CLOUD KEY ESCROW SYSTEM

US 20150074402A1
Filed: 11/18/2014
Published: 03/12/2015
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising:

receiving at a data storage system encrypted data from a user, wherein the encrypted data was encrypted using the user'"'"'s private key prior to having been received and the encryption having been completed prior to being received by the computer system;

storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties; and

the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user'"'"'s encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user'"'"'s private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.

17 Citations

View as Search Results

15 Claims

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising:
- receiving at a data storage system encrypted data from a user, wherein the encrypted data was encrypted using the user'"'"'s private key prior to having been received and the encryption having been completed prior to being received by the computer system;
  
  storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties; and
  
  the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the received, encrypted data comprises a cryptographic key belonging to the user.
  - 3. The method of claim 2, wherein the user'"'"'s cryptographic key is encrypted on the user'"'"'s private computer system.
  - 4. The method of claim 1, wherein the user modifies the threshold number of requests from verified third parties in the policy that are to be received before the user'"'"'s encrypted data is released.
  - 5. The method of claim 1, wherein the user has a public key that is made public in a secure manner using a secure service that runs on the user'"'"'s private computer system.
  - 6. The method of claim 1, wherein the received encrypted key is stored as a plurality of shares, the shares being mathematical transformations of the user'"'"'s private key, and wherein each share is provided to one of the verified third parties.
  - 7. The method of claim 6, wherein each verified third party publishes their own public keys and encrypts their share of the encrypted key using their published public key.
  - 8. The method of claim 7, wherein the verified third party shares encrypted according to the third parties'"'"' public keys are stored in the data storage system, the encrypted shares preventing the data storage system from accessing the user'"'"'s data.
  - 9. The method of claim 8, wherein the shares are generated in such a way that a threshold gate is used to recreate the original key from those shares.
  - 10. The method of claim 9, wherein the predefined policy indicates that the threshold gate is a specified number or percentage of the total number of shares, such that when that specified number of verified third party share holders has requested release of the encrypted data, the data storage system provides the encrypted data.
  - 11. The method of claim 10, wherein the predefined policy indicates a set of rules comprising Boolean logic indicating which specific verified third parties are to request release of the encrypted data before the data storage system will release the encrypted data.
  - 12. The method of claim 1, wherein the verifiable secret sharing scheme performs the verification without opening or looking at the encrypted data.

13. A computer system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for allowing a user to store encrypted, third-party-accessible data in a data store, the method comprising the following;
  
  receiving at a data storage system encrypted data from a user, wherein the encrypted data was encrypted using the user'"'"'s private key prior to having been received and the encryption having been completed prior to being received by the computer system;
  
  storing the received encrypted data in the data storage system according to a predefined policy, the encryption preventing the storage system from decrypting the encrypted data, the policy allowing the encrypted data to be released upon receiving at least a threshold number of requests from verified third parties, wherein a received encrypted key is stored as a plurality of shares, the shares being mathematical transformations of the user'"'"'s private key, and wherein each share is provided to one of the verified third parties;
  
  the data storage system implementing a verifiable secret sharing scheme to verify that the encrypted data can be decrypted without the data storage system having the ability to decrypt the encrypted data;
  
  receiving a request from the user requesting the user'"'"'s encrypted data; and
  
  the data storage system providing the user'"'"'s stored encrypted data based at least in part on the user'"'"'s request.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein each verified third party publishes their own public keys and encrypts their share of the encrypted key using their published public key, such that the verified third party shares encrypted according to third parties'"'"' public keys are stored in the data storage system.
  - 15. The system of claim 13, wherein one or more of the trusted third parties are themselves users of the system of claim 18, wherein the trusted third party system users'"'"' own public keys are escrowed to other trusted third parties in the system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
D'Souza, Roy Peter, Pandey, Omkant

Granted Patent

US 9,900,288 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

CLOUD KEY ESCROW SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

CLOUD KEY ESCROW SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links