Storing encrypted objects
First Claim
1. A method performed by one or more processors, the method comprising:
- receiving, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;
- decrypting the wrapped key to access the resource encryption key;
- encrypting the resource in unencrypted form into an encrypted resource with the resource encryption key;
- sending, to the application server system, the encrypted resource;
- receiving, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;
- decrypting the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;
- accessing the user identifier from the unwrapped key;
- determining that the received authentication credentials correspond to the accessed user identifier; and
- in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unencrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.
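The key-release steps of the claim above (unwrap the second wrapped key, read the user identifier, release the resource encryption key only on a match), as an added Go example that is not taken from the patent. It assumes AES-256-GCM as the wrapping cipher, a 32-byte resource key, and that `authedUser` is the identity the received credentials already resolved to; `aead`, `Wrap` and `ReleaseKey` are illustrative names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// aead builds AES-256-GCM (assumed cipher); a 32-byte array key cannot fail.
func aead(key *[32]byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(blk)
	return g
}

// Wrap seals resourceKey || userID under the master key, nonce prepended.
func Wrap(master, rek *[32]byte, userID string) ([]byte, error) {
	g := aead(master)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, append(rek[:], userID...), nil), nil
}

// ReleaseKey unwraps and returns the resource key only when authedUser (the
// identity the credentials resolved to; an assumed input) equals the sealed ID.
func ReleaseKey(master *[32]byte, wrapped []byte, authedUser string) ([]byte, error) {
	g := aead(master)
	if len(wrapped) < g.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	pt, err := g.Open(nil, wrapped[:g.NonceSize()], wrapped[g.NonceSize():], nil)
	if err != nil || len(pt) < 32 {
		return nil, errors.New("wrapped key failed authentication")
	}
	if subtle.ConstantTimeCompare(pt[32:], []byte(authedUser)) != 1 {
		return nil, errors.New("credentials do not match wrapped user")
	}
	return pt[:32], nil
}

func main() {
	var master, rek [32]byte // constructed all-zero demo keys, not real key material
	w, _ := Wrap(&master, &rek, "alice")
	fmt.Println(ReleaseKey(&master, w, "mallory")) // refused: not the wrapped user
}
```

Because the user identifier sits inside the authenticated ciphertext, an application server that holds only the wrapped key can neither read nor swap it; any altered byte makes the unwrap fail before the identity check runs.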
2 Assignments
0 Petitions
Abstract
A resource in unencrypted form and a wrapped key are received in a request from an application server system and at a key server system. The wrapped key includes a resource encryption key and a user identifier that have been encrypted using a master key. The user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource. The request does not include the user identifier. The wrapped key is decrypted to access the resource encryption key. The resource in unencrypted form is encrypted into an encrypted resource with the resource encryption key. The encrypted resource is sent to the application server system.
53 Citations
33 Claims
1. A method performed by one or more processors, the method comprising:
- receiving, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;
- decrypting the wrapped key to access the resource encryption key;
- encrypting the resource in unencrypted form into an encrypted resource with the resource encryption key;
- sending, to the application server system, the encrypted resource;
- receiving, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;
- decrypting the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;
- accessing the user identifier from the unwrapped key;
- determining that the received authentication credentials correspond to the accessed user identifier; and
- in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unencrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A computer system comprising:
a key server system comprising a processor and memory and configured to:
- receive, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;
- decrypt the wrapped key to access the resource encryption key;
- encrypt the resource in unencrypted form into an encrypted resource with the resource encryption key;
- send, to the application server system, the encrypted resource;
- receive, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;
- decrypt the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;
- access the user identifier from the unwrapped key;
- determine that the received authentication credentials correspond to the accessed user identifier; and
- in response to determining that the received authentication credentials correspond to the accessed user identifier, send the resource encryption key in unencrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. A non-transitory computer readable medium storing instructions that, when executed by one or more processing devices, cause the one or more processing devices to perform operations including:
- receiving, in a request from an application server system and at a key server system, a resource in unencrypted form and a wrapped key, the wrapped key including a resource encryption key and a user identifier that have been encrypted using a master key, wherein the user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource, and wherein the request does not include a plaintext of the user identifier;
- decrypting the wrapped key to access the resource encryption key;
- encrypting the resource in unencrypted form into an encrypted resource with the resource encryption key;
- sending, to the application server system, the encrypted resource;
- receiving, from an application server system and at the key server system, authentication credentials and a second wrapped key, the second wrapped key including the resource encryption key and the user identifier that have been encrypted using the master key;
- decrypting the second wrapped key to generate an unwrapped key that includes the resource encryption key and the user identifier in unencrypted form;
- accessing the user identifier from the unwrapped key;
- determining that the received authentication credentials correspond to the accessed user identifier; and
- in response to determining that the received authentication credentials correspond to the accessed user identifier, sending the resource encryption key in unencrypted form to an application server system such that that application server system can decrypt the encrypted resource using the resource encryption key in unencrypted form.

Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32, 33
Specification