Cloud key escrow system

US 8,891,772 B2
Filed: 06/17/2011
Issued: 11/18/2014
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising:

receiving encrypted data from a user at a data storage system, wherein the encrypted data was encrypted using a user'"'"'s private key prior to having been received and the encryption having been securely completed on the user'"'"'s own system;

storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties;

the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data; and

acknowledging to the user that the received encrypted data has been verified and successfully stored.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user'"'"'s encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user'"'"'s private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.

62 Citations

View as Search Results

15 Claims

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising:
- receiving encrypted data from a user at a data storage system, wherein the encrypted data was encrypted using a user'"'"'s private key prior to having been received and the encryption having been securely completed on the user'"'"'s own system;
  
  storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties;
  
  the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data; and
  
  acknowledging to the user that the received encrypted data has been verified and successfully stored.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the received, encrypted data comprises a cryptographic key belonging to the user.
  - 3. The method of claim 2, wherein the user'"'"'s cryptographic key is encrypted on the user'"'"'s private computer system.
  - 4. The method of claim 1, wherein the user modifies the threshold number of requests from verified third parties in the policy that are to be received before the user'"'"'s encrypted data is released.
  - 5. The method of claim 1, wherein the user has a public key that is made public in a secure manner using a secure service that runs on the user'"'"'s private computer system.
  - 6. The method of claim 1, wherein the received encrypted key is stored as a plurality of shares, the shares being mathematical transformations of the user'"'"'s private key, and wherein each share is provided to one of the verified third parties.
  - 7. The method of claim 6, wherein each verified third party publishes their own public keys and encrypts their share of the encrypted key using their published public key.
  - 8. The method of claim 7, wherein the verified third party shares encrypted according to the third parties'"'"' public keys are stored in the data storage system, the encrypted shares preventing the data storage system from accessing the user'"'"'s data.
  - 9. The method of claim 8, wherein the shares are generated in such a way that a threshold gate is used to recreate the original key from those shares.
  - 10. The method of claim 9, wherein the predefined policy indicates that the threshold gate is a specified number or percentage of the total number of shares, such that when that specified number of verified third party share holders has requested release of the encrypted data, the data storage system provides the encrypted data.
  - 11. The method of claim 10, wherein the predefined policy indicates a set of rules comprising Boolean logic indicating which specific verified third parties are to request release of the encrypted data before the data storage system will release the encrypted data.
  - 12. The method of claim 1, wherein the verifiable secret sharing scheme performs the verification without opening or looking at the encrypted data.

13. A computer system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising the following;
  
  receiving encrypted data from a user at a data storage system, wherein the encrypted data was encrypted using a user'"'"'s private key prior to having been received and the encryption having been securely completed on the user'"'"'s own system;
  
  storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties, wherein a received encrypted key is stored as a plurality of shares, the shares being mathematical transformations of the user'"'"'s private key, and wherein each share is provided to one of the verified third parties;
  
  the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data;
  
  acknowledging to the user that the received encrypted data has been verified and successfully stored;
  
  receiving a request from the user requesting the user'"'"'s encrypted data; and
  
  the data storage system providing the user'"'"'s stored encrypted data based at least in part on the user'"'"'s request.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein each verified third party publishes their own public keys and encrypts their share of the encrypted key using their published public key, such that the verified third party shares encrypted according to third parties'"'"' public keys are stored in the data storage system.
  - 15. The system of claim 13, wherein one or more of the trusted third parties are themselves users of the system of claim 13, wherein the trusted third party system users'"'"' own public keys are escrowed to other trusted third parties in the system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
D'Souza, Roy Peter, Pandey, Omkant
Primary Examiner(s)
SCOTT, RANDY A

Application Number

US13/162,950
Publication Number

US 20120321086A1
Time in Patent Office

1,250 Days
Field of Search

None
US Class Current

380/278
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

Cloud key escrow system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud key escrow system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links