Storing encrypted objects

US 8,650,657 B1
Filed: 05/18/2011
Issued: 02/11/2014
Est. Priority Date: 05/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method performed by one or more processors, the method comprising:

receiving, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;

decrypting the wrapped key to access the resource encryption key;

encrypting the resource in unencrypted form into an encrypted resource with the resource encryption key;

sending, to the application server system, the encrypted resource;

receiving, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;

decrypting the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;

accessing the user identifier from the unwrapped key;

determining that the received authentication credentials correspond to the accessed user identifier; and

in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unecrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A resource in unencrypted form and a wrapped key are received in a request from an application server system and at a key server system. The wrapped key includes a resource encryption key and a user identifier that have been encrypted using a master key. The user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource. The request does not include the user identifier. The wrapped key is decrypted to access the resource encryption key. The resource in unencrypted form is encrypted into an encrypted resource with the resource encryption key. The encrypted resource is sent to the application server system.

53 Citations

View as Search Results

33 Claims

1. A method performed by one or more processors, the method comprising:
- receiving, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;
  
  decrypting the wrapped key to access the resource encryption key;
  
  encrypting the resource in unencrypted form into an encrypted resource with the resource encryption key;
  
  sending, to the application server system, the encrypted resource;
  
  receiving, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;
  
  decrypting the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;
  
  accessing the user identifier from the unwrapped key;
  
  determining that the received authentication credentials correspond to the accessed user identifier; and
  
  in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unecrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, the method further comprising:
    - identifying a service associated with the second wrapped key; and
      
      wherein decrypting the second wrapped key includes decrypting the second wrapped key using a master key associated with the service.
  - 3. The method of claim 1, the method further comprising:
    - receiving, from an application server and at the key server system, a sharing request that includes i) the authentication credentials, ii) the second wrapped key, and iii) a second user identifier;
      
      decrypting the second wrapped key included in the request to generate the unwrapped key;
      
      accessing the user identifier from the unwrapped key;
      
      determining that the received authentication credentials correspond to the accessed user identifier; and
      
      in response to determining that the received authentication credentials correspond to the accessed user identifier;
      
      replacing the user identifier in the unwrapped key with the second user identifier;
      
      encrypting the unwrapped key to generate a third wrapped key; and
      
      sending the third wrapped key to an application server system.
  - 4. The method of claim 1, wherein the user identifier indicates no more than one user.
  - 5. The method of claim 1, the method further comprising:
    - identifying a format of the authentication credentials and the user identifier; and
      
      determining that the received authentication credentials correspond to the accessed user identifier according to the identified format.
  - 6. The method of claim 1, the method further comprising:
    - receiving, from an application server system, a seed value;
      
      generating the resource encryption key from the seed value; and
      
      sending, to an application server system, the resource encryption key.
  - 7. The method of claim 6, the method further comprising:
    - encrypting the resource using the resource encryption key to generate an encrypted version of the resource;
      
      detecting duplicates of the encrypted version of the resource stored in a storage system; and
      
      removing the detected duplicates from the storage system.
  - 8. The method of claim 7 wherein removing the detected duplicates from the storage system comprises deleting the detected duplicates and replacing the deleted duplicates with a pointer to the encrypted version of the resource.
  - 9. The method of claim 7 wherein encrypting the resource using the resource encryption key to generate the encrypted version of the resource comprises encrypting the resource using the resource encryption key and a deterministic encryption technique.
  - 10. The method of claim 6 wherein the seed value is based on the resource.
  - 11. The method of claim 8 wherein the seed value is a hash calculated from the resource.

12. A computer system comprising:
- a key server system comprising a processor and memory and configured to;
  
  receive, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;
  
  decrypt the wrapped key to access the resource encryption key;
  
  encrypt the resource in unencrypted form into an encrypted resource with the resource encryption key;
  
  send, to the application server system, the encrypted resource;
  
  receive, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;
  
  decrypt the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;
  
  access the user identifier from the unwrapped key;
  
  determine that the received authentication credentials correspond to the accessed user identifier; and
  
  in response to determining that the received authentication credentials correspond to the accessed user identifier, send the resource encryption key in unecrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, the key server system further configured to:
    - identify a service associated with the second wrapped key; and
      
      wherein decrypting the second wrapped key includes decrypting the second wrapped key using a master key associated with the service.
  - 14. The system of claim 12, the key server system further configured to:
    - receive, from an application server and at the key server system, a sharing request that includes i) the authentication credentials, ii) the second wrapped key, and iii) a second user identifier;
      
      decrypt the second wrapped key included in the request to generate the unwrapped key;
      
      access the user identifier from the unwrapped key;
      
      determine that the received authentication credentials correspond to the accessed user identifier; and
      
