US20170019377A1 - Secure Network Storage - Google Patents

Secure Network Storage Download PDF

Info

Publication number
US20170019377A1
US20170019377A1 US14/799,569 US201514799569A US2017019377A1 US 20170019377 A1 US20170019377 A1 US 20170019377A1 US 201514799569 A US201514799569 A US 201514799569A US 2017019377 A1 US2017019377 A1 US 2017019377A1
Authority
US
United States
Prior art keywords
folder
encrypted
encryption key
data
point device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/799,569
Inventor
Ty Lindteigen
John Curtis
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US15/385,843 priority Critical patent/US20170126623A1/en
Publication of US20170019377A1 publication Critical patent/US20170019377A1/en
Priority to US15/422,451 priority patent/US20170201382A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24Key scheduling, i.e. generating round keys or sub-keys for block encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models

Definitions

  • This invention relates generally to the field of data storage, and particularly methods, apparatuses, and systems for securely storing data in an unsecure server that can be accessed later from a secure end-point.
  • Cloud storage includes networked online storage such as data stored in virtualized pools of storage generally hosted by third parties.
  • An entire ecosystem exists including companies that operate large data centers to serve people and entities that require data to be hosted.
  • the data center operators may virtualize the resources according to the user's requirements, providing customers to vast storage resources, which the customers can use to store files or data objects.
  • the resources may span across multiple physical servers.
  • cloud storage There are many advantages to cloud storage including having to only pay for the storage actually used.
  • entities may choose between off-premise and on-premise cloud storage options, or a mixture of the two options, to optimize other criteria such as cost savings potential, continuity of operations, disaster recovery, and security.
  • Secondary advantages include a reduction in overhead cost as tasks are offloaded to a third party such as storage maintenance tasks, purchasing additional storage devices.
  • a major problem with cloud-based storage involves securing the data to prevent the data from being accessed from unauthorized use.
  • cloud computing There are a number of security issues associated with cloud computing. Typically the security issues are dealt with by the cloud, or remote storage, providers. However, the data users also face issues and can benefit from taking control of security measures that prevent unauthorized use.
  • the cloud provider is generally responsible to ensure that their infrastructure is secure and data is protected. But generally, there are few options the data creator has to protect the data before it is stored on the cloud.
  • This invention provides a unique solution for securely storing data wherein the data is encrypted at the source and not at the destination storage device.
  • the invention includes a system and methods for encrypting data at the source, i.e. the client device or end-point, as well as storing and managing revisions of the data as it is used and changed by other secure devices and stored in the cloud.
  • This invention enables a user of an end-point device to upload files onto network storage for backup and sharing with other end-point devices while providing automatic synchronization of the stored data across many devices.
  • the invention also enables sharing with multiple users while using access privileges on a per folder or per object basis.
  • the data is enabled to be encrypted locally on the end-point device before the data is sent to the cloud storage, such that the data on the network storage is always encrypted.
  • the invention also encrypts the key for the files for each recipient to enable a cryptographically enforced access control.
  • the invention enables different permission properties for each folder.
  • One embodiment of the invention is a system for securing data comprising an end-point device with an application stored in the end-point device configured to secure an authenticated communication between the end-point device and a synchronized storage server via a communication network.
  • a synchronized storage server including an application stored within the server is configured to send the end-point device a notification including a root folder list.
  • the synchronized storage server may include any type of data hierarchy storage system such as a file, folder, or database.
  • the end-point device's application is further configured to compare the sent root folder list to a previously stored root folder list in the end-point device's memory and determine if there is a new folder either on the synchronized storage server or on the end-point device, a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such a determination is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e.
  • the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated until all changed data is synchronized.
  • the synchronized storage server will also update the root folder list and provide an updated root folder list to the end point devices.
  • the synchronized storage server may include an access control list to manage permissions to the folders and data.
  • the synchronized storage server may send the end-point device a new encrypted folder encryption key, for example, when an end-point device's permissions to the folder and objects have been revoked.
  • Another embodiment of the invention is a process for securing data in a remote storage where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising first securing an authenticated communication link between the end-point device and a synchronized storage server via a communication network.
  • the synchronized storage server sends the end-point device a notification including a root folder list.
  • the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e.
  • the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server.
  • the synchronization process is repeated throughout the folder hierarchy for each root folder until all changed folders and content are synchronized.
  • the synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices.
  • the synchronized storage server will send the end-point device a new encrypted folder encryption key which includes the encrypted file contents along with identifying information such as the server name and revision information.
  • Another embodiment of the invention is a process for packaging encrypted folders for storage on a remote storage server so that changes to the contents of the encrypted folders can be detected without having access to the encrypted folder's contents comprising the source end-point device encrypting the folder using a unique folder encryption key.
  • the encrypted data folder and folder encryption key is sent, via a secure tunnel through a communication device, to the synchronized storage server.
  • the synchronized storage server then encrypts the folder encryption key multiple times.
  • the folder encryption key is encrypted once for each end-point device using the public key for each end point device.
  • the synchronized storage server stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory.
  • the synchronized storage server also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available objects (e.g. folders), object names (e.g. file names), object size (e.g. file size), and number of objects (e.g. number of files); and sensitive (encrypted) data such as object salt (e.g. file salt), file names (e.g. file names), creation date, modification date, plaintext object contents (e.g. plaintext object contents), and object sizes (e.g. file sizes).
  • the synchronized storage server sends the root folder list to all end-point devices so the end-point devices can determine if they need to synchronize folders with the synchronized storage server.
  • the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e.
  • the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server.
  • the synchronization process is repeated throughout the folder hierarchy in the root folder until all changed folders and content are synchronized.
  • the synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices, as needed.
  • FIG. 1 is a diagram illustrating a system for securing data in a remote storage in accordance with the teachings of the present invention
  • FIG. 2 is a diagram of an exemplary embodiment for a process to secure data in a remote storage in accordance with the teachings of the present invention.
