US20140372750A1 - Client-side encryption - Google Patents
Client-side encryption Download PDFInfo
- Publication number
- US20140372750A1 US20140372750A1 US14/271,918 US201414271918A US2014372750A1 US 20140372750 A1 US20140372750 A1 US 20140372750A1 US 201414271918 A US201414271918 A US 201414271918A US 2014372750 A1 US2014372750 A1 US 2014372750A1
- Authority
- US
- United States
- Prior art keywords
- key
- organization
- encrypted
- file
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/16—File or folder operations, e.g. details of user interfaces specifically adapted to file systems
- G06F16/164—File meta data generation
- G06F16/166—File name conversion
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/17—Details of further file system functions
- G06F16/178—Techniques for file synchronisation in file systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/182—Distributed file systems
- G06F16/1824—Distributed file systems implemented using Network-attached Storage [NAS] architecture
- G06F16/183—Provision of network file services by network file servers, e.g. by using NFS, CIFS
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
-
- H04L67/42—
Definitions
- This application relates generally to cloud-based file storage. More particularly, this application relates to client-side encryption in a cloud-based file storage.
- FIG. 1 is a block diagram illustrating a system, in accordance with an example embodiment, of securely synchronizing files.
- FIG. 2 is a block diagram illustrating a client device, in accordance with an example embodiment, in more detail.
- FIG. 3 is a block diagram illustrating another client device, in accordance with an example embodiment, in more detail.
- FIG. 4 is a block diagram illustrating a backend, in accordance with an example embodiment, in more detail.
- FIG. 5 is a process flow diagram depicting a method, in accordance with an example embodiment, of client-side encryption prior to upload of a file.
- FIG. 6 is a process flow diagram depicting a method, in accordance with an example embodiment, of client-side decryption subsequent to download of a file.
- FIG. 7 is a flow diagram illustrating a method, in accordance with an example embodiment, of encrypting files at a client in a cloud-based file system.
- FIG. 8 is a flow diagram illustrating a method, in accordance with an example embodiment, of decrypting files at a client in a cloud-based file system.
- FIG. 9 is a block diagram illustrating a mobile device, according to an example embodiment.
- FIG. 10 is a block diagram of machine in the example form of a computer system within which instructions, for causing the machine to perform any one or more of the methodologies discussed herein, can be executed.
- various techniques are utilized in order to allow for efficient, accurate, and secure synchronization of files across multiple devices even in cases where a large number of events are occurring concurrently. This may include using an events-based technique to improve reliability during periods of file modifications being performed concurrently.
- name conflicts between different files may be resolved automatically.
- FIG. 1 is a block diagram illustrating a system 100 , in accordance with an example embodiment, of securely synchronizing files.
- files may be synchronized between one or more servers 102 and one or more client devices 104 A- 104 D.
- the client devices 104 A- 104 D may include various types of devices running various types of platforms with various types of operating systems and applications.
- client device 104 A may be a mobile device running proprietary mobile applications 106 .
- Client device 104 B may be a personal computer running a MacintoshTM operating system from Apple Inc. of Cupertino, Calif. This may include a file system known as Finder 108 , which may include a specialized plug-in 110 to allow Finder 108 to be altered in order to better operate with a proprietary application 112 .
- Client device 104 C may be a personal computer running a WindowsTM operating system from Microsoft Corp. of Redmond, Wash. This may include a file system known as Windows Explorer 114 , which may include a specialized plug-in 116 to allow Windows Explorer 114 to be altered in order to better operate with a proprietary application 118 . Additionally, applications such as Microsoft OfficeTM 120 and Microsoft OutlookTM 122 may also include their own specialized plug-ins 124 , 126 , respectively, which allow them to better operate with the proprietary application 118 . Client device 104 D may be a web-based device that may operate a web browser 128 instead of a traditional operating system.
- Each of the client devices 104 A- 104 D may communicate with a back-end 130 hosted by the one or more servers 102 . This communication may either take place directly between the back-end 130 and the proprietary applications 106 , 112 , 118 , or indirectly through a web application 132 .
- a provisioning service such as HostPilotTM 134 may also be present, and may coordinate with a directory service such as Active Directories 136 .
- FIG. 2 is a block diagram illustrating a client device, in accordance with an example embodiment, in more detail.
- the client device in this figure corresponds to client device 104 C of FIG. 1 , although in some example embodiments this diagram corresponds to a different client device.
- the various components in FIG. 2 are labeled as those components are labeled in FIG. 1 . In some embodiments, however, the components may not be identical.
- Proprietary application 116 may be a desktop application, and may store files in a local database 200 .
- the proprietary application 118 may also communicate with specialized plug-ins 116 , 124 , 126 in Windows Explorer 114 , Microsoft Office 120 and Microsoft OutlookTM 122 , respectively. This communication may take place, for example, using Thrift over TCP.
- the proprietary application 118 may communicate with a storage service 202 on the server 102 .
- FIG. 3 is a block diagram illustrating another client device, in accordance with an example embodiment, in more detail.
- the client device in this figure corresponds to client device 104 B of FIG. 1 , although in some example embodiments this diagram corresponds to a different client device.
- the various components in FIG. 3 are labeled as those components are labeled in FIG. 1 . In some embodiments, however, the components may not be identical.
- Proprietary application 112 may be a desktop application, and may store files in a local database 300 .
- the proprietary application 112 may also communicate with a specialized plugin 108 in Finder 110 . This communication may take place, for example, using Thrift over TCP.
- the proprietary application 118 may communicate with a storage device 302 on the server 102 .
- FIG. 4 is a block diagram illustrating a backend, in accordance with an example embodiment, in more detail.
