Secure cloud data sharing
First Claim
1. A computer-implemented method for sharing a digital file, wherein the digital file is stored in a cloud-based storage system, wherein the cloud-based storage system comprises a first user node operable by a sending user wherein the sending user is associated with a first user identifier and a first user private identification key known only to the first user node, wherein the cloud-based storage system also comprises a second user node operable by a receiving user associated with a second user identifier and a second user private identification key known only to the second user node, the method comprising:
- encrypting, via a processor of the first user node and using a file key generated by the processor of the first user node, a first file wherein a first digitally encrypted file is created, wherein the file key is not retained by the first user node;
- storing, via the processor of the first user node, the first digitally encrypted file in a cloud server;
- regenerating, via the processor of the first user node, the file key, in response to an instruction to share the first digitally encrypted file with the second user node, wherein the file key is usable to decrypt the first digitally encrypted file;
- generating, via the processor of the first user node, a share message, the share message including the generated file key and identifying at least the second user node and the first digitally encrypted file stored in the cloud server;
- transmitting the share message from the processor of the first user node to a network server comprising a network server computer processor that is a component of the first user node and a network server memory that is a component of the second user node, wherein the network server processor and the network server memory are separate and disposed at different locations;
- retrieving, from the network server memory that is a component of the second user node, a second user private identification key identified in the share message, wherein the network server memory contains a database comprising:
  - the first user identifier and the first user private identification key; and
  - the second user identifier and the second user private identification key;
- encrypting, via the network server computer processor, the regenerated file key using the second user private identification key in the database contained in the network server memory to generate a share key;
- transmitting the share key from the network server to the cloud server to store the share key in the cloud server, wherein the share key is stored in the cloud server with a random dynamically-generated storage name;
- maintaining, by the network server memory, an index record of share keys and random dynamically-generated storage names associated with the share keys;
- notifying, by the network server computer processor, the second user node of at least one of the first digitally encrypted file and the random dynamically-generated storage name stored in the cloud server;
- retrieving, via a processor of the second user node, the digitally encrypted file and the share key from the cloud server by accessing the random dynamically-generated storage name;
- generating, via the processor of the second user node, the second user private identification key;
- decrypting, via the processor of the second user node, the share key using the second user private identification key to reconstruct the file key known only to the first user node; and
- decrypting, via the processor of the second user node, the first digitally encrypted file using the reconstructed file key.
2 Assignments
0 Petitions
Abstract
A system and method for sharing an encrypted file stored on a cloud server is disclosed. In certain embodiments, the method includes generating a file key associated with the encrypted file stored in the cloud server; generating a share message, the share message including the generated file key and identifying a recipient user and the encrypted file stored in the cloud server; encrypting the file key using an identification key of the recipient user to generate a share key; storing the share key in the cloud server; notifying the recipient user of the encrypted file and share key stored on the cloud server; retrieving the encrypted file and the share key from the cloud server; decrypting the share key using the identification key of the recipient user to reconstruct the file key; and using the reconstructed file key to decrypt the encrypted file.
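The abstract describes a two-layer envelope: a symmetric file key protects the file itself, and a share key (that file key encrypted under the recipient's identification key) is parked in the cloud under a random storage name that the network server indexes. The Python below is added here to illustrate that flow end to end; it is not code from the patent or from any product that implements it. Everything beyond the abstract is an assumption: the claims say the sender "regenerates" the file key without retaining it but do not say how, so here it is derived with HMAC from a sender-held master secret and the file identifier; the cipher is an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC, standing in for a real AEAD such as AES-GCM; the cloud server is a plain dict; and the user names, file name and file contents are constructed.

```python
"""Envelope-style sharing flow from the abstract and claims, stdlib only.
Assumed details, not from the patent: the file key is "regenerated" by deriving
it from a sender-held master secret and the file identifier, and the cipher is
an HMAC-SHA256 stream cipher with encrypt-then-MAC standing in for an AEAD
such as AES-GCM. The cloud server is modelled as a dict of name -> bytes."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    # HMAC in counter mode: block i = HMAC(key, nonce || i)
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, using separate enc/mac subkeys."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; wrong key -> ValueError."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def regenerate_file_key(master_secret: bytes, file_id: str) -> bytes:
    """Sender keeps no file key; it is re-derived on demand (assumed derivation)."""
    return hmac.new(master_secret, b"file-key|" + file_id.encode(), hashlib.sha256).digest()


class NetworkServer:
    """Holds the identification-key database and share-key index, as in the claims."""

    def __init__(self, cloud: dict, id_keys: dict):
        self.cloud = cloud
        self.id_keys = dict(id_keys)   # user identifier -> private identification key
        self.index = {}                # storage name -> (file_id, recipient)
        self.notifications = []        # (recipient, file_id, storage_name)

    def handle_share_message(self, msg: dict) -> str:
        share_key = aead_encrypt(self.id_keys[msg["recipient"]], msg["file_key"])
        storage_name = secrets.token_hex(16)   # random, dynamically generated name
        self.cloud[storage_name] = share_key
        self.index[storage_name] = (msg["file_id"], msg["recipient"])
        self.notifications.append((msg["recipient"], msg["file_id"], storage_name))
        return storage_name


def sender_store(cloud: dict, master_secret: bytes, file_id: str, plaintext: bytes):
    """Encrypt and upload; the file key is a temporary that is not retained afterwards."""
    cloud[file_id] = aead_encrypt(regenerate_file_key(master_secret, file_id), plaintext)


def sender_share(network: NetworkServer, master_secret: bytes, file_id: str, recipient: str):
    """Regenerate the file key and send the share message to the network server."""
    msg = {"recipient": recipient, "file_id": file_id,
           "file_key": regenerate_file_key(master_secret, file_id)}
    return network.handle_share_message(msg)


def recipient_open(cloud: dict, id_key: bytes, file_id: str, storage_name: str) -> bytes:
    """Unwrap the share key with the recipient's identification key, then decrypt the file."""
    file_key = aead_decrypt(id_key, cloud[storage_name])
    return aead_decrypt(file_key, cloud[file_id])


def demo() -> bool:
    """Alice shares with Bob; Carol, holding a different identification key, is rejected."""
    cloud = {}
    alice_master, bob_key, carol_key = (secrets.token_bytes(32) for _ in range(3))
    network = NetworkServer(cloud, {"alice": secrets.token_bytes(32),
                                    "bob": bob_key, "carol": carol_key})
    data = b"constructed sample file contents"   # constructed input
    sender_store(cloud, alice_master, "report.pdf", data)
    name = sender_share(network, alice_master, "report.pdf", "bob")
    if recipient_open(cloud, bob_key, "report.pdf", name) != data:
        return False
    try:
        recipient_open(cloud, carol_key, "report.pdf", name)
    except ValueError:
        return network.index[name] == ("report.pdf", "bob")
    return False
```

Two properties of the claimed design become visible in the model. The network server's database holds every user's private identification key, so in this arrangement it can unwrap any share key it has produced; its confidentiality posture is that of a key escrow, and access to that database deserves the same controls as the keys themselves (the claims reconcile this with "known only to the second user node" by making the network server memory a component of that node). And the random storage name is an index, not an authorization: the tag check in recipient_open only tells a reader with the wrong key that it failed, so the cloud server still has to enforce who may fetch a share key at all.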
136 Citations
12 Claims
1. Independent claim, reproduced in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7
8. One or more non-transitory computer-readable media embodied with computer-executable instructions that, when executed by one or more processors, perform a computer-implemented method for sharing a digital file, wherein the digital file is stored in a cloud-based storage system, wherein the cloud-based storage system comprises a first user node operable by a sending user wherein the sending user is associated with a first user identifier and a first user private identification key known only to the first user node, wherein the cloud-based storage system also comprises a second user node operable by a receiving user associated with a second user identifier and a second user private identification key known only to the second user node, the method comprising:
- encrypting, via a processor of the first user node and using a file key generated by the processor of the first user node, a first file wherein a first digitally encrypted file is created, wherein the file key is not retained by the first user node;
- storing, via the processor of the first user node, the first digitally encrypted file in a cloud server;
- regenerating, via the processor of the first user node, the file key, in response to an instruction to share the first digitally encrypted file with the second user node, wherein the file key is usable to decrypt the first digitally encrypted file;
- generating, via the processor of the first user node, a share message, the share message including the generated file key and identifying at least the second user node and the first digitally encrypted file stored in the cloud server;
- transmitting the share message from the processor of the first user node to a network server comprising a network server computer processor that is a component of the first user node and a network server memory that is a component of the second user node, wherein the network server processor and the network server memory are separate and disposed at different locations;
- retrieving, from the network server memory that is a component of the second user node, a second user private identification key identified in the share message, wherein the network server memory contains a database comprising:
  - the first user identifier and the first user private identification key; and
  - the second user identifier and the second user private identification key;
- encrypting, via the network server computer processor, the regenerated file key using the second user private identification key in the database contained in the network server memory to generate a share key;
- transmitting the share key from the network server to the cloud server to store the share key in the cloud server, wherein the share key is stored in the cloud server with a random dynamically-generated storage name;
- maintaining, by the network server memory, an index record of share keys and random dynamically-generated storage names associated with the share keys;
- notifying, by the network server computer processor, the second user node of at least one of the first digitally encrypted file and the random dynamically-generated storage name stored in the cloud server;
- retrieving, via a processor of the second user node, the digitally encrypted file and the share key from the cloud server by accessing the random dynamically-generated storage name;
- generating, via the processor of the second user node, the second user private identification key;
- decrypting, via the processor of the second user node, the share key using the second user private identification key to reconstruct the file key known only to the first user node; and
- decrypting, via the processor of the second user node, the first digitally encrypted file using the reconstructed file key.

Dependent claims: 9, 10, 11
12. A cloud based storage system comprising:
- a first user node operable by a sending user, and comprising a first user node processor, wherein the sending user is associated with a first user identifier and a first user private identification key, wherein the user private identification key is known only to the first user node;
- a second user node operable by a receiving user, and comprising a second user node processor, wherein the receiving user is associated with a second user identifier and a second user private identification key, wherein the second user private identification key is known only to the second user node; and
- a network server comprising:
  - a network server computer processor that is a component of the first user node;
  - a network server non-transitory memory that is a component of the second user node and comprises:
    - a database comprising:
      - the first user identifier and the first user private identification key; and
      - the second user identifier and the second user private identification key;
    - an index record comprising:
      - a share key; and
      - a random dynamically-generated storage name associated with the share key,

wherein the network server computer processor and the network server non-transitory memory are separate and disposed at different locations, wherein the first user node, the second user node are configured to access a cloud server having a first encrypted file stored therein by the first user, wherein the first user node processor is configured to generate a file key and encrypt a first file with the file key wherein a first digitally encrypted file is created, wherein the first user node does not retain the file key, wherein the first user node processor stores the first digitally encrypted file in a cloud server, wherein the first user node processor regenerates the file key in response to an instruction to share the first digitally encrypted file with the second user node, wherein the first user node processor generates a share message comprising the regenerated file key and identifying at least the second user node and the first digitally encrypted file stored in the cloud server, wherein the first user node processor transmits the share message to a network server, wherein the network server computer processor that is a component of the first user node is operable to encrypt the regenerated file key using the second user private identification key in the database contained in the network server memory to generate a share key, wherein the network server transmits the share key to the cloud server to store the share key in the cloud server with the random dynamically-generated storage name, wherein the network server computer processor notifies the second user node of at least one of the first digitally encrypted file and the random dynamically-generated storage name stored in the cloud server, wherein the second user node processor accesses the random dynamically-generated storage name and retrieves the digitally encrypted file and the share key from the cloud server, wherein the second user node processor generates the second user private identification key, wherein the second user node processor decrypts the share key using the second user private identification key and reconstructs the file key known only to the first user node, and wherein the second user node processor decrypts the first digitally encrypted file using the reconstructed file key.
Specification