Distributed encryption and access control scheme in a cloud environment

US 9,373,001 B2
Filed: 03/11/2014
Issued: 06/21/2016
Est. Priority Date: 12/26/2012
Status: Active Grant

First Claim

Patent Images

1. A method for selectively assisting a fourth computerized system in a decryption of an encrypted file entity, the method comprises:

receiving, by a third computerized system from the fourth computerized system, a first encrypted file entity key and signed access metadata;

wherein the first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system;

wherein the signed access metadata is signed by the file entity key;

wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;

sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system;

receiving a response from the second computerized system;

determining, based on the response from the second computerized system, whether to facilitate the decryption of the encrypted file entity by the fourth computerized system;

wherein if determining to facilitate the decryption of the encrypted file entity by the fourth computerized system then sending, by the third computerized system, a fourth computerized system encrypted file entity key to the fourth computerized system;

wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and

wherein if determining not to facilitate the decryption of the encrypted file entity by the fourth computerized system then preventing from assisting the fourth computerized system to decrypt the encrypted file entity.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, computer readable medium and method for decryption. The method may include receiving, by a third computerized system and from a fourth computerized system, a first encrypted file entity key and signed access metadata. The first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system. The signed access metadata is signed by the file entity key. The encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key. Sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system. Receiving a response from the second computerized system. Determining, based on the response from the second computerized system, whether to facilitate a decryption of the encrypted file entity by the fourth computerized entity.

11 Citations

View as Search Results

19 Claims

1. A method for selectively assisting a fourth computerized system in a decryption of an encrypted file entity, the method comprises:
- receiving, by a third computerized system from the fourth computerized system, a first encrypted file entity key and signed access metadata;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;
  
  sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system;
  
  receiving a response from the second computerized system;
  
  determining, based on the response from the second computerized system, whether to facilitate the decryption of the encrypted file entity by the fourth computerized system;
  
  wherein if determining to facilitate the decryption of the encrypted file entity by the fourth computerized system then sending, by the third computerized system, a fourth computerized system encrypted file entity key to the fourth computerized system;
  
  wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and
  
  wherein if determining not to facilitate the decryption of the encrypted file entity by the fourth computerized system then preventing from assisting the fourth computerized system to decrypt the encrypted file entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1 wherein the file entity is a file.
  - 3. The method according to claim 1 wherein the file entity is a first portion of a file.
  - 4. The method according to claim 3, wherein the file further comprises a second file portion that is not encrypted by the file key.
  - 5. The method according to claim 1 comprising preventing the third computerized system from accessing the file key.
  - 6. The method according to claim 1 wherein the first, second, third and fourth computerized systems differ from each other.
  - 7. The method according to claim 1 comprising determining not to facilitate the decryption of the encrypted file entity by the fourth computerized system if the response indicates that the signed access data is invalid.
  - 8. The method according to claim 1 comprising determining whether to facilitate the decryption of the encrypted file entity by the fourth computerized system in response to a content of the signed access data if the response indicates that the signed access data is valid.
  - 9. The method according to claim 1 wherein the signed access metadata comprises an identity of the first computerized system.
  - 10. The method according to claim 1 wherein the signed access metadata comprises information about a group of computerized entities that are entitled to decrypt the encrypted file portion.

11. A method for selectively assisting a fourth computerized system in a decryption of an encrypted file entity, the method comprises:
- receiving, by a third computerized system from the fourth computerized system, a double encrypted file entity key and signed access metadata;
  
  wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key by a first computerized system using an encryption key of the third computerized system;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key by the first computerized system using an encryption key of a second computerized system;
  
  wherein the signed access metadata is signed by the first encrypted file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;
  
  determining, by the third computerized system and in response to the signed access metadata whether the fourth computerized system is entitled to decrypt the file entity;
  
  if it is determined that the fourth computerized system is not entitled to decrypt the file entity then preventing from assisting the fourth computerized system to decrypt the encrypted file entity;
  
  if it is determined that the fourth computerized system is entitled to decrypt the file entity then;
  
  decrypting, by the third computerized system, the double encrypted file entity key to provide the first encrypted file entity key;
  
  sending, by the third computerized system, the first encrypted file entity key to the second computerized system;
  
  receiving, by the third computerized system, a fourth computerized system encrypted file entity key;
  
  wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and
  
  sending, by the third computerized system, to the fourth computerized system the fourth computerized system encrypted file entity key.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method according to claim 11 wherein the file entity is a file.
  - 13. The method according to claim 11 wherein the file entity is a first portion of a file.
  - 14. The method according to claim 13, wherein the file further comprises a second file portion that is not encrypted by the file key.
  - 15. The method according to claim 11 comprising preventing the third computerized system from accessing the file key.
  - 16. The method according to claim 11 wherein the first, second, third and fourth computerized systems differ from each other.