  • FIG. 3 is a diagram of an exemplary embodiment for a process to securely package data for remote storage in accordance with the teachings of the present invention.
  • the invention deals with data storage and is applicable to all data storage systems such as database and file folder type data systems.
  • objects and file folders are used to describe the location and hierarchy of stored data.
  • the invention is applicable to all levels of data hierarchy, for example the invention is applicable to any arrangement of data consisting of sets and subsets such that every subset of a set is of lower rank than the set.
  • Such terms associated with the various data storage systems are used interchangeably throughout the description and will be apparent to those skilled in the art.
  • FIG. 1 is a diagram of an exemplary embodiment for a system 1000 for securing data comprising an end-point device 1300 with an application 1346 stored in the end-point device 1300 configured to secure an authenticated communication between the end-point device 1300 and a synchronized storage server 1100 via a network 1200 .
  • the end-point device 1300 Upon start up, or at periodic intervals, or upon request, the end-point device 1300 will establish a secure and authenticated communication link with the synchronized storage server 1100 .
  • the secure and authenticated communication links may be established using standard cryptographic techniques.
  • the network 1200 may be either a wired or wireless communication network.
  • the network 1200 may include a public or private network such as the internet, intranet, telecommunications system, or other network capable of transmitting electronic data.
  • the end-point device 1300 includes internal hardware such as a processor 1310 , memory 1320 , and communication 130 devices.
  • the end-point device 1300 may include software applications 1346 that enable the end-point device 1300 to encrypt all data locally on the device before sending the data to the remote cloud storage, or synchronized storage server 1100 .
  • the data encryption may be accomplished using any data encryption method such as Advanced Encryption Standard (“AES”).
  • AES Advanced Encryption Standard
  • the end-point device may include smart phones, tablet PC's, notebook PC's, desktop PC's, remote monitoring devices, cameras, sensors, or any other device that transmits data via a network.
  • the devices may be used for any type of communication, computing, or electronic operation.
  • the invention is also applicable to both mobile devices and fixed devices since either type are commonly used to transmit data to and from other mobile and fixed devices via a network.
  • the synchronized storage server 1100 includes an application 1146 stored within the server configured to send the end-point device 1300 a notification including a root folder list 1128 .
  • the synchronized storage server 1100 may include hardware such as a processor 1110 , memory 1120 , and communication 1130 devices.
  • the synchronized storage server 1100 may include either a file system or database.
  • the synchronized storage server 1100 may include an access control list 1129 to manage permissions and synchronization to the folders and data.
  • the synchronized storage server 1100 essentially acts like a secure storage device that can be accessed asynchronously as a secure end-point by any number of end-point devices 1300 .
  • the synchronized storage server 1100 may comprise a physical storage device such as a hard drive, series of hard drives, SSD memory, SD Card, or any other type of local volatile or volatile memory.
  • the synchronized storage server 1100 may also be a remote cloud storage service, such as Amazon Storage, Google Cloud Storage, or any other commercially available remote network storage service.
  • the invention is also applicable to a synchronized storage server 1100 that uses cloud storage for the data, but maintains metadata and folder encryption keys locally on the server or device.
  • the synchronized storage server 1100 only distributes the encrypted data and does not have any other direct access to the encrypted data.
  • the synchronized storage server 1100 provides remote memory for end-point devices 1300 to backup data and to share data with other devices. With respect to shared data, the synchronized storage server 1100 may also provide automatic synchronization to keep the data, or content, consistent across the multiple sharing devices. The synchronized storage server 1100 may also enable sharing data with multiple devices with access privileges managed on a per folder basis. And since the data is encrypted locally on the end-point device 1300 , the synchronized storage server 1100 is always black, that is the synchronized storage server only carries segregated signals of encrypted information, or ciphertext signals, and does not contain sensitive data from end-point devices in any readable form. In addition, the synchronized storage server 1100 encrypts the folder encryption keys 1126 for the encrypted folders 1124 for each recipient to enable cryptographically enforced access control. The permission properties may also be enabled separately for each folder 1124 .
  • the synchronized storage server 1100 stores the encrypted folders 1124 within a folder hierarchy as specified by a user. Along with each encrypted folder 1124 the synchronized storage server 1100 stores a signed-encrypted folder encryption key 1126 that is re-encrypted for each authorized user of each folder 1124 . The synchronized storage server 1100 also stores a permission list per folder 1124 , as an access control list 1129 . The synchronized storage server 1100 is able to send an encrypted folder encryption key 1126 to each end-point device 1300 that has permission to access the folder 1124 .
  • the folder permissions apply to all files in a folder 1124 equally with no per-file permissions.
  • Each file in a folder 1124 shares a unique cryptographic folder encryption key 1124 .
  • CBC cipher-block chaining
  • new folders have the option to inherit permissions from a parent folder; however, the new folders may still get a unique folder encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent folder.
  • the invention is still applicable to data subsets, such as files within a folder.
  • the synchronized storage server 1100 stores a signed-encrypted file encryption key that is re-encrypted for each authorized user of each file.
  • the synchronized storage server 1100 also stores a permission list per file, as an access control list.
  • the synchronized storage server 1100 is able to send an encrypted file encryption key to each end-point device 1300 that has permission to access the file.
  • Each file may share a unique cryptographic file encryption key. This also reduces permission removal and revocation issues as the change on one file would result in all data in the same file being re-encrypted.
  • new files have the option to inherit permissions from a parent file; however, the new files may still get a unique file encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent file. In this way, if a root parent file changes, the system will keep flowing down until a child is reached with different permission properties than the parent.
  • only read or only write data permissions result in a one-way synchronization. Whereas, read and write data permissions may result in two-way synchronization.
  • the end-point device's application 1346 is configured to compare the sent root folder list 1128 to a previously stored root folder list 1328 in the end-point device's memory 1320 .
  • the end-point device 1346 compares the root folder list 1128 to a previously stored root folder list 1328 to detect if there is a new folder on either the synchronized storage server 1100 or on the end-point device 1346 , or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 1300 will synchronize with the synchronized storage server 1100 .
  • the end-point device 1300 uploads the latest encrypted folders to the synchronized storage server 1100 .
  • the change made to the folder originated at another end-point device i.e. the root folder list 1128 is different than the end-point device's folder list 1328
  • the end-point device 1300 downloads the latest encrypted folders from the synchronized storage server 1100 .
  • the synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized.
  • the synchronized storage server 1100 will also update the root folder list and provide an updated root folder list to the end point devices.
