Transparent client-side cryptography for network applications

US 9,094,379 B1
Filed: 12/29/2010
Issued: 07/28/2015
Est. Priority Date: 12/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method of securely storing user data over a network, the method comprising:

by one or more computer systems comprising computer hardware;

intercepting user data associated with a user from a local network application, the user data sent by the local network application to a remote network application implemented in a remote content site configured to provide access to the remote network application, the remote network application capable of storing and sharing data received from the user with other users of the remote network application;

responsive to intercepting the user data, accessing a remote network application to determine one or more data fields from a set of data fields accessible at the remote network application that are capable of accepting encrypted data, wherein at least some fields from the set of data fields are not eligible to store encrypted data, and wherein said accessing the remote network application to determine the one or more data fields further comprises overriding an indication that at least one data field is not eligible to store encrypted data and including the at least one data field in the one or more data fields that are capable of accepting encrypted data;

determining whether the user data is associated with the one or more data fields; and

in response to determining that the user data is associated with the one or more data fields;

encrypting the user data with a data encryption key to obtain encrypted user data;

encrypting the data encryption key with one or more keys of authorized recipients to produce one or more receiver keys, the authorized recipients comprising users with accounts at the remote network application who are associated with the user at the remote network application; and

providing a message comprising the encrypted user data and the one or more receiver keys to the local network application, such that the local network application is configured to direct the message to the remote network application for storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user'"'"'s private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.

Citations

30 Claims

1. A method of securely storing user data over a network, the method comprising:
- by one or more computer systems comprising computer hardware;
  
  intercepting user data associated with a user from a local network application, the user data sent by the local network application to a remote network application implemented in a remote content site configured to provide access to the remote network application, the remote network application capable of storing and sharing data received from the user with other users of the remote network application;
  
  responsive to intercepting the user data, accessing a remote network application to determine one or more data fields from a set of data fields accessible at the remote network application that are capable of accepting encrypted data, wherein at least some fields from the set of data fields are not eligible to store encrypted data, and wherein said accessing the remote network application to determine the one or more data fields further comprises overriding an indication that at least one data field is not eligible to store encrypted data and including the at least one data field in the one or more data fields that are capable of accepting encrypted data;
  
  determining whether the user data is associated with the one or more data fields; and
  
  in response to determining that the user data is associated with the one or more data fields;
  
  encrypting the user data with a data encryption key to obtain encrypted user data;
  
  encrypting the data encryption key with one or more keys of authorized recipients to produce one or more receiver keys, the authorized recipients comprising users with accounts at the remote network application who are associated with the user at the remote network application; and
  
  providing a message comprising the encrypted user data and the one or more receiver keys to the local network application, such that the local network application is configured to direct the message to the remote network application for storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said intercepting the user data comprises accessing the user data from a content page obtained by the local network application.
  - 3. The method of claim 2, wherein the local network application is a web browser.
  - 4. The method of claim 1, wherein the message is configured to conform with a storage format of the remote network application so as to be storable at the remote content site in place of the user data.
  - 5. The method of claim 4, wherein the storage format of the remote network application is specified in a form field of a content page received by the local network application.
  - 6. The method of claim 4, wherein the storage format specifies a maximum length of data that can be stored by the remote network application.
  - 7. The method of claim 4, wherein the storage format specifies an encoding type for data that can be stored by the remote network application.
  - 8. The method of claim 1, further comprising sending test data to the remote network application prior to providing the message to the local network application, said sending configured to confirm whether the test data conforms to the storage format of the remote network application.
  - 9. The method of claim 1, wherein the message is configured to be decryptable by a client device operated by one of the authorized recipients.
  - 10. The method of claim 1, wherein said encrypting the user data is configured to enable the content site to eliminate a username and password requirement to access the user data.
  - 11. The method of claim 10, wherein the local network application is implemented in a mobile device.
  - 12. The method of claim 1, wherein said accessing the remote network application to determine the one or more data fields further comprises accessing metadata associated with each of the one or more data fields to determine whether the data field is capable of accepting encrypted data.
  - 13. The method of claim 1, wherein said accessing the remote network application to determine the one or more data fields further comprises presenting a user with an option to override an indication that at least one data field is not eligible to store encrypted data.

