Systems and methods for secure third-party data storage

US 9,203,815 B1
Filed: 11/27/2013
Issued: 12/01/2015
Est. Priority Date: 11/27/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure third-party data storage,at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

receiving, at a server-side computing system, a long poll request from a client system;

identifying, at the server-side computing system, a data access request from the client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file, wherein the data access request is subsequent to the long poll request;

identifying, in reaction to the data access request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;

responding to the long poll request, in reaction to the data access request, with a message notifying the client system to transmit the client-side key;

receiving, from the client system, the client-side key;

decrypting the decryption key with the client-side key; and

using the decryption key to access an unencrypted version of the encrypted file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for secure third-party data storage may include (1) identifying, at a server-side computing system, a data access request from a client system to access an encrypted file stored under a user account, (2) receiving a long poll request from the client system, (3) identifying an asymmetric key pair designated for the user account, the asymmetric key pair including an encryption key and a decryption key that has been encrypted with a client-side key, (4) responding to the long poll request with a message notifying the client system to transmit the client-side key, (5) receiving, from the client system, the client-side key, (6) decrypting the decryption key with the client-side key, and (7) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for secure third-party data storage,at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- receiving, at a server-side computing system, a long poll request from a client system;
  
  identifying, at the server-side computing system, a data access request from the client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file, wherein the data access request is subsequent to the long poll request;
  
  identifying, in reaction to the data access request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;
  
  responding to the long poll request, in reaction to the data access request, with a message notifying the client system to transmit the client-side key;
  
  receiving, from the client system, the client-side key;
  
  decrypting the decryption key with the client-side key; and
  
  using the decryption key to access an unencrypted version of the encrypted file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising receiving a prior long poll request from the client system that times out before receiving the long poll request from the client system, wherein the client system sends the long poll request in response to determining that the prior long poll request has timed out.
  - 3. The computer-implemented method of claim 1, wherein:
    - receiving the long poll request from the client system comprises receiving the long poll request at an intermediate application tier that is configured to receive the client-side key from the client system and to provide the client-side key to a data-serving application tier that accesses the unencrypted version of the encrypted file;
      
      decrypting the decryption key with the client-side key comprises decrypting the decryption key at the data-serving application tier.
  - 4. The computer-implemented method of claim 3, wherein identifying the data access request comprises receiving the data access request at the data-serving application tier.
  - 5. The computer-implemented method of claim 4, wherein the data-serving application tier, in response to receiving the data access request, performs a synchronous call to the intermediate application tier that requests the client-side key.
  - 6. The computer-implemented method of claim 3, wherein the intermediate application tier, upon receiving a synchronous call from the data-serving application tier that requests the client-side key, checks for an active long poll connection established by the long poll request.
  - 7. The computer-implemented method of claim 3, wherein:
    - the intermediate application tier, upon receiving a synchronous call from the data-serving application tier that requests the client-side key, determines that no active long poll connection for requesting the client-side key is available;
      
      in response to determining that no active long poll connection for requesting the client-side key is available, the intermediate application tier places the synchronous call in a request queue until an active long poll connection is established via the long poll request.
  - 8. The computer-implemented method of claim 3, wherein:
    - a first server within the intermediate application tier receives a synchronous call from the data-serving application tier requesting the client-side key;
      
      a second server within the intermediate application tier receives the client-side key from the client system;
      
      the second server places the client-side key in a return queue;
      
      the first server retrieves the client-side key from the return queue.
  - 9. The computer-implemented method of claim 3, wherein:
    - the intermediate application tier receives an authentication token derived at least in part from user credential information used for access to the data-serving application tier;
      
      the intermediate application tier responds with the message notifying the client system to transmit the client-side key in response to determining that the authentication token is valid.

