System and method for secure release of secret information over a network
First Claim
1. A method for a computer system to securely manage secret information over a network, the system having a server being communicatively coupled to one or more trustees, the method being performed by the server and comprising:
receiving a secret payload from a depositing client, wherein the secret payload is encrypted by a client public key and can only be decrypted with a client private key, which is not possessed by either the server or the trustees;
receiving, from the depositing client, companion information associated with and specific to the secret payload, wherein the companion information is encrypted by a server public key and can only be decrypted with a server private key, which is possessed by the server, and wherein the companion information includes rules for accessing the secret payload, the rules identifying a list of trustees from the one or more trustees and a trustee policy that specifies a manner necessary for the list of trustees to approve access requests to the secret payload;
storing the secret payload along with the companion information;
receiving, from a requesting client, an access request to access the secret payload, the access request being encrypted by the server public key and including a seed, wherein the seed is randomly generated by the server and assigned to the requesting client in a preceding transaction;
decrypting the access request using the server private key;
verifying a validity of the access request based on the seed;
after the access request is verified, sending an authorization request regarding the access request to each trustee in the list of trustees, wherein each authorization request sent to each trustee from the list of trustees is encrypted with a trustee public key that corresponds to a respective trustee;
receiving responses to the authorization requests from the list of trustees;
applying the trustee policy to the received responses to determine whether to disseminate the secret payload; and
selectively disseminating the secret payload to the requesting client based on a result of applying the trustee policy and causing the requesting client to limit storage of the disseminated secret payload to a volatile memory.
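As an added illustration (not code from the patent), the server-side flow of claim 1 modelled in Python: the secret payload stays opaque to the server because it is encrypted under the client public key, the seed is random, single-use and bound to the requesting client, and authorization requests go only to the trustees named in the companion information. The claim leaves the form of the trustee policy open, so a k-of-n approval threshold is assumed here; the public-key encryption of the messages themselves is omitted.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Deposit:
    payload: bytes       # opaque: encrypted under the client public key, never decrypted here
    trustees: List[str]  # companion information: the list of trustees for this payload
    threshold: int       # assumed policy form: at least `threshold` trustees must approve


class SecretServer:
    def __init__(self) -> None:
        self.deposits: Dict[str, Deposit] = {}
        self.seeds: Dict[str, str] = {}  # requesting client id -> outstanding seed

    def deposit(self, deposit_id: str, payload: bytes, trustees: List[str], threshold: int) -> None:
        if not 1 <= threshold <= len(trustees):
            raise ValueError("threshold must be between 1 and the number of trustees")
        self.deposits[deposit_id] = Deposit(payload, list(trustees), threshold)

    def issue_seed(self, client_id: str) -> str:
        # Preceding transaction: a fresh random seed assigned to this requesting client.
        seed = secrets.token_hex(16)
        self.seeds[client_id] = seed
        return seed

    def verify_seed(self, client_id: str, seed: str) -> bool:
        # Single use: the seed is consumed whether or not it matches, so a replay is rejected.
        expected = self.seeds.pop(client_id, None)
        return expected is not None and secrets.compare_digest(expected, seed)

    def request_access(self, client_id: str, seed: str, deposit_id: str,
                       ask_trustee: Callable[[str, str], bool]) -> Optional[bytes]:
        # Returns the (still encrypted) payload on approval, None on denial.
        if not self.verify_seed(client_id, seed):
            return None
        deposit = self.deposits.get(deposit_id)
        if deposit is None:
            return None
        # Only the listed trustees are asked; responses from anyone else cannot count.
        approvals = sum(1 for t in deposit.trustees if ask_trustee(t, deposit_id) is True)
        if approvals < deposit.threshold:
            return None
        return deposit.payload
```

`ask_trustee(trustee, deposit_id)` stands in for the encrypted authorization request and its response; a real deployment would also have to enforce the volatile-memory restriction on the requesting client.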
Abstract
Embodiments of the present disclosure include systems and methods for secure release of secret information over a network. The server can be configured to receive a request from a client to access the deposit of secret information, send an authorization request to at least one designated trustee in the set of designated trustees for the deposit of secret information, receive responses over the network from one or more of the designated trustees in the set of designated trustees and apply a trustee policy to the responses from the one or more designated trustees in the set of trustees to determine if the request is authorized. If the request is authorized, the server can send the secret information to the client. If the request is not authorized, the server denies access by the client to the secret information.
16 Claims
Dependent claims of claim 1: 2, 3, 4, 5, 6, 7, 8
9. A computer system to securely manage secret information over a network, the system comprising:
a server communicatively coupled to one or more trustees, wherein the server comprises one or more processors and memory and is configured to:
receive a secret payload from a depositing client, wherein the secret payload is encrypted by a client public key and can only be decrypted with a client private key, which is not possessed by either the server or the trustees;
receive, from the depositing client, companion information associated with and specific to the secret payload, wherein the companion information is encrypted by a server public key and can only be decrypted with a server private key, which is possessed by the server, and wherein the companion information includes rules for accessing the secret payload, the rules identifying a list of trustees from the one or more trustees and a trustee policy that specifies a manner necessary for the list of trustees to approve access requests to the secret payload;
store the secret payload along with the companion information;
receive, from a requesting client, an access request to access the secret payload, the access request being encrypted by the server public key and including a seed, wherein the seed is randomly generated by the server and assigned to the requesting client in a preceding transaction;
decrypt the access request using the server private key;
verify a validity of the access request based on the seed;
after the access request is verified, send an authorization request regarding the access request to each trustee in the list of trustees, wherein each authorization request sent to each trustee from the list of trustees is encrypted with a trustee public key that corresponds to a respective trustee;
receive responses to the authorization requests from the list of trustees;
apply the trustee policy to the received responses to determine whether to disseminate the secret payload; and
selectively disseminate the secret payload to the requesting client based on a result of applying the trustee policy and cause the requesting client to limit storage of the disseminated secret payload to a volatile memory.
Dependent claims of claim 9: 10, 11, 12, 13, 14, 15, 16