Secure cloud data sharing

US 9,767,299 B2
Filed: 03/11/2014
Issued: 09/19/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for sharing a digital file, wherein the digital file is stored in a cloud-based storage system, wherein the cloud-based storage system comprises a first user node operable by a sending user wherein the sending user is associated with a first user identifier and a first user private identification key known only to the first user node, wherein the cloud-based storage system also comprises a second user node operable by a receiving user associated with a second user identifier and a second user private identification key known only to the second user node, the method comprising:

encrypting, via a processor of the first user node and using a file key generated by the processor of the first user node, a first file wherein a first digitally encrypted file is created,wherein the file key is not retained by the first user node,storing, via the processor of the first user node, the first digitally encrypted file in a cloud server;

regenerating, via the processor of the first user node, the file key, in response to an instruction to share the first digitally encrypted file with the second user node,wherein the file key is usable to decrypt the first digitally encrypted file,generating, via the processor of the first user node, a share message, the share message including the generated file key and identifying at least the second user node and the first digitally encrypted file stored in the cloud server;

transmitting the share message from the processor of the first user node to a network server comprising a network server computer processor that is a component of the first user node and a network server memory that is a component of the second user node,wherein the network server processor and the network server memory are separate and disposed at different locations;

retrieving, from the network server memory that is a component of the second user node, a second user private identification key identified in the share message, wherein the network server memory contains a database comprising;

the first user identifier and the first user private identification key; and

the second user identifier and the second user private identification key,encrypting, via the network server computer processor the regenerated file key using the second user private identification key in the database contained in the network server memory to generate a share key;

transmitting the share key from the network server to the cloud server to store the share key in the cloud server, wherein the share key is stored in the cloud server with a random dynamically-generated storage name,maintaining, by the network server memory, an index record of share keys and random dynamically-generated storage names associated with the share keys;

notifying, by the network server computer processor, the second user node of at least one of the first digitally encrypted file and the random dynamically-generated storage name stored in the cloud server;

retrieving, via a processor of the second user node, the digitally encrypted file and the share key from the cloud server by accessing the random dynamically-generated storage name;

generating, via the processor of the second user node, the second user private identification key;

decrypting, via the processor of the second user node, the share key using the second user private identification key to reconstruct the file key known only to the first user node; and

decrypting, via the processor of the second user node, the first digitally encrypted file using the reconstructed file key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for sharing an encrypted file stored on a cloud server is disclosed. In certain embodiments, the method includes generating a file key associated with the encrypted file stored in the cloud server; generating a share message, the share message including the generated file key and identifying a recipient user and the encrypted file stored in the cloud server; encrypting the file key using an identification key of the recipient user to generate a share key; storing the share key in the cloud server; notifying the recipient user of the encrypted file and share key stored on the cloud server; retrieving the encrypted file and the share key from the cloud server; decrypting the share key using the identification key of the recipient user to reconstruct the file key; and using the reconstructed file key to decrypt the encrypted file.

136 Citations

12 Claims

1. A computer-implemented method for sharing a digital file, wherein the digital file is stored in a cloud-based storage system, wherein the cloud-based storage system comprises a first user node operable by a sending user wherein the sending user is associated with a first user identifier and a first user private identification key known only to the first user node, wherein the cloud-based storage system also comprises a second user node operable by a receiving user associated with a second user identifier and a second user private identification key known only to the second user node, the method comprising:
- encrypting, via a processor of the first user node and using a file key generated by the processor of the first user node, a first file wherein a first digitally encrypted file is created,wherein the file key is not retained by the first user node,storing, via the processor of the first user node, the first digitally encrypted file in a cloud server;
  
  regenerating, via the processor of the first user node, the file key, in response to an instruction to share the first digitally encrypted file with the second user node,wherein the file key is usable to decrypt the first digitally encrypted file,generating, via the processor of the first user node, a share message, the share message including the generated file key and identifying at least the second user node and the first digitally encrypted file stored in the cloud server;
  
  transmitting the share message from the processor of the first user node to a network server comprising a network server computer processor that is a component of the first user node and a network server memory that is a component of the second user node,wherein the network server processor and the network server memory are separate and disposed at different locations;
  
  retrieving, from the network server memory that is a component of the second user node, a second user private identification key identified in the share message, wherein the network server memory contains a database comprising;
  
  the first user identifier and the first user private identification key; and
  
  the second user identifier and the second user private identification key,encrypting, via the network server computer processor the regenerated file key using the second user private identification key in the database contained in the network server memory to generate a share key;
  
  transmitting the share key from the network server to the cloud server to store the share key in the cloud server, wherein the share key is stored in the cloud server with a random dynamically-generated storage name,maintaining, by the network server memory, an index record of share keys and random dynamically-generated storage names associated with the share keys;
  
  notifying, by the network server computer processor, the second user node of at least one of the first digitally encrypted file and the random dynamically-generated storage name stored in the cloud server;
  
  retrieving, via a processor of the second user node, the digitally encrypted file and the share key from the cloud server by accessing the random dynamically-generated storage name;
  
  generating, via the processor of the second user node, the second user private identification key;
  
  decrypting, via the processor of the second user node, the share key using the second user private identification key to reconstruct the file key known only to the first user node; and
  
  decrypting, via the processor of the second user node, the first digitally encrypted file using the reconstructed file key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the private identification key of the recipient user is a symmetric key.
  - 3. The computer-implemented method of claim 1, wherein the file key is a symmetric key.
  - 4. The computer-implemented method of claim 1, wherein the file key is an asymmetric key.
  - 5. The computer-implemented method of claim 1, wherein generating the share message includes the first user node identifying the second user node to receive a decrypted version of the first digitally encrypted file.
  - 6. The computer-implemented method of claim 1, wherein the second user private identification key used to encrypt the file key is a public key of an asymmetric key pair.
  - 7. The computer-implemented method of claim 1, wherein the second user private identification key used to decrypt the share key is a private key of an asymmetric key pair.

