System and method for secure release of secret information over a network

US 9,338,008 B1
Filed: 04/01/2013
Issued: 05/10/2016
Est. Priority Date: 04/02/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a data repository storing a deposit of secret information, wherein a piece of the secret information in the deposit is associated with individual designated trustees and an individual trustee policy;

a server coupled to the repository, the server having a processor and a memory storing a plurality of instructions which, when executed by the processor, configure the server to;

receive an access request, encrypted with a seed that is rotated and randomly generated by the server, from a client to access the piece of secret information in the deposit;

in response to the access request, send an authorization request to the individual designated trustees associated with the piece of secret information;

receive responses regarding the authorization request from the one or more of the designated trustees;

determine whether to grant the access request based on applying the trustee policy to the received responses, wherein the trustee policy requires approval of the authorization request associated with secret information by at least three or more of the designated trustees; and

when the access request is granted, send the piece of secret information to the client, wherein the piece of secret information is not accessible by the one or more of the designated trustees,wherein the server is further configured to encrypt the authorization request sent to the one or more of the designated trustees with respective public keys of the designated trustees, andwherein the server the data repository, and the client are all separate entities from one another.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure include systems and methods for secure release of secret information over a network. The server can be configured to receive a request from a client to access the deposit of secret information, send an authorization request to at least one designated trustee in the set of designated trustees for the deposit of secret information, receive responses over the network from one or more of the designated trustees in the set of designated trustees and apply a trustee policy to the responses from the one or more designated trustees in the set of trustees to determine if the request is authorized. If the request is authorized, the server can send the secret information to the client. If the request is not authorized, the server denies access by the client to the secret information.

174 Citations

22 Claims

1. A system comprising:
- a data repository storing a deposit of secret information, wherein a piece of the secret information in the deposit is associated with individual designated trustees and an individual trustee policy;
  
  a server coupled to the repository, the server having a processor and a memory storing a plurality of instructions which, when executed by the processor, configure the server to;
  
  receive an access request, encrypted with a seed that is rotated and randomly generated by the server, from a client to access the piece of secret information in the deposit;
  
  in response to the access request, send an authorization request to the individual designated trustees associated with the piece of secret information;
  
  receive responses regarding the authorization request from the one or more of the designated trustees;
  
  determine whether to grant the access request based on applying the trustee policy to the received responses, wherein the trustee policy requires approval of the authorization request associated with secret information by at least three or more of the designated trustees; and
  
  when the access request is granted, send the piece of secret information to the client, wherein the piece of secret information is not accessible by the one or more of the designated trustees,wherein the server is further configured to encrypt the authorization request sent to the one or more of the designated trustees with respective public keys of the designated trustees, andwherein the server the data repository, and the client are all separate entities from one another.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the server is further configured to:
    - receive a client public key from the client;
      
      provide a server public key to the client;
      
      decrypt the access request from the client using a server private key; and
      
      when the access request is granted, encrypt the piece of secret information using the client public key.
  - 3. The system of claim 1, wherein the received responses each comprise a vote on whether to authorize the access request.
  - 4. The system of claim 1, wherein the piece of secret information is encrypted by an encryption key private to the client so that the server is unable to decrypt the piece of secret information without the encryption key private to the client.
  - 5. The system of claim 1, wherein the designated trustees are separate entities from the client or the server.
  - 6. The system of claim 1, wherein:
    - the piece of the secret information is further associated with an individual set of authorized clients; and
      
      the server is further configured to determine whether to grant the access request based on matching an identity of the client against the set of authorized clients associated with the piece of secret information.
  - 7. The system of claim 6, wherein the identity of the client comprises a hash value of a public key of the client.
  - 8. The system of claim 1, wherein the server comprises a key storage system server configured to distribute encrypted encryption keys to a plurality of clients.

