US20170019377A1 - Secure Network Storage - Google Patents
Secure Network Storage Download PDFInfo
- Publication number
- US20170019377A1 US20170019377A1 US14/799,569 US201514799569A US2017019377A1 US 20170019377 A1 US20170019377 A1 US 20170019377A1 US 201514799569 A US201514799569 A US 201514799569A US 2017019377 A1 US2017019377 A1 US 2017019377A1
- Authority
- US
- United States
- Prior art keywords
- folder
- encrypted
- encryption key
- data
- point device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/006—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
Definitions
- This invention relates generally to the field of data storage, and particularly methods, apparatuses, and systems for securely storing data in an unsecure server that can be accessed later from a secure end-point.
- Cloud storage includes networked online storage such as data stored in virtualized pools of storage generally hosted by third parties.
- An entire ecosystem exists including companies that operate large data centers to serve people and entities that require data to be hosted.
- the data center operators may virtualize the resources according to the user's requirements, providing customers to vast storage resources, which the customers can use to store files or data objects.
- the resources may span across multiple physical servers.
- cloud storage There are many advantages to cloud storage including having to only pay for the storage actually used.
- entities may choose between off-premise and on-premise cloud storage options, or a mixture of the two options, to optimize other criteria such as cost savings potential, continuity of operations, disaster recovery, and security.
- Secondary advantages include a reduction in overhead cost as tasks are offloaded to a third party such as storage maintenance tasks, purchasing additional storage devices.
- a major problem with cloud-based storage involves securing the data to prevent the data from being accessed from unauthorized use.
- cloud computing There are a number of security issues associated with cloud computing. Typically the security issues are dealt with by the cloud, or remote storage, providers. However, the data users also face issues and can benefit from taking control of security measures that prevent unauthorized use.
- the cloud provider is generally responsible to ensure that their infrastructure is secure and data is protected. But generally, there are few options the data creator has to protect the data before it is stored on the cloud.
- This invention provides a unique solution for securely storing data wherein the data is encrypted at the source and not at the destination storage device.
- the invention includes a system and methods for encrypting data at the source, i.e. the client device or end-point, as well as storing and managing revisions of the data as it is used and changed by other secure devices and stored in the cloud.
- This invention enables a user of an end-point device to upload files onto network storage for backup and sharing with other end-point devices while providing automatic synchronization of the stored data across many devices.
- the invention also enables sharing with multiple users while using access privileges on a per folder or per object basis.
- the data is enabled to be encrypted locally on the end-point device before the data is sent to the cloud storage, such that the data on the network storage is always encrypted.
- the invention also encrypts the key for the files for each recipient to enable a cryptographically enforced access control.
- the invention enables different permission properties for each folder.
- One embodiment of the invention is a system for securing data comprising an end-point device with an application stored in the end-point device configured to secure an authenticated communication between the end-point device and a synchronized storage server via a communication network.
- a synchronized storage server including an application stored within the server is configured to send the end-point device a notification including a root folder list.
- the synchronized storage server may include any type of data hierarchy storage system such as a file, folder, or database.
- the end-point device's application is further configured to compare the sent root folder list to a previously stored root folder list in the end-point device's memory and determine if there is a new folder either on the synchronized storage server or on the end-point device, a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such a determination is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e.
- the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated until all changed data is synchronized.
- the synchronized storage server will also update the root folder list and provide an updated root folder list to the end point devices.
- the synchronized storage server may include an access control list to manage permissions to the folders and data.
- the synchronized storage server may send the end-point device a new encrypted folder encryption key, for example, when an end-point device's permissions to the folder and objects have been revoked.
- Another embodiment of the invention is a process for securing data in a remote storage where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising first securing an authenticated communication link between the end-point device and a synchronized storage server via a communication network.
- the synchronized storage server sends the end-point device a notification including a root folder list.
- the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e.
- the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server.
- the synchronization process is repeated throughout the folder hierarchy for each root folder until all changed folders and content are synchronized.
- the synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices.
- the synchronized storage server will send the end-point device a new encrypted folder encryption key which includes the encrypted file contents along with identifying information such as the server name and revision information.
- Another embodiment of the invention is a process for packaging encrypted folders for storage on a remote storage server so that changes to the contents of the encrypted folders can be detected without having access to the encrypted folder's contents comprising the source end-point device encrypting the folder using a unique folder encryption key.
- the encrypted data folder and folder encryption key is sent, via a secure tunnel through a communication device, to the synchronized storage server.
- the synchronized storage server then encrypts the folder encryption key multiple times.
- the folder encryption key is encrypted once for each end-point device using the public key for each end point device.
- the synchronized storage server stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory.
- the synchronized storage server also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available objects (e.g. folders), object names (e.g. file names), object size (e.g. file size), and number of objects (e.g. number of files); and sensitive (encrypted) data such as object salt (e.g. file salt), file names (e.g. file names), creation date, modification date, plaintext object contents (e.g. plaintext object contents), and object sizes (e.g. file sizes).
- the synchronized storage server sends the root folder list to all end-point devices so the end-point devices can determine if they need to synchronize folders with the synchronized storage server.
- the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e.
- the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server.
- the synchronization process is repeated throughout the folder hierarchy in the root folder until all changed folders and content are synchronized.
- the synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices, as needed.
- FIG. 1 is a diagram illustrating a system for securing data in a remote storage in accordance with the teachings of the present invention
- FIG. 2 is a diagram of an exemplary embodiment for a process to secure data in a remote storage in accordance with the teachings of the present invention.
- FIG. 3 is a diagram of an exemplary embodiment for a process to securely package data for remote storage in accordance with the teachings of the present invention.
- the invention deals with data storage and is applicable to all data storage systems such as database and file folder type data systems.
- objects and file folders are used to describe the location and hierarchy of stored data.
- the invention is applicable to all levels of data hierarchy, for example the invention is applicable to any arrangement of data consisting of sets and subsets such that every subset of a set is of lower rank than the set.
- Such terms associated with the various data storage systems are used interchangeably throughout the description and will be apparent to those skilled in the art.
- FIG. 1 is a diagram of an exemplary embodiment for a system 1000 for securing data comprising an end-point device 1300 with an application 1346 stored in the end-point device 1300 configured to secure an authenticated communication between the end-point device 1300 and a synchronized storage server 1100 via a network 1200 .
- the end-point device 1300 Upon start up, or at periodic intervals, or upon request, the end-point device 1300 will establish a secure and authenticated communication link with the synchronized storage server 1100 .
