Client-side encryption with DRM

US 9,129,095 B1
Filed: 12/19/2014
Issued: 09/08/2015
Est. Priority Date: 12/19/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus operative in association with a group key service, and a digital rights management (DRM) service having a DRM license server, the apparatus being distinct from the group key service and the DRM service, comprising:

one or more hardware processors;

computer memory storing computer program instructions executed by the hardware processors;

to receive and store an encrypted DRM-protected object, the encrypted DRM-protected object having been generated at a first computing entity distinct from the apparatus, the group key service and the DRM service by (i) associating together (a) a result of encrypting an object with a DRM key, and (b) a result of encrypting the DRM key and a DRM license with a public key of the DRM license server, to produce a DRM-protected object, and (ii) encrypting the DRM-protected object so produced with a group key, the group key having been obtained at the first computing entity according to a distributed group key agreement protocol managed by the group key service and enforced by a set of computing entities that include the first computing entity but not the apparatus that receives and stores the encrypted DRM-protected object, wherein the group key and the encrypted DRM-protected object are unavailable to the DRM license server, and wherein the group key in a clear form is unavailable to the group key service;

to receive and store an access control that is set on the encrypted DRM-protected object;

to use the access control, in response to receipt of a request from a second computing entity that is a member of the set of computing entities, to determine whether access to the encrypted DRM-protected object and thus the object by the second computing entity is permitted; and

to provide the encrypted DRM-protected object to the second computing entity when access to the encrypted DRM-protected object and the object by the second computing entity is permitted as determined by the access control, the object being recoverable by the second computing entity using the group key to decrypt the encrypted DRM-protected object, and a DRM operation with the DRM license server to recover the object for subsequent use according to the DRM license.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for extending security to a data object (e.g., a document, a file, a message, etc.) once it has been shared and during collaboration with others who have access rights to that data object. The approach advantageously combines group key-based client-side encryption to secure the data object as it travels from a user'"'"'s computer, to the cloud, and to a chosen collaborator'"'"'s computer, together with a digital rights management (DRM) layer that provides permission management that associates a set of permission rights that travel with the data object.

Citations

19 Claims

1. An apparatus operative in association with a group key service, and a digital rights management (DRM) service having a DRM license server, the apparatus being distinct from the group key service and the DRM service, comprising:
- one or more hardware processors;
  
  computer memory storing computer program instructions executed by the hardware processors;
  
  to receive and store an encrypted DRM-protected object, the encrypted DRM-protected object having been generated at a first computing entity distinct from the apparatus, the group key service and the DRM service by (i) associating together (a) a result of encrypting an object with a DRM key, and (b) a result of encrypting the DRM key and a DRM license with a public key of the DRM license server, to produce a DRM-protected object, and (ii) encrypting the DRM-protected object so produced with a group key, the group key having been obtained at the first computing entity according to a distributed group key agreement protocol managed by the group key service and enforced by a set of computing entities that include the first computing entity but not the apparatus that receives and stores the encrypted DRM-protected object, wherein the group key and the encrypted DRM-protected object are unavailable to the DRM license server, and wherein the group key in a clear form is unavailable to the group key service;
  
  to receive and store an access control that is set on the encrypted DRM-protected object;
  
  to use the access control, in response to receipt of a request from a second computing entity that is a member of the set of computing entities, to determine whether access to the encrypted DRM-protected object and thus the object by the second computing entity is permitted; and
  
  to provide the encrypted DRM-protected object to the second computing entity when access to the encrypted DRM-protected object and the object by the second computing entity is permitted as determined by the access control, the object being recoverable by the second computing entity using the group key to decrypt the encrypted DRM-protected object, and a DRM operation with the DRM license server to recover the object for subsequent use according to the DRM license.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19)
- - 2. The apparatus as described in claim 1 wherein the encrypted DRM-protected object and the access control are received from the first computing entity over a secure transport channel.
  - 3. The apparatus as described in claim 1 wherein the encrypted DRM-protected object is provided to the second computing entity over a secure transport channel.
  - 4. The apparatus as described in claim 1 wherein the group key is an encryption key that is shared by current members of the set of computing entities.
  - 5. The apparatus as described in claim 4 wherein the encryption key is protected by public keys associated with the current members of the set of computing entities.
  - 6. The apparatus as described in claim 1 wherein the computer program instructions are executed in the hardware processors as software-as-a-service.
  - 7. The apparatus as described in claim 1 wherein the computer program instructions are further operative to authenticate a user associated with the second computing entity.
  - 8. The apparatus as described in claim 1 wherein the set of computing entities associated with the group key is dynamic.
  - 9. The apparatus as described in claim 1 wherein the object is one of:
    - a document, a file comprising text, a message, an audio file, a video file, and an executable.
  - 10. The apparatus as described in claim 1 wherein the access control is a role-based access control.
  - 11. The apparatus as described in claim 1 wherein the DRM operation is implemented using a third party DRM protection technology.
  - 19. The apparatus as described in claim 1 wherein the computer program instructions are further executed by the hardware processors:
    - to create a sharing folder for the set of computing entities, the sharing folder being an online file system for protecting multiple objects including the object using the group key, and to store the encrypted DRM-protected object in the sharing folder.

