Process to access a data storage device of a cloud computer system with the help of a modified Domain Name System (DNS)
First Claim
1. A method for accessing a data storage device of a cloud computer system through a gateway computer system configured to connect with the cloud computer system over a network, the gateway computer system storing at least one cryptographic key, the at least one cryptographic key being a file-specific symmetric key, the cloud computer system being associated with a URL and the gateway computer system being associated with an IP address, the method comprising:
storing, in an association file on a first user terminal, an association of a domain contained in the URL with the IP address, the first user terminal corresponding to a user associated with an asymmetric cryptographic key pair including a public key and a private key;
creating a first protected connection between the first user terminal and the gateway computer system over the network by,
  inputting the URL into a program of the first user terminal,
  obtaining, by an operating system of the first user terminal, the IP address in response to receiving a request from the program, the request addressed to a DNS server, the request being for name resolution of the URL, the obtaining including,
    first accessing the association file to determine whether the association file contains an association for the domain contained in the URL,
    second accessing the association file to read the IP address associated with the domain contained in the URL in response to determining that the association file contains an association of the domain contained in the URL in the first accessing,
    transferring the IP address to the program in response to the second accessing, and
  setting up, by the program, the first protected connection between the first user terminal and the gateway computer system using the IP address in response to the obtaining, the setting up being performed in accordance with TCP/IP protocol;
transferring a file from the first user terminal to the gateway computer system over the first protected connection;
setting up a first session between the gateway computer system and the cloud computer system over the network;
encrypting the file by the gateway computer system using the at least one cryptographic key;
transferring the encrypted file from the gateway computer system to the cloud computer system through the first session;
encrypting, by the gateway computer system, the file-specific symmetric key using the public key of the user to generate a first ciphertext;
transferring the first ciphertext to the cloud computer system through the first session;
storing the first ciphertext in association with the encrypted file in the data storage device of the cloud computer system;
deleting the file-specific symmetric key from the gateway computer system;
inputting, by the user, an identifier of another user to the first user terminal, the other user being associated with an asymmetric cryptographic key pair including a public key and a private key;
transferring the identifier from the first user terminal to the gateway computer system over the first protected connection;
specifying, by the user over the first protected connection, access privileges for the other user corresponding to the file stored in the data storage device of the cloud computer system; and
storing, by the gateway computer system, the specified access privileges in association with the identifier by,
  reading, by the gateway computer system, the first ciphertext from the cloud computer system,
  decrypting the first ciphertext using the private key of the user to obtain the file-specific symmetric key with which the file was encrypted,
  producing, by the gateway computer system, a second ciphertext by encrypting the file-specific symmetric key using the public key of the other user,
  transferring the second ciphertext from the gateway computer system to the cloud computer system, and
  storing the second ciphertext in association with the encrypted file in the data storage device of the cloud computer system.
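The upload and sharing steps of claim 1, as an added Go example (not code from the patent or its assignee): the gateway encrypts under a file-specific key, keeps only wrapped copies of that key, and re-wraps it for a second user without touching the encrypted file. AES-256-GCM, RSA-OAEP, the `Stored` layout, the user identifiers, the generated sample key pairs, and passing the owner's private key in as a parameter are assumptions; the claim names no algorithms and does not say how the gateway gets to use the private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Stored struct { // cloud-side record; this layout is an assumption
	Nonce, EncFile []byte
	Wrapped        map[string][]byte // user identifier -> wrapped file key
}

// Upload encrypts file under a fresh file key and keeps only its wrapped form.
func Upload(file []byte, owner string, pub *rsa.PublicKey) (*Stored, error) {
	rnd := make([]byte, 44) // 32-byte file key || 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	key, nonce := rnd[:32], rnd[32:]
	defer copy(key, make([]byte, 32)) // gateway deletes the file key
	blk, _ := aes.NewCipher(key)      // a 32-byte key is always valid
	g, _ := cipher.NewGCM(blk)
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil) // first ciphertext
	return &Stored{nonce, g.Seal(nil, nonce, file, nil), map[string][]byte{owner: w}}, err
}

// Share unwraps the file key as the owner and re-wraps it for another user.
func Share(s *Stored, owner string, priv *rsa.PrivateKey, other string, pub *rsa.PublicKey) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.Wrapped[owner], nil)
	if err != nil {
		return err
	}
	defer copy(key, make([]byte, len(key)))
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil) // second ciphertext
	if err == nil {
		s.Wrapped[other] = w
	}
	return err
}

var alice, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed sample users
var bob, _ = rsa.GenerateKey(rand.Reader, 2048)
func main() {
	s, _ := Upload([]byte("constructed sample file"), "alice", &alice.PublicKey)
	fmt.Println(Share(s, "alice", alice, "bob", &bob.PublicKey), len(s.Wrapped))
}
```

Overwriting the slice is best-effort deletion: the expanded key inside the cipher object stays in process memory until it is garbage-collected.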
Abstract
A process for accessing a data storage device of a cloud computer system (CCS) through a gateway computer system (GCS) includes: setting up a protected connection over the Internet between a first piece of terminal equipment of the user and the GCS by inputting the URL of the CCS into a program of the terminal equipment and using the modified DNS for name resolution of the URL, so that the protected connection is set up with the GCS instead of with the CCS; transferring a file over the protected connection from the terminal equipment to the GCS; setting up a session over the network between the GCS and the CCS; encrypting the file by the GCS using the cryptographic key; transferring the encrypted file through the session from the GCS to the CCS; and storing the encrypted file in the data storage device of the CCS.
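The name-resolution step, as an added Go example (not from the patent): a lookup over a hosts-style association file that returns the gateway IP for the URL's domain, or reports a miss, in which case the operating system would ask the real DNS server and the program would connect to the cloud directly. The hosts-file line format, exact-name matching, `cloud.example` and `192.0.2.10` are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// Lookup performs the two accesses on a hosts-style association file: does
// it contain the URL's domain, and if so which IP address is mapped to it.
// found=false means the request would fall through to the real DNS server.
func Lookup(assoc, rawURL string) (ip string, found bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return "", false, fmt.Errorf("no domain in %q", rawURL)
	}
	domain := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	sc := bufio.NewScanner(strings.NewReader(assoc))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "#") // drop comments
		f := strings.Fields(line)
		for i := 1; i < len(f); i++ { // f[0] is the IP, the rest are names
			if strings.ToLower(f[i]) == domain {
				return f[0], true, nil
			}
		}
	}
	return "", false, sc.Err()
}

// Constructed sample: cloud.example and 192.0.2.10 are placeholders.
const sampleAssoc = `
127.0.0.1   localhost
# route the storage provider through the gateway
192.0.2.10  cloud.example www.cloud.example
`

func main() {
	for _, u := range []string{"https://Cloud.Example/upload", "https://api.cloud.example/v1"} {
		ip, ok, err := Lookup(sampleAssoc, u)
		fmt.Println(u, ip, ok, err)
	}
}
```

The second URL misses because the match is on the exact name: a subdomain of the cloud service that is not listed in the association file is not redirected to the gateway.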
9 Claims
9. A computer system, comprising:
a gateway computer system associated with an IP address, the gateway computer system including,
  a first memory storing first computer-readable instructions and at least one cryptographic key, the at least one cryptographic key being a file-specific symmetric key, and
  at least one first hardware processor operably coupled to the first memory, the at least one first hardware processor configured to execute the first computer-readable instructions to,
    receive a file from a user terminal over a protected connection, the user terminal corresponding to a user associated with an asymmetric cryptographic key pair including a public key and a private key,
    set up a first session between the gateway computer system and a cloud computer system over a network,
    encrypt the file using the at least one cryptographic key,
    transfer the encrypted file to the cloud computer system through the first session,
    encrypt the file-specific symmetric key using the public key of the user to generate a first ciphertext,
    transfer the first ciphertext to the cloud computer system through the first session,
    delete the file-specific symmetric key from the gateway computer system,
    receive an identifier and specified access privileges from the user terminal over the protected connection, and
    store the specified access privileges in association with the identifier by,
      reading the first ciphertext from the cloud computer system,
      decrypting the first ciphertext using the private key of the user to obtain the file-specific symmetric key with which the file was encrypted,
      producing a second ciphertext by encrypting the file-specific symmetric key using the public key of the other user, and
      transferring the second ciphertext to the cloud computer system;
the cloud computer system associated with a URL, the cloud computer system including,
  a second memory storing second computer-readable instructions, and
  at least one second hardware processor operably coupled to the second memory, the at least one second hardware processor configured to execute the second computer-readable instructions to,
    receive the encrypted file and the first ciphertext from the gateway computer system,
    store the encrypted file in the second memory,
    store the first ciphertext in association with the encrypted file in the second memory, and
    store the second ciphertext in association with the encrypted file in the second memory; and
the user terminal storing an association file, the association file including an association of a domain contained in the URL with the IP address, the user terminal including,
  a third memory storing a program and an operating system, and
  at least one third hardware processor configured to execute the program to,
    receive an input including the URL,
    output a request for name resolution of the URL, the request addressed to a DNS server,
    receive the IP address, and
    set up the protected connection between the user terminal and the gateway computer system using the IP address, the protected connection being set up in accordance with TCP/IP protocol,
    receive an input from the user including an identifier of another user, the other user being associated with an asymmetric cryptographic key pair including a public key and a private key,
    transfer the identifier to the gateway computer system over the protected connection, and
    specify, by the user over the protected connection, the access privileges for the other user corresponding to the file stored in the second memory,
  the user terminal being further configured to execute the operating system to,
    obtain the IP address in response to receiving the request from the program, the IP address being obtained by,
      first accessing the association file to determine whether the association file contains an association for the domain contained in the URL,
      second accessing the association file to read the IP address associated with the domain contained in the URL in response to determining that the association file contains an association of the domain contained in the URL in the first accessing, and
      transferring the IP address to the program in response to the second accessing.
Specification