9. A non-transitory computer readable medium storing a set of computer executable instructions, the set of computer executable instructions executable by a processor to:
- receive an access request, encrypted with a seed that is rotated and randomly generated by a server, from a client to access a piece of secret information in a deposit of secret information stored in a data repository, wherein the piece of secret information in the deposit is associated with individual designated trustees and an individual trustee policy;
  
  in response to the access request, send an authorization request to the designated trustees associated with the piece of secret information;
  
  receive responses regarding the authorization request from the one or more of the designated trustees;
  
  determine whether to grant the access request based on applying the trustee policy to the received responses, wherein the trustee policy requires approval of the authorization request associated with secret information by at least three or more of the designated trustees; and
  
  when the access request is granted, send the piece of secret information to the client, wherein the piece of secret information is not accessible by the one or more of the designated trustees;
  
  wherein the server is further configured to encrypt the authorization request sent to the one or more of the designated trustees with respective public keys of the designated trustees,wherein the server, the data repository, and the client are all separate entities from one another.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The medium of claim 9, wherein the set of computer executable instructions further comprise instructions executable to:
    - receive a client public key from the client;
      
      provide a server public key to the client;
      
      decrypt the access request from the client using a server private key; and
      
      when the access request is granted, encrypt the piece of secret information using the client public key.
  - 11. The medium of claim 9, wherein the set of computer executable instructions further comprise instructions executable to encrypt the authorization request sent to the designated trustees with respective public keys of the designated trustees.
  - 12. The medium of claim 9, wherein the received responses each comprise a vote on whether to authorize the access request.
  - 13. The medium of claim 9, wherein the piece of the secret information is further associated with an individual set of authorized clients, and wherein the set of computer executable instructions further comprise instructions executable to determine whether to grant the access request based on matching an identity of the client against the set of authorized clients associated with the piece of secret information.
  - 14. The medium of claim 13, wherein the identity of the client comprises a hash value of a public key of the client.
  - 15. The medium of claim 9, wherein the set of computer executable instructions further comprise instructions executable to maintain a set of encrypted encryption keys for client applications and distribute encrypted encryption keys from the set of encrypted encryption keys according to authorizations by corresponding designated trustees among the individual designated trustees.

16. A method for secure release of secret information comprising:
- maintaining a deposit of secret information in a data repository, wherein a piece of the secret information in the deposit is associated with individual designated trustees and an individual trustee policy;
  
  receiving an access request encrypted with a seed that is rotated and randomly generated by a server, from a client to access the piece of secret information in the deposit;
  
  in response to the access request, sending an authorization request to one or more of the designated trustees associated with the piece of secret information;
  
  receiving responses regarding the authorization request from the one or more of the designated trustees;
  
  determining whether to grant the access request based on applying the trustee policy to the received responses, wherein the trustee policy requires approval of the authorization request associated with secret information by at least three or more of the designated trustees; and
  
  when the access request is granted, sending the piece of secret information to the client, wherein the piece of secret information is not accessible by the one or more of the designated trustees,wherein the server is further configured to encrypt the authorization request sent to the one or more of the designated trustees with respective public keys of the designated trustees, andwherein the server, the data repository, and the client are all separate entities from one another.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the piece of secret information is encrypted by an encryption key private to the client so that the server is unable to decrypt the piece of secret information without the encryption key private to the client.
  - 18. The method of claim 16, further comprising:
    - receiving a client public key from the client;
      
      providing a server public key to the client;
      
      decrypting the access request from the client using a server private key; and
      
      when the access request is granted, encrypting the piece of secret information using the client public key.
  - 19. The method of claim 16, wherein the designated trustees are separate entities from the client or the server.
  - 20. The method of claim 16, wherein the piece of secret information is further associated with an individual list of authorized clients.
  - 21. The method of claim 20, further comprising determining whether to grant the access request based on matching an identity of the client against the list of authorized clients associated with the piece of secret information.
  - 22. The method of claim 21, wherein the identity of the client comprises a hash value of a public key of the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloudera Incorporated
Original Assignee
Cloudera Incorporated
Inventors
Kirkland, Dustin C., Garcia, Eduardo
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Lynch, Sharon

Application Number

US13/854,773
Time in Patent Office

1,135 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/10   for controlling access to d...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

System and method for secure release of secret information over a network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

System and method for secure release of secret information over a network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others