12. An apparatus operative as a client device in association with a group key service, and a digital rights management (DRM) service having a DRM license server, and a cloud storage service, the apparatus being distinct from the group key service, the DRM service and the cloud storage service, comprising:
- at least one hardware processors;
  
  computer memory storing computer program instructions executed by the hardware processor;
  
  to apply to an object a digital rights management (DRM) operation to an object to produce a DRM-protected object, the DRM-protected object being produced by (i) associating together (a) a result of encrypting the object with a DRM key, and (b) a result of encrypting the DRM key and a DRM license with a public key of the DRM license server;
  
  to encrypt the DRM-protected object with a group key to produce an encrypted DRM-protected object, the group key having been generated at the client device and according to a distributed group key agreement protocol managed by the group key service and enforced by a set of computing entities that include the client device, wherein the group key and the encrypted DRM-protected object are unavailable to the DRM license server, and wherein the group key in a clear form is unavailable to the group key service;
  
  to establish an access control on the encrypted DRM-protected object; and
  
  to output the encrypted DRM-protected object and the access control to a cloud storage, the encrypted DRM-protected object and the access control adapted to be stored in a shared folder at the cloud storage and selectively released to one or more other computing entities that are members of the set of computing entities based on the access control, the object being recoverable by the other computing entity using the group key to decrypt the encrypted DRM-protected object, and a DRM operation with the DRM license server to recover the object for subsequent use according to the DRM license.
- View Dependent Claims (13)
- - 13. The apparatus as described in claim 12 wherein the computer program instructions are further operative to output the encrypted DRM-protected object and the access control to the cloud storage over a secure transport channel.

14. A method of protecting an object, comprising:
- associating with a cloud storage service a group key service, and a digital rights management (DRM) service having a DRM license server, the group key service managing a distributed group key agreement protocol enforced by a set of computing entities that are distinct from the group key service, the DRM service and the cloud storage service;
  
  the cloud storage service receiving and storing an encrypted DRM protected object, the encrypted DRM protected object having been generated at a first computing entity of the set of computing entities by (i) associating together (a) a result of encrypting an object with a DRM key, and (b) a result of encrypting the DRM key and a DRM license with a public key of the DRM license server, to produce a DRM-protected object, and (ii) encrypting the DRM-protected object so produced with a group key, the group key having been obtained at the first computing entity according to the distributed group key agreement protocol managed by the group key service, wherein the group key and the encrypted DRM-protected object are unavailable to the DRM license server, and wherein the group key in a clear form is unavailable to the group key service;
  
  the cloud storage service receiving and storing an access control that is set on the encrypted DRM protected object;
  
  the cloud storage service operative in response to a request from a second computing entity that is a member of the set of computing entities to use the access control to determine whether access to the object by the second computing entity is permitted; and
  
  the cloud storage service operative when access to the object by the second computing entity is permitted as determined by the access control to provide the encrypted DRM protected object to the second computing entity, the object being recoverable by the second computing entity using the group key to decrypt the encrypted DRM-protected object, and a DRM operation with the DRM license server to recover the object for subsequent use according to the DRM license.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method as described in claim 14 wherein the access control is a role-based access control.
  - 16. The method as described in claim 14 wherein the object is one of:
    - a document, a file comprising text, a message, an audio file, a video file, and an executable.
  - 17. The apparatus as described in claim 14 wherein the group key is an encryption key that is shared by current members of the set of computing entities.
  - 18. The method as described in claim 17 wherein the DRM key is shared with the encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tresorit Kft.
Original Assignee
Tresorit Kft.
Inventors
Lm, Istvn, Szebeni, Szilveszter, Koczka, Tams
Primary Examiner(s)
Lagor, Alexander

Application Number

US14/576,724
Time in Patent Office

263 Days
Field of Search

726/27
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

H04L 2463/101   applying security measures ...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

Client-side encryption with DRM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Client-side encryption with DRM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links