- the secure and authenticated communication links may be established using standard cryptographic techniques.
- the network 1200 may be either a wired or wireless communication network.
- the network 1200 may include a public or private network such as the internet, intranet, telecommunications system, or other network capable of transmitting electronic data.
- the end-point device 1300 includes internal hardware such as a processor 1310 , memory 1320 , and communication 130 devices.
- the end-point device 1300 may include software applications 1346 that enable the end-point device 1300 to encrypt all data locally on the device before sending the data to the remote cloud storage, or synchronized storage server 1100 .
- the data encryption may be accomplished using any data encryption method such as Advanced Encryption Standard (“AES”).
- AES Advanced Encryption Standard
- the end-point device may include smart phones, tablet PC's, notebook PC's, desktop PC's, remote monitoring devices, cameras, sensors, or any other device that transmits data via a network.
- the devices may be used for any type of communication, computing, or electronic operation.
- the invention is also applicable to both mobile devices and fixed devices since either type are commonly used to transmit data to and from other mobile and fixed devices via a network.
- the synchronized storage server 1100 includes an application 1146 stored within the server configured to send the end-point device 1300 a notification including a root folder list 1128 .
- the synchronized storage server 1100 may include hardware such as a processor 1110 , memory 1120 , and communication 1130 devices.
- the synchronized storage server 1100 may include either a file system or database.
- the synchronized storage server 1100 may include an access control list 1129 to manage permissions and synchronization to the folders and data.
- the synchronized storage server 1100 essentially acts like a secure storage device that can be accessed asynchronously as a secure end-point by any number of end-point devices 1300 .
- the synchronized storage server 1100 may comprise a physical storage device such as a hard drive, series of hard drives, SSD memory, SD Card, or any other type of local volatile or volatile memory.
- the synchronized storage server 1100 may also be a remote cloud storage service, such as Amazon Storage, Google Cloud Storage, or any other commercially available remote network storage service.
- the invention is also applicable to a synchronized storage server 1100 that uses cloud storage for the data, but maintains metadata and folder encryption keys locally on the server or device.
- the synchronized storage server 1100 only distributes the encrypted data and does not have any other direct access to the encrypted data.
- the synchronized storage server 1100 provides remote memory for end-point devices 1300 to backup data and to share data with other devices. With respect to shared data, the synchronized storage server 1100 may also provide automatic synchronization to keep the data, or content, consistent across the multiple sharing devices. The synchronized storage server 1100 may also enable sharing data with multiple devices with access privileges managed on a per folder basis. And since the data is encrypted locally on the end-point device 1300 , the synchronized storage server 1100 is always black, that is the synchronized storage server only carries segregated signals of encrypted information, or ciphertext signals, and does not contain sensitive data from end-point devices in any readable form. In addition, the synchronized storage server 1100 encrypts the folder encryption keys 1126 for the encrypted folders 1124 for each recipient to enable cryptographically enforced access control. The permission properties may also be enabled separately for each folder 1124 .
- the synchronized storage server 1100 stores the encrypted folders 1124 within a folder hierarchy as specified by a user. Along with each encrypted folder 1124 the synchronized storage server 1100 stores a signed-encrypted folder encryption key 1126 that is re-encrypted for each authorized user of each folder 1124 . The synchronized storage server 1100 also stores a permission list per folder 1124 , as an access control list 1129 . The synchronized storage server 1100 is able to send an encrypted folder encryption key 1126 to each end-point device 1300 that has permission to access the folder 1124 .
- the folder permissions apply to all files in a folder 1124 equally with no per-file permissions.
- Each file in a folder 1124 shares a unique cryptographic folder encryption key 1124 .
- CBC cipher-block chaining
- new folders have the option to inherit permissions from a parent folder; however, the new folders may still get a unique folder encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent folder.
- the invention is still applicable to data subsets, such as files within a folder.
- the synchronized storage server 1100 stores a signed-encrypted file encryption key that is re-encrypted for each authorized user of each file.
- the synchronized storage server 1100 also stores a permission list per file, as an access control list.
- the synchronized storage server 1100 is able to send an encrypted file encryption key to each end-point device 1300 that has permission to access the file.
- Each file may share a unique cryptographic file encryption key. This also reduces permission removal and revocation issues as the change on one file would result in all data in the same file being re-encrypted.
- new files have the option to inherit permissions from a parent file; however, the new files may still get a unique file encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent file. In this way, if a root parent file changes, the system will keep flowing down until a child is reached with different permission properties than the parent.
- only read or only write data permissions result in a one-way synchronization. Whereas, read and write data permissions may result in two-way synchronization.
- the end-point device's application 1346 is configured to compare the sent root folder list 1128 to a previously stored root folder list 1328 in the end-point device's memory 1320 .
- the end-point device 1346 compares the root folder list 1128 to a previously stored root folder list 1328 to detect if there is a new folder on either the synchronized storage server 1100 or on the end-point device 1346 , or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 1300 will synchronize with the synchronized storage server 1100 .
- the end-point device 1300 uploads the latest encrypted folders to the synchronized storage server 1100 .
- the change made to the folder originated at another end-point device i.e. the root folder list 1128 is different than the end-point device's folder list 1328
- the end-point device 1300 downloads the latest encrypted folders from the synchronized storage server 1100 .
- the synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized.
- the synchronized storage server 1100 will also update the root folder list and provide an updated root folder list to the end point devices.
- the synchronized storage server 1100 will send the end-point devices 1300 a new encrypted folder encryption key.
- the end-point device 1300 is then able to locally decrypt the folder encryption key using the end-point device's private key, using public-key cryptography. With the encrypted folder encryption key 1326 , the end-point device 1300 can decrypt the data.
- FIG. 2 is a diagram of an exemplary embodiment for a method 2000 for securing data in a remote synchronized storage server 2100 where an end-point device 2300 does not have direct access to the synchronized storage server 2100 to secure the data, or the end-point device 2300 does not trust the remote storage to adequately secure the data, comprising first securing an authenticated communication link 2400 between the end-point device 2300 and a synchronized storage server 2100 via a communication network 2200 .
- the end-point device 2300 Upon start up, or at periodic intervals, or upon request, the end-point device 2300 will establish a secure and authenticated communication link 2400 with the synchronized storage server 2100 .
- the secure and authenticated communication links 2400 may be established using standard cryptographic techniques.
- the synchronized storage server 2100 sends the end-point device 2300 a message including a root folder list.