17. A non-transitory computer readable medium storing computer executable instructions that once executed by a third computerized system causes the third computerized system to selectively assist in a decryption of an encrypted file entity by a fourth computerized system by executing the stages of:
- receiving, by a third computerized system from the fourth computerized system, a first encrypted file entity key and signed access metadata;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system;
  
  wherein the signed access metadata is signed by the file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;
  
  sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system;
  
  receiving, by the third computerized system, a response from the second computerized system;
  
  determining , by the third computerized system, based on the response from the second computerized system, whether to facilitate a decryption of the encrypted file entity by the fourth computerized entity;
  
  wherein if determining to facilitate the decryption of the encrypted file entity by the fourth computerized system then sending, by the third computerized system, a fourth computerized system encrypted file entity key to the fourth computerized system;
  
  wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and
  
  wherein if determining not to facilitate the decryption of the encrypted file entity by the fourth computerized system then preventing from assisting the fourth computerized system to decrypt the encrypted file entity.

18. A non-transitory computer readable medium storing computer executable instructions that once executed by a third computerized system causes the third computerized system to selectively assist in a decryption of an encrypted file entity by a fourth computerized system by executing the steps of:
- receiving, by the third computerized system from the fourth computerized system, a double encrypted file entity key and signed access metadata;
  
  wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key by a first computerized system using an encryption key of the third computerized system;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key by the first computerized system using an encryption key of a second computerized system;
  
  wherein the signed access metadata is signed by the first encrypted file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;
  
  determining in response to the signed access metadata whether the fourth computerized system is entitled to decrypt the file entity;
  
  if it is determined that the fourth computerized system is not entitled to decrypt the file entity then preventing from assisting the fourth computerized system to decrypt the encrypted file entity;
  
  if it is determined that the fourth computerized system is entitled to decrypt t the file entity then;
  
  decrypting the double encrypted file entity key to provide the first encrypted file entity key;
  
  sending, by the third computerized system, the first encrypted file entity key to the second computerized system;
  
  receiving, by the third computerized system, a fourth computerized system encrypted file entity key;
  
  wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and
  
  sending, by the third computerized system, to the fourth computerized system the fourth computerized system encrypted file entity key.

19. A computer comprising a memory, an interface and a processor;
- the computer is configured to selectively assist in a decryption of an encrypted file entity by a fourth computerized system;
  
  wherein the interface is arranged to receive from the fourth computerized system, a double encrypted file entity key and signed access metadata;
  
  wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key by a first computerized system using an encryption key of the third computerized system;
  
  wherein the first encrypted file entity key is created by encrypting a file entity key by the first computerized system using an encryption key of a second computerized system;
  
  wherein the signed access metadata is signed by the first encrypted file entity key;
  
  wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;
  
  wherein the processor is arranged to determine in response to the signed access metadata whether the fourth computerized system is entitled to decrypt the file entity;
  
  if it is determined that the fourth computerized system is not entitled to decrypt he file entity then the computer is arranged to prevent from assisting the fourth computerized system to decrypt the encrypted file entity;
  
  if it is determined that the fourth computerized system is entitled to decrypt the file entity then;
  
  the processor is arranged to decrypt the double encrypted file entity key to provide the first encrypted file entity key;
  
  the interface is arranged to send the first encrypted file entity key to the second computerized system and to receive a fourth computerized system encrypted file entity key;
  
  wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and
  
  to send to the fourth computerized system the fourth computerized system encrypted file entity key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
Cidon, Asaf, Cidon, Israel, Gavish, Lior, Gopal, Prabandham Madan, Shetty, Chandrashekhar
Primary Examiner(s)
LE, UYEN T

Application Number

US14/203,683
Publication Number

US 20140258719A1
Time in Patent Office

833 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/182   Distributed file systems

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

Distributed encryption and access control scheme in a cloud environment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed encryption and access control scheme in a cloud environment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links