14. A system for securely storing user data over a network, the system comprising:
- one or more computer systems comprising computer hardware, the one or more computer systems programmed to implement;
  
  a security system configured to;
  
  intercept user data associated with a user from a local network application executing on a client device, the user data sent by the local network application to a remote network application implemented in a remote server configured to provide access to the remote network application, the remote network application capable of storing and sharing data received from the user with other users of the remote network application;
  
  access a remote network application to determine one or more data fields from a set of data fields accessible at the remote network application that are capable of storing encrypted data, wherein at least some fields from the set of data fields are not eligible to store encrypted data;
  
  override an indication that at least one data field is not eligible to store encrypted data and include the at least one data field in the one or more data fields that are capable of accepting encrypted data,determine whether the user data is associated with the one or more data fields; and
  
  in response to determining that the user data is associated with the one or more data fields, direct the user data to a cryptography manager stored in a memory of the one or more computer systems; and
  
  the cryptography manager configured to;
  
  encrypt the user data with a data encryption key to obtain encrypted user data;
  
  encrypt the data encryption key with one or more keys of authorized recipients to produce one or more receiver keys, the authorized recipients comprising users with accounts at the remote network application who are associated with the user at the remote network application; and
  
  provide a message comprising the encrypted user data and the one or more receiver keys to the security system, the security system thereby configured to enable the local network application to transmit the message to the remote network application thereby enabling the remote network application to store the encrypted user data instead of the user data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, wherein the security system comprises a plug-in that interfaces with the local network application.
  - 16. The system of claim 14, wherein the data encryption key is a symmetric key.
  - 17. The system of claim 14, wherein the one or more keys of the authorized recipients comprise one or more public keys.
  - 18. The system of claim 17, wherein each of the one or more receiver keys are configured to be decryptable by a private key of one of the authorized recipients.
  - 19. The system of claim 18, wherein the cryptography manager is configured to create recovery information associated with the private key using a secret-sharing algorithm, and wherein the cryptography manager can create a copy of the private key using a subset of the recovery information.
  - 20. The system of claim 14, wherein the cryptography manager is further configured to:
    - divide the user data into a first data subset and a second data subset, wherein the first data subset is associated with a first authorization level and the second data subset is associated with a second authorization level;
      
      encrypt the first data subset with a first data encryption key and encrypt the second data subset with a second data encryption key; and
      
      encrypt the first data encryption key with one or more keys of a first set of authorized recipients associated with the first authorization level and the second data encryption key with one or more keys of a second set of authorized recipients associated with the second authorization level to produce the one or more receiver keys.
  - 21. The system of claim 14, wherein the message is configured to conform with a storage format of the remote network application so as to be storable in place of the user data.

22. A non-transitory computer-readable storage medium comprising computer-executable instructions configured to implement a method of securely storing user data over a network, the method comprising:
- intercepting user data associated with a user from a local network application executing on a client device, the user data sent by the local network application to a remote network application of a content site configured to provide access to the remote network application;
  
  responsive to intercepting the user data, accessing the remote network application to determine one or more data fields from a set of data fields accessible at the remote network application that are capable of accepting encrypted data, wherein at least some fields from the set of data fields cannot accept encrypted data, and wherein said accessing the remote network application to determine the one or more data fields further comprises overriding an indication that at least one data field is not eligible to store encrypted data and including the at least one data field in the one or more data fields that are capable of accepting encrypted data;
  
  determining whether the user data is associated with the one or more data fields; and
  
  in response to determining that the user data is associated with the one or more data fields;
  
  encrypting the user data to obtain encrypted user data;
  
  creating an encryption message configured to include the encrypted user data and recipient data reflecting two or more authorized recipients of the encryption message, the two or more authorized recipients comprising users with accounts at the remote network application who are associated with the user at the remote network application; and
  
  providing the encryption message to the local network application, such that the local network application is configured to transmit the message to the remote network application of the content site.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The non-transitory computer-readable storage medium of claim 22, wherein the recipient data comprises a receiver key for each of the authorized recipients.
  - 24. The non-transitory computer-readable storage medium of claim 23, wherein the receiver key comprises an encrypted form of an encryption key used to encrypt the user data.
  - 25. The non-transitory computer-readable storage medium of claim 22, wherein the encryption message comprises a length configured to conform with storage requirements of the content site.
  - 26. The non-transitory computer-readable storage medium of claim 22, wherein the user data is configured to be formatted in a standard data format.
  - 27. The non-transitory computer-readable storage medium of claim 26, wherein the standard data format comprises one or more of the following:
    - HyperText Markup Language (HTML), Extensible Markup Language (XML), and JavaScript Object Notation (JSON).
  - 28. The non-transitory computer-readable storage medium of claim 22, wherein the method further comprises authorizing a third recipient to access the encrypted user data.
  - 29. The non-transitory computer-readable storage medium of claim 28, wherein said authorizing comprises:
    - adding new recipient data for the third recipient to the encryption message to produce a second encryption message; and
      
      transmitting the second encryption message to the remote network application so as to replace the encryption message with the second encryption message.
  - 30. The non-transitory computer-readable storage medium of claim 28, wherein said authorizing comprises sending new recipient data corresponding to the third recipient to the content site for storage with the encryption message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Miller, Kevin
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
De Jesus Lassaia, Carlos M

Application Number

US12/981,247
Time in Patent Office

1,672 Days
Field of Search

713/168, 724/4
US Class Current

1/1
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

H04L 9/088   Usage controlling of secret...

H04L 9/14   using a plurality of keys o...

Transparent client-side cryptography for network applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent client-side cryptography for network applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links