Encryption-based data access management

US 8,997,197 B2
Filed: 12/12/2012
Issued: 03/31/2015
Est. Priority Date: 12/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a data storage server storing encrypted data, a user authentication request for decrypting the encrypted data from a client device;

transmitting, by the data storage server, a validation token associated with the user authentication request to the client device, wherein the validation token indicates that the client device successfully authenticated;

receiving, by the data storage server, a confirmation request associated with the validation token from a second device that is different from the client device; and

transmitting, by the data storage server, a confirmation to the second device indicating that the client device is authenticated to the data storage server.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encryption-based data access management may include a variety of processes. In one example, a device may transmit a user authentication request for decrypting encrypted data to a data storage server storing the encrypted data. The computing device may then receive a validation token associated with the user'"'"'s authentication request, the validation token indicating that the user is authenticated to a domain. Subsequently, the computing device may transmit the validation token to a first key server different from the data storage server. Then, in response to transmitting the validation token the computing device may receive, from the first key server, a key required for decrypting the encrypted data. The device may then decrypt at least a portion of the encrypted data using the key.

22 Citations

View as Search Results

24 Claims

1. A method comprising:
- receiving, by a data storage server storing encrypted data, a user authentication request for decrypting the encrypted data from a client device;
  
  transmitting, by the data storage server, a validation token associated with the user authentication request to the client device, wherein the validation token indicates that the client device successfully authenticated;
  
  receiving, by the data storage server, a confirmation request associated with the validation token from a second device that is different from the client device; and
  
  transmitting, by the data storage server, a confirmation to the second device indicating that the client device is authenticated to the data storage server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising, prior to transmitting the validation token:
    - authenticating the client device to a domain; and
      
      determining, based on a domain group membership of the client device, data accessible to the client device,wherein a domain group comprises a plurality of domain group memberships respectively associated with a plurality of client devices.
  - 3. The method of claim 1, wherein the second device comprises a first key server, and the confirmation request is sent by the first key server in response to receiving the validation token from a computing device, the first key server configured to store at least a portion of a decryption key for decrypting the encrypted data.
  - 4. The method of claim 3, further comprising:
    - receiving, by the data storage server, from a second key server, a second confirmation request associated with the validation token; and
      
      transmitting, by the data storage server, to a second key server, a second confirmation indicating that the client device is authenticated to the data storage server.
  - 5. The method of claim 3, wherein one or more of the first key server and a second key server transmits a kill pill to the computing device, the kill pill including instructions to delete one or more of the key and the encrypted data.
  - 6. The method of claim 1, wherein the confirmation is associated with a key required for decrypting the encrypted data.
  - 7. The method of claim 5, wherein the kill pill is authorized by a key-server administrator.
  - 8. The method of claim 3, comprising:
    - receiving, by the client device, from the first key server, a first key required for decrypting the encrypted data;
      
      receiving, by the client device, from a second key server, a second key required for decrypting the encrypted data; and
      
      using the first key and the second key to generate a decryption key that is used for decrypting the encrypted data.

9. A data storage server comprising:
- at least one processor; and
  
  non-transitory memory storing executable instructions configured to, when executed by the at least one processor, cause the data storage server to;
  
  receive, from a client device, a user authentication request for decrypting encrypted data;
  
  transmit, to the client device, a validation token associated with the user authentication request, the validation token indicating that the client device successfully authenticated;
  
  receive, from a second device that is different than the client device, a confirmation request associated with the validation token; and
  
  transmit, to the second device, a confirmation indicating that the client device is authenticated.
- View Dependent Claims (10, 11, 12, 13, 14, 23, 24)
- - 10. The data storage server of claim 9, wherein the non-transitory memory stores executable instructions configured to, when executed by the at least one processor, cause the data storage server to:
    - authenticate the client device to a domain; and
      