      in response to determining that the received authentication credentials correspond to the accessed user identifier;
      
      replace the user identifier in the unwrapped key with the second user identifier;
      
      encrypt the unwrapped key to generate a third wrapped key; and
      
      send the third wrapped key to an application server system.
  - 15. The system of claim 12, wherein the user identifier indicates no more than one user.
  - 16. The system of claim 12, the key server system further configured to:
    - identify a format of the authentication credentials and the user identifier; and
      
      determine that the received authentication credentials correspond to the accessed user identifier according to the identified format.
  - 17. The system of claim 12, the key server system further configured to:
    - receive, from an application server system, a seed value;
      
      generate the resource encryption key from the seed value; and
      
      send, to an application server system, the resource encryption key.
  - 18. The system of claim 17, wherein the application server is configured to:
    - encrypt the resource using the resource encryption key to generate an encrypted version of the resource;
      
      detect duplicates of the encrypted version of the resource stored in a storage system; and
      
      remove the detected duplicates from the storage system.
  - 19. The system of claim 18 wherein, to remove the detected duplicates from the storage system, the application server is configured to delete the detected duplicates and replace the deleted duplicates with a pointer to the encrypted version of the resource.
  - 20. The system of claim 18 wherein, to encrypt the resource using the resource encryption key to generate the encrypted version of the resource, the application server is configured to encrypt the resource using the resource encryption key and a deterministic encryption technique.
  - 21. The system of claim 17 wherein the seed value is based on the resource.
  - 22. The system of claim 19 wherein the seed value is a hash calculated from the resource.

23. A non-transitory computer readable medium storing instructions that, when executed by one or more processing devices, cause the one or more processing devices to perform operations including:
- receiving, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;
  
  decrypting the wrapped key to access the resource encryption key;
  
  encrypting the resource in unencrypted form into an encrypted resource with the resource encryption key;
  
  sending, to the application server system, the encrypted resource;
  
  receiving, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;
  
  decrypting the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;
  
  accessing the user identifier from the unwrapped key;
  
  determining that the received authentication credentials correspond to the accessed user identifier; and
  
  in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unecrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The medium of claim 23, the operations further including:
    - identifying a service associated with the second wrapped key; and
      
      wherein decrypting the second wrapped key includes decrypting the second wrapped key using a master key associated with the service.
  - 25. The medium of claim 23, the operations further including:
    - receiving, from an application server and at the key server system, a sharing request that includes i) the authentication credentials, ii) the second wrapped key, and iii) a second user identifier;
      
      decrypting the second wrapped key included in the request to generate the unwrapped key;
      
      accessing the user identifier from the unwrapped key;
      
      determining that the received authentication credentials correspond to the accessed user identifier; and
      
      in response to determining that the received authentication credentials correspond to the accessed user identifier;
      
      replacing the user identifier in the unwrapped key with the second user identifier;
      
      encrypting the unwrapped key to generate a third wrapped key; and
      
      sending the third wrapped key to an application server system.
  - 26. The medium of claim 23, wherein the user identifier indicates no more than one user.
  - 27. The medium of claim 23, the operations further including:
    - identifying a format of the authentication credentials and the user identifier; and
      
      determining that the received authentication credentials correspond to the accessed user identifier according to the identified format.
  - 28. The medium of claim 23, the operations further including:
    - receiving, from an application server system, a seed value;
      
      generating the resource encryption key from the seed value; and
      
      sending, to an application server system, the resource encryption key.
  - 29. The medium of claim 28, the operations further including:
    - encrypting the resource using the resource encryption key to generate an encrypted version of the resource;
      
      detecting duplicates of the encrypted version of the resource stored in a storage system; and
      
      removing the detected duplicates from the storage system.
  - 30. The medium of claim 29 wherein removing the detected duplicates from the storage system comprises deleting the detected duplicates and replacing the deleted duplicates with a pointer to the encrypted version of the resource.
  - 31. The medium of claim 29 wherein encrypting the resource using the resource encryption key to generate the encrypted version of the resource comprises encrypting the resource using the resource encryption key and a deterministic encryption technique.
  - 32. The medium of claim 28 wherein the seed value is based on the resource.
  - 33. The medium of claim 30 wherein the seed value is a hash calculated from the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Shankar, Umesh, Kulik, Andrei, Moller, Bodo, Patel, Sarvar
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Durham, Imhotep

Application Number

US13/110,336
Time in Patent Office

1,000 Days
Field of Search

726/5, 726/6, 380/277, 380/278, 380/279, 713/150, 713/153
US Class Current

726/27
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 67/1097   for distributed storage of ...

H04L 9/0819   Key transport or distributi...

H04L 9/321   involving a third party or ...

Storing encrypted objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Storing encrypted objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others