System, processing device, computer program and method, to transparently encrypt and store data objects such that owners of the data object and permitted viewers are able to view decrypted data objects after entering user selected passwords

US 9,419,797 B2
Filed: 11/14/2014
Issued: 08/16/2016
Est. Priority Date: 12/19/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a data object from a first user;

receiving a private key of the first user;

retrieving a public key of a user specifically permitted to view the data object;

encrypting the data object using an object key;

wrapping the object key with a paired key generated using the private key of the first user and the public key of the user specifically permitted to view the data object;

storing the encrypted data object with the wrapped object key;

receiving a request to access the encrypted data object from a second user;

obtaining a private key of the second user;

unwrapping the object key using a duplicate key computed from the private key of the second user and a public key of the first user;

decrypting the encrypted data object using the object key; and

providing the decrypted data object to the second user;

wherein the private key of the first user contains the dataset (a, g, p), wherein a is a randomly generated number, g is the generator, and p is a safe prime.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic system makes everyday data objects, such as a document or conversation, unreadable to anyone other than the owner or those currently having permission to access the data objects. The cryptographic system is transparent by requiring no additional effort on the part of any user in the encryption/decryption process other than entering a user identifier and password. Each document is encrypted with a unique encryption key. Changes to data object access permissions are immediately honored and enforced by enabling or disabling access to certain decryption keys. Decryption of data objects requires information known only to the owner of the data object or those permitted to access the data object. This decryption information is not stored anywhere in the system.

20 Citations

View as Search Results

22 Claims

1. A method comprising:
- receiving a data object from a first user;
  
  receiving a private key of the first user;
  
  retrieving a public key of a user specifically permitted to view the data object;
  
  encrypting the data object using an object key;
  
  wrapping the object key with a paired key generated using the private key of the first user and the public key of the user specifically permitted to view the data object;
  
  storing the encrypted data object with the wrapped object key;
  
  receiving a request to access the encrypted data object from a second user;
  
  obtaining a private key of the second user;
  
  unwrapping the object key using a duplicate key computed from the private key of the second user and a public key of the first user;
  
  decrypting the encrypted data object using the object key; and
  
  providing the decrypted data object to the second user;
  
  wherein the private key of the first user contains the dataset (a, g, p), wherein a is a randomly generated number, g is the generator, and p is a safe prime.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first and second users are not notified of the encrypting and decrypting, and wherein only the first user and one or more permitted users, including the second user, are able decrypt the encrypted data object.
  - 3. The method of claim 1, wherein the first and second users do not select any keys in a set of encryption and decryption keys used in the encrypting and decrypting.
  - 4. The method of claim 1, further comprising receiving identification information about the first user and a password from the first user.
  - 5. The method of claim 4, wherein the information and the password are received by way of a log in page, and the method further comprises:
    - receiving information indicating user identification from the second user; and
      
      receiving a password associated with the information indicating user identification from the second user,providing other decrypted data objects provided by the first user to the second user when permitted by the first user after receiving the information indicating user identification from the second user and the associated password.
  - 6. The method of claim 4, wherein the decrypting of the data object does not occur without providing the password associated with the information from the first user to the decrypting or permitting the second user access by the first user.
  - 7. The method of claim 6, wherein the permitting includes enabling access to the key information from the first user to the second user.

8. A system to decrypt a data object, the system comprising:
- at least one storage device to store one or more keys;
  
  at least one processor, coupled to the storage device;
  
  the at least one storage device to store executable machine readable instructions for controlling the processor; and
  
  the at least one processor is operative with the executable machine readable instructions to;
  
  receive a data object from a first user;
  
  receive a private key of the first user;
  
  retrieve a public key of a user specifically permitted to view the data object;
  
  encrypt the data object using an object key;
  
  wrap the object key with a paired key generated using the private key of the first user and the public key of the user specifically permitted to view the data object;
  
  store the encrypted data object with the wrapped object key;
  
  receive a request to access the encrypted data object from a second user;
  
  obtain a private key of the second user;
  
  unwrap the object key using a duplicate key computed from the private key of the second user and a public key of the first user a key providing a decryption key to decrypt the encrypted data object using key information from the first user and key information from the second user;
  
  decrypt the encrypted data object using the object key; and
  
  provide the decrypted data object to the second user wherein the private key of the first user contains the dataset (a, g, p), wherein a is a randomly generated number, g is the generator, and p is a safe prime.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, further comprising obtaining an identification and password from the first user and storing the information and password.
  - 10. The system of claim 8, wherein the public key of the first user includes the dataset (A, g, p), where A=g^a(mod p).
  - 11. The system of claim 8, wherein encrypting the data object includes using Advanced Encryption Standard encryption function in counter mode (CTR) with a 64 bit nonce of a data object id of the data object, a 64 bit counter and a randomly generated 256-bit cypher key as the data object key.
  - 12. The system of claim 8, wherein the duplicable key is created using a Diffie-Hellman Key Agreement method (RFC 263) for the private key of the second user and the public key of the second user to obtain a result, wherein a cryptographic hash function is used with the result to obtain the duplicate key.

