Systems and methods for secure hybrid third-party data storage

US 9,076,004 B1
Filed: 05/07/2014
Issued: 07/07/2015
Est. Priority Date: 05/07/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure hybrid third-party data storage, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file, wherein the trusted proxy system is owned by an owner of the encrypted file and the third-party storage system is not owned by the owner of the encrypted file;

retrieving, in response to the request, from the third-party storage system and for the trusted proxy system;

the encrypted file;

a decryption key that has been encrypted with a client-side key, wherein an asymmetric key pair designated for the user account comprises an encryption key and the encrypted decryption key;

receiving, at the trusted proxy system, the client-side key, without exposing the client-side key to the third-party storage system;

decrypting the encrypted decryption key with the client-side key at the trusted proxy system rather than at the third-party storage system responsive to the trusted proxy system being owned by the owner of the encrypted file and the third-party storage system not being owned by the owner of the encrypted file;

using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for secure hybrid third-party data storage may include (1) identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, where the requested access requires decryption of the encrypted file, (2) retrieving, from the third-party storage system, (i) the encrypted file and (ii) a decryption key that has been encrypted with a client-side key, where an asymmetric key pair designated for the user account includes an encryption key and the encrypted decryption key, (3) receiving, at the trusted proxy system, the client-side key, (4) decrypting, at the trusted proxy system, the decryption key with the client-side key, and (5) using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system. Various other methods, systems, and computer-readable media are also disclosed.

47 Citations

View as Search Results

20 Claims

1. A computer-implemented method for secure hybrid third-party data storage, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file, wherein the trusted proxy system is owned by an owner of the encrypted file and the third-party storage system is not owned by the owner of the encrypted file;
  
  retrieving, in response to the request, from the third-party storage system and for the trusted proxy system;
  
  the encrypted file;
  
  a decryption key that has been encrypted with a client-side key, wherein an asymmetric key pair designated for the user account comprises an encryption key and the encrypted decryption key;
  
  receiving, at the trusted proxy system, the client-side key, without exposing the client-side key to the third-party storage system;
  
  decrypting the encrypted decryption key with the client-side key at the trusted proxy system rather than at the third-party storage system responsive to the trusted proxy system being owned by the owner of the encrypted file and the third-party storage system not being owned by the owner of the encrypted file;
  
  using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, wherein the trusted proxy system is administrated by an owner of the encrypted file and the third-party storage system is not administrated by the owner of the encrypted file.
  - 3. The computer-implemented method of claim 1, wherein accessing the encrypted file comprises transmitting the unencrypted version of the encrypted file to the client system.
  - 4. The computer-implemented method of claim 1, wherein using the decryption key to access the unencrypted version of the encrypted file comprises:
    - generating, at the trusted proxy system, metadata describing the unencrypted version of the encrypted file;
      
      providing the metadata to at least one of the client system and the third-party storage system.
  - 5. The computer-implemented method of claim 4, wherein generating the metadata describing the unencrypted version of the encrypted file comprises at least one of:
    - performing a scan on the unencrypted version of the encrypted file at the trusted proxy system;
      
      creating, at the trusted proxy system, an index entry of the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file;
      
      generating, at the trusted proxy system, a preview of the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file.
  - 6. The computer-implemented method of claim 1, wherein accessing the encrypted file comprises:
    - identifying, at the trusted proxy system, a policy for scanning the unencrypted version of the encrypted file;
      
      scanning, at the trusted proxy system, the unencrypted version of the encrypted file based on the policy.
  - 7. The computer-implemented method of claim 1, wherein using the decryption key to access the encrypted file comprises:
    - retrieving, from the third-party storage system and for the trusted proxy system, a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting, at the trusted proxy system, the file key with the decryption key;
      
      decrypting, at the trusted proxy system, the encrypted file with the file key.
  - 8. The computer-implemented method of claim 1, wherein:
    - accessing the encrypted file comprises providing access to the unencrypted version of the encrypted file to an additional user account;
      
      an additional asymmetric key pair is designated for the additional user account, the asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with an additional client-side key.
  - 9. The computer-implemented method of claim 8, wherein providing access to the unencrypted version of the encrypted file to the additional user account comprises:
    - retrieving, from the third-party storage system and for the trusted proxy system, the additional encryption key and a file key used to encrypt the encrypted file, wherein the file key is encrypted with the encryption key;
      
      decrypting, at the trusted proxy system, the file key with the decryption key;
      
      encrypting, at the trusted proxy system, a copy of the file key with the additional encryption key;
      
      transmitting the encrypted copy of the file key from the trusted proxy system to the third-party storage system.
  - 10. The computer-implemented method of claim 1, further comprising:
    - receiving, at the trusted proxy system, the unencrypted version of the encrypted file from the client system;
      
      generating the encrypted file at the trusted proxy system by;
      
      generating a file key based on at least one characteristic of the unencrypted version of the encrypted file;
      