  • the synchronized storage server 1100 will send the end-point devices 1300 a new encrypted folder encryption key.
  • the end-point device 1300 is then able to locally decrypt the folder encryption key using the end-point device's private key, using public-key cryptography. With the encrypted folder encryption key 1326 , the end-point device 1300 can decrypt the data.
  • FIG. 2 is a diagram of an exemplary embodiment for a method 2000 for securing data in a remote synchronized storage server 2100 where an end-point device 2300 does not have direct access to the synchronized storage server 2100 to secure the data, or the end-point device 2300 does not trust the remote storage to adequately secure the data, comprising first securing an authenticated communication link 2400 between the end-point device 2300 and a synchronized storage server 2100 via a communication network 2200 .
  • the end-point device 2300 Upon start up, or at periodic intervals, or upon request, the end-point device 2300 will establish a secure and authenticated communication link 2400 with the synchronized storage server 2100 .
  • the secure and authenticated communication links 2400 may be established using standard cryptographic techniques.
  • the synchronized storage server 2100 sends the end-point device 2300 a message including a root folder list.
  • the end-point device 2300 compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server 2100 or on the end-point device 2300 , or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 2300 will synchronize with the synchronized storage server 2100 . If the change made to the folder originated at the end-point device 2300 , then the end-point device 2300 uploads the latest encrypted folders to the synchronized storage server 2100 .
  • the end-point device 2300 downloads the latest encrypted folders from the synchronized storage server 2100 .
  • the synchronization process is repeated until all changed folders are synchronized.
  • the synchronized storage server 2100 will also update the root folder list and provide an updated folder list to the end-point devices 2300 .
  • the end-point device 2300 In order for the files to be read, the end-point device 2300 must have read permissions to retrieve the files from the synchronized storage server 2100 . Likewise, the end-point device 2300 must have write permissions to send new files or file updates to the synchronized storage server 2100 . In order to remove files from the synchronized storage server 2100 , the end-point device 2300 must have both read and delete permissions.
  • deleting data requires that the end-point device 2300 is able to read the data from the synchronized storage server 2100 into the device's local memory, and then the end-point device 2300 must be able to remove the data from the end-point device's local memory for a local change to be detected, and then the change can be replicated on the synchronized storage server 2100 as a delete operation.
  • each folder encryption key is encrypted separately for each end-point device and each file within a folder is encrypted with the same folder encryption key.
  • the folder encryption key must also change when an end-point device is removed from the access control list.
  • the invention also enables previously authorized end-point devices to be restricted from accessing data when the files are re-encrypted with a new key by simply not sending the new keys to unauthorized end-point devices.
  • the synchronized storage server 2100 will send the end-point devices 1300 a new encrypted folder encryption key.
  • the end-point devices 1300 are then able to locally decrypt the folder encryption key using the end-point devices' private keys, using public-key cryptography. With the encrypted folder encryption keys 1326 , the end-point devices 1300 can decrypt the folders.
  • Another embodiment of the invention is a process for packaging encrypted files for storage on a remote synchronized storage server 3100 so that changes to the contents of the encrypted files can be detected without having access to the encrypted file's contents comprising the source end-point device 3300 encrypting the file using a unique folder encryption key.
  • the encrypted data folder and folder encryption key is sent, via a secure tunnel 3400 through a communication network, to the synchronized storage server 3100 .
  • the synchronized storage server 3100 then encrypts the folder encryption key multiple times.
  • the folder encryption key is encrypted once for each end-point device 3300 using the public key for each end point device 3300 .
  • the synchronized storage server 3100 stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory.
  • the synchronized storage server 3100 also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available folders, file names, file size, and number of files; and sensitive (encrypted) data such as file salt, file names, creation date, modification date, plaintext file contents, and file sizes.
  • non-sensitive (unencrypted) data such as a list of all available folders, file names, file size, and number of files
  • sensitive (encrypted) data such as file salt, file names, creation date, modification date, plaintext file contents, and file sizes.
  • the synchronized storage server 3100 sends the root folder list to all end-point devices 3500 so the end-point devices 3500 can determine if they need to synchronize files with the synchronized storage server 3100 .
  • the end-point devices 3500 compare the root folder list to a previously stored root folder list in the end-point devices' 3500 memory to detect if there is a new folder either on the synchronized storage server 3100 or on the end-point devices 3500 , or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point devices 3500 will synchronize with the synchronized storage server 3100 .
  • the end-point devices 3500 download the latest encrypted folders from the synchronized storage server 3100 .
  • the synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized.
  • the synchronized storage server 3100 will also update the root folder list and provide an updated folder list to the end point devices 3500 .
  • a traditional dead drop included a method to pass items between at least two individuals using a secret location and thus does not require them to meet directly.
  • a dead drop may permit a case officer and agent to exchange objects and information while maintaining operational security.
  • the virtual dead drop is accomplished when a first end-point device is enabled with write but not read permissions, and a second end-point device is enabled with read but not write permissions.
  • the first end-point device can create a new, or update an existing data file in the synchronized storage server.
  • the second device which would have access to the same folder in the synchronized storage server, would then be able to read the files provided by the first end-point device. In this scenario, the first end-point device would be able to exchange digital objects and information with the second end-point device without “meeting directly” while maintaining operational security.
  • the invention also enables unique content rules to manage the use and distribution of the folders on the end-point devices.
  • the folders may include rules such as temporal, location, identity, and activity/inactivity rules. Such rules may enhance the inventions ability to distribute data to end-point devices while preventing the data from spreading to unauthorized users.
  • the folders may include a rule to remove access to the folder when the folders have been inactive for a predetermined amount of time.
  • Another such rule may include temporal rules where access to the folders is removed after a predetermined amount of time.
  • the folder may be made accessible to an end-point device for a limited time and when the limited time lapses access to the folder lapses.
  • Another example of such a rule is when access to the folders is based on geospatial limitations. For example, an end-point device may be given access to folders only when the end-point device is within a geospatial boundary and access removed when the end-point device goes outside the geospatial boundary. It is important to note that access to the folders can be accomplished by deleting the folders, or access can be removed with a new encrypted folder encryption key distributed to all devices, except those with revoked access to the folders.
  • the devices may be coupled with electrical circuitry, or through wireless networks that allow the devices to transfer data, receive power, execute the operations described, and provide structural integrity.

