Encrypted key cache
First Claim
1. One or more computer-readable media having stored thereon a plurality of instructions that, when executed by one or more processors of a computer, causes the one or more processors to perform the following acts:
- receive a request, corresponding to a user, to access a file;
obtain an access control entry that corresponds to both the user and the file, wherein the access control entry includes an encrypted symmetric key that was used to encrypt the file;
check whether a mapping of the access control entry to the symmetric key exists in an encrypted key cache; and
if the mapping exists, then use the mapped symmetric key from the encrypted key cache to decrypt the file, otherwise decrypt the encrypted symmetric key and use the decrypted symmetric key to decrypt the file.
2 Assignments
0 Petitions
Accused Products
Abstract
A file that has been encrypted using a symmetric key and that has a corresponding access control entry with the symmetric key encrypted using the public key of a public/private key pair can be accessed. An encrypted key cache is also accessed to determine whether an access control entry to symmetric key mapping exists in the cache for the access control entry corresponding to the file. If such a mapping exists in the cache, then the mapped-to symmetric key is obtained form the cache, otherwise the encrypted symmetric key is decrypted using the private key of the public/private key pair. The encrypted key cache itself can also be encrypted and stored as an encrypted file.
104 Citations
44 Claims
-
1. One or more computer-readable media having stored thereon a plurality of instructions that, when executed by one or more processors of a computer, causes the one or more processors to perform the following acts:
-
receive a request, corresponding to a user, to access a file;
obtain an access control entry that corresponds to both the user and the file, wherein the access control entry includes an encrypted symmetric key that was used to encrypt the file;
check whether a mapping of the access control entry to the symmetric key exists in an encrypted key cache; and
if the mapping exists, then use the mapped symmetric key from the encrypted key cache to decrypt the file, otherwise decrypt the encrypted symmetric key and use the decrypted symmetric key to decrypt the file. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 27, 28, 30, 31, 32, 33, 34, 35, 36, 38, 39, 40, 41)
-
-
14. A method comprising:
-
receiving an access control entry corresponding to a file and including a symmetric key encrypted with a public key;
checking whether an access control entry to symmetric key mapping exists in a key cache; and
obtaining the symmetric key from the key cache if the mapping exists, otherwise decrypting the encrypted symmetric key using a private key corresponding to the public key.
-
-
25. A method comprising:
-
accessing an encrypted key cache, corresponding to a user, in encrypted form;
obtaining an encrypted symmetric key from an access control entry corresponding to the encrypted key cache;
decrypting the encrypted symmetric key using a private key corresponding to the user;
decrypting the encrypted key cache using the decrypted symmetric key; and
using the encrypted key cache to identify, based on access control entries corresponding to other files, symmetric keys used to encrypt the other files.
-
-
29. A system comprising:
-
a control module to obtain an access control entry corresponding to a file to be accessed by the system, wherein the access control entry includes a symmetric key encrypted with a public key of a public/private key pair;
a key cache to maintain a plurality of mappings each of which maps an access control entry to a symmetric key;
a comparator, communicatively coupled to the control module, to check whether one of the plurality of mappings corresponds to the received access control entry; and
a cryptographic engine, communicatively coupled to the control module, to;
use, if one of the plurality of mappings corresponds to the received access control entry, the symmetric key to which the received access control entry maps to decrypt the file, and use, if one of the plurality of mappings does not correspond to the received access control entry, the private key of the public/private key pair to decrypt the symmetric key, and then use the decrypted symmetric key to decrypt the file.
-
-
37. A method comprising:
-
accessing an encrypted key cache, corresponding to a user, in encrypted form;
decrypting the encrypted key cache using a private key corresponding to the user; and
using the encrypted key cache to identify, based on access control entries corresponding to other files, symmetric keys used to encrypt the other files.
-
-
42. A method comprising:
-
accessing a key cache that maintains a plurality of access control entry to symmetric key mappings corresponding to a plurality of files accessible to a user in a distributed file system, wherein each of the plurality of mappings identifies a symmetric key that can be used to decrypt a file corresponding to the mapping;
generating an encrypted file that includes the key cache and that is encrypted using a symmetric key;
encrypting the symmetric key using a public key corresponding to the user;
storing the encrypted symmetric key in an access control entry corresponding to the encrypted file; and
storing both the encrypted file and the access control entry corresponding to the encrypted file in the distributed file system. - View Dependent Claims (43)
-
-
44. A system comprising:
-
means for storing a plurality of access control entry to symmetric key mappings;
means for retrieving an access control entry corresponding to a requested file;
means for comparing the retrieved access control entry to the plurality of access control entry to symmetric key mappings and for determining whether any of the plurality of mappings match the retrieved access control entry; and
means for obtaining, from the means for storing, a symmetric key to be used to decrypt the requested file if one of the plurality of mappings matches the retrieved access control entry, and otherwise for decrypting the symmetric key, in encrypted form, using a private key of a public/private key pair corresponding to the public key used to encrypt the symmetric key.
-
Specification