Client-side encryption with DRM
First Claim
1. An apparatus operative in association with a group key service, and a digital rights management (DRM) service having a DRM license server, the apparatus being distinct from the group key service and the DRM service, comprising:
one or more hardware processors;
computer memory storing computer program instructions executed by the hardware processors;
to receive and store an encrypted DRM-protected object, the encrypted DRM-protected object having been generated at a first computing entity distinct from the apparatus, the group key service and the DRM service by (i) associating together (a) a result of encrypting an object with a DRM key, and (b) a result of encrypting the DRM key and a DRM license with a public key of the DRM license server, to produce a DRM-protected object, and (ii) encrypting the DRM-protected object so produced with a group key, the group key having been obtained at the first computing entity according to a distributed group key agreement protocol managed by the group key service and enforced by a set of computing entities that include the first computing entity but not the apparatus that receives and stores the encrypted DRM-protected object, wherein the group key and the encrypted DRM-protected object are unavailable to the DRM license server, and wherein the group key in a clear form is unavailable to the group key service;
to receive and store an access control that is set on the encrypted DRM-protected object;
to use the access control, in response to receipt of a request from a second computing entity that is a member of the set of computing entities, to determine whether access to the encrypted DRM-protected object and thus the object by the second computing entity is permitted; and
to provide the encrypted DRM-protected object to the second computing entity when access to the encrypted DRM-protected object and the object by the second computing entity is permitted as determined by the access control, the object being recoverable by the second computing entity using the group key to decrypt the encrypted DRM-protected object, and a DRM operation with the DRM license server to recover the object for subsequent use according to the DRM license.
Abstract
A technique for extending security to a data object (e.g., a document, a file, a message, etc.) once it has been shared and during collaboration with others who have access rights to that data object. The approach advantageously combines group key-based client-side encryption to secure the data object as it travels from a user's computer, to the cloud, and to a chosen collaborator's computer, together with a digital rights management (DRM) layer that provides permission management that associates a set of permission rights that travel with the data object.
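The layering recited in claim 1 (DRM layer inside, group-key layer outside, access control at the storage apparatus), as an added sketch that is not code from the patent; all function names are hypothetical. Assumptions: to stay standard-library only, an HMAC-SHA256 keystream stands in for a real authenticated cipher and textbook RSA over two fixed Mersenne primes stands in for the license server's public-key encryption; neither stand-in is secure.

```python
import hashlib, hmac, json, secrets

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (NOT secure): XOR with an HMAC-SHA256 keystream."""
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

# Stand-in license-server key pair: textbook RSA over two fixed Mersenne primes.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D stays on the license server

def protect(obj: bytes, license_terms: dict, group_key: bytes) -> bytes:
    """First computing entity: build the DRM-protected object, then group-encrypt it."""
    drm_key = secrets.token_bytes(16)
    body = stream_xor(drm_key, obj)                       # (a) object under the DRM key
    blob = b"\x01" + drm_key + json.dumps(license_terms).encode()
    if len(blob) > 80:                                    # must fit below the toy modulus
        raise ValueError("license too large for the stand-in RSA modulus")
    wrapped = pow(int.from_bytes(blob, "big"), E, N)      # (b) DRM key + license, server public key
    drm_obj = json.dumps({"body": body.hex(), "wrapped": hex(wrapped)}).encode()
    return stream_xor(group_key, drm_obj)                 # (ii) outer group-key layer

def storage_release(stored: bytes, acl: set, requester: str) -> bytes:
    """Storage apparatus: enforces the access control; only ever holds ciphertext."""
    if requester not in acl:
        raise PermissionError(requester)
    return stored

def license_server_unwrap(wrapped_hex: str):
    """DRM license server: receives only the wrapped key + license, never the
    group key or the encrypted DRM-protected object."""
    m = pow(int(wrapped_hex, 16), D, N)
    blob = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return blob[1:17], json.loads(blob[17:])

def recover(stored: bytes, group_key: bytes):
    """Second computing entity: peel the group layer, then do the DRM operation."""
    drm_obj = json.loads(stream_xor(group_key, stored))   # wrong group key: ValueError
    drm_key, terms = license_server_unwrap(drm_obj["wrapped"])
    return stream_xor(drm_key, bytes.fromhex(drm_obj["body"])), terms
```

The returned license terms are what a DRM client would enforce on subsequent use; the sketch only shows that they travel with the object and are released together with the DRM key.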
19 Claims
Dependent claims of claim 1: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19
12. An apparatus operative as a client device in association with a group key service, and a digital rights management (DRM) service having a DRM license server, and a cloud storage service, the apparatus being distinct from the group key service, the DRM service and the cloud storage service, comprising:
at least one hardware processor;
computer memory storing computer program instructions executed by the hardware processor;
to apply to an object a digital rights management (DRM) operation to an object to produce a DRM-protected object, the DRM-protected object being produced by (i) associating together (a) a result of encrypting the object with a DRM key, and (b) a result of encrypting the DRM key and a DRM license with a public key of the DRM license server;
to encrypt the DRM-protected object with a group key to produce an encrypted DRM-protected object, the group key having been generated at the client device and according to a distributed group key agreement protocol managed by the group key service and enforced by a set of computing entities that include the client device, wherein the group key and the encrypted DRM-protected object are unavailable to the DRM license server, and wherein the group key in a clear form is unavailable to the group key service;
to establish an access control on the encrypted DRM-protected object; and
to output the encrypted DRM-protected object and the access control to a cloud storage, the encrypted DRM-protected object and the access control adapted to be stored in a shared folder at the cloud storage and selectively released to one or more other computing entities that are members of the set of computing entities based on the access control, the object being recoverable by the other computing entity using the group key to decrypt the encrypted DRM-protected object, and a DRM operation with the DRM license server to recover the object for subsequent use according to the DRM license.
Dependent claims: 13
14. A method of protecting an object, comprising:
associating with a cloud storage service a group key service, and a digital rights management (DRM) service having a DRM license server, the group key service managing a distributed group key agreement protocol enforced by a set of computing entities that are distinct from the group key service, the DRM service and the cloud storage service;
the cloud storage service receiving and storing an encrypted DRM protected object, the encrypted DRM protected object having been generated at a first computing entity of the set of computing entities by (i) associating together (a) a result of encrypting an object with a DRM key, and (b) a result of encrypting the DRM key and a DRM license with a public key of the DRM license server, to produce a DRM-protected object, and (ii) encrypting the DRM-protected object so produced with a group key, the group key having been obtained at the first computing entity according to the distributed group key agreement protocol managed by the group key service, wherein the group key and the encrypted DRM-protected object are unavailable to the DRM license server, and wherein the group key in a clear form is unavailable to the group key service;
the cloud storage service receiving and storing an access control that is set on the encrypted DRM protected object;
the cloud storage service operative in response to a request from a second computing entity that is a member of the set of computing entities to use the access control to determine whether access to the object by the second computing entity is permitted; and
the cloud storage service operative when access to the object by the second computing entity is permitted as determined by the access control to provide the encrypted DRM protected object to the second computing entity, the object being recoverable by the second computing entity using the group key to decrypt the encrypted DRM-protected object, and a DRM operation with the DRM license server to recover the object for subsequent use according to the DRM license.
Dependent claims: 15, 16, 17, 18
Specification