Protecting data in insecure cloud storage

US 9,390,281 B2
Filed: 12/30/2013
Issued: 07/12/2016
Est. Priority Date: 12/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system for processing data, comprising:

a first client configured to;

encrypt a first set of data;

upload the encrypted first set of data to a volume on a cloud storage system; and

create a commit record of the upload, wherein the commit record comprises;

a hash-based message authentication code (HMAC) of a path associated with the data;

a previous state of the data;

a current state of the data;

metadata for the data;

a digital signature from the first client; and

a timestamp; and

a synchronization server configured to;

verify access to the volume by the first client;

include the commit record in a change set comprising a set of commit records associated with the volume;

sign the change set; and

provide the change set for use in synchronizing the upload with a second client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that processes data. The system includes a first client that encrypts a first set of data, uploads the encrypted first set of data to a volume on a cloud storage system, and creates a commit record of the upload. The system also includes a synchronization server that verifies access to the volume by the first client and includes the commit record in a change set containing a set of commit records associated with the volume. The synchronization server also signs the change set and provides the change set for use in synchronizing the upload with a second client.

18 Citations

View as Search Results

23 Claims

1. A system for processing data, comprising:
- a first client configured to;
  
  encrypt a first set of data;
  
  upload the encrypted first set of data to a volume on a cloud storage system; and
  
  create a commit record of the upload, wherein the commit record comprises;
  
  a hash-based message authentication code (HMAC) of a path associated with the data;
  
  a previous state of the data;
  
  a current state of the data;
  
  metadata for the data;
  
  a digital signature from the first client; and
  
  a timestamp; and
  
  a synchronization server configured to;
  
  verify access to the volume by the first client;
  
  include the commit record in a change set comprising a set of commit records associated with the volume;
  
  sign the change set; and
  
  provide the change set for use in synchronizing the upload with a second client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprising:
    - the second client configured to;
      
      obtain the signed change set from the synchronization server;
      
      verify a set of signatures in the change set;
      
      use the commit record from the change set to update a local data state; and
      
      use the commit record to add a download of the first set of data to a download queue.
  - 3. The system of claim 2, wherein the second client is further configured to:
    - obtain the download from the download queue;
      
      use a path from the download to download the encrypted first set of data from the volume;
      
      decrypt and verify the first set of data; and
      
      write the first set of data to a file on a local filesystem.
  - 4. The system of claim 3, wherein the second client is further configured to:
    - upon detecting an existing version of the file on the local filesystem;
      
      open the existing version with exclusive write access;
      
      obtain one or more file attributes for the existing version;
      
      if the one or more file attributes have not changed, replace the existing version with the first set of data; and
      
      if the one or more file attributes have changed, place the download back in the download queue.
  - 5. The system of claim 2, further comprising:
    - a management server configured to;
      
      provide a set of digital certificates for validating a set of keys used by the first client and the synchronization server; and
      
      provide an access control policy associated with access to the volume by the first and second clients.
  - 6. The system of claim 5, wherein the set of keys comprises:
    - a first key used by the first client to encrypt the data; and
      
      a second key used by the synchronization server to sign the change set.
  - 7. The system of claim 1,wherein the synchronization server is further configured to notify the first client of a conflict between the uploaded first set of data and a second set of data in the volume, andwherein the first client is further configured to resolve the conflict.
  - 8. The system of claim 7, wherein resolving the conflict involves:
    - downloading the second set of data from the cloud storage system to a local filesystem; and
      
      renaming the first set of data in the local filesystem.
  - 9. The system of claim 1, wherein the change set comprises:
    - a set of signed commit records;
      
      an identifier for the volume;
      
      a change set identifier;
      
      a digital signature from the synchronization server; and
      
      a timestamp.

10. A computer-implemented method for processing data, comprising:
- encrypting a first set of data on a first client;
  
  uploading the encrypted first set of data from the first client to a volume on a cloud storage system;
  
  creating a commit record of the upload, wherein the commit record comprises;
  
  a hash-based message authentication code (HMAC) of a path associated with the data;
  
  a previous state of the data;
  
  a current state of the data;
  
  metadata for the data;
  
  a digital signature from the first client; and
  
  a timestamp; and
  
  providing the commit record to a synchronization server, wherein the commit record is used by the synchronization server to synchronize the upload with a second client associated with the volume.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-implemented method of claim 10, further comprising:
    - receiving, at the first client, a notification of a conflict between the uploaded first set of data and a second set of data on the cloud storage system from the synchronization server; and
      
      using the first client to resolve the conflict.
  - 12. The computer-implemented method of claim 11, wherein using the first client to resolve the conflict involves:
    - downloading the second set of data from the cloud storage system to the first client; and
      
