key from the client application, and responsive thereto identifying the message queue public key associated with the coded user identifier and returning the message queue public key to the client application; and
  
  (c) receiving the encrypted data, data object identifier, and public challenge key from the client application, and responsive thereto storing the encrypted data in a database under the control of the server, using the data object identifier as a locator and maintaining an association with the public challenge key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - (a) providing to the accessing user an accessing client application, said accessing client application being configured to perform as follows;
      
      receive an authentication token from the accessing user;
      
      generate a user object identifier based on the authentication token in the same manner previously used to generate the user object identifier associated with the accessing user on the server;
      
      send the user object identifier and a request for a user object to the server, the user object comprising a reference to the accessing user'"'"'s message queue on the server, and a message queue decryption key, the message queue comprising a message object previously inserted in the message queue;
      
      receive the user object from the server;
      
      request the message queue from the server;
      
      responsive to receiving the user object from the server, read the message queue decryption key from the user object;
      
      decrypt the message object from the message queue with the message queue decryption key;
      
      read the message object and obtain therefrom the data object identifier for encrypted data that had been stored under control of the server;
      
      generate a challenge request;
      
      forward the challenge request and the data object identifier to the server;
      
      read the private challenge key from the message object;
      
      responsive to receiving the encrypted challenge from the server, decrypt the encrypted challenge using the private challenge decryption key;
      
      return the unencrypted challenge together with the data object identifier to the server;
      
      read the first decryption key from the message object;
      
      receive the data associated with the data element; and
      
      responsive to receiving the data associated with the data element, decrypting encrypted data associated with the data element;
      
      (b) receiving the user object identifier and the request for the user object from the accessing client application, and responsive thereto, if the user object identifier matches a user object identifier previously stored by the server, sending the requested user object to the accessing client application;
      
      (c) receiving the request for the message queue from the accessing client application, and responsive thereto, retrieving the message queue from a database under control of the server, and returning the message queue to the accessing client application;
      
      (d) receiving the challenge request and the data object identifier from the accessing client application, and responsive thereto encrypting the challenge with the public challenge key associated with the data object identifier, and returning the encrypted challenge to the client application;
      
      (e) receiving the challenge from the accessing client application, and responsive thereto matching the challenge received with the challenge sent, and if a match is found, retrieving an encrypted data element associated with the data object identifier and sending the encrypted data element to the accessing client application.
  - 3. The method of claim 2, wherein the encrypted data element comprises the encrypted data previously stored on the server.
  - 4. The method of claim 2, wherein the encrypted data element comprises a handle conferring temporary approval to access one or more objects, whereby the encrypted data previously stored on the server may be separately accessed in increments and decrypted.
  - 5. The method of claim 2, wherein the accessing user is any member of a group of users defined in the server, the group having a message queue and a challenge key, and wherein the users who were members of the group had in their user objects maintained within the server a reference to the group and the group'"'"'s challenge key, so as to enable the user to access any data for which access has been authorized to the group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ponoi Corporation
Original Assignee
Ponoi Corporation
Inventors
Savage, Colin, Petro, Christopher, Goldsmith, Sascha
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US14/038,513
Publication Number

US 20140032901A1
Time in Patent Office

341 Days
Field of Search

713/168, 713/193, 707/781
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 21/62   Protecting access to data v...

G06F 21/6227   where protection concerns t...

G06F 21/78   to assure secure storage of...

G06Q 20/383   Anonymous user system

H04L 63/0407   wherein the identity of one...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links