Abstract

This invention includes apparatus, systems, and methods to secure data in a remote storage device where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising securing an authenticated communication between the end-point device and a synchronized storage server via a communication network. The synchronized storage server sends the end-point device a notification including the root folder list. The end-point device compares the sent root folder list to a previously stored root folder list in the end-point devices' memory. If the end-point device detects either a new root folder on the synchronized storage server, a change in an existing folder, or deleted content in a folder the end-point device will determine that a change is required to the stored data. Next the end-point device will synchronize with the synchronized storage server and create a new storage list. Finally, the synchronized storage server will send the end-point device a new encrypted folder encryption key which includes the encrypted file contents along with identifying information such as the server name and revision information.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation and claims priority to Ser. No. 13/838,024 filed Mar. 15, 2013 the contents of which are incorporated herein by reference.
  • FIELD OF THE INVENTION
  • This invention relates generally to the field of data storage, and particularly methods, apparatuses, and systems for securely storing data in an unsecure server that can be accessed later from a secure end-point.
  • BACKGROUND OF THE INVENTION
  • The use of cloud base storage has increased tremendously. Cloud storage includes networked online storage such as data stored in virtualized pools of storage generally hosted by third parties. An entire ecosystem exists including companies that operate large data centers to serve people and entities that require data to be hosted. The data center operators may virtualize the resources according to the user's requirements, providing customers to vast storage resources, which the customers can use to store files or data objects. The resources may span across multiple physical servers.
  • There are many advantages to cloud storage including having to only pay for the storage actually used. In addition, entities may choose between off-premise and on-premise cloud storage options, or a mixture of the two options, to optimize other criteria such as cost savings potential, continuity of operations, disaster recovery, and security. Secondary advantages include a reduction in overhead cost as tasks are offloaded to a third party such as storage maintenance tasks, purchasing additional storage devices. These benefits allow entities to focus on their core business. However, cloud computing security is a tradeoff that users face.
  • A major problem with cloud-based storage involves securing the data to prevent the data from being accessed from unauthorized use. There are a number of security issues associated with cloud computing. Typically the security issues are dealt with by the cloud, or remote storage, providers. However, the data users also face issues and can benefit from taking control of security measures that prevent unauthorized use. The cloud provider is generally responsible to ensure that their infrastructure is secure and data is protected. But generally, there are few options the data creator has to protect the data before it is stored on the cloud.
  • This invention provides a unique solution for securely storing data wherein the data is encrypted at the source and not at the destination storage device. The invention includes a system and methods for encrypting data at the source, i.e. the client device or end-point, as well as storing and managing revisions of the data as it is used and changed by other secure devices and stored in the cloud. This invention enables a user of an end-point device to upload files onto network storage for backup and sharing with other end-point devices while providing automatic synchronization of the stored data across many devices. The invention also enables sharing with multiple users while using access privileges on a per folder or per object basis. The data is enabled to be encrypted locally on the end-point device before the data is sent to the cloud storage, such that the data on the network storage is always encrypted. The invention also encrypts the key for the files for each recipient to enable a cryptographically enforced access control. In addition, the invention enables different permission properties for each folder.
  • BRIEF SUMMARY OF THE INVENTION
  • One embodiment of the invention is a system for securing data comprising an end-point device with an application stored in the end-point device configured to secure an authenticated communication between the end-point device and a synchronized storage server via a communication network. Next a synchronized storage server including an application stored within the server is configured to send the end-point device a notification including a root folder list. The synchronized storage server may include any type of data hierarchy storage system such as a file, folder, or database. Next, the end-point device's application is further configured to compare the sent root folder list to a previously stored root folder list in the end-point device's memory and determine if there is a new folder either on the synchronized storage server or on the end-point device, a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such a determination is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated until all changed data is synchronized. The synchronized storage server will also update the root folder list and provide an updated root folder list to the end point devices.
  • In addition the synchronized storage server may include an access control list to manage permissions to the folders and data. Finally, the synchronized storage server may send the end-point device a new encrypted folder encryption key, for example, when an end-point device's permissions to the folder and objects have been revoked.
  • Another embodiment of the invention is a process for securing data in a remote storage where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising first securing an authenticated communication link between the end-point device and a synchronized storage server via a communication network. Next the synchronized storage server sends the end-point device a notification including a root folder list. Next, the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated throughout the folder hierarchy for each root folder until all changed folders and content are synchronized. The synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices.
  • Finally, the synchronized storage server will send the end-point device a new encrypted folder encryption key which includes the encrypted file contents along with identifying information such as the server name and revision information.
  • Another embodiment of the invention is a process for packaging encrypted folders for storage on a remote storage server so that changes to the contents of the encrypted folders can be detected without having access to the encrypted folder's contents comprising the source end-point device encrypting the folder using a unique folder encryption key. Next the encrypted data folder and folder encryption key is sent, via a secure tunnel through a communication device, to the synchronized storage server. The synchronized storage server then encrypts the folder encryption key multiple times. The folder encryption key is encrypted once for each end-point device using the public key for each end point device. The synchronized storage server stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory. The synchronized storage server also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available objects (e.g. folders), object names (e.g. file names), object size (e.g. file size), and number of objects (e.g. number of files); and sensitive (encrypted) data such as object salt (e.g. file salt), file names (e.g. file names), creation date, modification date, plaintext object contents (e.g. plaintext object contents), and object sizes (e.g. file sizes). The synchronized storage server sends the root folder list to all end-point devices so the end-point devices can determine if they need to synchronize folders with the synchronized storage server. Next, the end-point device compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server or on the end-point device, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device will synchronize with the synchronized storage server. If the change made to the folder originated at the end-point device, then the end-point device uploads the latest encrypted files to the server. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device downloads the latest encrypted files from the server. The synchronization process is repeated throughout the folder hierarchy in the root folder until all changed folders and content are synchronized. The synchronized storage server will also update the root folder list and provide an updated folder list to the end point devices, as needed.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Features and advantages of the claimed subject matter will be apparent from the following detailed description of embodiments consistent therewith, which description should be considered with reference to the accompanying drawings, wherein:
  • FIG. 1 is a diagram illustrating a system for securing data in a remote storage in accordance with the teachings of the present invention;
  • FIG. 2 is a diagram of an exemplary embodiment for a process to secure data in a remote storage in accordance with the teachings of the present invention; and