- the end-point device 2300 compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server 2100 or on the end-point device 2300 , or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 2300 will synchronize with the synchronized storage server 2100 . If the change made to the folder originated at the end-point device 2300 , then the end-point device 2300 uploads the latest encrypted folders to the synchronized storage server 2100 .
- the end-point device 2300 downloads the latest encrypted folders from the synchronized storage server 2100 .
- the synchronization process is repeated until all changed folders are synchronized.
- the synchronized storage server 2100 will also update the root folder list and provide an updated folder list to the end-point devices 2300 .
- the end-point device 2300 In order for the files to be read, the end-point device 2300 must have read permissions to retrieve the files from the synchronized storage server 2100 . Likewise, the end-point device 2300 must have write permissions to send new files or file updates to the synchronized storage server 2100 . In order to remove files from the synchronized storage server 2100 , the end-point device 2300 must have both read and delete permissions.
- deleting data requires that the end-point device 2300 is able to read the data from the synchronized storage server 2100 into the device's local memory, and then the end-point device 2300 must be able to remove the data from the end-point device's local memory for a local change to be detected, and then the change can be replicated on the synchronized storage server 2100 as a delete operation.
- each folder encryption key is encrypted separately for each end-point device and each file within a folder is encrypted with the same folder encryption key.
- the folder encryption key must also change when an end-point device is removed from the access control list.
- the invention also enables previously authorized end-point devices to be restricted from accessing data when the files are re-encrypted with a new key by simply not sending the new keys to unauthorized end-point devices.
- the synchronized storage server 2100 will send the end-point devices 1300 a new encrypted folder encryption key.
- the end-point devices 1300 are then able to locally decrypt the folder encryption key using the end-point devices' private keys, using public-key cryptography. With the encrypted folder encryption keys 1326 , the end-point devices 1300 can decrypt the folders.
- Another embodiment of the invention is a process for packaging encrypted files for storage on a remote synchronized storage server 3100 so that changes to the contents of the encrypted files can be detected without having access to the encrypted file's contents comprising the source end-point device 3300 encrypting the file using a unique folder encryption key.
- the encrypted data folder and folder encryption key is sent, via a secure tunnel 3400 through a communication network, to the synchronized storage server 3100 .
- the synchronized storage server 3100 then encrypts the folder encryption key multiple times.
- the folder encryption key is encrypted once for each end-point device 3300 using the public key for each end point device 3300 .
- the synchronized storage server 3100 stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory.
- the synchronized storage server 3100 also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available folders, file names, file size, and number of files; and sensitive (encrypted) data such as file salt, file names, creation date, modification date, plaintext file contents, and file sizes.
- non-sensitive (unencrypted) data such as a list of all available folders, file names, file size, and number of files
- sensitive (encrypted) data such as file salt, file names, creation date, modification date, plaintext file contents, and file sizes.
- the synchronized storage server 3100 sends the root folder list to all end-point devices 3500 so the end-point devices 3500 can determine if they need to synchronize files with the synchronized storage server 3100 .
- the end-point devices 3500 compare the root folder list to a previously stored root folder list in the end-point devices' 3500 memory to detect if there is a new folder either on the synchronized storage server 3100 or on the end-point devices 3500 , or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point devices 3500 will synchronize with the synchronized storage server 3100 .
- the end-point devices 3500 download the latest encrypted folders from the synchronized storage server 3100 .
- the synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized.
- the synchronized storage server 3100 will also update the root folder list and provide an updated folder list to the end point devices 3500 .
- a traditional dead drop included a method to pass items between at least two individuals using a secret location and thus does not require them to meet directly.
- a dead drop may permit a case officer and agent to exchange objects and information while maintaining operational security.
- the virtual dead drop is accomplished when a first end-point device is enabled with write but not read permissions, and a second end-point device is enabled with read but not write permissions.
- the first end-point device can create a new, or update an existing data file in the synchronized storage server.
- the second device which would have access to the same folder in the synchronized storage server, would then be able to read the files provided by the first end-point device. In this scenario, the first end-point device would be able to exchange digital objects and information with the second end-point device without “meeting directly” while maintaining operational security.
- the invention also enables unique content rules to manage the use and distribution of the folders on the end-point devices.
- the folders may include rules such as temporal, location, identity, and activity/inactivity rules. Such rules may enhance the inventions ability to distribute data to end-point devices while preventing the data from spreading to unauthorized users.
- the folders may include a rule to remove access to the folder when the folders have been inactive for a predetermined amount of time.
- Another such rule may include temporal rules where access to the folders is removed after a predetermined amount of time.
- the folder may be made accessible to an end-point device for a limited time and when the limited time lapses access to the folder lapses.
- Another example of such a rule is when access to the folders is based on geospatial limitations. For example, an end-point device may be given access to folders only when the end-point device is within a geospatial boundary and access removed when the end-point device goes outside the geospatial boundary. It is important to note that access to the folders can be accomplished by deleting the folders, or access can be removed with a new encrypted folder encryption key distributed to all devices, except those with revoked access to the folders.
- the devices may be coupled with electrical circuitry, or through wireless networks that allow the devices to transfer data, receive power, execute the operations described, and provide structural integrity.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Databases & Information Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
This invention includes apparatus, systems, and methods to secure data in a remote storage device where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising securing an authenticated communication between the end-point device and a synchronized storage server via a communication network. The synchronized storage server sends the end-point device a notification including the root folder list. The end-point device compares the sent root folder list to a previously stored root folder list in the end-point devices' memory. If the end-point device detects either a new root folder on the synchronized storage server, a change in an existing folder, or deleted content in a folder the end-point device will determine that a change is required to the stored data. Next the end-point device will synchronize with the synchronized storage server and create a new storage list. Finally, the synchronized storage server will send the end-point device a new encrypted folder encryption key which includes the encrypted file contents along with identifying information such as the server name and revision information.
Description
- This application is a continuation and claims priority to Ser. No. 13/838,024 filed Mar. 15, 2013 the contents of which are incorporated herein by reference.
- This invention relates generally to the field of data storage, and particularly methods, apparatuses, and systems for securely storing data in an unsecure server that can be accessed later from a secure end-point.
- The use of cloud base storage has increased tremendously. Cloud storage includes networked online storage such as data stored in virtualized pools of storage generally hosted by third parties. An entire ecosystem exists including companies that operate large data centers to serve people and entities that require data to be hosted. The data center operators may virtualize the resources according to the user's requirements, providing customers to vast storage resources, which the customers can use to store files or data objects. The resources may span across multiple physical servers.
