Recipient blind cryptographic access control for publicly hosted message and data streams
First Claim
1. A multi-mode communication device, comprising:
a communication interface arranged to send and receive information; and
a processor coupled with the communication interface, the processor arranged to control a secure messaging service at the communication device by creating a first secure message, the first secure message comprising:
a first secure data portion encrypted with a first symmetric encryption key, and first authorized recipient device specific information comprising a first group label bound to a first access control list, wherein the first group label is a hash of a public key of the first authorized recipient device and is signed with a private key associated with the communication device, and the access control list includes the first symmetric encryption key encrypted with the public key of the first authorized recipient device;
wherein the processor is further configured to control the communication interface to post at least the first secure data portion to an external data storage device;
wherein a recipient device receives at least the first secure data portion of the first secure message and performs all decryption processing required to read the secure message, the decryption processing being performed only if the recipient device is authorized to read the secure message in accordance with the first authorized recipient device specific information, and the recipient device determines authorization by a query of the authorized recipient device specific information; and
wherein the external data storage device stores at least the secure data portion in a platform agnostic manner and without performing any encryption and decryption processing of the secure data portion.
Abstract
A private message system, method, and apparatus are described. A private message that includes encrypted data and identifying information indicating the recipient client device authorized to read the private message is stored at a server computer. Since the client devices perform all encryption and decryption processing, the server computer stores the private message in a platform agnostic manner and without performing any encryption- or decryption-related processing. Although any number of recipient devices can receive the private message, only a recipient client device authorized in accordance with the identifying information can read it.
18 Claims
1. A multi-mode communication device, comprising: (the full text of claim 1 is set out above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 18.
8. A method performed by a multi-mode communication device having a processor and a communication interface, the method comprising:
creating a secure message comprising a secure data portion encrypted by a first symmetric encryption key and device specific authorization information used by a recipient device to determine if the recipient device is authorized to read the secure message, the device specific authorization information including a first group label comprising a hash of a public key of the recipient device and signed with a private key associated with the communication device; and posting at least a portion of the secure message to an external data storage device using the communication interface, wherein the recipient device receives the secure message and performs substantially all decryption processing required to read the secure message if authorized in accordance with the device specific authorization information, wherein the recipient device determines authorization by querying the device specific authorization information for identification information associated with the recipient device, thereby permitting the external data storage device to store the secure message in a platform agnostic manner, and to store the secure message without performing any encryption and decryption processing of the secure message. Dependent claims: 9, 10, 11, 12.
13. A non-transitory computer readable medium storing instructions executable by a processor, to cause the processor to perform operations comprising:
storing at least a portion of a private message at a server, the private message comprising a data portion encrypted at an authoring client device, and device specific information identifying a recipient client device authorized to read the private message, the device specific information including a group label comprising a hash of a public key of the recipient client device and signed with a private key associated with the authoring client device; and sending at least the encrypted data portion of the private message from the server to a client device, wherein the client device performs all decryption processing required to read the encrypted data portion if the client device is authorized, wherein no decryption processing related to the message is performed if the recipient client device is not authorized, and wherein the recipient client device is authorized by querying the server for the device specific identifying information, wherein the server stores the private message in a platform agnostic manner, and stores the private message without performing substantially any encryption or decryption related processing on the private message. Dependent claims: 14, 15, 16, 17.
Specification