Envelope-based encryption method
First Claim
1. A system, comprising:
- one or more processors; and
- memory that stores computer-executable instructions that, as a result of being executed, cause the system to:
  - receive, in a request, an envelope from a client, the envelope including:
    - a data encryption key reference; and
    - data encrypted with a data encryption key;
  - provide the data encryption key reference to a server;
  - receive, from the server, in accordance with a set of access controls maintained by the server, an encrypted data encryption key that is associated with the data encryption key reference;
  - decrypt the encrypted data encryption key with a key encrypting key to produce the data encryption key;
  - on a condition that a trust score for the client is of an amount relative to a threshold value that indicates to trust the client, provide the data to the client in response to the request in unencrypted form decrypted using the data encryption key; and
  - on a condition that the trust score for the client is of an amount relative to the threshold value that indicates a lack of trust in the client provide the data to the client in encrypted form.
Abstract
The present document describes systems and methods that, in some situations, improve data security. In one embodiment, communications between a client and a server are encrypted using an envelope-based encryption scheme. The envelope includes: a data encryption key reference; and data encrypted with a corresponding data encryption key. A data encryption key server maintains a collection of data encryption keys that are accessible using corresponding data encryption key references. In another embodiment, a storage server maintains stored data using the envelope-based encryption scheme. The stored data is made available to particular clients in encrypted or plaintext form based at least in part on a trust score determined for each client's request. In yet another embodiment, as a result of a secure transport handshake, a client is provided with a pluggable cipher suite.
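The flow in claim 1 and the abstract, as an added sketch that is not code from the patent or from any product: a key server returns a KEK-encrypted DEK by reference under its own access controls, and the storage system releases plaintext or ciphertext depending on the trust score. Assumptions: a higher score means more trust; `KeyServer`, `handle_request`, `dek-001` and `storage-1` are hypothetical names; `seal`/`unseal` are an HMAC-SHA256 stand-in so the block runs on the standard library alone, where a real system would use a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in cipher, see lead-in).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KeyServer:
    """Maps DEK references to KEK-encrypted DEKs and enforces its own ACL."""
    def __init__(self):
        self._wrapped, self._acl = {}, {}

    def register(self, key_ref, wrapped_dek, allowed):
        self._wrapped[key_ref], self._acl[key_ref] = wrapped_dek, set(allowed)

    def fetch(self, key_ref, principal):
        if principal not in self._acl.get(key_ref, ()):
            raise PermissionError(f"{principal} may not fetch {key_ref}")
        return self._wrapped[key_ref]

def handle_request(envelope, trust_score, threshold, key_server, kek, principal="storage-1"):
    # Claim order: resolve the reference, unwrap the DEK, then branch on trust.
    dek = unseal(kek, key_server.fetch(envelope["key_ref"], principal))
    if trust_score >= threshold:   # assumed: higher score means more trust
        return {"form": "plaintext", "data": unseal(dek, envelope["ciphertext"])}
    return {"form": "encrypted", "data": envelope["ciphertext"]}

def demo():
    # Constructed sample keys, reference and payload.
    kek, dek = os.urandom(32), os.urandom(32)
    server = KeyServer()
    server.register("dek-001", seal(kek, dek), allowed={"storage-1"})
    env = {"key_ref": "dek-001", "ciphertext": seal(dek, b"constructed sample record")}
    return server, kek, env
```

The key server never sees the KEK or the payload, and a client below the threshold gets back exactly the ciphertext it could already hold.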
20 Claims
8. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
- receive a request from a client, the request including a data encryption key reference and data encrypted with a data encryption key;
- provide the data encryption key reference to a server;
- receive, from the server, in accordance with a set of access controls maintained by the server, a data encryption key that is associated with the data encryption key reference; and
- on a condition that a trust score is of an amount relative to a threshold value that indicates to trust the client, provide the data to the client in response to the request in unencrypted form decrypted using the data encryption key; and
- on a condition that the trust score is of an amount relative to the threshold value that indicates a lack of trust in the client, provide the data to the client in encrypted form.
16. A computer-implemented method, comprising:
- receiving, in a request, an envelope from a client, the envelope including:
  - a data encryption key reference; and
  - data encrypted with a data encryption key;
- providing the data encryption key reference to a server;
- receiving, from the server, in accordance with a set of access controls maintained by the server, an encrypted data encryption key that is associated with the data encryption key reference;
- decrypting the encrypted data encryption key with a key encrypting key to produce the data encryption key; and
- providing the data in accordance with a trust score by:
  - on a condition that a trust score for the client is of an amount relative to a threshold value that indicates to trust the client, provide the data to the client in response to the request in unencrypted form decrypted using the data encryption key; and
  - on a condition that the trust score for the client is of an amount relative to the threshold value that indicates a lack of trust in the client, provide the data to the client in encrypted form.
Specification