8. One or more non-transitory computer-readable media embodied with computer-executable instructions that, when executed by one or more processors, perform a computer-implemented method for sharing a digital file, wherein the digital file is stored in a cloud-based storage system, wherein the cloud-based storage system comprises a first user node operable by a sending user wherein the sending user is associated with a first user identifier and a first user private identification key known only to the first user node, wherein the cloud-based storage system also comprises a second user node operable by a receiving user associated with a second user identifier and a second user private identification key known only to the second user node, the method comprising:
- encrypting, via a processor of the first user node and using a file key generated by the processor of the first user node, a first file wherein a first digitally encrypted file is created,wherein the file key is not retained by the first user node,storing, via the processor of the first user node, the first digitally encrypted file in a cloud server;
  
  regenerating, via the processor of the first user node, the file key, in response to an instruction to share the first digitally encrypted file with the second user node,wherein the file key is usable to decrypt the first digitally encrypted file,generating, via the processor of the first user node, a share message, the share message including the generated file key and identifying at least the second user node and the first digitally encrypted file stored in the cloud server;
  
  transmitting the share message from the processor of the first user node to a network server comprising a network server computer processor that is a component of the first user node and a network server memory that is a component of the second user node,wherein the network server processor and the network server memory are separate and disposed at different locations;
  
  retrieving, from the network server memory that is a component of the second user node, a second user private identification key identified in the share message, wherein the network server memory contains a database comprising;
  
  the first user identifier and the first user private identification key; and
  
  the second user identifier and the second user private identification key,encrypting, via the network server computer processor, the regenerated file key using the second user private identification key in the database contained in the network server memory to generate a share key;
  
  transmitting the share key from the network server to the cloud server to store the share key in the cloud server, wherein the share key is stored in the cloud server with a random dynamically-generated storage name,maintaining, by the network server memory, an index record of share keys and random dynamically-generated storage names associated with the share keys;
  
  notifying, by the network server computer processor, the second user node of at least one of the first digitally encrypted file and the random dynamically-generated storage name stored in the cloud server;
  
  retrieving, via a processor of the second user node, the digitally encrypted file and the share key from the cloud server by accessing the random dynamically-generated storage name;
  
  generating, via the processor of the second user node, the second user private identification key;
  
  decrypting, via the processor of the second user node, the share key using the second user private identification key to reconstruct the file key known only to the first user node; and
  
  decrypting, via the processor of the second user node, the first digitally encrypted file using the reconstructed file key.
- View Dependent Claims (9, 10, 11)
- - 9. The one or more non-transitory computer-readable media of claim 8, wherein the second node private identification key is a symmetric key.
  - 10. The one or more non-transitory computer-readable media of claim 8, wherein the second user private identification key used to encrypt the file key is a public key of an asymmetric key pair.
  - 11. The one or more non-transitory computer-readable media of claim 8, wherein the file key.

12. A cloud based storage system comprising:
- a first user node operable by a sending user, and comprising a first user node processor,wherein the sending user is associated with a first user identifier and a first user private identification key,wherein the user private identification key is known only to the first user node;
  
  a second user node operable by a receiving user, and comprising a second user node processor,wherein the receiving user is associated with a second user identifier and a second user private identification key,wherein the second user private identification key is known only to the second user node; and
  
  a network server comprising;
  
  a network server computer processor that is a component of the first user node;
  
  a network server non-transitory memory that is a component of the second user node and comprises;
  
  a database comprising;
  
  the first user identifier and the first user private identification key; and
  
  the second user identifier and the second user private identification key;
  
  an index record comprising;
  
  a share key; and
  
  a random dynamically-generated storage name associated with the share key,wherein the network server computer processor and the network server non-transitory memory are separate and disposed at different locations,wherein the first user node, the second user node are configured to access a cloud server having a first encrypted file stored therein by the first user,wherein the first user node processor is configured to generate a file key and encrypt a first file with the file key wherein a first digitally encrypted file is created,wherein the first user node does not retain the file key,wherein the first user node processor stores the first digitally encrypted file in a cloud server,wherein the first user node processor regenerates the file key in response to an instruction to share the first digitally encrypted file with the second user node,wherein the first user node processor generates a share message comprising the regenerated file key and identifying at least the second user node and the first digitally encrypted file stored in the cloud server,wherein the first user node processor transmits the share message to a network server,wherein the network server computer processor that is a component of the first user node is operable to encrypt the regenerated file key using the second user private identification key in the database contained in the network server memory to generate a share key,wherein the network server transmits the share key to the cloud server to store the share key in the cloud server with the random dynamically-generated storage name,wherein the network server computer processor notifies the second user node of at least one of the first digitally encrypted file and the random dynamically-generated storage name stored in the cloud server,wherein the second user node processor accesses the random dynamically-generated storage name and retrieves the digitally encrypted file and the share key from the cloud server,wherein the second user node processor generates the second user private identification key,wherein the second user node processor decrypts the share key using the second user private identification key and reconstructs the file key known only to the first user node, andwherein the second user node processor decrypts the first digitally encrypted file using the reconstructed file key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Baimmt, LLC
Original Assignee
MyMail Technology, LLC
Inventors
Selgas, Thomas Drennan, Heintz, John D.
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US14/203,821
Publication Number

US 20140281520A1
Time in Patent Office

1,288 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6272   by registering files or doc...

G06F 2221/2107   File encryption

G06Q 10/101   Collaborative creation, e.g...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/105   Multiple levels of security

H04L 9/0825   using asymmetric-key encryp...

Secure cloud data sharing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Secure cloud data sharing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links