10. A system for secure third-party data storage, the system comprising:
- a connection module that receives, at a server-side computing system, a long poll request from a client system;
  
  an identification module that identifies, at the server-side computing system, a data access request from the client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file, wherein the data access request is subsequent to the long poll request;
  
  a key module that identifies, in reaction to the data access request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;
  
  a response module that responds to the long poll request, in reaction to the data access request, with a message notifying the client system to transmit the client-side key;
  
  a receiving module that receives, from the client system, the client-side key;
  
  a decryption module that decrypts the decryption key with the client-side key;
  
  an access module that uses the decryption key to access an unencrypted version of the encrypted file;
  
  at least one hardware processor configured to execute the identification module, the connection module, the key module, the response module, the receiving module, the decryption module, and the access module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein:
    - the receiving module further receives a prior long poll request from the client system that times out before receiving the long poll request from the client system;
      
      the client system sends the long poll request in response to determining that the prior long poll request has timed out.
  - 12. The system of claim 10, wherein:
    - the receiving module receives the long poll request from the client system by receiving the long poll request at an intermediate application tier that is configured to receive the client-side key from the client system and to provide the client-side key to a data-serving application tier that accesses the unencrypted version of the encrypted file;
      
      the decryption module decrypts the decryption key with the client-side key by decrypting the decryption key at the data-serving application tier.
  - 13. The system of claim 12, wherein the identification module identifies the data access request by receiving the data access request at the data-serving application tier.
  - 14. The system of claim 13, wherein the data-serving application tier, in response to receiving the data access request, performs a synchronous call to the intermediate application tier that requests the client-side key.
  - 15. The system of claim 12, wherein the intermediate application tier, upon receiving a synchronous call from the data-serving application tier that requests the client-side key, checks for an active long poll connection established by the long poll request.
  - 16. The system of claim 12, wherein:
    - the intermediate application tier, upon receiving a synchronous call from the data-serving application tier that requests the client-side key, determines that no active long poll connection for requesting the client-side key is available;
      
      in response to determining that no active long poll connection for requesting the client-side key is available, the intermediate application tier places the synchronous call in a request queue until an active long poll connection is established via the long poll request.
  - 17. The system of claim 12, wherein:
    - a first server within the intermediate application tier receives a synchronous call from the data-serving application tier requesting the client-side key;
      
      a second server within the intermediate application tier receives the client-side key from the client system;
      
      the second server places the client-side key in a return queue;
      
      the first server retrieves the client-side key from the return queue.
  - 18. The system of claim 12, wherein:
    - the intermediate application tier receives an authentication token derived at least in part from user credential information used for access to the data-serving application tier;
      
      the intermediate application tier responds with the message notifying the client system to transmit the client-side key in response to determining that the authentication token is valid.

19. A non-transitory computer-readable-storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- receive, at a server-side computing system, a long poll request from a client system;
  
  identify, at the server-side computing system, a data access request from the client system to access an encrypted file stored under a user account, wherein the requested access requires decryption of the encrypted file, wherein the data access request is subsequent to the long poll request;
  
  identify, in reaction to the data access request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;
  
  respond to the long poll request, in reaction to the data access request, with a message notifying the client system to transmit the client-side key;
  
  receive, from the client system, the client-side key;
  
  decrypt the decryption key with the client-side key;
  
  use the decryption key to access an unencrypted version of the encrypted file.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable-storage medium of claim 19, wherein:
    - the one or more computer-readable instructions cause the computing device to receive a prior long poll request from the client system that times out before receiving the long poll request from the client system;
      
      the client system sends the long poll request in response to determining that the prior long poll request has timed out.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bogorad, Walter, Douglas, Eric
Primary Examiner(s)
Kim, Tae
Assistant Examiner(s)
TENG, LOUIS C

Application Number

US14/092,757
Time in Patent Office

734 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 21/604   Tools and structures for ma...

G06F 21/6209   to a single file or object,...

H04L 2463/062   applying encryption of the ...

H04L 63/0442   wherein the sending and rec...

Systems and methods for secure third-party data storage

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure third-party data storage

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links