  • FIG. 3 is a diagram of an exemplary embodiment for a process to securely package data for remote storage in accordance with the teachings of the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION
  • The following describes the details of the invention. Although the following description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art. Accordingly, it is intended that the claimed subject matter be viewed broadly. Examples are provided as reference and should not be construed as limiting. The term “such as” when used should be interpreted as “such as, but not limited to.”
  • The invention deals with data storage and is applicable to all data storage systems such as database and file folder type data systems. For example, objects and file folders are used to describe the location and hierarchy of stored data. The invention is applicable to all levels of data hierarchy, for example the invention is applicable to any arrangement of data consisting of sets and subsets such that every subset of a set is of lower rank than the set. Such terms associated with the various data storage systems are used interchangeably throughout the description and will be apparent to those skilled in the art.
  • FIG. 1 is a diagram of an exemplary embodiment for a system 1000 for securing data comprising an end-point device 1300 with an application 1346 stored in the end-point device 1300 configured to secure an authenticated communication between the end-point device 1300 and a synchronized storage server 1100 via a network 1200. Upon start up, or at periodic intervals, or upon request, the end-point device 1300 will establish a secure and authenticated communication link with the synchronized storage server 1100. The secure and authenticated communication links may be established using standard cryptographic techniques.
  • The network 1200 may be either a wired or wireless communication network. The network 1200 may include a public or private network such as the internet, intranet, telecommunications system, or other network capable of transmitting electronic data.
  • The end-point device 1300 includes internal hardware such as a processor 1310, memory 1320, and communication 130 devices. The end-point device 1300 may include software applications 1346 that enable the end-point device 1300 to encrypt all data locally on the device before sending the data to the remote cloud storage, or synchronized storage server 1100. The data encryption may be accomplished using any data encryption method such as Advanced Encryption Standard (“AES”).
  • The end-point device may include smart phones, tablet PC's, notebook PC's, desktop PC's, remote monitoring devices, cameras, sensors, or any other device that transmits data via a network. The devices may be used for any type of communication, computing, or electronic operation. The invention is also applicable to both mobile devices and fixed devices since either type are commonly used to transmit data to and from other mobile and fixed devices via a network.
  • Next the synchronized storage server 1100 includes an application 1146 stored within the server configured to send the end-point device 1300 a notification including a root folder list 1128. The synchronized storage server 1100 may include hardware such as a processor 1110, memory 1120, and communication 1130 devices. The synchronized storage server 1100 may include either a file system or database. In addition the synchronized storage server 1100 may include an access control list 1129 to manage permissions and synchronization to the folders and data.
  • The synchronized storage server 1100 essentially acts like a secure storage device that can be accessed asynchronously as a secure end-point by any number of end-point devices 1300. The synchronized storage server 1100 may comprise a physical storage device such as a hard drive, series of hard drives, SSD memory, SD Card, or any other type of local volatile or volatile memory. The synchronized storage server 1100 may also be a remote cloud storage service, such as Amazon Storage, Google Cloud Storage, or any other commercially available remote network storage service. The invention is also applicable to a synchronized storage server 1100 that uses cloud storage for the data, but maintains metadata and folder encryption keys locally on the server or device. The synchronized storage server 1100 only distributes the encrypted data and does not have any other direct access to the encrypted data.
  • The synchronized storage server 1100 provides remote memory for end-point devices 1300 to backup data and to share data with other devices. With respect to shared data, the synchronized storage server 1100 may also provide automatic synchronization to keep the data, or content, consistent across the multiple sharing devices. The synchronized storage server 1100 may also enable sharing data with multiple devices with access privileges managed on a per folder basis. And since the data is encrypted locally on the end-point device 1300, the synchronized storage server 1100 is always black, that is the synchronized storage server only carries segregated signals of encrypted information, or ciphertext signals, and does not contain sensitive data from end-point devices in any readable form. In addition, the synchronized storage server 1100 encrypts the folder encryption keys 1126 for the encrypted folders 1124 for each recipient to enable cryptographically enforced access control. The permission properties may also be enabled separately for each folder 1124.
  • The synchronized storage server 1100 stores the encrypted folders 1124 within a folder hierarchy as specified by a user. Along with each encrypted folder 1124 the synchronized storage server 1100 stores a signed-encrypted folder encryption key 1126 that is re-encrypted for each authorized user of each folder 1124. The synchronized storage server 1100 also stores a permission list per folder 1124, as an access control list 1129. The synchronized storage server 1100 is able to send an encrypted folder encryption key 1126 to each end-point device 1300 that has permission to access the folder 1124.
  • In one embodiment, the folder permissions apply to all files in a folder 1124 equally with no per-file permissions. Each file in a folder 1124 shares a unique cryptographic folder encryption key 1124. This reduces the over use issues associated with encrypting several files with the same key in cipher-block chaining (CBC) mode. This also reduces permission removal and revocation issues as the change on one folder would result in all files in the same folder being re-encrypted. In addition, new folders have the option to inherit permissions from a parent folder; however, the new folders may still get a unique folder encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent folder. In this way, if a root parent folder changes, the system will keep flowing down until a child is reached with different permission properties than the parent. In addition, only read or only write file permissions result in a one-way synchronization. Whereas, read and write file permissions may result in two-way synchronization.
  • In another embodiment, the invention is still applicable to data subsets, such as files within a folder. Along with each encrypted file the synchronized storage server 1100 stores a signed-encrypted file encryption key that is re-encrypted for each authorized user of each file. The synchronized storage server 1100 also stores a permission list per file, as an access control list. The synchronized storage server 1100 is able to send an encrypted file encryption key to each end-point device 1300 that has permission to access the file.
  • Each file may share a unique cryptographic file encryption key. This also reduces permission removal and revocation issues as the change on one file would result in all data in the same file being re-encrypted. In addition, new files have the option to inherit permissions from a parent file; however, the new files may still get a unique file encryption key. Permissions are copied into a local “.perm” file with property status noted the same as the parent file. In this way, if a root parent file changes, the system will keep flowing down until a child is reached with different permission properties than the parent. In addition, only read or only write data permissions result in a one-way synchronization. Whereas, read and write data permissions may result in two-way synchronization.
  • Next, the end-point device's application 1346 is configured to compare the sent root folder list 1128 to a previously stored root folder list 1328 in the end-point device's memory 1320. The end-point device 1346 compares the root folder list 1128 to a previously stored root folder list 1328 to detect if there is a new folder on either the synchronized storage server 1100 or on the end-point device 1346, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 1300 will synchronize with the synchronized storage server 1100. If the change made to the folder originated at the source end-point device 1300, then the end-point device 1300 uploads the latest encrypted folders to the synchronized storage server 1100. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list 1128 is different than the end-point device's folder list 1328, then the end-point device 1300 downloads the latest encrypted folders from the synchronized storage server 1100. The synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized. The synchronized storage server 1100 will also update the root folder list and provide an updated root folder list to the end point devices.
  • Finally, the synchronized storage server 1100 will send the end-point devices 1300 a new encrypted folder encryption key. The end-point device 1300 is then able to locally decrypt the folder encryption key using the end-point device's private key, using public-key cryptography. With the encrypted folder encryption key 1326, the end-point device 1300 can decrypt the data.
