Cloud key escrow system
First Claim
1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising:
receiving at a data storage system encrypted data from a user, wherein the encrypted data was encrypted prior to having been received and the encryption having been completed prior to being received by the data storage system, wherein the received encrypted data is an encrypted key which is stored as a plurality of shares, the shares being mathematical transformations of the user's private key, and wherein each share is provided to one of the verified third parties;
storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties; and
the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data.
Abstract
Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.
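Claim 1 and the abstract describe the same mechanism: an encrypted key held as a set of shares derived from the user's key, a storage system that never learns the key but releases the deposit once a threshold of verified third parties asks for it, and a verifiable secret sharing scheme that lets the shares be checked without decrypting anything. The following is an added example written for this page, not code from the patent or its assignee. It implements that flow with Shamir secret sharing plus Feldman commitments over a safe-prime group: each trustee can verify its own share against the public commitments, the storage system holds only the ciphertext and the commitments (never a share), and release is gated on t distinct trustees. The EscrowStore class, the trustee ids, the user id "alice", the placeholder ciphertext and the 64-bit toy group size are all assumptions of the example, as is using an integer secret to stand in for the key material the claim calls "mathematical transformations of the user's private key".

```python
"""Constructed example of the claimed flow, not the patent's code: a user splits a
key-encryption secret with Feldman verifiable secret sharing, gives one share to
each trustee, and deposits only the encrypted key plus public commitments."""
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (trial division first for speed)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % sp == 0 for sp in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):
    """(p, q, g): p = 2q + 1 with both prime, g generating the order-q subgroup.
    Toy size so it runs in a moment; a deployment would use a 2048-bit+ group."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue, hence of order q

def split_secret(secret, t, n, p, q, g):
    """Shamir shares f(1..n) over GF(q) plus Feldman commitments g^a_i mod p."""
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    commitments = [pow(g, a, p) for a in coeffs]
    shares = []
    for j in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):  # Horner evaluation of f(j) mod q
            y = (y * j + a) % q
        shares.append((j, y))
    return shares, commitments

def verify_share(share, commitments, p, q, g):
    """Feldman check g^y == prod C_i^(j^i) mod p; needs only public data."""
    j, y = share
    expected = 1
    for i, c in enumerate(commitments):
        expected = expected * pow(c, pow(j, i, q), p) % p
    return pow(g, y, p) == expected

def reconstruct(shares, q):
    """Lagrange interpolation of f(0) over GF(q) from any t distinct shares."""
    secret = 0
    for j, y in shares:
        lagrange = 1
        for k, _ in shares:
            if k != j:
                lagrange = lagrange * (-k) * pow(j - k, -1, q) % q
        secret = (secret + y * lagrange) % q
    return secret

class EscrowStore:
    """Storage system: keeps ciphertext and commitments, never a share or the secret."""
    def __init__(self, threshold, trustee_ids):
        self.t, self.trustee_ids = threshold, set(trustee_ids)  # ids stand in for trustee auth
        self.deposits, self.requests = {}, {}  # user -> (ciphertext, commitments); user -> askers

    def deposit(self, user_id, ciphertext, commitments):
        self.deposits[user_id], self.requests[user_id] = (ciphertext, commitments), set()
        return True  # synchronous acknowledgement that the deposit is stored

    def request_release(self, user_id, trustee_id):
        """Policy: hand out the ciphertext once t distinct verified trustees have asked."""
        if trustee_id in self.trustee_ids:
            self.requests[user_id].add(trustee_id)  # repeats from one trustee count once
        return self.deposits[user_id][0] if len(self.requests[user_id]) >= self.t else None

def escrow_round_trip(t=3, n=5, bits=64):
    """Run the whole flow; every value in the returned dict should be True."""
    p, q, g = safe_prime_group(bits)
    secret = secrets.randbelow(q)              # key-encryption secret (toy size)
    ciphertext = b"<user-encrypted key blob>"  # constructed stand-in for the encrypted key
    shares, commitments = split_secret(secret, t, n, p, q, g)
    store = EscrowStore(t, trustee_ids=range(1, n + 1))
    store.deposit("alice", ciphertext, commitments)
    released = [store.request_release("alice", tid) for tid in (1, 1, 2, 3)]
    j, y = shares[0]
    return {
        "all_shares_verify": all(verify_share(s, commitments, p, q, g) for s in shares),
        "tampered_share_rejected": not verify_share((j, (y + 1) % q), commitments, p, q, g),
        "no_release_below_threshold": released[:3] == [None] * 3,
        "release_at_threshold": released[3] == ciphertext,
        "t_shares_recover_secret": reconstruct(shares[:t], q) == secret,
        "fewer_shares_do_not": reconstruct(shares[:t - 1], q) != secret,
    }
```

The design point worth noticing is where the shares live. Trustees verify and keep their shares; the storage system only ever sees the commitments and the ciphertext, so even after it releases the deposit it cannot decrypt, and a coalition smaller than t gets nothing from interpolation. The commitments also let a trustee reject a malformed or tampered share at deposit time, which is the "verifiable" part of the scheme the claim relies on. Calling escrow_round_trip() runs the whole flow and returns the checks as a dict.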
10 Claims
1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising:
receiving at a data storage system encrypted data from a user, wherein the encrypted data was encrypted prior to having been received and the encryption having been completed prior to being received by the data storage system, wherein the received encrypted data is an encrypted key which is stored as a plurality of shares, the shares being mathematical transformations of the user's private key, and wherein each share is provided to one of the verified third parties;
storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties; and
the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer system comprising the following:
one or more processors;
system memory;
one or more computer-readable storage devices having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to perform a method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising the following:
receiving at a data storage system encrypted data from a user, wherein the encrypted data was encrypted prior to having been received and the encryption having been completed prior to being received by the data storage system;
storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties, wherein a received encrypted key is stored as a plurality of shares, the shares being mathematical transformations of the user's private key, and wherein each share is provided to one of the verified third parties;
the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data;
receiving a request from the user requesting the user's encrypted data; and
the data storage system providing the user's stored encrypted data based at least in part on the user's request.
Dependent claims: 9, 10
Specification