Secure Cloud Storage and Encryption Management System
Abstract
An embodiment of the invention allows a user to back up/store data to a cloud-based storage system and synchronize that data on the user's devices coupled to the storage system. The devices have secure out-of-band cryptoprocessors that conceal a private key. The private key corresponds to a public key that is used to encrypt a session key and information, both of which are passed to and through cloud-based storage, all while remaining encrypted. The encrypted material is communicated from the cloud to another of the user's devices, where the encrypted material is decrypted within a secure out-of-band cryptoprocessor (using the private key that corresponds to the aforementioned public key) located within the device. The embodiment allows for secure provisioning of the private key to the devices. The private key is only decrypted within the cryptoprocessor, so the private key is never "in the open". Other embodiments are described herein.
103 Citations
Claims (20)
1. A system of computing nodes comprising:
a first computing node comprising a first secure cryptoprocessor having out-of-band non-volatile first memory that stores a hardware-based first private key that is non-visible to a first operating system (OS) for the first computing node;
a second computing node comprising a second secure cryptoprocessor having out-of-band non-volatile second memory that stores a hardware-based second private key that is non-visible to a second OS for the second computing node and that corresponds to a second public key; and
at least one storage medium having instructions stored thereon to cause:
the first computing node to:
receive the second public key;
determine a first session key and encrypt first information with the first session key;
encrypt the first session key with the second public key;
bind the encrypted first session key to the encrypted first information; and
communicate the bound encrypted first session key and encrypted first information to cloud based storage; and
the second computing node to receive and decrypt the bound encrypted first session key with the second private key, while the second private key is still located within the second cryptoprocessor, and the encrypted first information with the decrypted first session key.
(Dependent claims 2 to 12)
13. At least one storage medium having instructions stored thereon to cause a system to:
receive an encrypted first session key bound to an encrypted first information from a first computing node via cloud based storage, wherein the first information is encrypted with the first session key and the first session key is encrypted with a second public key;
decrypt the bound encrypted first session key with a second private key, and decrypt the encrypted first information with the decrypted first session key;
wherein the first computing node comprises the second public key and a secure out-of-band non-volatile first memory;
wherein the system includes a second computing node comprising a secure out-of-band non-volatile second memory that stores the second private key non-visibly to a second operating system (OS) for the second computing node, the second private key corresponding to the second public key.
(Dependent claims 14 to 16)
17. A method executed by at least one processor comprising:
a first computing node, comprising a secure out-of-band non-volatile first memory that stores a hardware-based first private key that is non-visible to a first operating system (OS) for the first computing node,
(a)(1) receiving a second public key;
(a)(2) determining a first session key and encrypting first information with the first session key;
(a)(3) encrypting the first session key with the second public key;
(a)(4) binding the encrypted first session key to the encrypted first information; and
(a)(5) communicating the bound encrypted first session key and encrypted first information to cloud based storage; and
a second computing node, comprising a secure out-of-band non-volatile second memory that stores a hardware-based second private key that is non-visible to a second OS for the second computing node and that corresponds to the second public key,
(b)(1) receiving and decrypting the bound encrypted first session key with the second private key while the second private key is stored in the second memory, and
(b)(2) decrypting the encrypted first information with the decrypted first session key.
(Dependent claims 18 to 20)
Specification