- There are many advantages to cloud storage including having to only pay for the storage actually used. In addition, entities may choose between off-premise and on-premise cloud storage options, or a mixture of the two options, to optimize other criteria such as cost savings potential, continuity of operations, disaster recovery, and security. Secondary advantages include a reduction in overhead cost as tasks are offloaded to a third party such as storage maintenance tasks, purchasing additional storage devices. These benefits allow entities to focus on their core business. However, cloud computing security is a tradeoff that users face.
- A major problem with cloud-based storage involves securing the data to prevent the data from being accessed from unauthorized use. There are a number of security issues associated with cloud computing. Typically the security issues are dealt with by the cloud, or remote storage, providers. However, the data users also face issues and can benefit from taking control of security measures that prevent unauthorized use. The cloud provider is generally responsible to ensure that their infrastructure is secure and data is protected. But generally, there are few options the data creator has to protect the data before it is stored on the cloud.
- This invention provides a unique solution for securely storing data wherein the data is encrypted at the source and not at the destination storage device. The invention includes a system and methods for encrypting data at the source, i.e. the client device or end-point, as well as storing and managing revisions of the data as it is used and changed by other secure devices and stored in the cloud. This invention enables a user of an end-point device to upload files onto network storage for backup and sharing with other end-point devices while providing automatic synchronization of the stored data across many devices. The invention also enables sharing with multiple users while using access privileges on a per folder or per object basis. The data is enabled to be encrypted locally on the end-point device before the data is sent to the cloud storage, such that the data on the network storage is always encrypted. The invention also encrypts the key for the files for each recipient to enable a cryptographically enforced access control. In addition, the invention enables different permission properties for each folder.
- One embodiment of the invention is a system for securing data comprising an end-point device with an application stored in the end-point device configured to secure an authenticated communication between the end-point device and a synchronized storage server via a communication network. Next a synchronized storage server including an application stored within the server is configured to send the end-point device a notification including a root folder list. The synchronized storage server may include any type of data hierarchy storage system such as a file, folder, or database. Next, the end-point device's application is further configured to compare the sent root folder list to a previously stored root folder list in the end-point device's memory and determine if there is a new folder either on the synchronized storage server or on the end-point device, a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such a determination is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated until all changed data is synchronized. The synchronized storage server will also update the root folder list and provide an updated root folder list to the end point devices.
- In addition the synchronized storage server may include an access control list to manage permissions to the folders and data. Finally, the synchronized storage server may send the end-point device a new encrypted folder encryption key, for example, when an end-point device's permissions to the folder and objects have been revoked.
- Another embodiment of the invention is a process for securing data in a remote storage where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising first securing an authenticated communication link between the end-point device and a synchronized storage server via a communication network. Next the synchronized storage server sends the end-point device a notification including a root folder list. Next, the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated throughout the folder hierarchy for each root folder until all changed folders and content are synchronized. The synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices.
- Finally, the synchronized storage server will send the end-point device a new encrypted folder encryption key which includes the encrypted file contents along with identifying information such as the server name and revision information.
- Another embodiment of the invention is a process for packaging encrypted folders for storage on a remote storage server so that changes to the contents of the encrypted folders can be detected without having access to the encrypted folder's contents comprising the source end-point device encrypting the folder using a unique folder encryption key. Next the encrypted data folder and folder encryption key is sent, via a secure tunnel through a communication device, to the synchronized storage server. The synchronized storage server then encrypts the folder encryption key multiple times. The folder encryption key is encrypted once for each end-point device using the public key for each end point device. The synchronized storage server stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory. The synchronized storage server also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available objects (e.g. folders), object names (e.g. file names), object size (e.g. file size), and number of objects (e.g. number of files); and sensitive (encrypted) data such as object salt (e.g. file salt), file names (e.g. file names), creation date, modification date, plaintext object contents (e.g. plaintext object contents), and object sizes (e.g. file sizes). The synchronized storage server sends the root folder list to all end-point devices so the end-point devices can determine if they need to synchronize folders with the synchronized storage server. Next, the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated throughout the folder hierarchy in the root folder until all changed folders and content are synchronized. The synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices, as needed.
- Features and advantages of the claimed subject matter will be apparent from the following detailed description of embodiments consistent therewith, which description should be considered with reference to the accompanying drawings, wherein:
-
FIG. 1 is a diagram illustrating a system for securing data in a remote storage in accordance with the teachings of the present invention; -
FIG. 2 is a diagram of an exemplary embodiment for a process to secure data in a remote storage in accordance with the teachings of the present invention; and -
FIG. 3 is a diagram of an exemplary embodiment for a process to securely package data for remote storage in accordance with the teachings of the present invention. - The following describes the details of the invention. Although the following description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art. Accordingly, it is intended that the claimed subject matter be viewed broadly. Examples are provided as reference and should not be construed as limiting. The term “such as” when used should be interpreted as “such as, but not limited to.”
- The invention deals with data storage and is applicable to all data storage systems such as database and file folder type data systems. For example, objects and file folders are used to describe the location and hierarchy of stored data. The invention is applicable to all levels of data hierarchy, for example the invention is applicable to any arrangement of data consisting of sets and subsets such that every subset of a set is of lower rank than the set. Such terms associated with the various data storage systems are used interchangeably throughout the description and will be apparent to those skilled in the art.
-
FIG. 1 is a diagram of an exemplary embodiment for a system 1000 for securing data comprising an end-point device 1300 with an application 1346 stored in the end-point device 1300 configured to secure an authenticated communication between the end-point device 1300 and asynchronized storage server 1100 via a network 1200. Upon start up, or at periodic intervals, or upon request, the end-point device 1300 will establish a secure and authenticated communication link with thesynchronized storage server 1100. The secure and authenticated communication links may be established using standard cryptographic techniques. - The network 1200 may be either a wired or wireless communication network. The network 1200 may include a public or private network such as the internet, intranet, telecommunications system, or other network capable of transmitting electronic data.
- The end-
point device 1300 includes internal hardware such as a processor 1310, memory 1320, and communication 130 devices. The end-point device 1300 may include software applications 1346 that enable the end-point device 1300 to encrypt all data locally on the device before sending the data to the remote cloud storage, orsynchronized storage server 1100. The data encryption may be accomplished using any data encryption method such as Advanced Encryption Standard (“AES”). - The end-point device may include smart phones, tablet PC's, notebook PC's, desktop PC's, remote monitoring devices, cameras, sensors, or any other device that transmits data via a network. The devices may be used for any type of communication, computing, or electronic operation. The invention is also applicable to both mobile devices and fixed devices since either type are commonly used to transmit data to and from other mobile and fixed devices via a network.