      encrypting the unencrypted version of the encrypted file with the file key;
      
      encrypting the file key with the encryption key;
      
      transmitting the encrypted file and the encrypted file key to the third-party storage system.
  - 11. The computer-implemented method of claim 10, further comprising deduplicating the encrypted file with an additional encrypted file that is encrypted with the file key.
  - 12. The computer-implemented method of claim 1, wherein the third-party storage system lacks access to:
    - the unencrypted version of the encrypted file;
      
      an unencrypted version of the decryption key;
      
      the client-side key.
  - 13. The computer-implemented method of claim 1, wherein using the decryption key to access the unencrypted version of the encrypted file comprises:
    - retrieving, from the third-party storage system and for the trusted proxy system, an additional asymmetric key pair designated for a plurality of user accounts comprising the user account, the additional asymmetric key pair comprising an additional encryption key and an additional decryption key that has been encrypted with the encryption key;
      
      decrypting, at the trusted proxy system, the encrypted additional decryption key with the decryption key;
      
      retrieving, from the third-party storage system and for the trusted proxy system, a file key used to encrypt the encrypted file, wherein the file key is encrypted with the additional encryption key;
      
      decrypting, at the trusted proxy system, the file key with the additional decryption key;
      
      decrypting, at the trusted proxy system, the encrypted file with the file key.

14. A system for secure hybrid third-party data storage, the system comprising:
- an identification module, stored in memory, that identifies, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file, wherein the trusted proxy system is owned by an owner of the encrypted file and the third-party storage system is not owned by the owner of the encrypted file;
  
  a retrieving module, stored in memory, that retrieves, in response to the request, from the third-party storage system and for the trusted proxy system;
  
  the encrypted file;
  
  a decryption key that has been encrypted with a client-side key, wherein an asymmetric key pair designated for the user account by an encryption key and the encrypted decryption key;
  
  a receiving module, stored in memory, that receives, at the trusted proxy system, the client-side key, without exposing the client-side key to the third-party storage system;
  
  a decryption module, stored in memory, that decrypts the encrypted decryption key with the client-side key at the trusted proxy system rather than at the third-party storage system responsive to the trusted proxy system being owned by the owner of the encrypted file and the third-party storage system not being owned by the owner of the encrypted file;
  
  a using module, stored in memory, that uses the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system;
  
  at least one physical processor configured to execute the identification module, the retrieving module, the receiving module, the decryption module, and the using module.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the trusted proxy system is administrated by an owner of the encrypted file and the third-party storage system is not administrated by the owner of the encrypted file.
  - 16. The system of claim 14, wherein the using module accesses the encrypted file by transmitting the unencrypted version of the encrypted file to the client system.
  - 17. The system of claim 14, wherein the using module uses the decryption key to access the unencrypted version of the encrypted file by:
    - generating, at the trusted proxy system, metadata describing the unencrypted version of the encrypted file;
      
      providing the metadata to at least one of the client system and the third-party storage system.
  - 18. The system of claim 17, wherein the using module generates the metadata describing the unencrypted version of the encrypted file by at least one of:
    - performing a scan on the unencrypted version of the encrypted file at the trusted proxy system;
      
      creating, at the trusted proxy system, an index entry of the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file;
      
      generating, at the trusted proxy system, a preview of the unencrypted version of the encrypted file based on content within the unencrypted version of the encrypted file.
  - 19. The system of claim 14, wherein the using module accesses the encrypted file by:
    - identifying, at the trusted proxy system, a policy for scanning the unencrypted version of the encrypted file;
      
      scanning, at the trusted proxy system, the unencrypted version of the encrypted file based on the policy.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file, wherein the trusted proxy system is owned by an owner of the encrypted file and the third-party storage system is not owned by the owner of the encrypted file;
  
  retrieve, in response to the request, from the third-party storage system and for the trusted proxy system;
  
  the encrypted file;
  
  a decryption key that has been encrypted with a client-side key, wherein an asymmetric key pair designated for the user account comprises an encryption key and the encrypted decryption key;
  
  receive, at the trusted proxy system, the client-side key, without exposing the client-side key to the third-party storage system;
  
  decrypt the encrypted decryption key with the client-side key at the trusted proxy system rather than at the third-party storage system responsive to the trusted proxy system being owned by the owner of the encrypted file and the third-party storage system not being owned by the owner of the encrypted file;
  
  use the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bogorad, Walter
Primary Examiner(s)
Chao, Michael
Assistant Examiner(s)
Pan, Peiliang

Application Number

US14/271,967
Time in Patent Office

426 Days
Field of Search

726/2, 726/12, 380/259, 380/277, 380/282
US Class Current

1/1
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/602   Providing cryptographic fac...

G06F 2212/1052   Security improvement

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 9/14   using a plurality of keys o...

Systems and methods for secure hybrid third-party data storage

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure hybrid third-party data storage

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links