      determine, based on membership of the client device in a domain group of the domain, data accessible to the client device,wherein the domain group comprises a plurality of memberships respectively associated with a plurality of client devices.
  - 11. The data storage server of claim 9, wherein the second device comprises a first key server, and the first key server sends the confirmation request in response to receiving the validation token from a computing device, the first key server configured to store at least a portion of a decryption key for decrypting the encrypted data.
  - 12. The data storage server of claim 11, wherein the non-transitory memory stores executable instructions configured to, when executed by the at least one processor, cause the data storage server to:
    - receive, from a second key server, a request for a second confirmation associated with the validation token; and
      
      transmit, to a second key server, a second confirmation indicating that the client device is authenticated.
  - 13. The data storage server of claim 11, wherein one or more of the first key server and a second key server transmits a kill pill to the computing device, the kill pill comprising instructions to the computing device to delete one or more of the key and the encrypted data.
  - 14. The data storage server of claim 9, wherein the confirmation is associated with a key required for decrypting the encrypted data.
  - 23. The data storage server of claim 13, wherein the kill pill is authorized by a key-server administrator.
  - 24. The data storage server of claim 11, wherein the non-transitory memory stores executable instructions configured to, when executed by the at least one processor, cause the data storage server to:
    - receive, by the client device, from the first key server, a first key required for decrypting the encrypted data;
      
      receive, by the client device, from a second key server, a second key required for decrypting the encrypted data; and
      
      use the first key and the second key to generate a decryption key that is used for decrypting the encrypted data.

15. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by at least one processor, cause one or more data storage servers to:
- receive, from a client device, a user authentication request for decrypting encrypted data;
  
  transmit, to the client device, a validation token associated with the user authentication request, the validation token indicating that the client device successfully authenticated;
  
  receive, from a second device that is different than the client device, a confirmation request associated with the validation token; and
  
  transmit, to the second device, a confirmation indicating that the client device is authenticated.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The one or more non-transitory computer-readable media of claim 15, storing computer-readable instructions that, when executed by the at least one processor, cause the one or more data storage servers to:
    - authenticate the client device to a domain; and
      
      determine, based on membership of the client device in a domain group of the domain, data accessible to the client device,wherein the domain group comprises a plurality of memberships respectively associated with a plurality of client devices.
  - 17. The one or more non-transitory computer-readable media of claim 15, wherein the second device comprises a first key server, and the first key server sends the confirmation request in response to receiving the validation token from a computing device, the first key server configured to store at least a portion of a decryption key for decrypting the encrypted data.
  - 18. The one or more non-transitory computer-readable media of claim 17, storing computer-readable instructions that, when executed by the at least one processor, cause the one or more data storage servers to:
    - receive, from a second key server, a request for a second confirmation associated with the validation token; and
      
      transmit, to a second key server, a second confirmation indicating that the client device is authenticated.
  - 19. The one or more non-transitory computer-readable media of claim 17, wherein one or more of the first key server and a second key server transmits a kill pill to the computing device, the kill pill comprising instructions to the computing device to delete one or more of the key and the encrypted data.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the confirmation is associated with a key required for decrypting the encrypted data.
  - 21. The one or more non-transitory computer-readable media of claim 19, wherein the kill pill is authorized by a key-server administrator.
  - 22. The one or more non-transitory computer-readable media of claim 17, storing computer-readable instructions that, when executed by the at least one processor, cause the one or more data storage servers to:
    - receive, by the client device, from the first key server, a first key required for decrypting the encrypted data;
      
      receive, by the client device, from a second key server, a second key required for decrypting the encrypted data; and
      
      use the first key and the second key to generate a decryption key that is used for decrypting the encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Nord, Joseph, Tucker, Benjamin Elliot, Gaylor, Timothy
Primary Examiner(s)
Williams, Jeffrey

Application Number

US13/712,333
Publication Number

US 20140164774A1
Time in Patent Office

839 Days
Field of Search

None
US Class Current

726/9
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 9/00   Arrangements for program co...

H04L 63/064   Hierarchical key distributi...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04L 9/0861   Generation of secret inform...

H04L 9/0869   involving random numbers or...

H04L 9/12   Transmitting and receiving ...

Encryption-based data access management

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Encryption-based data access management

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others