- Next the
synchronized storage server 1100 includes an application 1146 stored within the server configured to send the end-point device 1300 a notification including a root folder list 1128. Thesynchronized storage server 1100 may include hardware such as aprocessor 1110, memory 1120, andcommunication 1130 devices. Thesynchronized storage server 1100 may include either a file system or database. In addition thesynchronized storage server 1100 may include an access control list 1129 to manage permissions and synchronization to the folders and data. - The
synchronized storage server 1100 essentially acts like a secure storage device that can be accessed asynchronously as a secure end-point by any number of end-point devices 1300. Thesynchronized storage server 1100 may comprise a physical storage device such as a hard drive, series of hard drives, SSD memory, SD Card, or any other type of local volatile or volatile memory. Thesynchronized storage server 1100 may also be a remote cloud storage service, such as Amazon Storage, Google Cloud Storage, or any other commercially available remote network storage service. The invention is also applicable to asynchronized storage server 1100 that uses cloud storage for the data, but maintains metadata and folder encryption keys locally on the server or device. Thesynchronized storage server 1100 only distributes the encrypted data and does not have any other direct access to the encrypted data. - The
synchronized storage server 1100 provides remote memory for end-point devices 1300 to backup data and to share data with other devices. With respect to shared data, thesynchronized storage server 1100 may also provide automatic synchronization to keep the data, or content, consistent across the multiple sharing devices. Thesynchronized storage server 1100 may also enable sharing data with multiple devices with access privileges managed on a per folder basis. And since the data is encrypted locally on the end-point device 1300, thesynchronized storage server 1100 is always black, that is the synchronized storage server only carries segregated signals of encrypted information, or ciphertext signals, and does not contain sensitive data from end-point devices in any readable form. In addition, thesynchronized storage server 1100 encrypts the folder encryption keys 1126 for the encrypted folders 1124 for each recipient to enable cryptographically enforced access control. The permission properties may also be enabled separately for each folder 1124. - The
synchronized storage server 1100 stores the encrypted folders 1124 within a folder hierarchy as specified by a user. Along with each encrypted folder 1124 thesynchronized storage server 1100 stores a signed-encrypted folder encryption key 1126 that is re-encrypted for each authorized user of each folder 1124. Thesynchronized storage server 1100 also stores a permission list per folder 1124, as an access control list 1129. Thesynchronized storage server 1100 is able to send an encrypted folder encryption key 1126 to each end-point device 1300 that has permission to access the folder 1124. - In one embodiment, the folder permissions apply to all files in a folder 1124 equally with no per-file permissions. Each file in a folder 1124 shares a unique cryptographic folder encryption key 1124. This reduces the over use issues associated with encrypting several files with the same key in cipher-block chaining (CBC) mode. This also reduces permission removal and revocation issues as the change on one folder would result in all files in the same folder being re-encrypted. In addition, new folders have the option to inherit permissions from a parent folder; however, the new folders may still get a unique folder encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent folder. In this way, if a root parent folder changes, the system will keep flowing down until a child is reached with different permission properties than the parent. In addition, only read or only write file permissions result in a one-way synchronization. Whereas, read and write file permissions may result in two-way synchronization.
- In another embodiment, the invention is still applicable to data subsets, such as files within a folder. Along with each encrypted file the
synchronized storage server 1100 stores a signed-encrypted file encryption key that is re-encrypted for each authorized user of each file. Thesynchronized storage server 1100 also stores a permission list per file, as an access control list. Thesynchronized storage server 1100 is able to send an encrypted file encryption key to each end-point device 1300 that has permission to access the file. - Each file may share a unique cryptographic file encryption key. This also reduces permission removal and revocation issues as the change on one file would result in all data in the same file being re-encrypted. In addition, new files have the option to inherit permissions from a parent file; however, the new files may still get a unique file encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent file. In this way, if a root parent file changes, the system will keep flowing down until a child is reached with different permission properties than the parent. In addition, only read or only write data permissions result in a one-way synchronization. Whereas, read and write data permissions may result in two-way synchronization.
- Next, the end-point device's application 1346 is configured to compare the sent root folder list 1128 to a previously stored root folder list 1328 in the end-point device's memory 1320. The end-point device 1346 compares the root folder list 1128 to a previously stored root folder list 1328 to detect if there is a new folder on either the
synchronized storage server 1100 or on the end-point device 1346, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 1300 will synchronize with thesynchronized storage server 1100. If the change made to the folder originated at the source end-point device 1300, then the end-point device 1300 uploads the latest encrypted folders to thesynchronized storage server 1100. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list 1128 is different than the end-point device's folder list 1328, then the end-point device 1300 downloads the latest encrypted folders from thesynchronized storage server 1100. The synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized. Thesynchronized storage server 1100 will also update the root folder list and provide an updated root folder list to the end point devices. - Finally, the
synchronized storage server 1100 will send the end-point devices 1300 a new encrypted folder encryption key. The end-point device 1300 is then able to locally decrypt the folder encryption key using the end-point device's private key, using public-key cryptography. With the encrypted folder encryption key 1326, the end-point device 1300 can decrypt the data. -
FIG. 2 is a diagram of an exemplary embodiment for amethod 2000 for securing data in a remote synchronized storage server 2100 where an end-point device 2300 does not have direct access to the synchronized storage server 2100 to secure the data, or the end-point device 2300 does not trust the remote storage to adequately secure the data, comprising first securing an authenticated communication link 2400 between the end-point device 2300 and a synchronized storage server 2100 via a communication network 2200. Upon start up, or at periodic intervals, or upon request, the end-point device 2300 will establish a secure and authenticated communication link 2400 with the synchronized storage server 2100. The secure and authenticated communication links 2400 may be established using standard cryptographic techniques. - The synchronized storage server 2100 sends the end-point device 2300 a message including a root folder list. The end-point device 2300 compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server 2100 or on the end-point device 2300, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 2300 will synchronize with the synchronized storage server 2100. If the change made to the folder originated at the end-point device 2300, then the end-point device 2300 uploads the latest encrypted folders to the synchronized storage server 2100. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device 2300 downloads the latest encrypted folders from the synchronized storage server 2100. The synchronization process is repeated until all changed folders are synchronized.