13. A non-transitory computer-readable storage medium comprising instructions that, when executed by at least one processor of a machine, cause the machine to perform operations comprising:
- receiving a data object from a first user;
  
  receiving a private key of the first user;
  
  retrieving a public key of a user specifically permitted to view the data object;
  
  encrypting the data object using an object key;
  
  wrapping the object key with a paired key generated using the private key of the first user and the public key of the user specifically permitted to view the data object;
  
  storing the encrypted data object with the wrapped object key;
  
  receiving a request to access the encrypted data object from a second user;
  
  obtaining a private key of the second user;
  
  unwrapping the object key using a duplicate key computed from the private key of the second user and a public key of the first user a key providing a decryption key to decrypt the encrypted data object using key information from the first user and key information from the second user;
  
  decrypting the encrypted data object using the object key; and
  
  providing the decrypted data object to the second user wherein the private key of the first user contains the dataset (a, g, p), wherein a is a randomly generated number, g is the generator, and p is a safe prime.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the first and second users are not notified of the encrypting and decrypting, and wherein only the first user and one or more permitted users, including the second user, are able decrypt the encrypted data object.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the first and second users do not select any keys in a set of encryption and decryption keys used in the encrypting and decrypting.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the operations further comprise receiving identification information about the first user and a password from the first user.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the information and the password are received by way of a log in page, and the operations further comprise:
    - receiving information indicating user identification from the second user; and
      
      receiving a password associated with the information indicating user identification from the second user,providing other decrypted data objects provided by the first user to the second user when permitted by the first user after receiving the information indicating user identification from the second user and the associated password.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein the decrypting of the data object does not occur without providing the password associated with the information from the first user to the decrypting or permitting the second user access by the first user.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the permitting includes enabling access to the key information from the first user to the second user.

20. A method comprising:
- receiving a data object from a first user;
  
  receiving a private key of the first user;
  
  retrieving a public key of a user specifically permitted to view the data object;
  
  encrypting the data object using an object key;
  
  wrapping the object key with a paired key generated using the private key of the first user and the public key of the user specifically permitted to view the data object;
  
  storing the encrypted data object with the wrapped object key;
  
  receiving a request to access the encrypted data object from a second user;
  
  obtaining a private key of the second user;
  
  unwrapping the object key using a duplicate key computed from the private key of the second user and a public key of the first user;
  
  decrypting the encrypted data object using the object key; and
  
  providing the decrypted data object to the second user;
  
  wherein the public key of the first user includes the dataset (A, g, p), where A=g^a(mod p).

21. A system to decrypt a data object, the system comprising:
- at least one storage device to store one or more keys;
  
  at least one processor, coupled to the storage device;
  
  the at least one storage device to store executable machine readable instructions for controlling the processor; and
  
  the at least one processor is operative with the executable machine readable instructions to;
  
  receive a data object from a first user;
  
  receive a private key of the first user;
  
  retrieve a public key of a user specifically permitted to view the data object;
  
  encrypt the data object using an object key;
  
  wrap the object key with a paired key generated using the private key of the first user and the public key of the user specifically permitted to view the data object;
  
  store the encrypted data object with the wrapped object key;
  
  receive a request to access the encrypted data object from a second user;
  
  obtain a private key of the second user;
  
  unwrap the object key using a duplicate key computed from the private key of the second user and a public key of the first user a key providing a decryption key to decrypt the encrypted data object using key information from the first user and key information from the second user;
  
  decrypt the encrypted data object using the object key; and
  
  provide the decrypted data object to the second user;
  
  wherein the public key of the first user includes the dataset (A, g, p), where A=g^a(mod p).

22. A non-transitory computer-readable storage medium comprising instructions that, when executed by at least one processor of a machine, cause the machine to perform operations comprising:
- receiving a data object from a first user;
  
  receiving a private key of the first user;
  
  retrieving a public key of a user specifically permitted to view the data object;
  
  encrypting the data object using an object key;
  
  wrapping the object key with a paired key generated using the private key of the first user and the public key of the user specifically permitted to view the data object;
  
  storing the encrypted data object with the wrapped object key;
  
  receiving a request to access the encrypted data object from a second user;
  
  obtaining a private key of the second user;
  
  unwrapping the object key using a duplicate key computed from the private key of the second user and a public key of the first user a key providing a decryption key to decrypt the encrypted data object using key information from the first user and key information from the second user;
  
  decrypting the encrypted data object using the object key; and
  
  providing the decrypted data object to the second user;
  
  wherein the public key of the first user includes the dataset (A, g, p), where A=g^a(mod p).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verifyle, Inc.
Original Assignee
Verifyle, Inc.
Inventors
Scarisbrick, Aaron M., Martin, Roy E., Root, Thomas M., Pierce, Stephen J.
Primary Examiner(s)
HO, DAO Q

Application Number

US14/541,338
Publication Number

US 20150074410A1
Time in Patent Office

641 Days
Field of Search

380/28, 380/277
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

System, processing device, computer program and method, to transparently encrypt and store data objects such that owners of the data object and permitted viewers are able to view decrypted data objects after entering user selected passwords

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System, processing device, computer program and method, to transparently encrypt and store data objects such that owners of the data object and permitted viewers are able to view decrypted data objects after entering user selected passwords

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links