Process to access a data storage device of a cloud computer system with the help of a modified Domain Name System (DNS)

US 10,050,944 B2
Filed: 10/27/2014
Issued: 08/14/2018
Est. Priority Date: 12/05/2013
Status: Active Grant

First Claim

Patent Images

1. A method for accessing a data storage device of a cloud computer system through a gateway computer system configured to connect with the cloud computer system over a network, the gateway computer system storing at least one cryptographic key, the at least one cryptographic key being a file-specific symmetric key, the cloud computer system being associated with a URL and the gateway computer system being associated with an IP address, the method comprising:

storing, in an association file on a first user terminal, an association of a domain contained in the URL with the IP address, the first user terminal corresponding to a user associated with an asymmetric cryptographic key pair including a public key and a private key;

creating a first protected connection between the first user terminal and the gateway computer system over the network by,inputting the URL into a program of the first user terminal,obtaining, by an operating system of the first user terminal, the IP address in response to receiving a request from the program, the request addressed to a DNS server, the request being for name resolution of the URL, the obtaining including,first accessing the association file to determine whether the association file contains an association for the domain contained in the URL,second accessing the association file to read the IP address associated with the domain contained in the URL in response to determining that the association file contains an association of the domain contained in the URL in the first accessing,transferring the IP address to the program in response to the second accessing, andsetting up, by the program, the first protected connection between the first user terminal and the gateway computer system using the IP address in response to the obtaining, the setting up being performed in accordance with TCP/IP protocol;

transferring a file from the first user terminal to the gateway computer system over the first protected connection;

setting up a first session between the gateway computer system and the cloud computer system over the network;

encrypting the file by the gateway computer system using the at least one cryptographic key;

transferring the encrypted file from the gateway computer system to the cloud computer system through the first session;

encrypting, by the gateway computer system, the file-specific symmetric key using the public key of the user to generate a first ciphertext;

transferring the first ciphertext to the cloud computer system through the first session;

storing the first ciphertext in association with the encrypted file in the data storage device of the cloud computer system;

deleting the file-specific symmetric key from the gateway computer system;

inputting, by the user, an identifier of another user to the first user terminal, the other user being associated with an asymmetric cryptographic key pair including a public key and a private key;

transferring the identifier from the first user terminal to the gateway computer system over the first protected connection;

specifying, by the user over the first protected connection, access privileges for the other user corresponding to the file stored in the data storage device of the cloud computer system; and

storing, by the gateway computer system, the specified access privileges in association with the identifier by,reading, by the gateway computer system, the first ciphertext from the cloud computer system,decrypting the first ciphertext using the private key of the user to obtain the file-specific symmetric key with which the file was encrypted,producing, by the gateway computer system, a second ciphertext by encrypting the file-specific symmetric key using the public key of the other user,transferring the second ciphertext from the gateway computer system to the cloud computer system, andstoring the second ciphertext in association with the encrypted file in the data storage device of the cloud computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for accessing a data storage device of a CCS through a GCS includes setting up a protected connection over the Internet between a first piece of terminal equipment of the user and the GCS by inputting the URL of the CCS into a program of the piece of terminal equipment, and using the modified DNS for name resolution of the URL, so that the protected connection is set up with the GCS instead of with the CCS; transferring a file over the protected connection from the terminal equipment to the GCS; setting up a session over the network between the GCS and the CCS; encrypting the file by the gateway computer system using the cryptographic key; transferring the encrypted file through the session from the GCS to the CCS; and storing the encrypted file in the data storage device of the CCS.

