Multiply-encrypting data requiring multiple keys for decryption

US 9,942,044 B2
Filed: 05/02/2017
Issued: 04/10/2018
Est. Priority Date: 11/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method executed on a server, comprising:

receiving a request to encrypt a piece of data;

encrypting the piece of data such that no single key can decrypt the encrypted piece of data and any unique combination of a first plurality of unique keys taken a first number at a time are capable of decrypting the encrypted piece of data, wherein the first number is greater than one, wherein each particular one of the first plurality of unique keys is tied to account credentials of a particular user of a plurality of users respectively, wherein the first number is less than or equal to the first plurality, and wherein the step of encrypting the piece of data includes;

encrypting the piece of data with a data key,generating a unique encrypted data key for each unique combination of the first plurality of unique keys taken the first number at a time by performing the following for each unique combination;

encrypting the data key multiple times each of which using a different one of the first plurality of unique keys, wherein the multiple times is equal to the first number, andencrypting each different one of the first plurality of unique keys with the account credentials of the corresponding particular user;

returning the encrypted piece of data;

receiving, at the server, account credentials of at least a second number of the plurality of users equivalent to the first number;

receiving a request to decrypt the encrypted piece of data;

decrypting, for each particular one of at least the second number of the plurality of users equivalent to the first number, the one of the first plurality of unique keys that correspond to that particular one of the at least the second number of the plurality of users;

decrypting the encrypted piece of data using the decrypted ones of the first plurality of unique keys; and

returning the decrypted piece of data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.

57 Citations

View as Search Results

14 Claims

1. A method executed on a server, comprising:
- receiving a request to encrypt a piece of data;
  
  encrypting the piece of data such that no single key can decrypt the encrypted piece of data and any unique combination of a first plurality of unique keys taken a first number at a time are capable of decrypting the encrypted piece of data, wherein the first number is greater than one, wherein each particular one of the first plurality of unique keys is tied to account credentials of a particular user of a plurality of users respectively, wherein the first number is less than or equal to the first plurality, and wherein the step of encrypting the piece of data includes;
  
  encrypting the piece of data with a data key,generating a unique encrypted data key for each unique combination of the first plurality of unique keys taken the first number at a time by performing the following for each unique combination;
  
  encrypting the data key multiple times each of which using a different one of the first plurality of unique keys, wherein the multiple times is equal to the first number, andencrypting each different one of the first plurality of unique keys with the account credentials of the corresponding particular user;
  
  returning the encrypted piece of data;
  
  receiving, at the server, account credentials of at least a second number of the plurality of users equivalent to the first number;
  
  receiving a request to decrypt the encrypted piece of data;
  
  decrypting, for each particular one of at least the second number of the plurality of users equivalent to the first number, the one of the first plurality of unique keys that correspond to that particular one of the at least the second number of the plurality of users;
  
  decrypting the encrypted piece of data using the decrypted ones of the first plurality of unique keys; and
  
  returning the decrypted piece of data.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the account credentials from the at least the second number of the plurality of users have been delegated by the at least the second number of the plurality of users to the server for decrypting data on their behalf.
  - 3. The method of claim 2, wherein the delegation of the account credentials from the at least the second number of the plurality of users is for a limited amount of time.
  - 4. The method of claim 1, wherein the request to encrypt the piece of data indicates the following:
    - the piece of data to encrypt;
      
      a list of a plurality of users that are associated with the first plurality of unique keys; and
      
      a minimum number of the first plurality of unique keys that are required to decrypt the data, wherein the minimum number is equal to the first number, and wherein the minimum number is at least two.
  - 5. The method of claim 1, wherein the data key is a random symmetric key.

6. An apparatus for encrypting and decrypting data, comprising:
- a set of one or more processors;
  
  a non-transitory machine-readable storage medium that stores instructions that, when executed by the set of processors, generate the following;
  
  an encryption module that is configured to encrypt a piece of data such that no single key can decrypt the encrypted piece of data and any unique combination of a first plurality of unique keys taken a first number at a time are capable of decrypting the encrypted piece of data, wherein the first number is greater than one, wherein each particular one of the first plurality of unique keys is tied to account credentials of a particular user of a plurality of users respectively,wherein the first number is less than or equal to the first plurality, and wherein the encryption module is configured to encrypt the piece of data through performance of the following;
  