  • FIG. 2 is a diagram of an exemplary embodiment for a method 2000 for securing data in a remote synchronized storage server 2100 where an end-point device 2300 does not have direct access to the synchronized storage server 2100 to secure the data, or the end-point device 2300 does not trust the remote storage to adequately secure the data, comprising first securing an authenticated communication link 2400 between the end-point device 2300 and a synchronized storage server 2100 via a communication network 2200. Upon start up, or at periodic intervals, or upon request, the end-point device 2300 will establish a secure and authenticated communication link 2400 with the synchronized storage server 2100. The secure and authenticated communication links 2400 may be established using standard cryptographic techniques.
  • The synchronized storage server 2100 sends the end-point device 2300 a message including a root folder list. The end-point device 2300 compares the root folder list to a previously stored root folder list in the end-point device's memory to detect if there is a new folder either on the synchronized storage server 2100 or on the end-point device 2300, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point device 2300 will synchronize with the synchronized storage server 2100. If the change made to the folder originated at the end-point device 2300, then the end-point device 2300 uploads the latest encrypted folders to the synchronized storage server 2100. Likewise if the change made to the folder originated at another end-point device, i.e. the root folder list is different than the end-point device's folder list, then the end-point device 2300 downloads the latest encrypted folders from the synchronized storage server 2100. The synchronization process is repeated until all changed folders are synchronized.
  • The synchronized storage server 2100 will also update the root folder list and provide an updated folder list to the end-point devices 2300. In order for the files to be read, the end-point device 2300 must have read permissions to retrieve the files from the synchronized storage server 2100. Likewise, the end-point device 2300 must have write permissions to send new files or file updates to the synchronized storage server 2100. In order to remove files from the synchronized storage server 2100, the end-point device 2300 must have both read and delete permissions. In other words, deleting data requires that the end-point device 2300 is able to read the data from the synchronized storage server 2100 into the device's local memory, and then the end-point device 2300 must be able to remove the data from the end-point device's local memory for a local change to be detected, and then the change can be replicated on the synchronized storage server 2100 as a delete operation.
  • Again it is important to note the significance with file permissions. Recall that there is only one folder encryption key per folder. Each folder encryption key is encrypted separately for each end-point device and each file within a folder is encrypted with the same folder encryption key. The folder encryption key must also change when an end-point device is removed from the access control list. The invention also enables previously authorized end-point devices to be restricted from accessing data when the files are re-encrypted with a new key by simply not sending the new keys to unauthorized end-point devices.
  • Finally, the synchronized storage server 2100 will send the end-point devices 1300 a new encrypted folder encryption key. The end-point devices 1300 are then able to locally decrypt the folder encryption key using the end-point devices' private keys, using public-key cryptography. With the encrypted folder encryption keys 1326, the end-point devices 1300 can decrypt the folders.
  • Another embodiment of the invention is a process for packaging encrypted files for storage on a remote synchronized storage server 3100 so that changes to the contents of the encrypted files can be detected without having access to the encrypted file's contents comprising the source end-point device 3300 encrypting the file using a unique folder encryption key.
  • Next the encrypted data folder and folder encryption key is sent, via a secure tunnel 3400 through a communication network, to the synchronized storage server 3100. The synchronized storage server 3100 then encrypts the folder encryption key multiple times. The folder encryption key is encrypted once for each end-point device 3300 using the public key for each end point device 3300. The synchronized storage server 3100 stores the encrypted folder and each encrypted folder encryption key file in the synchronized storage server's memory. The synchronized storage server 3100 also creates a root folder list which may include non-sensitive (unencrypted) data such as a list of all available folders, file names, file size, and number of files; and sensitive (encrypted) data such as file salt, file names, creation date, modification date, plaintext file contents, and file sizes.
  • The synchronized storage server 3100 sends the root folder list to all end-point devices 3500 so the end-point devices 3500 can determine if they need to synchronize files with the synchronized storage server 3100. Next, the end-point devices 3500 compare the root folder list to a previously stored root folder list in the end-point devices' 3500 memory to detect if there is a new folder either on the synchronized storage server 3100 or on the end-point devices 3500, or a change in content in an existing folder on either device, or if content has been deleted in an existing folder on either device. And when such detection is made, the end-point devices 3500 will synchronize with the synchronized storage server 3100. Then the end-point devices 3500 download the latest encrypted folders from the synchronized storage server 3100. The synchronization process is repeated throughout the folder hierarchy under the root folder until all changed folders and object content are synchronized. The synchronized storage server 3100 will also update the root folder list and provide an updated folder list to the end point devices 3500.
  • The invention also enables a virtual dead drop. A traditional dead drop included a method to pass items between at least two individuals using a secret location and thus does not require them to meet directly. For example, a dead drop may permit a case officer and agent to exchange objects and information while maintaining operational security. The virtual dead drop is accomplished when a first end-point device is enabled with write but not read permissions, and a second end-point device is enabled with read but not write permissions. The first end-point device can create a new, or update an existing data file in the synchronized storage server. The second device, which would have access to the same folder in the synchronized storage server, would then be able to read the files provided by the first end-point device. In this scenario, the first end-point device would be able to exchange digital objects and information with the second end-point device without “meeting directly” while maintaining operational security.
  • The invention also enables unique content rules to manage the use and distribution of the folders on the end-point devices. The folders may include rules such as temporal, location, identity, and activity/inactivity rules. Such rules may enhance the inventions ability to distribute data to end-point devices while preventing the data from spreading to unauthorized users. For example, the folders may include a rule to remove access to the folder when the folders have been inactive for a predetermined amount of time. Another such rule may include temporal rules where access to the folders is removed after a predetermined amount of time. For example, the folder may be made accessible to an end-point device for a limited time and when the limited time lapses access to the folder lapses. Another example of such a rule is when access to the folders is based on geospatial limitations. For example, an end-point device may be given access to folders only when the end-point device is within a geospatial boundary and access removed when the end-point device goes outside the geospatial boundary. It is important to note that access to the folders can be accomplished by deleting the folders, or access can be removed with a new encrypted folder encryption key distributed to all devices, except those with revoked access to the folders.
  • Throughout this description, references were made to devices coupled together. Such coupling includes a manner that allows the exchange and interaction of data, such that the operations and processes described may be carried out. For example, the devices may be coupled with electrical circuitry, or through wireless networks that allow the devices to transfer data, receive power, execute the operations described, and provide structural integrity. Reference was also made to interactions between end-point device 1300 in FIG. 1 and a synchronized storage server 1100 via a network 1200, however the invention is scalable to be enabled with more devices than described in the specification. For example, any number of end-point devices 1300, networks 1200, and synchronized storage servers 1100, may be utilized to enable this invention.
  • The terms and expressions which have been employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible within the scope of the claims. Other modifications, variations, and alternatives are also possible. Accordingly, the claims are intended to cover all such equivalents.