9 Citations

View as Search Results

9 Claims

1. A method for accessing a data storage device of a cloud computer system through a gateway computer system configured to connect with the cloud computer system over a network, the gateway computer system storing at least one cryptographic key, the at least one cryptographic key being a file-specific symmetric key, the cloud computer system being associated with a URL and the gateway computer system being associated with an IP address, the method comprising:
- storing, in an association file on a first user terminal, an association of a domain contained in the URL with the IP address, the first user terminal corresponding to a user associated with an asymmetric cryptographic key pair including a public key and a private key;
  
  creating a first protected connection between the first user terminal and the gateway computer system over the network by,inputting the URL into a program of the first user terminal,obtaining, by an operating system of the first user terminal, the IP address in response to receiving a request from the program, the request addressed to a DNS server, the request being for name resolution of the URL, the obtaining including,first accessing the association file to determine whether the association file contains an association for the domain contained in the URL,second accessing the association file to read the IP address associated with the domain contained in the URL in response to determining that the association file contains an association of the domain contained in the URL in the first accessing,transferring the IP address to the program in response to the second accessing, andsetting up, by the program, the first protected connection between the first user terminal and the gateway computer system using the IP address in response to the obtaining, the setting up being performed in accordance with TCP/IP protocol;
  
  transferring a file from the first user terminal to the gateway computer system over the first protected connection;
  
  setting up a first session between the gateway computer system and the cloud computer system over the network;
  
  encrypting the file by the gateway computer system using the at least one cryptographic key;
  
  transferring the encrypted file from the gateway computer system to the cloud computer system through the first session;
  
  encrypting, by the gateway computer system, the file-specific symmetric key using the public key of the user to generate a first ciphertext;
  
  transferring the first ciphertext to the cloud computer system through the first session;
  
  storing the first ciphertext in association with the encrypted file in the data storage device of the cloud computer system;
  
  deleting the file-specific symmetric key from the gateway computer system;
  
  inputting, by the user, an identifier of another user to the first user terminal, the other user being associated with an asymmetric cryptographic key pair including a public key and a private key;
  
  transferring the identifier from the first user terminal to the gateway computer system over the first protected connection;
  
  specifying, by the user over the first protected connection, access privileges for the other user corresponding to the file stored in the data storage device of the cloud computer system; and
  
  storing, by the gateway computer system, the specified access privileges in association with the identifier by,reading, by the gateway computer system, the first ciphertext from the cloud computer system,decrypting the first ciphertext using the private key of the user to obtain the file-specific symmetric key with which the file was encrypted,producing, by the gateway computer system, a second ciphertext by encrypting the file-specific symmetric key using the public key of the other user,transferring the second ciphertext from the gateway computer system to the cloud computer system, andstoring the second ciphertext in association with the encrypted file in the data storage device of the cloud computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, whereinthe gateway computer system stores authentication data of the user for authentication with respect to the cloud computer system;
    - andthe setting up the first session includes,accessing, by the gateway computer system, the stored authentication data of the user, andauthenticating the user using the stored authentication data of the user.
  - 3. The method according to claim 1, wherein the cloud computer system stores a file directory for files stored in the data storage device of the cloud computer system, and the gateway computer system stores a replica of the file directory, the method further comprising:
    - producing, by the gateway computer system, a web page displaying the replica of the file directory;
      
      transferring the web page to the first user terminal over the first protected connection;
      
      displaying, by the first user terminal, the web page,inputting at the first user terminal, a selection of a file path in the displayed web page for storage of the file;
      
      transferring the selection of the file path over the first protected connection from the first user terminal to the gateway computer system;
      
      transferring a storage command from the gateway computer system to the cloud computer system to store the encrypted file in the data storage device in accordance with the selection of the file path;
      
      receiving, by the gateway computer system, an acknowledgment signal from the cloud computer system, the acknowledgment signal indicating successful execution of the storage command; and
      
      updating the replica of the file directory in response to the receiving the acknowledgment signal.
  - 4. The method according to claim 1, further comprising:
    - producing, by the gateway computer system, a message for the other user in response to the storing the specified access privileges;
      
      transferring the message from gateway computer system to a second user terminal of the other user using the identifier; and
      
      providing the file to the second user terminal in response to the transferring the message by,setting up a second protected connection between the gateway computer system and the second user terminal,setting up a second session for the other user over the network, between the gateway computer system and the cloud computer system,authenticating, by the gateway computer system, the other user with respect to the cloud computer system by accessing, through the second session, authentication data of the other user stored in the gateway computer system,transferring the encrypted file from the cloud computer system to the gateway computer system through the second session,decrypting the file by the gateway computer system using the at least one cryptographic key, the at least one cryptographic key being associated with the user, andtransferring the decrypted file from the gateway computer system to the second user terminal over the second protected connection.
  - 5. The method according to claim 1, wherein the specifying includes:
    - inputting, by the user, a file path in the first user terminal; and
      