  encrypt the piece of data with a data key,generate a unique encrypted data key for each unique combination of the first plurality of unique keys taken the first number at a time by performing the following for each unique combination;
  
  encrypt the data key multiple times each of which using a different one of the first plurality of unique keys, wherein the multiple times is equal to the first number,encrypt each different one of the first plurality of unique keys with the account credentials of the corresponding particular user, andreturn the encrypted piece of data;
  
  a decryption module that is configured to decrypt the encrypted piece of data through performance of the following;
  
  receive a request to decrypt the encrypted piece of data,decrypt, for each particular one of at least a second number of the plurality of users equivalent to the first number and using account credentials of that particular one of the at least the second number of the plurality of users, the one of the first plurality of unique keys that correspond to that particular one of the at least the second number of the plurality of users,decrypt the encrypted piece of data using the decrypted ones of the first plurality of unique keys, andreturn the decrypted piece of data.
- View Dependent Claims (7, 8, 9)
- - 7. The apparatus of claim 6, wherein the non-transitory machine-readable storage medium further stores instructions that, when executed by the set of processors, generate the following:
    - an account creation module that is configured to;
      
      for each of the plurality of users,create an account,create a key pair including a public key and a private key,encrypt the private key using a password key derived from a password, andcause the encrypted private key to be stored in association with the account for that user.
  - 8. The apparatus of claim 7, wherein the non-transitory machine-readable storage medium further stores instructions that, when executed by the set of processors, generate the following:
    - a delegation module that is configured to permit each of the plurality of users to delegate use of the account credentials for that user for decrypting data for a limited amount of time.
  - 9. The apparatus of claim 8, wherein the delegation module further is configured to permit each of the plurality of users to delegate use of the account credentials for that user for decrypting data for a limited number of decryptions.

10. A method executed on a server for encrypting and decrypting data, comprising:
- receiving a request to encrypt data from a requester, the request indicating at least the following;
  
  the data to encrypt,a list of a plurality of users, anda minimum number of the plurality of users whose credentials are required in order to decrypt the data, wherein the minimum number is at least two;
  
  encrypting the data with a data key;
  
  for each of the plurality of users, generating a unique data key encryption key;
  
  for each unique combination of the minimum number of the plurality of users whose credentials are required in order to decrypt the data, generating a unique encrypted data key including encrypting the data key multiple times according to the minimum number of users in that unique combination, each time with a different unique data key encryption key of the minimum number of users in that unique combination;
  
  for each of the plurality of users, encrypting the unique data key encryption key of that user using account credentials of that user;
  
  returning to the requester the encrypted data, the unique encrypted data key for each unique combination, and the unique data key encryption key for each of the plurality of users;
  
  after encrypting the data with the data key, discarding the data and the data key;
  
  receiving, at the server, account credentials of the at least a first number of users equivalent to the minimum number of users;
  
  receiving a request for decryption that includes the encrypted data;
  
  for each particular one of the at least first number of users, decrypting the unique data key encryption key for that user using the account credentials of that user;
  
  generating a decrypted unique encrypted data key including using those decrypted unique data key encryption keys to decrypt one of the unique encrypted data keys that correspond with that combination of the at least first number of users;
  
  decrypting the data key with the decrypted unique encrypted data key; and
  
  decrypting the encrypted data with the decrypted data key.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, further comprising:
    - receiving, from the at least the number of users equivalent to the minimum number of users, permission to use the account credentials of the at least the number of users to decrypt the unique data key encryption keys for the at least first number of users.
  - 12. The method of claim 10, wherein the data key is a random symmetric data key generated by the server.
  - 13. The method of claim 10, wherein each of the unique data key encryption keys is a symmetric key generated by the server.
  - 14. The method of claim 13, wherein each respective one the unique data key encryption keys are encrypted using a public key belonging to the respective user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Sullivan, Nicholas Thomas
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/585,079
Publication Number

US 20170237566A1
Time in Patent Office

343 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/45   Structures or tools for the...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 2221/2147   Locking files

H04L 2463/062   applying encryption of the ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0478   applying multiple layers of...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/0863   involving passwords or one-...

H04L 9/3226   using a predetermined code,...

Multiply-encrypting data requiring multiple keys for decryption

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Multiply-encrypting data requiring multiple keys for decryption

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links