Managing security in a computing environment

US 9,948,458 B2
Filed: 12/21/2016
Issued: 04/17/2018
Est. Priority Date: 04/10/2013
Status: Active Grant

First Claim

Patent Images

1. A method for managing data security in a computing environment, said method comprising:

in response to at least one message received by a processor of a gateway server from a user device wherein each message requests that an encryption key be downloaded to the user device, said processor generating, for each message, at least one unique encryption key for encrypting and decrypting data, sending each encryption key of the at least one generated encryption key to the user device, and not storing any of the generated encryption keys in a cloud comprising a plurality of interconnected computing systems external to the user device, wherein the at least one generated encryption key comprises a first encryption key;

for each encryption key of the at least one generated encryption key having been sent to the user device, said processor receiving each sent encryption key of the at least one generated encryption key returned from the user device; and

for each received encryption key, said processor validating each received encryption key for use by the processor to encrypt data to be stored in the cloud, wherein said validating each received encryption key comprises storing each received encryption key in the cloud at a time specific to each received encryption key, wherein said storing each received encryption key in the cloud comprises storing the first encryption key in the cloud at a first key storage time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In response to at least one message received by a processor of a gateway server from a user device wherein each message requests that an encryption key be downloaded to the user device, the processor generates at least one unique encryption key for each message and sends the at least one generated encryption key to the user device, but does not store any of the generated encryption keys in the cloud. For each encryption key having been sent to the user device, the processor receives each encryption key returned from the user device. For each encryption key received from the user device, the processor stores each received encryption key in the cloud.

60 Citations

View as Search Results

20 Claims

1. A method for managing data security in a computing environment, said method comprising:
- in response to at least one message received by a processor of a gateway server from a user device wherein each message requests that an encryption key be downloaded to the user device, said processor generating, for each message, at least one unique encryption key for encrypting and decrypting data, sending each encryption key of the at least one generated encryption key to the user device, and not storing any of the generated encryption keys in a cloud comprising a plurality of interconnected computing systems external to the user device, wherein the at least one generated encryption key comprises a first encryption key;
  
  for each encryption key of the at least one generated encryption key having been sent to the user device, said processor receiving each sent encryption key of the at least one generated encryption key returned from the user device; and
  
  for each received encryption key, said processor validating each received encryption key for use by the processor to encrypt data to be stored in the cloud, wherein said validating each received encryption key comprises storing each received encryption key in the cloud at a time specific to each received encryption key, wherein said storing each received encryption key in the cloud comprises storing the first encryption key in the cloud at a first key storage time.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, said method further comprising:
    - said processor storing first data in the cloud at a first data storage time after the first key storage time; and
      
      said processor encrypting the first data, at a first data encryption time after the first data storage time, by using the first encryption key to encrypt the first data.
  - 3. The method of claim 2, said method further comprising:
    - said processor decrypting the encrypted first data, at a first data decryption time after the first data encryption time, by using the first encryption key to decrypt the encrypted first data.
  - 4. The method of claim 3, wherein said receiving each encryption key returned from the user device comprises receiving a second encryption key returned from the user device, wherein said storing comprises storing the second encryption key in the cloud at a second key storage time after the first data storage time, and wherein the method further comprises:
    - said processor abandoning the first encryption key at a first key abandoning time after the first data decryption time; and
      
      said processor encrypting the first data, at another first data encryption time after the first data abandoning time and after the second key storage time, by using the second encryption key to encrypt the first data.
  - 5. The method of claim 4, wherein the first data decryption time is simultaneous with the second key storage time.
  - 6. The method of claim 4, wherein the method further comprises:
    - said processor storing second data in the cloud at a second data storage time prior to the second key storage time;
      
      said processor encrypting the second data, at a second data encryption time after the second data storage time, by using the second encryption key to encrypt the second data; and
      
      said processor decrypting the encrypted second data, at a second data decryption time after the second data encryption time, by using the second encryption key to decrypt the encrypted second data.
  - 7. The method of claim 2, wherein said receiving each encryption key returned from the user device comprises receiving a second encryption key returned from the user device, wherein said storing comprises storing the second encryption key in the cloud at a second key storage time after the first data storage time, wherein the encrypted first data is denoted as singly encrypted first data, and wherein the method further comprises:
    - said processor encrypting the singly encrypted first data, at another first data encryption time after the second key storage time, by using the second encryption key to encrypt the singly encrypted first data to form a doubly encrypted first data; and
      
      said processor decrypting the doubly encrypted first data, by using the second encryption key to decrypt the doubly encrypted first data to form the singly encrypted first data, followed by using the first encryption key to decrypt the singly encrypted first data to form the first data unencrypted.