      transferring the file path over the first protected connection to the gateway computer system.
  - 6. The method according to claim 1, wherein the first protected connection is a Virtual Private Network set up over the network.
  - 7. The method according to claim 1, wherein the at least one cryptographic key is associated with the user.
  - 8. The method according to claim 1, wherein the setting up the first protected connection includes an APN setting up the first protected connection with the gateway computer system over a mobile telephony connection in response to the inputting the URL.

9. A computer system, comprising:
- a gateway computer system associated with an IP address, the gateway computer system including,a first memory storing first computer-readable instructions and at least one cryptographic key, the at least one cryptographic key being a file-specific symmetric key, andat least one first hardware processor operably coupled to the first memory, the at least one first hardware processor configured to execute the first computer-readable instructions to,receive a file from a user terminal over a protected connection, the user terminal corresponding to a user associated with an asymmetric cryptographic key pair including a public key and a private key,set up a first session between the gateway computer system and a cloud computer system over a network,encrypt the file using the at least one cryptographic key,transfer the encrypted file to the cloud computer system through the first session,encrypt the file-specific symmetric key using the public key of the user to generate a first ciphertext,transfer the first ciphertext to the cloud computer system through the first session,delete the file-specific symmetric key from the gateway computer system,receive an identifier and specified access privileges from the user terminal over the protected connection, andstore the specified access privileges in association with the identifier by,reading the first ciphertext from the cloud computer system,decrypting the first ciphertext using the private key of the user to obtain the file-specific symmetric key with which the file was encrypted,producing a second ciphertext by encrypting the file-specific symmetric key using the public key of the other user, andtransferring the second ciphertext to the cloud computer system;
  
  the cloud computer system associated with a URL, the cloud computer system including,a second memory storing second computer-readable instructions, andat least one second hardware processor operably coupled to the second memory, the at least one second hardware processor configured to execute the second computer-readable instructions to,receive the encrypted file and the first ciphertext from the gateway computer system,store the encrypted file in the second memory,store the first ciphertext in association with the encrypted file in the second memory, andstore the second ciphertext in association with the encrypted file in the second memory; and
  
  the user terminal storing an association file, the association file including an association of a domain contained in the URL with the IP address, the user terminal including,a third memory storing a program and an operating system, andat least one third hardware processor configured to execute the program to,receive an input including the URL,output a request for name resolution of the URL, the request addressed to a DNS server,receive the IP address, andset up the protected connection between the user terminal and the gateway computer system using the IP address, the protected connection being set up in accordance with TCP/IP protocol,receive an input from the user including an identifier of another user, the other user being associated with an asymmetric cryptographic key pair including a public key and a private key,transfer the identifier to the gateway computer system over the protected connection, andspecify, by the user over the protected connection, the access privileges for the other user corresponding to the file stored in the second memory,the user terminal being further configured to execute the operating system to,obtain the IP address in response to receiving the request from the program, the IP address being obtained by,first accessing the association file to determine whether the association file contains an association for the domain contained in the URL,second accessing the association file to read the IP address associated with the domain contained in the URL in response to determining that the association file contains an association of the domain contained in the URL in the first accessing, andtransferring the IP address to the program in response to the second accessing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bundesdruckerei GmbH (Government of Germany)
Original Assignee
Bundesdruckerei GmbH (Government of Germany)
Inventors
Byszio, Frank
Primary Examiner(s)
Nipa, Wasika

Application Number

US15/100,724
Publication Number

US 20160315915A1
Time in Patent Office

1,387 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/166   at the transport layer

H04L 67/1097   for distributed storage of ...

Process to access a data storage device of a cloud computer system with the help of a modified Domain Name System (DNS)

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Process to access a data storage device of a cloud computer system with the help of a modified Domain Name System (DNS)

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links