Storing user data in a service provider cloud without exposing user-specific secrets to the service provider

US 8,788,843 B2
Filed: 10/28/2011
Issued: 07/22/2014
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method of storing and protecting user data in a service provider cloud, comprising:

associating a key pair with an account of an authorized user, the key pair comprising an account public key, and an associated account secret key;

storing a value that has been generated by encrypting the account secret key with a user-specific secret, the value being distinct from the account public key and the associated account secret key of the key pair;

storing in the service provider cloud a file that has been generated by encrypting data associated with the authorized user with a data key that is distinct from the value, and from the account public key and the associated account secret key of the key pair;

encrypting the data key with the account public key to generate an account encrypted data key that is distinct from the value, from the data key, and from the account public key and the associated account secret key of the key pair;

storing the account encrypted data key; and

providing access to the data associated with the authorized user upon receipt at the service provider cloud of the user-specific secret by the following ordered operations;

(i) decrypting the value to obtain the account secret key, then (ii) decrypting, using the account secret key so obtained, the account encrypted data key to obtain the data key, then (iii) decrypting, using the data key so obtained, the file stored in the service provider cloud with the data key.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Subscriber (user) data is encrypted and stored in a service provider cloud in a manner such that the service provider is unable to decrypt and, as a consequence, to view, access or copy the data. Only the user knows a user-specific secret (e.g., a password) that is the basis of the encryption. The techniques herein enable the user to share his or her data, privately or publicly, without exposing the user-specific secret with anyone or any entity (such as the service provider).

12 Citations

View as Search Results

12 Claims

1. A method of storing and protecting user data in a service provider cloud, comprising:
- associating a key pair with an account of an authorized user, the key pair comprising an account public key, and an associated account secret key;
  
  storing a value that has been generated by encrypting the account secret key with a user-specific secret, the value being distinct from the account public key and the associated account secret key of the key pair;
  
  storing in the service provider cloud a file that has been generated by encrypting data associated with the authorized user with a data key that is distinct from the value, and from the account public key and the associated account secret key of the key pair;
  
  encrypting the data key with the account public key to generate an account encrypted data key that is distinct from the value, from the data key, and from the account public key and the associated account secret key of the key pair;
  
  storing the account encrypted data key; and
  
  providing access to the data associated with the authorized user upon receipt at the service provider cloud of the user-specific secret by the following ordered operations;
  
  (i) decrypting the value to obtain the account secret key, then (ii) decrypting, using the account secret key so obtained, the account encrypted data key to obtain the data key, then (iii) decrypting, using the data key so obtained, the file stored in the service provider cloud with the data key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as described in claim 1 wherein the user-specific secret is not shared with the service provider.
  - 3. The method as described in claim 1 wherein the data key is not stored persistently by the service provider.
  - 4. The method as described in claim 1 wherein the data key is a symmetric key.
  - 5. The method as described in claim 1 wherein the key pair is an RSA public/private key pair.
  - 6. The method as described in claim 1 wherein access to the data associated with the authorized user is provided to an invitee associated with the user without exposing the user-specific secret to the invitee.
  - 7. The method as described in claim 1 wherein access to the data associated with the authorized user is provided publicly without exposing the user-specific secret to any entity accessing the data publicly.
  - 8. The method as described in claim 1 wherein the key pair is associated with the account of an authorized user upon registration of the authorized user to use the service provider cloud.
  - 9. The method as described in claim 1 wherein each authorized user of the service provider cloud obtains a distinct key pair.
  - 10. The method as described in claim 1 wherein the file is received in association with a synchronization operation initiated at a user machine.

11. An article comprising a tangible non-transitory machine-readable medium that stores a program, the program being executable by a machine to store and protect user data in a service provider cloud, the program comprising:
- program code to associate a key pair with an account of an authorized user, the key pair comprising an account public key, and an associated account secret key;
  
  program code to store a value that has been generated by encrypting the account secret key with a user-specific secret, the value being distinct from the account public key and the associated account secret key of the key pair;
  
  program code to store in the service provider cloud a file that has been generated by encrypting data associated with the authorized user with a data key that is distinct from the value, and from the account public key and the associated account secret key of the key pair;
  
  program code to encrypt the data key with the account public key to generate an account encrypted data key that is distinct from the value, from the data key, and from the account public key and the associated account secret key of the key pair;
  
  program code to store the account encrypted data key; and
  
  program code to provide access to the data associated with the authorized user upon receipt at the service provider cloud of the user-specific secret by the following ordered operations;
  
  (i) decrypting the value to obtain the account secret key, then (ii) decrypting, using the account secret key so obtained, the account encrypted data key to obtain the data key, then (iii) decrypting, using the data key so obtained, the file stored in the service provider cloud with the data key.

12. Apparatus, comprising:
- one or more processors;
  
  computer memory holding computer program instructions executed by the one or more processors to provide a method of storing and protecting user data in a service provider cloud, the method comprising;
  
  associating a key pair with an account of an authorized user, the key pair comprising an account public key, and an associated account secret key;
  
  storing a value that has been generated by encrypting the account secret key with a user-specific secret, the value being distinct from the account public key and the associated account secret key of the key pair;
  
  storing in the service provider cloud a file that has been generated by encrypting data associated with the authorized user with a data key that is distinct from the value, and from the account public key and the associated account secret key of the key pair;
  
  encrypting the data key with the account public key to generate an account encrypted data key that is distinct from the value, from the data key, and from the account public key and the associated account secret key of the key pair;
  
  storing the account encrypted data key; and
  
  providing access to the data associated with the authorized user upon receipt at the service provider cloud of the user-specific secret by the following ordered operations;
  
  (i) decrypting the value to obtain the account secret key, then (ii) decrypting, using the account secret key so obtained, the account encrypted data key to obtain the data key, then (iii) decrypting, using the data key so obtained, the file stored in the service provider cloud with the data key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GOTO Group Incorporated (LogMeIn, Inc.)
Original Assignee
Logmeln Incorporated
Inventors
Kopasz, Krisztian, Anka, Marton B.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US13/284,223
Publication Number

US 20130111217A1
Time in Patent Office

998 Days
Field of Search

713/189
US Class Current

713/189
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

H04L 63/102   Entity profiles

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3006   underlying computational pr...

Storing user data in a service provider cloud without exposing user-specific secrets to the service provider

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Storing user data in a service provider cloud without exposing user-specific secrets to the service provider

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links