- The synchronized storage server 2100 will also update the root folder list and provide an updated folder list to the end-point devices 2300. In order for the files to be read, the end-point device 2300 must have read permissions to retrieve the files from the synchronized storage server 2100. Likewise, the end-point device 2300 must have write permissions to send new files or file updates to the synchronized storage server 2100. In order to remove files from the synchronized storage server 2100, the end-point device 2300 must have both read and delete permissions. In other words, deleting data requires that the end-point device 2300 is able to read the data from the synchronized storage server 2100 into the device's local memory, and then the end-point device 2300 must be able to remove the data from the end-point device's local memory for a local change to be detected, and then the change can be replicated on the synchronized storage server 2100 as a delete operation.
- Again it is important to note the significance with file permissions. Recall that there is only one folder encryption key per folder. Each folder encryption key is encrypted separately for each end-point device and each file within a folder is encrypted with the same folder encryption key. The folder encryption key must also change when an end-point device is removed from the access control list. The invention also enables previously authorized end-point devices to be restricted from accessing data when the files are re-encrypted with a new key by simply not sending the new keys to unauthorized end-point devices.
- Finally, the synchronized storage server 2100 will send the end-point devices 1300 a new encrypted folder encryption key. The end-
point devices 1300 are then able to locally decrypt the folder encryption key using the end-point devices' private keys, using public-key cryptography. With the encrypted folder encryption keys 1326, the end-point devices 1300 can decrypt the folders. - Another embodiment of the invention is a process for packaging encrypted files for storage on a remote synchronized storage server 3100 so that changes to the contents of the encrypted files can be detected without having access to the encrypted file's contents comprising the source end-
point device 3300 encrypting the file using a unique folder encryption key. - Next the encrypted data folder and folder encryption key is sent, via a secure tunnel 3400 through a communication network, to the synchronized storage server 3100. The synchronized storage server 3100 then encrypts the folder encryption key multiple times. The folder encryption key is encrypted once for each end-
point device 3300 using the public key for eachend point device 3300. The synchronized storage server 3100 stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory. The synchronized storage server 3100 also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available folders, file names, file size, and number of files; and sensitive (encrypted) data such as file salt, file names, creation date, modification date, plaintext file contents, and file sizes. - The synchronized storage server 3100 sends the root folder list to all end-point devices 3500 so the end-point devices 3500 can determine if they need to synchronize files with the synchronized storage server 3100. Next, the end-point devices 3500 compare the root folder list to a previously stored root folder list in the end-point devices' 3500 memory to detect if there is a new folder either on the synchronized storage server 3100 or on the end-point devices 3500, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point devices 3500 will synchronize with the synchronized storage server 3100. Then the end-point devices 3500 download the latest encrypted folders from the synchronized storage server 3100. The synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized. The synchronized storage server 3100 will also update the root folder list and provide an updated folder list to the end point devices 3500.
- The invention also enables a virtual dead drop. A traditional dead drop included a method to pass items between at least two individuals using a secret location and thus does not require them to meet directly. For example, a dead drop may permit a case officer and agent to exchange objects and information while maintaining operational security. The virtual dead drop is accomplished when a first end-point device is enabled with write but not read permissions, and a second end-point device is enabled with read but not write permissions. The first end-point device can create a new, or update an existing data file in the synchronized storage server. The second device, which would have access to the same folder in the synchronized storage server, would then be able to read the files provided by the first end-point device. In this scenario, the first end-point device would be able to exchange digital objects and information with the second end-point device without “meeting directly” while maintaining operational security.
- The invention also enables unique content rules to manage the use and distribution of the folders on the end-point devices. The folders may include rules such as temporal, location, identity, and activity/inactivity rules. Such rules may enhance the inventions ability to distribute data to end-point devices while preventing the data from spreading to unauthorized users. For example, the folders may include a rule to remove access to the folder when the folders have been inactive for a predetermined amount of time. Another such rule may include temporal rules where access to the folders is removed after a predetermined amount of time. For example, the folder may be made accessible to an end-point device for a limited time and when the limited time lapses access to the folder lapses. Another example of such a rule is when access to the folders is based on geospatial limitations. For example, an end-point device may be given access to folders only when the end-point device is within a geospatial boundary and access removed when the end-point device goes outside the geospatial boundary. It is important to note that access to the folders can be accomplished by deleting the folders, or access can be removed with a new encrypted folder encryption key distributed to all devices, except those with revoked access to the folders.
- Throughout this description, references were made to devices coupled together. Such coupling includes a manner that allows the exchange and interaction of data, such that the operations and processes described may be carried out. For example, the devices may be coupled with electrical circuitry, or through wireless networks that allow the devices to transfer data, receive power, execute the operations described, and provide structural integrity. Reference was also made to interactions between end-
point device 1300 inFIG. 1 and asynchronized storage server 1100 via a network 1200, however the invention is scalable to be enabled with more devices than described in the specification. For example, any number of end-point devices 1300, networks 1200, andsynchronized storage servers 1100, may be utilized to enable this invention. - The terms and expressions which have been employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible within the scope of the claims. Other modifications, variations, and alternatives are also possible. Accordingly, the claims are intended to cover all such equivalents.
Claims (18)
1. A system for securing data comprising:
a first device with a data folder, wherein the first device is enabled to encrypt the data folder with a folder encryption key and send a resulting encrypted data folder and the folder encryption key to a server;
an access control list used by the server to identify that a second device is authorized to access the encrypted data folder and the folder encryption key;
the server enabled to encrypt the folder encryption key with a public key of the second device to produce an encrypted folder encryption key, and send the encrypted data folder, and the encrypted folder encryption key to the second device; and
the second device enabled to decrypt the encrypted folder encryption key with a private key of the second device to produce the folder encryption key, and use the folder encryption key to decrypt the encrypted data folder to produce the data folder.
2. The system of claim 1 , wherein the end-point device include smart phones, tablet PC's, notebook PC's, desktop PC's, remote monitoring devices, cameras, sensors, or any other device that transmits data via a network.
3. The system of claim 1 , wherein the synchronized storage server comprises physical storage devices such as a hard drive, series of hard drives, SSD memory, SD Card, or any other type of local volatile or volatile memory.
4. The system of claim 1 , wherein the synchronized storage server comprises a cloud storage device, such as Amazon Storage, Google Cloud Storage, or any other commercially available remote network storage service.