Claims (18)

What is claimed is:
1. A system for securing data comprising:
a first device with a data folder, wherein the first device is enabled to encrypt the data folder with a folder encryption key and send a resulting encrypted data folder and the folder encryption key to a server;
an access control list used by the server to identify that a second device is authorized to access the encrypted data folder and the folder encryption key;
the server enabled to encrypt the folder encryption key with a public key of the second device to produce an encrypted folder encryption key, and send the encrypted data folder, and the encrypted folder encryption key to the second device; and
the second device enabled to decrypt the encrypted folder encryption key with a private key of the second device to produce the folder encryption key, and use the folder encryption key to decrypt the encrypted data folder to produce the data folder.
2. The system of claim 1, wherein the end-point device include smart phones, tablet PC's, notebook PC's, desktop PC's, remote monitoring devices, cameras, sensors, or any other device that transmits data via a network.
3. The system of claim 1, wherein the synchronized storage server comprises physical storage devices such as a hard drive, series of hard drives, SSD memory, SD Card, or any other type of local volatile or volatile memory.
4. The system of claim 1, wherein the synchronized storage server comprises a cloud storage device, such as Amazon Storage, Google Cloud Storage, or any other commercially available remote network storage service.
5. The system of claim 1, wherein the synchronized storage server uses cloud storage to store the data, but maintains metadata and folder encryption keys locally on the synchronized storage server.
6. A method for securing data comprising:
a server receiving an encrypted folder and a first folder encryption key from a first device, wherein the encrypted folder is encrypted using the first folder encryption key;
the server referring to an access control list to identify a second device that is authorized to access the encrypted folder;
the server encrypting the first folder encryption key with a public key of the second device to produce an encrypted first folder encryption key;
the server creating a root folder list; and
the server sending the root folder list, encrypted folder, and encrypted first folder encryption key to the second device enabling the second device to decrypt the encrypted first folder encryption key to produce the first folder encryption key and use the first folder encryption key to decrypt the encrypted folder and produce a folder.
7. The method of claim 6, wherein the synchronized storage server encrypts each folder encryption key uniquely for each end-point device using the public keys for each end-point device.
8. The method of claim 6, wherein the access control list and folder encryption key apply to all files in a folder.
9. The method of claim 6, wherein new folders have the option to inherit the permissions and folder encryption key from a parent folder or get unique permissions and a unique folder encryption key.
10. The method of claim 6, wherein a change made to the folder originating at the first device, results in the first device uploading the latest encrypted folder to the server.
11. The method of claim 6, wherein a change made to the folder originating at the second device, results in the first device downloading the latest encrypted folder from the server.
12. The method of claim 6, wherein an unauthorized device is restricted from accessing an encrypted folder when the folder is encrypted with a new folder encryption key and the unauthorized device is not provided the second folder encryption key.
13. A method for securing data comprising:
a device comparing an updated root folder list to a previously stored root folder list wherein a difference in the updated root folder list compared to the previously stored root folder list indicates a changed folder;
the device receiving an encrypted changed folder and an encrypted folder encryption key from the server;
the device decrypting the encrypted folder encryption key to produce a folder encryption key;
the device using the folder encryption key to decrypt the encrypted changed folder to produce the changed folder.
14. The method of claim 13, wherein the folder includes management rules based on factors such as temporal, location, identity, and activity to prevent the folder from spreading to an unauthorized device, the temporal rules used to trigger the distribution of the root folder list and the synchronization process to revoke access to the folder.
15. The method of claim 13, wherein the folder includes a rule to revoke access to the folder when the folder has been inactive for a predetermined amount of time.
16. The method of claim 13, wherein the folder includes a temporal rule where access to the folder is revoked after a predetermined amount of time.
17. The method of claim 13, wherein the folder includes a rule where access to the folder is based on geospatial limitations including the device given access to the folder only when the device is within a geospatial boundary and access revoked when the device goes outside the geospatial boundary.
18. The method of claim 13, wherein an unauthorized device is restricted from accessing an encrypted folder when the folder is encrypted with a new folder encryption key and the unauthorized device is not sent the new folder encryption key.
US14/799,569 2013-03-15 2015-07-14 Secure Network Storage Abandoned US20170019377A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US15/385,843 US20170126623A1 (en) 2013-04-03 2016-12-20 Protected Subnet Interconnect
US15/422,451 US20170201382A1 (en) 2013-04-03 2017-02-01 Secure Endpoint Devices

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/838,024 US9088538B2 (en) 2013-03-15 2013-03-15 Secure network storage

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/193,026 Continuation-In-Part US9692605B2 (en) 2012-10-15 2016-06-25 Certificate authority server protection

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/623,497 Continuation-In-Part US9794270B2 (en) 2012-01-29 2015-02-16 Data security and integrity by remote attestation

Publications (1)

Publication Number Publication Date
US20170019377A1 true US20170019377A1 (en) 2017-01-19

Family

ID=51534053

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/838,024 Active - Reinstated 2033-09-06 US9088538B2 (en) 2013-03-15 2013-03-15 Secure network storage
US14/799,569 Abandoned US20170019377A1 (en) 2013-03-15 2015-07-14 Secure Network Storage

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/838,024 Active - Reinstated 2033-09-06 US9088538B2 (en) 2013-03-15 2013-03-15 Secure network storage

Country Status (1)

Country Link
US (2) US9088538B2 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10708236B2 (en) 2015-10-26 2020-07-07 Secturion Systems, Inc. Multi-independent level secure (MILS) storage encryption
US10902155B2 (en) 2013-03-29 2021-01-26 Secturion Systems, Inc. Multi-tenancy architecture
US11063914B1 (en) 2013-03-29 2021-07-13 Secturion Systems, Inc. Secure end-to-end communication system
US11283774B2 (en) 2015-09-17 2022-03-22 Secturion Systems, Inc. Cloud storage using encryption gateway with certificate authority identification
US11288402B2 (en) 2013-03-29 2022-03-29 Secturion Systems, Inc. Security device with programmable systolic-matrix cryptographic module and programmable input/output interface
EP4020875A1 (en) 2020-12-23 2022-06-29 Thales DIS France SA Method, first server, second server, and system for transmitting securely a key
US11429540B2 (en) 2013-04-01 2022-08-30 Secturion Systems, Inc. Multi-level independent security architecture
US11831759B1 (en) * 2022-08-09 2023-11-28 Uab 360 It Optimized authentication system for a multiuser device

