Encrypted key cache
First Claim
1. One or more non-transitory computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computer, cause the one or more processors to perform the following acts:
- receive a request, corresponding to a user, to access an encrypted file;
obtain an access control entry (ACE) from an access control list (ACL) of a plurality of ACEs, the ACE corresponding to both the user and the requested encrypted file, wherein the ACE includes an encrypted version of a symmetric key that was used to encrypt the encrypted file;
access an encrypted key cache, the encrypted key cache having multiple ACE-to-symmetric-key-mapped entries, each entry having a reference to one or more ACEs mapped to at least one unencrypted symmetric key;
identify at least one entry of the multiple ACE-to-symmetric-key-mapped entries of the encrypted key cache that has a reference to an ACE that both matches the ACE of the ACL and is mapped to an unencrypted symmetric key that matches the symmetric key that was used to encrypt the encrypted file;
responsive to identifying the at least one identified entry, decrypt the encrypted file using the mapped unencrypted symmetric key from the identified entry of the encrypted key cache; and
responsive to failing to identify the at least one identified entry, decrypt the encrypted symmetric key from the ACE of the ACL and decrypt the unencrypted file using the decrypted symmetric key.
1 Assignment
0 Petitions
Accused Products
Abstract
A file that has been encrypted using a symmetric key and that has a corresponding access control entry with the symmetric key encrypted using the public key of a public/private key pair can be accessed. An encrypted key cache is also accessed to determine whether an access control entry to symmetric key mapping exists in the cache for the access control entry corresponding to the file. If such a mapping exists in the cache, then the mapped-to symmetric key is obtained form the cache, otherwise the encrypted symmetric key is decrypted using the private key of the public/private key pair. The encrypted key cache itself can also be encrypted and stored as an encrypted file.
164 Citations
20 Claims
-
1. One or more non-transitory computer storage media having stored thereon a plurality of instructions that, when executed by one or more processors of a computer, cause the one or more processors to perform the following acts:
-
receive a request, corresponding to a user, to access an encrypted file;
obtain an access control entry (ACE) from an access control list (ACL) of a plurality of ACEs, the ACE corresponding to both the user and the requested encrypted file, wherein the ACE includes an encrypted version of a symmetric key that was used to encrypt the encrypted file;access an encrypted key cache, the encrypted key cache having multiple ACE-to-symmetric-key-mapped entries, each entry having a reference to one or more ACEs mapped to at least one unencrypted symmetric key; identify at least one entry of the multiple ACE-to-symmetric-key-mapped entries of the encrypted key cache that has a reference to an ACE that both matches the ACE of the ACL and is mapped to an unencrypted symmetric key that matches the symmetric key that was used to encrypt the encrypted file; responsive to identifying the at least one identified entry, decrypt the encrypted file using the mapped unencrypted symmetric key from the identified entry of the encrypted key cache; and responsive to failing to identify the at least one identified entry, decrypt the encrypted symmetric key from the ACE of the ACL and decrypt the unencrypted file using the decrypted symmetric key. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16)
-
-
14. A method comprising:
-
receiving a request, from a user, to access an encrypted file; accessing an encrypted key cache in encrypted form from a memory configured to store the encrypted key cache, the encrypted key cache corresponding to the user and containing multiple entries, each entry corresponding to the user and one or more of multiple encrypted files, each entry having an unencrypted symmetric key used to encrypt the one or more multiple encrypted files that correspond to the unencrypted symmetric key'"'"'s entry; decrypting the encrypted key cache using a private key of a public/private key pair, the public/private key pair corresponding to the user; and identifying at least one entry of the multiple entries of the encrypted key cache having an unencrypted symmetric key that was used to encrypt the requested encrypted file. - View Dependent Claims (17, 18, 19)
-
-
20. A method comprising:
-
accessing a key cache from a memory configured to store the key cache, wherein the key cache maintains a plurality of access control entry to symmetric key mappings corresponding to a plurality of files accessible to a user in a distributed file system, wherein each of the plurality of mappings identifies a symmetric key used to decrypt a file corresponding to the mapping; generating an encrypted file that includes the key cache and that is encrypted using a symmetric key associated with the key cache; encrypting the symmetric key associated with the key cache using a public key of a public/private key pair, the public/private key pair corresponding to the user; storing the encrypted symmetric key associated with the key cache in an access control entry corresponding to the encrypted file; and storing both the encrypted file and the access control entry corresponding to the encrypted file in the distributed file system.
-
Specification