5. The system of claim 1 , wherein the synchronized storage server uses cloud storage to store the data, but maintains metadata and folder encryption keys locally on the synchronized storage server.
6. A method for securing data comprising:
a server receiving an encrypted folder and a first folder encryption key from a first device, wherein the encrypted folder is encrypted using the first folder encryption key;
the server referring to an access control list to identify a second device that is authorized to access the encrypted folder;
the server encrypting the first folder encryption key with a public key of the second device to produce an encrypted first folder encryption key;
the server creating a root folder list; and
the server sending the root folder list, encrypted folder, and encrypted first folder encryption key to the second device enabling the second device to decrypt the encrypted first folder encryption key to produce the first folder encryption key and use the first folder encryption key to decrypt the encrypted folder and produce a folder.
7. The method of claim 6 , wherein the synchronized storage server encrypts each folder encryption key uniquely for each end-point device using the public keys for each end-point device.
8. The method of claim 6 , wherein the access control list and folder encryption key apply to all files in a folder.
9. The method of claim 6 , wherein new folders have the option to inherit the permissions and folder encryption key from a parent folder or get unique permissions and a unique folder encryption key.
10. The method of claim 6 , wherein a change made to the folder originating at the first device, results in the first device uploading the latest encrypted folder to the server.
11. The method of claim 6 , wherein a change made to the folder originating at the second device, results in the first device downloading the latest encrypted folder from the server.
12. The method of claim 6 , wherein an unauthorized device is restricted from accessing an encrypted folder when the folder is encrypted with a new folder encryption key and the unauthorized device is not provided the second folder encryption key.
13. A method for securing data comprising:
a device comparing an updated root folder list to a previously stored root folder list wherein a difference in the updated root folder list compared to the previously stored root folder list indicates a changed folder;
the device receiving an encrypted changed folder and an encrypted folder encryption key from the server;
the device decrypting the encrypted folder encryption key to produce a folder encryption key;
the device using the folder encryption key to decrypt the encrypted changed folder to produce the changed folder.
14. The method of claim 13 , wherein the folder includes management rules based on factors such as temporal, location, identity, and activity to prevent the folder from spreading to an unauthorized device, the temporal rules used to trigger the distribution of the root folder list and the synchronization process to revoke access to the folder.
15. The method of claim 13 , wherein the folder includes a rule to revoke access to the folder when the folder has been inactive for a predetermined amount of time.
16. The method of claim 13 , wherein the folder includes a temporal rule where access to the folder is revoked after a predetermined amount of time.
17. The method of claim 13 , wherein the folder includes a rule where access to the folder is based on geospatial limitations including the device given access to the folder only when the device is within a geospatial boundary and access revoked when the device goes outside the geospatial boundary.
18. The method of claim 13 , wherein an unauthorized device is restricted from accessing an encrypted folder when the folder is encrypted with a new folder encryption key and the unauthorized device is not sent the new folder encryption key.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/385,843 US20170126623A1 (en) | 2013-04-03 | 2016-12-20 | Protected Subnet Interconnect |
US15/422,451 US20170201382A1 (en) | 2013-04-03 | 2017-02-01 | Secure Endpoint Devices |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/838,024 US9088538B2 (en) | 2013-03-15 | 2013-03-15 | Secure network storage |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/193,026 Continuation-In-Part US9692605B2 (en) | 2012-10-15 | 2016-06-25 | Certificate authority server protection |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/623,497 Continuation-In-Part US9794270B2 (en) | 2012-01-29 | 2015-02-16 | Data security and integrity by remote attestation |
Publications (1)
Publication Number | Publication Date |
---|---|
US20170019377A1 true US20170019377A1 (en) | 2017-01-19 |
Family
ID=51534053
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/838,024 Active - Reinstated 2033-09-06 US9088538B2 (en) | 2013-03-15 | 2013-03-15 | Secure network storage |
US14/799,569 Abandoned US20170019377A1 (en) | 2013-03-15 | 2015-07-14 | Secure Network Storage |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/838,024 Active - Reinstated 2033-09-06 US9088538B2 (en) | 2013-03-15 | 2013-03-15 | Secure network storage |
Country Status (1)
Country | Link |
---|---|
US (2) | US9088538B2 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10708236B2 (en) | 2015-10-26 | 2020-07-07 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
US10902155B2 (en) | 2013-03-29 | 2021-01-26 | Secturion Systems, Inc. | Multi-tenancy architecture |
US11063914B1 (en) | 2013-03-29 | 2021-07-13 | Secturion Systems, Inc. | Secure end-to-end communication system |
US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
US11288402B2 (en) | 2013-03-29 | 2022-03-29 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
EP4020875A1 (en) | 2020-12-23 | 2022-06-29 | Thales DIS France SA | Method, first server, second server, and system for transmitting securely a key |
US11429540B2 (en) | 2013-04-01 | 2022-08-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
US11831759B1 (en) * | 2022-08-09 | 2023-11-28 | Uab 360 It | Optimized authentication system for a multiuser device |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9141820B2 (en) * | 2013-07-25 | 2015-09-22 | Adobe Systems Incorporated | Network-based service content protection |
US9369445B2 (en) * | 2013-11-08 | 2016-06-14 | MustBin Inc. | Bin enabled data object encryption and storage apparatuses, methods and systems |
US9378262B2 (en) * | 2013-12-06 | 2016-06-28 | SoftNAS, LLC | Synchronization storage solution |
US9390281B2 (en) * | 2013-12-30 | 2016-07-12 | Open Invention Network, Llc | Protecting data in insecure cloud storage |
US20160253662A1 (en) * | 2015-02-27 | 2016-09-01 | Visa International Service Association | Method to use a payment gateway as contextual enabler between different parties |
WO2016172600A1 (en) | 2015-04-22 | 2016-10-27 | LARC Networks, Inc. | Dead drop network architecture |
