Distributed encryption and access control scheme in a cloud environment
First Claim
1. A method for selectively assisting a fourth computerized system in a decryption of an encrypted file entity, the method comprises:
- receiving, by a third computerized system from the fourth computerized system, a first encrypted file entity key and signed access metadata;
wherein the first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system;
wherein the signed access metadata is signed by the file entity key;
wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;
sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system;
receiving a response from the second computerized system;
determining, based on the response from the second computerized system, whether to facilitate the decryption of the encrypted file entity by the fourth computerized system;
wherein if determining to facilitate the decryption of the encrypted file entity by the fourth computerized system then sending, by the third computerized system, a fourth computerized system encrypted file entity key to the fourth computerized system;
wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and
wherein if determining not to facilitate the decryption of the encrypted file entity by the fourth computerized system then preventing from assisting the fourth computerized system to decrypt the encrypted file entity.
11 Assignments
0 Petitions
Accused Products
Abstract
System, computer readable medium and method for decryption. The method may include receiving, by a third computerized system and from a fourth computerized system, a first encrypted file entity key and signed access metadata. The first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system. The signed access metadata is signed by the file entity key. The encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key. Sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system. Receiving a response from the second computerized system. Determining, based on the response from the second computerized system, whether to facilitate a decryption of the encrypted file entity by the fourth computerized entity.
11 Citations
19 Claims
-
1. A method for selectively assisting a fourth computerized system in a decryption of an encrypted file entity, the method comprises:
-
receiving, by a third computerized system from the fourth computerized system, a first encrypted file entity key and signed access metadata; wherein the first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system; wherein the signed access metadata is signed by the file entity key; wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key; sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system; receiving a response from the second computerized system; determining, based on the response from the second computerized system, whether to facilitate the decryption of the encrypted file entity by the fourth computerized system; wherein if determining to facilitate the decryption of the encrypted file entity by the fourth computerized system then sending, by the third computerized system, a fourth computerized system encrypted file entity key to the fourth computerized system;
wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; andwherein if determining not to facilitate the decryption of the encrypted file entity by the fourth computerized system then preventing from assisting the fourth computerized system to decrypt the encrypted file entity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method for selectively assisting a fourth computerized system in a decryption of an encrypted file entity, the method comprises:
-
receiving, by a third computerized system from the fourth computerized system, a double encrypted file entity key and signed access metadata; wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key by a first computerized system using an encryption key of the third computerized system; wherein the first encrypted file entity key is created by encrypting a file entity key by the first computerized system using an encryption key of a second computerized system; wherein the signed access metadata is signed by the first encrypted file entity key; wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key; determining, by the third computerized system and in response to the signed access metadata whether the fourth computerized system is entitled to decrypt the file entity; if it is determined that the fourth computerized system is not entitled to decrypt the file entity then preventing from assisting the fourth computerized system to decrypt the encrypted file entity; if it is determined that the fourth computerized system is entitled to decrypt the file entity then; decrypting, by the third computerized system, the double encrypted file entity key to provide the first encrypted file entity key; sending, by the third computerized system, the first encrypted file entity key to the second computerized system; receiving, by the third computerized system, a fourth computerized system encrypted file entity key;
wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; andsending, by the third computerized system, to the fourth computerized system the fourth computerized system encrypted file entity key. - View Dependent Claims (12, 13, 14, 15, 16)
-
-
17. A non-transitory computer readable medium storing computer executable instructions that once executed by a third computerized system causes the third computerized system to selectively assist in a decryption of an encrypted file entity by a fourth computerized system by executing the stages of:
-
receiving, by a third computerized system from the fourth computerized system, a first encrypted file entity key and signed access metadata; wherein the first encrypted file entity key is created by encrypting a file entity key by a first computerized system using an encryption key of a second computerized system; wherein the signed access metadata is signed by the file entity key; wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key; sending, by the third computerized system, the signed access metadata and the first encrypted file entity key to the second computerized system; receiving, by the third computerized system, a response from the second computerized system; determining , by the third computerized system, based on the response from the second computerized system, whether to facilitate a decryption of the encrypted file entity by the fourth computerized entity; wherein if determining to facilitate the decryption of the encrypted file entity by the fourth computerized system then sending, by the third computerized system, a fourth computerized system encrypted file entity key to the fourth computerized system; wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and wherein if determining not to facilitate the decryption of the encrypted file entity by the fourth computerized system then preventing from assisting the fourth computerized system to decrypt the encrypted file entity.
-
-
18. A non-transitory computer readable medium storing computer executable instructions that once executed by a third computerized system causes the third computerized system to selectively assist in a decryption of an encrypted file entity by a fourth computerized system by executing the steps of:
-
receiving, by the third computerized system from the fourth computerized system, a double encrypted file entity key and signed access metadata;
wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key by a first computerized system using an encryption key of the third computerized system;
wherein the first encrypted file entity key is created by encrypting a file entity key by the first computerized system using an encryption key of a second computerized system;
wherein the signed access metadata is signed by the first encrypted file entity key;
wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;determining in response to the signed access metadata whether the fourth computerized system is entitled to decrypt the file entity; if it is determined that the fourth computerized system is not entitled to decrypt the file entity then preventing from assisting the fourth computerized system to decrypt the encrypted file entity; if it is determined that the fourth computerized system is entitled to decrypt t the file entity then; decrypting the double encrypted file entity key to provide the first encrypted file entity key; sending, by the third computerized system, the first encrypted file entity key to the second computerized system; receiving, by the third computerized system, a fourth computerized system encrypted file entity key;
wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; andsending, by the third computerized system, to the fourth computerized system the fourth computerized system encrypted file entity key.
-
-
19. A computer comprising a memory, an interface and a processor;
- the computer is configured to selectively assist in a decryption of an encrypted file entity by a fourth computerized system;
wherein the interface is arranged to receive from the fourth computerized system, a double encrypted file entity key and signed access metadata;
wherein the double encrypted file entity key is created by encrypting a first encrypted file entity key by a first computerized system using an encryption key of the third computerized system;
wherein the first encrypted file entity key is created by encrypting a file entity key by the first computerized system using an encryption key of a second computerized system;
wherein the signed access metadata is signed by the first encrypted file entity key;
wherein the encrypted file entity is created by encrypting a file entity by the first computerized system using the file entity key;wherein the processor is arranged to determine in response to the signed access metadata whether the fourth computerized system is entitled to decrypt the file entity; if it is determined that the fourth computerized system is not entitled to decrypt he file entity then the computer is arranged to prevent from assisting the fourth computerized system to decrypt the encrypted file entity; if it is determined that the fourth computerized system is entitled to decrypt the file entity then; the processor is arranged to decrypt the double encrypted file entity key to provide the first encrypted file entity key; the interface is arranged to send the first encrypted file entity key to the second computerized system and to receive a fourth computerized system encrypted file entity key;
wherein the fourth computerized system encrypted file entity key is created by the second computerized system by (a) decrypting the first encrypted file entity key to provide the file entity key, and (b) encrypting the file entity key with an encryption key of the fourth computerized system; and
to send to the fourth computerized system the fourth computerized system encrypted file entity key.
- the computer is configured to selectively assist in a decryption of an encrypted file entity by a fourth computerized system;
Specification