      renaming the first set of data on the first client.
  - 13. The computer-implemented method of claim 10, further comprising:
    - obtaining, at the first client, a change set from the synchronization server, wherein the change set comprises one or more commit records from one or more other clients associated with the volume;
      
      verifying a set of signatures in the change set;
      
      using the one or more commit records to update a local data state on the first client; and
      
      using the one or more commit records to add a download of a second set of data to a download queue on the first client.
  - 14. The computer-implemented method of claim 13, further comprising:
    - obtaining the download from the download queue;
      
      using a path from the download to download the second set of data from the volume to the first client;
      
      decrypting and verifying the second set of data at the first client; and
      
      writing the second set of data to a file in a local filesystem of the first client.
  - 15. The computer-implemented method of claim 14, further comprising:
    - upon detecting an existing version of the file on the local filesystem;
      
      opening the existing version with exclusive write access;
      
      obtaining one or more file attributes for the existing version;
      
      if the one or more file attributes have not changed, replacing the existing version with the second set of data; and
      
      if the one or more file attributes have changed, placing the download back in the download queue.

16. A computer-implemented method for synchronizing data, comprising:
- obtaining, from a first client, a commit record of data uploaded to a volume on a cloud storage system, wherein the commit record comprises;
  
  a hash-based message authentication code (HMAC) of a path associated with the data,a previous state of the data;
  
  a current state of the data;
  
  metadata for the data;
  
  a digital signature from the first client; and
  
  a timestamp;
  
  using the digital signature in the commit record to verify access to the volume by the first client;
  
  including the commit record in a change set;
  
  signing the change set; and
  
  providing the change set for use in synchronizing the upload with a second client associated with the volume.
- View Dependent Claims (17, 18)
- - 17. The computer-implemented method of claim 16, further comprising:
    - notifying the first client of a conflict between the uploaded data and existing data in the volume.
  - 18. The computer-implemented method of claim 16, wherein the change set comprises:
    - a set of signed commit records;
      
      an identifier for the volume;
      
      a change set identifier;
      
      a digital signature from the synchronization server; and
      
      a timestamp.

19. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for processing data, the method comprising:
- encrypting a first set of data on a first client;
  
  uploading the encrypted first set of data from the first client to a volume on a cloud storage system;
  
  creating a commit record of the upload, wherein the commit record comprises;
  
  a hash-based message authentication code (HMAC) of a path associated with the data,a previous state of the data;
  
  a current state of the data;
  
  metadata for the data;
  
  a digital signature from the first client; and
  
  a timestamp; and
  
  providing the commit record to a synchronization server, wherein the commit record is used by the synchronization server to synchronize the upload with a second client associated with the volume.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The non-transitory computer-readable storage medium of claim 19, the method further comprising:
    - receiving, at the first client, a notification of a conflict between the uploaded first set of data and a second set of data on the cloud storage system from the synchronization server; and
      
      using the first client to resolve the conflict.
  - 21. The non-transitory computer-readable storage medium of claim 19, the method further comprising:
    - obtaining, at the first client, a change set comprising one or more commit records from one or more other clients associated with the volume;
      
      verifying a set of signatures in the change set;
      
      using the one or more commit records to update a local data state on the first client; and
      
      using the one or more commit records to add a download of a second set of data to a download queue on the first client.
  - 22. The non-transitory computer-readable storage medium of claim 19, the method further comprising:
    - obtaining the download from the download queue;
      
      using a path from the download to download the second set of data from the volume to the first client;
      
      decrypting and verifying the second set of data at the first client; and
      
      writing the second set of data to a file in a local filesystem of the first client.
  - 23. The non-transitory computer-readable storage medium of claim 19, the method further comprising:
    - upon detecting an existing version of the file on the local filesystem;
      
      opening the existing version with exclusive write access;
      
      obtaining one or more file attributes for the existing version;
      
      if the one or more file attributes have not changed, replacing the existing version with the second set of data; and
      
      if the one or more file attributes have changed, placing the download back in the download queue.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Open Invention Network LLC
Original Assignee
Open Invention Network LLC
Inventors
Whaley, John, Purtell, Thomas Joseph II, Thomas, Geoffrey G.
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US14/143,328
Publication Number

US 20150186668A1
Time in Patent Office

925 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/134   Distributed indices

G06F 16/16   File or folder operations, ...

G06F 16/178   Techniques for file synchro...

G06F 16/2329   using versioning

G06F 16/2379   Updates performed during on...

G06F 21/6218   to a system of files or obj...

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/20   for managing network securi...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Protecting data in insecure cloud storage

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting data in insecure cloud storage

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links