Client(s) to cloud or remote server secure data or file object encryption gateway

US 9,794,064 B2
Filed: 09/14/2016
Issued: 10/17/2017
Est. Priority Date: 09/17/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one memory to store at least one key associated to a first client of a plurality of clients;

a first computing device configured as an encryption gateway to communicate with the first client using a client-side transport protocol, and to communicate with a remote cloud storage or server using a remote-side transport protocol, the first computing device comprising at least one processor, and the first computing device further configured to;

authenticate the first client using at least one authentication factor,receive data in a payload from the first client,decrypt the received data using the client-side transport protocol to provide first decrypted data,encrypt the first decrypted data using the at least one key to provide first encrypted data,encrypt the first encrypted data using the remote-side transport protocol to provide second encrypted data, andsend the second encrypted data to the remote cloud storage or server; and

a key manager configured to provide the at least one key to the encryption gateway for storage in the at least one memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods to send or write data or file objects to a remote cloud storage or data server using an encryption gateway. In one embodiment, a communication system includes: an encryption gateway configured to receive TLS (or an equivalent security) encrypted data in a payload from a client application, to terminate the client TLS connection, and to extract the payload and encrypt the payload data with keys from the key manager. The encryption gateway establishes a TLS connection and inserts the encrypted-authenticated data into the TLS payload and sends or writes the TLS encrypted data to a remote cloud storage or data server for storage. The system further includes a key manager configured to provide at least one key to the encryption gateway for encryption of the data in the payload.

131 Citations

19 Claims

1. A system, comprising:
- at least one memory to store at least one key associated to a first client of a plurality of clients;
  
  a first computing device configured as an encryption gateway to communicate with the first client using a client-side transport protocol, and to communicate with a remote cloud storage or server using a remote-side transport protocol, the first computing device comprising at least one processor, and the first computing device further configured to;
  
  authenticate the first client using at least one authentication factor,receive data in a payload from the first client,decrypt the received data using the client-side transport protocol to provide first decrypted data,encrypt the first decrypted data using the at least one key to provide first encrypted data,encrypt the first encrypted data using the remote-side transport protocol to provide second encrypted data, andsend the second encrypted data to the remote cloud storage or server; and
  
  a key manager configured to provide the at least one key to the encryption gateway for storage in the at least one memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the remote-side transport protocol is transport layer security or Internet protocol security.
  - 3. The system of claim 1, wherein the encryption gateway receives authentication information from the first client for requesting at least one key from the key manager.
  - 4. The system of claim 1, wherein the encryption gateway uses symmetric encryption with authentication to encrypt the first decrypted data using the at least one key.
  - 5. The system of claim 1, wherein the key manager loads the at least one key into the encryption gateway via a secure port of the first computing device or over a client-side network.
  - 6. The system of claim 5, wherein the at least one key is associated to the first client when loaded by the key manager.
  - 7. The system of claim 1, wherein the key manager communicates with the remote-side transport protocol to determine at least one key for use in the encryption of the data.
  - 8. The system of claim 7, wherein the data is encrypted at a file object level, and at least one key is associated to a file object.
  - 9. The system of claim 1, wherein the encryption gateway negotiates an encrypted connection to the remote cloud storage or server, the encryption gateway negotiates an encrypted connection to the first client, and the first client communicates with the encryption gateway in a client session using the client-side transport protocol.
  - 10. The system of claim 9, wherein the encryption gateway decrypts the received data from the first client using a client session key of the client session.
  - 11. The system of claim 10, wherein the first encrypted data is encrypted by the encryption gateway using a cloud session key associated with the encrypted connection to the remote cloud storage or server.
  - 12. The system of claim 1, wherein the encryption gateway sets up a transport session with the remote cloud storage or server prior to receiving the payload from the first client, and the encryption gateway uses the transport session for sending data from each of the plurality of clients, including the first client, to the remote cloud storage or server.
  - 13. The system of claim 12, wherein the encryption gateway modifies or inserts a header in a transport connection to associate the first client on a remote connection, or the encryption gateway modifies or inserts a header in a file object to associate the first client on a remote connection.
  - 14. The system of claim 1, wherein the key manager is implemented using the first computing device or a second computing device.

15. A method, comprising:
- storing, in a memory of an encryption gateway, a key associated to a first client of a plurality of clients, the first client communicating with the encryption gateway using a client-side transport protocol;
  
  receiving, by the encryption gateway from the first client, a first request to read data or a file object from a remote cloud storage or server, the remote cloud storage or server communicating with the encryption gateway using a remote-side transport protocol;
  
  in response to the first request, sending, by the encryption gateway, a second request to the remote cloud storage or server for the data or file object;
  
  in response to the second request, receiving, by the encryption gateway, the data or the file object in a first payload from the remote cloud storage or server, wherein the data or the file object has been encrypted using the remote-side transport protocol;
  
  decrypting, by at least one processor of the encryption gateway, the received data or the file object in the first payload using the remote-side transport protocol to provide first decrypted data;
  
  decrypting, by the encryption gateway, the first decrypted data using the key associated to the first client to provide second decrypted data, wherein the key is retrieved from the memory of the encryption gateway;
  
  encrypting, by the encryption gateway, the second decrypted data using the client-side transport protocol to provide first encrypted data; and
  
  sending, from the encryption gateway to the first client, the first encrypted data.
- View Dependent Claims (16)
- - 16. The method of claim 15, further comprising:
    - terminating, by the encryption gateway, client-side communication with the first client;
      
      performing decryption on a transmission control protocol stream of data associated with an encryption algorithm; and
      
      receiving data for transport encryption of a second payload that is independent of the first payload.

17. A system, comprising:
- at least one processor of an encryption gateway; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  receive, from a first client communicating with the encryption gateway using a client-side transport protocol, data in a payload;
  
  decrypt the received data using the client-side transport protocol to provide first decrypted data;
  
  receive, from a key manager, at least one key associated to the first client;
  
  encrypt the first decrypted data using the at least one key to provide first encrypted data;
  
  encrypt the first encrypted data using a remote-side transport protocol associated with a remote cloud storage or server to provide second encrypted data; and
  
  send the second encrypted data to the remote cloud storage or server.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the data in the payload from the first client is received by a multiplexer or a packet engine of the encryption gateway.
  - 19. The system of claim 17, wherein the second encrypted data is sent to the remote cloud storage or server by a packet engine of the encryption gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secturion Systems, Inc.
Original Assignee
Secturion Systems, Inc.
Inventors
Anderson, Jordan, Takahashi, Richard J., Little, Sean, Noehring, Lee
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US15/264,840
Publication Number

US 20170085372A1
Time in Patent Office

398 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0471   applying encryption by an i...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 9/08   Key distribution or managem...

H04L 9/0822   using key encryption key

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

Client(s) to cloud or remote server secure data or file object encryption gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

131 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Client(s) to cloud or remote server secure data or file object encryption gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links