US9904629B2 (en) | 2015-05-31 | 2018-02-27 | Apple Inc. | Backup system with multiple recovery keys |
US9699197B2 (en) | 2015-07-17 | 2017-07-04 | LARC Networks, Inc. | Double write data exchange in a dead drop network architecture |
US10019460B2 (en) * | 2015-09-14 | 2018-07-10 | Microsoft Technology Licensing, Llc | Hosted file sync with direct access to hosted files |
US9602477B1 (en) * | 2016-04-14 | 2017-03-21 | Wickr Inc. | Secure file transfer |
CN107623662B (en) * | 2016-07-15 | 2021-06-01 | 阿里巴巴集团控股有限公司 | Access control method, device and system |
CN108062327B (en) * | 2016-11-08 | 2020-10-13 | 北京国双科技有限公司 | Matching method and device for client |
CN107517269B (en) * | 2017-09-07 | 2020-09-08 | 深圳市酷开网络科技有限公司 | Remote synchronous push file caching method and system based on VR equipment |
CN110263553B (en) * | 2019-05-13 | 2021-07-13 | 清华大学 | Database access control method and device based on public key verification and electronic equipment |
US10997101B1 (en) * | 2019-11-01 | 2021-05-04 | EMC IP Holding Company LLC | Accessing secondary storage |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6061692A (en) * | 1997-11-04 | 2000-05-09 | Microsoft Corporation | System and method for administering a meta database as an integral component of an information server |
US20120144464A1 (en) * | 2010-12-06 | 2012-06-07 | Delaram Fakhrai | Method and system for improved security |
US20120297189A1 (en) * | 2011-05-18 | 2012-11-22 | Citrix Systems, Inc. | Systems and Methods for Secure Handling of Data |
US20120317077A1 (en) * | 2011-06-10 | 2012-12-13 | Microsoft Corporation | Identification of moved or renamed files in file synchronization |
US20140165167A1 (en) * | 2012-12-12 | 2014-06-12 | Microsoft Corporation | Scalable and automated secret management |
US8825597B1 (en) * | 2009-08-13 | 2014-09-02 | Dropbox, Inc. | Network folder synchronization |
US20150052353A1 (en) * | 2013-08-14 | 2015-02-19 | Seon Geun Kang | System and Method For Synchronizing An Encrypted File With A Remote Storage |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7861005B2 (en) * | 2006-06-12 | 2010-12-28 | Research In Motion Limited | Method and apparatus for folder synchronization and management |
US9218406B2 (en) * | 2012-04-26 | 2015-12-22 | Connected Data, Inc. | System and method for managing user data in a plurality of storage appliances over a wide area network for collaboration, protection, publication, or sharing |
-
2013
- 2013-03-15 US US13/838,024 patent/US9088538B2/en active Active - Reinstated
-
2015
- 2015-07-14 US US14/799,569 patent/US20170019377A1/en not_active Abandoned
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6061692A (en) * | 1997-11-04 | 2000-05-09 | Microsoft Corporation | System and method for administering a meta database as an integral component of an information server |
US8825597B1 (en) * | 2009-08-13 | 2014-09-02 | Dropbox, Inc. | Network folder synchronization |
US20120144464A1 (en) * | 2010-12-06 | 2012-06-07 | Delaram Fakhrai | Method and system for improved security |
US20120297189A1 (en) * | 2011-05-18 | 2012-11-22 | Citrix Systems, Inc. | Systems and Methods for Secure Handling of Data |
US20120317077A1 (en) * | 2011-06-10 | 2012-12-13 | Microsoft Corporation | Identification of moved or renamed files in file synchronization |
US20140165167A1 (en) * | 2012-12-12 | 2014-06-12 | Microsoft Corporation | Scalable and automated secret management |
US20150052353A1 (en) * | 2013-08-14 | 2015-02-19 | Seon Geun Kang | System and Method For Synchronizing An Encrypted File With A Remote Storage |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10902155B2 (en) | 2013-03-29 | 2021-01-26 | Secturion Systems, Inc. | Multi-tenancy architecture |
US11063914B1 (en) | 2013-03-29 | 2021-07-13 | Secturion Systems, Inc. | Secure end-to-end communication system |
US11921906B2 (en) | 2013-03-29 | 2024-03-05 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
US11288402B2 (en) | 2013-03-29 | 2022-03-29 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
US11783089B2 (en) | 2013-03-29 | 2023-10-10 | Secturion Systems, Inc. | Multi-tenancy architecture |
US11429540B2 (en) | 2013-04-01 | 2022-08-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
US11792169B2 (en) | 2015-09-17 | 2023-10-17 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
US11750571B2 (en) | 2015-10-26 | 2023-09-05 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
US10708236B2 (en) | 2015-10-26 | 2020-07-07 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
WO2022136282A1 (en) | 2020-12-23 | 2022-06-30 | Thales Dis France Sas | Method, first server, second server and system for secure key transmission |
EP4020875A1 (en) | 2020-12-23 | 2022-06-29 | Thales DIS France SA | Method, first server, second server, and system for transmitting securely a key |
US11831759B1 (en) * | 2022-08-09 | 2023-11-28 | Uab 360 It | Optimized authentication system for a multiuser device |
US11962704B1 (en) * | 2022-08-09 | 2024-04-16 | Uab 360 It | Optimized authentication system for a multiuser device |
Also Published As
Publication number | Publication date |
---|---|
US9088538B2 (en) | 2015-07-21 |
US20140281526A1 (en) | 2014-09-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9088538B2 (en) | Secure network storage | |
US10691817B2 (en) | Encryption for distributed storage and processing | |
US8707035B2 (en) | High privacy of file synchronization with sharing functionality | |
US8842841B2 (en) | Cryptographic method and system | |
US9626527B2 (en) | Server and method for secure and economical sharing of data | |
US20190087432A1 (en) | Secure searchable and shareable remote storage system and method | |
US10685141B2 (en) | Method for storing data blocks from client devices to a cloud storage system | |
US20160011990A1 (en) | System and Method for Conflict-Free Cloud Storage Encryption | |
CN112581126A (en) | Block chain-based platform data management method and device and storage medium | |
Pradeep et al. | An efficient framework for sharing a file in a secure manner using asymmetric key distribution management in cloud environment | |
US10505905B2 (en) | Transport envelope | |
CN107113164B (en) | Method, apparatus and computer readable medium for deduplication of encrypted data | |
WO2018208786A1 (en) | Method and system for secure delegated access to encrypted data in big data computing clusters | |
AU2014274590B2 (en) | Cryptographic Method and System | |
Hoffmann et al. | Towards an architecture for end-to-end-encrypted file synchronization systems | |
Thota et al. | Split key management framework for Open Stack Swift object storage cloud | |
Sánchez‐Artigas et al. | StackSync: Attribute‐based data sharing in file synchronization services | |
SRIRAMULU et al. | A Hybrid Cloud Approach for Message Encryption and Secure Deduplication | |
MADHAVI et al. | Fast and Secure Authorized Deduplication in Hybrid Cloud Architecture | |
Totolici | CRYPSTOR: a platform for secure storage |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |