Encryption-based data access management

US 9,805,210 B2
Filed: 02/26/2015
Issued: 10/31/2017
Est. Priority Date: 12/12/2012
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by a hardware processor, cause a system to:

receive a request to decrypt data stored at a first network location in encrypted format;

request a validation token from a second network location using an identifier and a password;

request a first encryption secret from a third network location, a first portion of the data having been encrypted using the first encryption secret, the first portion of the data comprising directory data and file header information for the data;

request a second encryption secret from a fourth network location, a second portion of the data having been encrypted using the second encryption secret, the second portion of the data comprising file data;

generate a decryption key using the first encryption secret and the second encryption secret; and

decrypt the data using the decryption key.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user'"'"'s authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.

Citations

20 Claims

1. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by a hardware processor, cause a system to:
- receive a request to decrypt data stored at a first network location in encrypted format;
  
  request a validation token from a second network location using an identifier and a password;
  
  request a first encryption secret from a third network location, a first portion of the data having been encrypted using the first encryption secret, the first portion of the data comprising directory data and file header information for the data;
  
  request a second encryption secret from a fourth network location, a second portion of the data having been encrypted using the second encryption secret, the second portion of the data comprising file data;
  
  generate a decryption key using the first encryption secret and the second encryption secret; and
  
  decrypt the data using the decryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The one or more non-transitory computer-readable media of claim 1, wherein the validation token indicates that a device at the second network location completed performance of authenticating the system to a domain and determining one or more domain group memberships of the system.
  - 3. The one or more non-transitory computer-readable media of claim 2, wherein the one or more domain group memberships of the system define one or more file-access privileges for the decrypted data.
  - 4. The one or more non-transitory computer-readable media of claim 1, wherein the first encryption secret and the second encryption secret are both required to generate the decryption key.
  - 5. The one or more non-transitory computer-readable media of claim 1, storing further computer-readable instructions that, when executed by the hardware processor, cause the system to:
    - receive a notification that access to the data is denied based on at least one of the first encryption secret having been deleted from the third network location or the second encryption secret having been deleted from the fourth network location.
  - 6. The one or more non-transitory computer-readable media of claim 1, wherein a request for the first encryption secret from the third network location comprises the validation token from the second network location, and a request for the second encryption secret from the fourth network location comprises the validation token from the second network location.
  - 7. The one or more non-transitory computer-readable media of claim 6, storing further computer-readable instructions that, when executed by the hardware processor, cause the system to:
    - receive the first encryption secret after the third network location confirms the validation token with the first network location.
  - 8. The one or more non-transitory computer-readable media of claim 1, wherein the first network location is at a first physical location controlled by a first entity, and wherein the second network location is at a second physical location controlled by a second entity.
  - 9. The one or more non-transitory computer-readable media of claim 8, wherein the third network location is at a third physical location, and the fourth network location is at a fourth physical location.
  - 10. The one or more non-transitory computer-readable media of claim 1, storing further computer-readable instructions that, when executed by the hardware processor, cause the system to:
    - discard the first encryption secret and the second encryption secret after the decryption key is generated using the first encryption secret and the second encryption secret.
  - 11. The one or more non-transitory computer-readable media of claim 1, storing further computer-readable instructions that, when executed by the hardware processor, cause the system to:
    - receive a kill pill from one of the third network location or the fourth network location; and
      
      delete from the system, in response to receiving the kill pill from the one of the third network location or the fourth network location, one or more of the decryption key or the data.
  - 12. The one or more non-transitory computer-readable media of claim 1, wherein the system comprises random-access memory and long-term storage, wherein the decrypted data is only written to the random-access memory of the system, and wherein the data is written to the long-term storage of the system in encrypted format.
  - 13. The one or more non-transitory computer-readable media of claim 1, wherein the file header information is required to read the file data, andwherein the directory data comprises a file name in encrypted format and a file size, the file size representing a combined size of the directory data, the file header information, the file data, and pad data.
  - 14. The one or more non-transitory computer-readable media of claim 1, storing further computer-readable instructions that, when executed by the hardware processor, cause the system to:
    - store the first encryption secret using a first secure storage method; and
      
      store the second encryption secret using a second secure storage method, the second secure storage method being different from the first secure storage method.
  - 15. The one or more non-transitory computer-readable media of claim 14, wherein the first secure storage method comprises a secure storage method provided by an operating system of the system, and wherein the second secure storage method comprises encrypting the second encryption secret using a password received via an interface of the system.
  - 16. The one or more non-transitory computer-readable media of claim 1, storing further computer-readable instructions that, when executed by the hardware processor, cause the system to:
    - create an identifier;
      
      transmit the identifier to the third network location; and
      
      receive, from the third network location, a secret associated with the identifier.

17. A system comprising:
- one or more hardware processors;
  
  non-transitory memory storing instructions that, when executed by the one or more hardware processors, cause the system to;
  
  receive a request to decrypt data stored at a first network location in encrypted format;
  
  request a validation token from a second network location using an identifier and a password;
  
  request a first encryption secret from a third network location, a first portion of the data having been encrypted using the first encryption secret, the first portion of the data comprising directory data and file header information for the data;
  
  request a second encryption secret from a fourth network location, a second portion of the data having been encrypted using the second encryption secret, the second portion of the data comprising file data;
  
  generate a decryption key using the first encryption secret and the second encryption secret; and
  
  decrypt the data using the decryption key.
- View Dependent Claims (20)
- - 20. The system of claim 17, wherein the file header information is required to read the file data, andwherein the directory data comprises a file name in encrypted format and a file size, the file size representing a combined size of the directory data, the file header information, the file data, and pad data.

18. A method comprising:
- receiving a request to decrypt data, the data stored at a first network location in encrypted format;
  
  requesting a validation token from a second network location using an identifier and a password;
  
  requesting a first encryption secret from a third network location, a first portion of the data having been encrypted using the first encryption secret, the first portion of the data comprising directory data and file header information for the data;
  
  requesting a second encryption secret from a fourth network location, a second portion of the data having been encrypted using the second encryption secret, the second portion of the data comprising file data;
  
  generating a decryption key using the first encryption secret and the second encryption secret; and
  
  decrypting the data using the decryption key.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the file header information is required to read the file data, andwherein the directory data comprises a file name in encrypted format and a file size, the file size representing a combined size of the directory data, the file header information, the file data, and pad data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Nord, Joseph, Tucker, Benjamin Elliot, Gaylor, Timothy
Primary Examiner(s)
Williams, Jeffery

Application Number

US14/632,601
Publication Number

US 20150169892A1
Time in Patent Office

978 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 9/00   Arrangements for program co...

H04L 63/064   Hierarchical key distributi...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04L 9/0861   Generation of secret inform...

H04L 9/0869   involving random numbers or...

H04L 9/12   Transmitting and receiving ...

Encryption-based data access management

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption-based data access management

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links