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9141820B2 (en) * 2013-07-25 2015-09-22 Adobe Systems Incorporated Network-based service content protection
WO2015070160A1 (en) * 2013-11-08 2015-05-14 MustBin Inc. Bin enabled data object encryption and storage apparatuses, methods and systems
US9378262B2 (en) * 2013-12-06 2016-06-28 SoftNAS, LLC Synchronization storage solution
US9390281B2 (en) * 2013-12-30 2016-07-12 Open Invention Network, Llc Protecting data in insecure cloud storage
US20160253662A1 (en) * 2015-02-27 2016-09-01 Visa International Service Association Method to use a payment gateway as contextual enabler between different parties
EP3286651A4 (en) 2015-04-22 2018-12-19 Larc Networks Inc. Dead drop network architecture
US9842062B2 (en) 2015-05-31 2017-12-12 Apple Inc. Backup accessible by subset of related devices
CN108027802A (en) * 2015-07-17 2018-05-11 拉克网络公司 Data exchange is write twice in the network architecture of dead point
US10019460B2 (en) * 2015-09-14 2018-07-10 Microsoft Technology Licensing, Llc Hosted file sync with direct access to hosted files
US9590958B1 (en) * 2016-04-14 2017-03-07 Wickr Inc. Secure file transfer
CN107623662B (en) * 2016-07-15 2021-06-01 阿里巴巴集团控股有限公司 Access control method, device and system
CN108062327B (en) * 2016-11-08 2020-10-13 北京国双科技有限公司 Matching method and device for client
CN107517269B (en) * 2017-09-07 2020-09-08 深圳市酷开网络科技有限公司 Remote synchronous push file caching method and system based on VR equipment
CN110263553B (en) * 2019-05-13 2021-07-13 清华大学 Database access control method and device based on public key verification and electronic equipment
US10997101B1 (en) * 2019-11-01 2021-05-04 EMC IP Holding Company LLC Accessing secondary storage

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061692A (en) * 1997-11-04 2000-05-09 Microsoft Corporation System and method for administering a meta database as an integral component of an information server
US20120144464A1 (en) * 2010-12-06 2012-06-07 Delaram Fakhrai Method and system for improved security
US20120297189A1 (en) * 2011-05-18 2012-11-22 Citrix Systems, Inc. Systems and Methods for Secure Handling of Data
US20120317077A1 (en) * 2011-06-10 2012-12-13 Microsoft Corporation Identification of moved or renamed files in file synchronization
US20140165167A1 (en) * 2012-12-12 2014-06-12 Microsoft Corporation Scalable and automated secret management
US8825597B1 (en) * 2009-08-13 2014-09-02 Dropbox, Inc. Network folder synchronization
US20150052353A1 (en) * 2013-08-14 2015-02-19 Seon Geun Kang System and Method For Synchronizing An Encrypted File With A Remote Storage

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7861005B2 (en) * 2006-06-12 2010-12-28 Research In Motion Limited Method and apparatus for folder synchronization and management
US9218406B2 (en) * 2012-04-26 2015-12-22 Connected Data, Inc. System and method for managing user data in a plurality of storage appliances over a wide area network for collaboration, protection, publication, or sharing

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061692A (en) * 1997-11-04 2000-05-09 Microsoft Corporation System and method for administering a meta database as an integral component of an information server
US8825597B1 (en) * 2009-08-13 2014-09-02 Dropbox, Inc. Network folder synchronization
US20120144464A1 (en) * 2010-12-06 2012-06-07 Delaram Fakhrai Method and system for improved security
US20120297189A1 (en) * 2011-05-18 2012-11-22 Citrix Systems, Inc. Systems and Methods for Secure Handling of Data
US20120317077A1 (en) * 2011-06-10 2012-12-13 Microsoft Corporation Identification of moved or renamed files in file synchronization
US20140165167A1 (en) * 2012-12-12 2014-06-12 Microsoft Corporation Scalable and automated secret management
US20150052353A1 (en) * 2013-08-14 2015-02-19 Seon Geun Kang System and Method For Synchronizing An Encrypted File With A Remote Storage

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10902155B2 (en) 2013-03-29 2021-01-26 Secturion Systems, Inc. Multi-tenancy architecture
US11063914B1 (en) 2013-03-29 2021-07-13 Secturion Systems, Inc. Secure end-to-end communication system
US11921906B2 (en) 2013-03-29 2024-03-05 Secturion Systems, Inc. Security device with programmable systolic-matrix cryptographic module and programmable input/output interface
US11288402B2 (en) 2013-03-29 2022-03-29 Secturion Systems, Inc. Security device with programmable systolic-matrix cryptographic module and programmable input/output interface
US11783089B2 (en) 2013-03-29 2023-10-10 Secturion Systems, Inc. Multi-tenancy architecture
US11429540B2 (en) 2013-04-01 2022-08-30 Secturion Systems, Inc. Multi-level independent security architecture
US11283774B2 (en) 2015-09-17 2022-03-22 Secturion Systems, Inc. Cloud storage using encryption gateway with certificate authority identification
US11792169B2 (en) 2015-09-17 2023-10-17 Secturion Systems, Inc. Cloud storage using encryption gateway with certificate authority identification
US11750571B2 (en) 2015-10-26 2023-09-05 Secturion Systems, Inc. Multi-independent level secure (MILS) storage encryption
US10708236B2 (en) 2015-10-26 2020-07-07 Secturion Systems, Inc. Multi-independent level secure (MILS) storage encryption
WO2022136282A1 (en) 2020-12-23 2022-06-30 Thales Dis France Sas Method, first server, second server and system for secure key transmission
EP4020875A1 (en) 2020-12-23 2022-06-29 Thales DIS France SA Method, first server, second server, and system for transmitting securely a key
US11831759B1 (en) * 2022-08-09 2023-11-28 Uab 360 It Optimized authentication system for a multiuser device

Also Published As

Publication number Publication date
US9088538B2 (en) 2015-07-21
US20140281526A1 (en) 2014-09-18

Similar Documents

Publication Publication Date Title
US9088538B2 (en) Secure network storage
US10691817B2 (en) Encryption for distributed storage and processing
US8996884B2 (en) High privacy of file synchronization with sharing functionality
US8842841B2 (en) Cryptographic method and system
US9626527B2 (en) Server and method for secure and economical sharing of data
US20190087432A1 (en) Secure searchable and shareable remote storage system and method
US20160011990A1 (en) System and Method for Conflict-Free Cloud Storage Encryption
US10685141B2 (en) Method for storing data blocks from client devices to a cloud storage system
CN112581126A (en) Block chain-based platform data management method and device and storage medium
US10505905B2 (en) Transport envelope
KR101285281B1 (en) Security system and its security method for self-organization storage
CN107113164B (en) Method, apparatus and computer readable medium for deduplication of encrypted data
WO2018208786A1 (en) Method and system for secure delegated access to encrypted data in big data computing clusters
AU2014274590B2 (en) Cryptographic Method and System
Thota et al. Split key management framework for Open Stack Swift object storage cloud
Hoffmann et al. Towards an architecture for end-to-end-encrypted file synchronization systems
Sánchez‐Artigas et al. StackSync: Attribute‐based data sharing in file synchronization services
SUBBARAO A Hybrid Cloud Approach for Message Encryption and Secure Deduplication
MADHAVI et al. Fast and Secure Authorized Deduplication in Hybrid Cloud Architecture
Totolici CRYPSTOR: a platform for secure storage

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION