Cloud-based data backup and sync with secure local storage of access keys
First Claim
1. A computer-implemented method, the method comprising:
- receiving a user master password at a client device on behalf of a user;
- generating, during a device authentication process, a unique user device key identifier comprising a first portion generated based on a hardware identifier associated with the user device and a second portion generated based on a portion of the user master password, wherein the generated unique user device key identifier is not used to encrypt data on the user device;
- decrypting the unique user device key identifier with the user master password at the client device, wherein the unique user device key identifier is specific to a unique combination of the user and the client device, and wherein decrypting the unique user device key identifier comprises generating, at the client device, a cryptographic key from the user master password and decrypting, at the client device, a user file containing an encrypted unique user device key identifier using the generated cryptographic key;
- sending a request to access a storage server from the client device without sending either of the user master password or a hash of the user master password;
- sending the unique user device key identifier to the storage server; and
- in response to sending the unique user device key identifier, receiving access to elements of the storage server controlled by the user.
Abstract
Methods and systems are provided for secure online data access. In one embodiment, three levels of security are provided where user master passwords are not required at a server. A user device may register with a storage service and receive a user device key that is stored on the device and at the service. The user device key may be used to authenticate the user device with the storage service. As data in the storage service is encrypted with a master password, the data may be protected from disclosure. As a user master key or derivative thereof is not used in authentication, the data may be protected from a disclosure or breach of the authentication credentials. Encryption and decryption may thus be performed on the user device with a user master key that may not be disclosed externally from the user device.
58 Citations
17 Claims
1. (Independent claim 1 is set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5
6. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- send, by a client device over a first channel of communication, a request to access a storage server on behalf of a user;
- receive an authorization code via a second channel of communication;
- authenticate, for the user, the client device using the authorization code;
- generate, during a device authentication process, a unique user device key identifier specific to a unique combination of the user and the client device, wherein a first portion of the unique user device key identifier is generated based on a hardware identifier associated with the user device and a second portion is generated based on a portion of the user master password, wherein the generated unique user device key identifier is not used to encrypt data on the user device;
- send the unique user device key identifier to the storage server;
- encrypt the unique user device key identifier on the client device, wherein encrypting the unique user device key identifier on the client device further comprises encrypting the unique user device key identifier using a user master password;
- decrypt the unique user device key identifier using the user master password, wherein decrypting the unique user device key identifier comprises generating, at the client device, a cryptographic key from the user master password and decrypting, at the client device, a user file containing the encrypted unique user device key identifier using the generated cryptographic key;
- send the unique user device key identifier to the storage server without sending either of the user master password or a hash of the user master password; and
- in response to sending the unique user device key identifier, receive access to elements controlled by the user.
Dependent claims: 7, 8, 9, 10, 11
12. A computer system, comprising:
- one or more processors;
- memory, operatively connected to the one or more processors and including instructions that, when executed by the one or more processors, cause the computer system to perform a method, the method comprising:
  - receiving a user master password at a client device on behalf of a user;
  - generating, during a device authentication process, a unique user device key identifier comprising a first portion generated based on a hardware identifier associated with the user device and a second portion generated based on a portion of the user master password, wherein the generated unique user device key identifier is not used to encrypt data on the user device;
  - decrypting a unique user device key identifier with the user master password at the client device, wherein the unique user device key identifier is specific to the user and the client device, and wherein decrypting the unique user device key identifier comprises generating, at the client device, a cryptographic key from the user master password and decrypting, at the client device, a user file containing an encrypted unique user device key identifier using the generated cryptographic key;
  - sending a request to access a storage server from the client device without sending either of the user master password or a hash of the user master password, wherein sending the request to access includes using the unique user device key identifier in the request; and
  - in response to sending the request using the unique user device key identifier, receiving access to elements of the storage server controlled by the user.
Dependent claims: 13, 14, 15, 16, 17
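The client-side flow recited in claims 1, 6 and 12 (derive a cryptographic key from the master password on the client, decrypt the locally stored user file to recover the device key identifier, then send only that identifier to the storage server) is worked through below as an added Python example. It is not code from the patent or from any product that implements it. The identifier construction (SHA-256 over the hardware identifier for the first portion, PBKDF2 over the first half of the master password for the second), the user-file layout, the HMAC-based encrypt-then-MAC used in place of a real AEAD such as AES-GCM (so the example needs only the standard library), and the hypothetical `StorageServer` class are all assumptions made for this demonstration.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; tune to the client hardware (assumed value)


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Cryptographic key generated on the client from the master password; never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32)


def make_device_key_id(hardware_id: str, master_password: str) -> bytes:
    """Unique user device key identifier: first portion from the hardware id, second portion
    from a portion of the master password (the first half of it is an assumption here)."""
    hw_part = hashlib.sha256(b"hw-id:" + hardware_id.encode("utf-8")).digest()[:16]
    pw_portion = master_password[: len(master_password) // 2]
    # Slow, salted KDF over the password fragment (salted with the hardware part) so that a
    # leaked identifier is not a cheap guessing oracle for that fragment.
    pw_part = hashlib.pbkdf2_hmac("sha256", pw_portion.encode("utf-8"), hw_part, KDF_ITERATIONS, dklen=16)
    return hw_part + pw_part


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the password-derived key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256; a stand-in for a real cipher.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_user_file(master_password: str, device_key_id: bytes) -> bytes:
    """Encrypt the identifier under a key derived from the master password.
    File layout (assumed): salt(16) | nonce(16) | ciphertext | tag(32), encrypt-then-MAC."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    ct = bytes(a ^ b for a, b in zip(device_key_id, _keystream(enc_key, nonce, len(device_key_id))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_user_file(master_password: str, blob: bytes) -> bytes:
    """Recover the identifier; a wrong master password or a tampered file fails the MAC check."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered user file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class StorageServer:
    """Hypothetical server: stores only device key identifiers, never a password or its hash."""

    def __init__(self):
        self._devices = {}       # device_key_id -> user name
        self.seen_requests = []  # everything the server actually received, for inspection

    def register_device(self, user: str, device_key_id: bytes) -> None:
        self._devices[device_key_id] = user

    def access(self, request: dict):
        self.seen_requests.append(dict(request))
        return self._devices.get(request.get("device_key_id"))  # None if device is unknown


def register(server: StorageServer, user: str, hardware_id: str, master_password: str) -> bytes:
    """Device registration on the client; returns the encrypted user file kept on the device."""
    device_key_id = make_device_key_id(hardware_id, master_password)
    server.register_device(user, device_key_id)
    return encrypt_user_file(master_password, device_key_id)


def login(server: StorageServer, user_file: bytes, master_password: str):
    """Later access: decrypt the identifier locally and send only the identifier."""
    device_key_id = decrypt_user_file(master_password, user_file)
    return server.access({"device_key_id": device_key_id})


if __name__ == "__main__":
    srv = StorageServer()
    # Constructed sample values for the demonstration.
    user_file = register(srv, "alice", "hw-serial-0001", "correct horse battery staple")
    print(login(srv, user_file, "correct horse battery staple"))
```

Two properties worth checking in a real deployment are visible here: the server's request log never contains the master password or anything derived directly from it, so a breach of the server's authentication store exposes identifiers (bearer credentials that can be revoked per device) but not the key that protects the stored data; and because the identifier is bound to the hardware identifier, the same user and password on different hardware yields a different identifier, which the server rejects until that device has been registered.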
Specification