Data storage incorporating cryptographically enhanced data protection
Abstract
Various exemplary embodiments relate to a system for storing encrypted data and providing access to a group of users. The system may include: a record of user accounts including a user identifier and a public encryption key; an access control list (ACL) defining an access control policy, including permissions defining access to data objects associated with the ACL and an ACL key list including copies of an ACL key encrypted with the public keys of the users; a user-data storage medium including encrypted user data, stored as a plurality of data objects, each object associated with an ACL and encrypted with the ACL key, and meta-data; and an access controller configured to receive a request for a data object, and send a copy of the data object and the ACL key encrypted with the public key of the user if the user has permission to access the data object.
12 Claims
1. A system for storing a plurality of encrypted data objects and providing access to a group of users comprising:
  a record of user accounts, wherein at least one record for a user account includes:
    a user identifier, and
    a public encryption key corresponding to a private encryption key, the private encryption key known to the user and unknown to the server;
  at least one access control list (ACL) defining an access control policy for a group of users, wherein the ACL includes:
    permissions for the group of users, wherein each user of the group has access to a plurality of data objects associated with the ACL as defined by the permissions, and
    an ACL key list including, for each authorized user of the group, a copy of a symmetric ACL key corresponding to the ACL (ACL key) encrypted with the public encryption key of the user;
  a user-data non-transitory machine readable storage medium including:
    encrypted user data, stored as a plurality of data objects associated with the ACL, each object encrypted with the ACL key, and
    cleartext meta-data that describes each data object including an identifier of the ACL associated with the data object; and
  an access controller configured to:
    receive, from a user, an access request requesting access to a requested data object, and send, to the user, a copy of the requested encrypted data object if the ACL associated with the data object indicates that the user has permission to access the data object; and
    send, to a user, the copy of the ACL key encrypted with the public key of the user,
  wherein an authentication controller is configured to:
    receive data objects sent to the system by a user that have been digitally signed with the private encryption key of the user; and
    authenticate the data object by applying the user public key,
  wherein the authentication controller is further configured to:
    generate an accounting record including at least the identifier of the user and a time of receipt; and
    store the accounting record as meta-data associated with the data object.
Dependent claims: 2, 3, 4, 5.
6. A method performed by a computer server for securely storing a plurality of encrypted data objects:
  receiving, from a client device associated with a first user, a request for an Access Control List (ACL) stored on the server, the ACL including:
    permissions for a group of users, wherein each authorized user of the group has access to a plurality of data objects associated with the ACL as defined by the permissions, and
    an ACL key list including, for each authorized user of the group, a copy of a symmetric ACL key corresponding to the ACL (ACL key) encrypted with a public encryption key of the authorized user;
  transmitting ACL information including the encrypted ACL key for the first user to the client device;
  receiving, from the client device, a write request including a data object encrypted with the decrypted ACL key and meta-data including at least an identifier of the ACL and an identifier of the data object;
  verifying the permission of the first user to write according to the ACL by comparing an identifier of the first user with permissions of the first user in the ACL stored on the server; and
  adding the data object and meta-data to the plurality of data objects associated with the ACL on the server only if the first user has permission to write according to the ACL,
  wherein the step of verifying comprises:
    verifying the identity of the first user by decrypting a digital signature on the data object using the public key of the first user stored on the server;
    generating an accounting record of the write request; and
    storing the accounting record as meta-data describing the data object.
Dependent claims: 7, 8, 9, 10, 11, 12.
Specification