8. A computer program product, comprising a computer readable storage device having computer readable program code stored therein, said program code containing instructions which, upon being executed by a processor of a gateway server of a computer system implements a method for managing data security in a computing environment, said method comprising:
- in response to at least one message received by the processor of the gateway server from a user device wherein each message requests that an encryption key be downloaded to the user device, said processor generating, for each message, at least one unique encryption key for encrypting and decrypting data, sending each encryption key of the at least one generated encryption key to the user device, and not storing any of the generated encryption keys in a cloud comprising a plurality of interconnected computing systems external to the user device, wherein the at least one generated encryption key comprises a first encryption key;
  
  for each encryption key of the at least one generated encryption key having been sent to the user device, said processor receiving each sent encryption key of the at least one generated encryption key returned from the user device; and
  
  for each received encryption key, said processor validating each received encryption key for use by the processor to encrypt data to be stored in the cloud, wherein said validating each received encryption key comprises storing each received encryption key in the cloud at a time specific to each received encryption key, wherein said storing each received encryption key in the cloud comprises storing the first encryption key in the cloud at a first key storage time.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, said method further comprising:
    - said processor storing first data in the cloud at a first data storage time after the first key storage time; and
      
      said processor encrypting the first data, at a first data encryption time after the first data storage time, by using the first encryption key to encrypt the first data.
  - 10. The computer program product of claim 9, said method further comprising:
    - said processor decrypting the encrypted first data, at a first data decryption time after the first data encryption time, by using the first encryption key to decrypt the encrypted first data.
  - 11. The computer program product of claim 10, wherein said receiving each encryption key returned from the user device comprises receiving a second encryption key returned from the user device, wherein said storing comprises storing the second encryption key in the cloud at a second key storage time after the first data storage time, and wherein the method further comprises:
    - said processor abandoning the first encryption key at a first key abandoning time after the first data decryption time; and
      
      said processor encrypting the first data, at another first data encryption time after the first data abandoning time and after the second key storage time, by using the second encryption key to encrypt the first data.
  - 12. The computer program product of claim 11, wherein the first data decryption time is simultaneous with the second key storage time.
  - 13. The computer program product of claim 11, wherein the method further comprises:
    - said processor storing second data in the cloud at a second data storage time prior to the second key storage time;
      
      said processor encrypting the second data, at a second data encryption time after the second data storage time, by using the second encryption key to encrypt the second data; and
      
      said processor decrypting the encrypted second data, at a second data decryption time after the second data encryption time, by using the second encryption key to decrypt the encrypted second data.
  - 14. The computer program product of claim 9, wherein said receiving each encryption key returned from the user device comprises receiving a second encryption key returned from the user device, wherein said storing comprises storing the second encryption key in the cloud at a second key storage time after the first data storage time, wherein the encrypted first data is denoted as singly encrypted first data, and wherein the method further comprises:
    - said processor encrypting the singly encrypted first data, at another first data encryption time after the second key storage time, by using the second encryption key to encrypt the singly encrypted first data to form a doubly encrypted first data; and
      
      said processor decrypting the doubly encrypted first data, by using the second encryption key to decrypt the doubly encrypted first data to form the singly encrypted first data, followed by using the first encryption key to decrypt the singly encrypted first data to form the first data unencrypted.

15. A computer system comprising a gateway server that includes a processor, a memory coupled to the processor, and a computer readable storage device coupled to the processor, said storage device containing program code which, upon being executed by the processor, implements a method for managing data security in a computing environment, said method comprising:
- in response to at least one message received by the processor of the gateway server from a user device wherein each message requests that an encryption key be downloaded to the user device, said processor generating, for each message, at least one unique encryption key for encrypting and decrypting data, sending each encryption key of the at least one generated encryption key to the user device, and not storing any of the generated encryption keys in a cloud comprising a plurality of interconnected computing systems external to the user device, wherein the at least one generated encryption key comprises a first encryption key;
  
  for each encryption key of the at least one generated encryption key having been sent to the user device, said processor receiving each sent encryption key of the at least one generated encryption key returned from the user device; and
  
  for each received encryption key, said processor validating each received encryption key for use by the processor to encrypt data to be stored in the cloud, wherein said validating each received encryption key comprises storing each received encryption key in the cloud at a time specific to each received encryption key, wherein said storing each received encryption key in the cloud comprises storing the first encryption key in the cloud at a first key storage time.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, said method further comprising:
    - said processor storing first data in the cloud at a first data storage time after the first key storage time; and
      
      said processor encrypting the first data, at a first data encryption time after the first data storage time, by using the first encryption key to encrypt the first data.
  - 17. The computer system of claim 16, said method further comprising:
    - said processor decrypting the encrypted first data, at a first data decryption time after the first data encryption time, by using the first encryption key to decrypt the encrypted first data.
  - 18. The computer system of claim 17, wherein said receiving each encryption key returned from the user device comprises receiving a second encryption key returned from the user device, wherein said storing comprises storing the second encryption key in the cloud at a second key storage time after the first data storage time, and wherein the method further comprises:
    - said processor abandoning the first encryption key at a first key abandoning time after the first data decryption time; and
      
      said processor encrypting the first data, at another first data encryption time after the first data abandoning time and after the second key storage time, by using the second encryption key to encrypt the first data.
  - 19. The computer system of claim 18, wherein the first data decryption time is simultaneous with the second key storage time.
  - 20. The computer system of claim 18, wherein the method further comprises:
    - said processor storing second data in the cloud at a second data storage time prior to the second key storage time;
      
      said processor encrypting the second data, at a second data encryption time after the second data storage time, by using the second encryption key to encrypt the second data; and
      
      said processor decrypting the encrypted second data, at a second data decryption time after the second data encryption time, by using the second encryption key to decrypt the encrypted second data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Barney, Jonathan M., Mega, Cataldo, Plattier, Edmond, Suski, Daniel
Primary Examiner(s)
Su, Sarah

Application Number

US15/386,693
Publication Number

US 20170104587A1
Time in Patent Office

482 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/0478   applying multiple layers of...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/083   involving central third par...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0869   involving random numbers or...

H04L 9/32   including means for verifyi...

Managing security in a computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Managing security in a computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others