- the backend in this figure corresponds to backend 130 of FIG. 1 , although in some example embodiments this diagram corresponds to a different backend.
- the various components in FIG. 4 are labeled as those components are labeled in FIG. 1 . In some embodiments, however, the components may not be identical.
- the backend 130 may include a front-end server 400 , which acts to perform much of the server-side storage functions described in this disclosure, as well as interfacing with the various devices. These functions will be discussed in more detail later in this document.
- the front-end server 400 may interface with client devices 104 A- 104 D through a firewall 402 .
- the front-end server 400 may also interface with a database server 404 , which may control access to a database 406 .
- the database 406 may be of many different types of formats.
- the database 406 is a relational database, such as one operated using Structured Query Language (SQL).
- SQL Structured Query Language
- Other formats of database are envisioned, however, as well, including flat-file and multidimensional databases.
- the database may store not just files and folders, but also metadata about the files and folders, including, but not limited to, information about which files and folders are shared, and with whom.
- a central server 408 performs internal tasks such as cleanup, provisioning, and other backend services.
- a key management server 410 provides access for keys created for each user. When a user is created on the central server 408 , a key may be issued by the key server 410 . These keys are also used by an encryption server 412 to encrypt and decrypt files and folders. This is accomplished through the use of the front end server 400 , which understands which organization the keys belong and submits file or folder content to the encryption server 412 for encryption.
- Active Directories 414 is used for integration with ExchangeTM
- server-based encryption in a cloud storage environment is risky in that if one organization's key is cracked, access to the server puts all organizations at risk.
- client-side encryption of data is performed. Each organization may have its own key. In this way, if the server is cracked, then no data is at risk because accessing the encrypted data on the server will not allow a malicious user to view the data.
- FIG. 5 is a process flow diagram depicting a method 500 , in accordance with an example embodiment, of client-side encryption prior to upload of a file.
- a client 502 encrypts data using a key 504 distributed by a key management system (KMS) 506 .
- KMS key management system
- the KMS may be, for example, an external server whose job it is to manage and distribute keys to organizations of the cloud-based service.
- the encrypted data is uploaded through a secure channel 508 to a storage service 510 , which stores the encrypted data in storage 512 via another secure channel 514 .
- a secure channel may be any means of electronic communication that utilizes a mechanism to prevent users not intended to be a recipient of a message from viewing or reading a message. This may include any type of transmission medium, such as wired or wireless.
- HTTPS HyperText Transfer Protocol Secure
- Each organization may have a single key created especially for it, and unique to that organization.
- an organization may have more than one key to allow for even greater security (e.g., the quarantining of sensitive information within the organization, so a hacker obtaining or cracking a key from one division of the organization cannot view or modify information from another division of the organization). If a key is compromised, then that would only affect the one organization—other organizations that share the storage 512 would not have their own files at risk.
- the storage service 510 has no access to the key management service 506 and vice-versa, so if one system is cracked, the data of other organizations cannot be decrypted.
- FIG. 6 is a process flow diagram depicting a method 600 , in accordance with an example embodiment, of client-side decryption subsequent to download of a file.
- the client 602 requests data via a secure channel 604 from the storage service 606 , which retrieves encrypted data via secure channel 608 from the storage 610 .
- the encrypted data may contain a key identifier, which the client 602 uses to obtain a key 612 from the key management system 614 , and then uses the key to decrypt the encrypted data locally.
- one or more of the components 602 - 614 may be identical to components described in FIG. 5 .
- client 602 may be the same client as client 502 .
- Secure channel 604 may be the same channel as secure channel 508 .
- Storage service 606 may be the same service as storage service 510 .
- Secure channel 608 may be the same channel as secure channel 514 .
- Storage 610 may be the same storage as storage 512 .
- Key management system 614 may be the same system as key management system 506 .
- each organization may have its own key. This key may be obtained by or shared with various members of the organization, allowing these members to decrypt files stored on the server.
- a unique key may be created for the combination of organizations that allows access to just those cross-organizationally shared documents. For example, a key for organization A may allow members of organization A to access files of organization A.
- a key for organization B may allow members of organization B to access files of organization B.
- a key for the combination of organization A and organization B may allow members of organization A and members of organization B to access files that are shared between the organizations.
- the key management system is located in a low-risk area, not generally accessible to the Internet, to prevent security breaches. This also allows a system administrator to easily remove compromised keys and reallocate new keys without disrupting services.
- a single “key” assigned to an organization may actually itself comprise a number of different keys.
- the key assigned to an organization may include an encryption key and a decryption key. These keys may be related to each such that the decryption key is used to decrypt files encrypted using the encryption key. Thus, these may be described as using a single key, despite the fact that the decryption key is different than the encryption key.
- FIG. 7 is a flow diagram illustrating a method 700 , in accordance with an example embodiment, of encrypting files at a client in a cloud-based file system.
- a first key corresponding to an organization to which the client belongs is obtained.
- a file is encrypted using the first key.
- the encrypted file is transmitted to a server via a secure channel, for storage in a storage device shared among multiple organizations, the storage device containing one or more files encrypted using keys different than the first key.
- FIG. 8 is a flow diagram illustrating a method 800 , in accordance with an example embodiment, of decrypting files at a client in a cloud-based file system.
- an encrypted file is downloaded from a storage device via a secure channel.
- a key corresponding to an organization to which the client belongs is obtained.
- the encrypted file is decrypted using the key.
- FIG. 9 is a block diagram illustrating a mobile device 900 , according to an example embodiment.
- the mobile device 900 can include a processor 902 .
- the processor 902 can be any of a variety of different types of commercially available processors suitable for mobile devices 900 (for example, an XScale architecture microprocessor, a Microprocessor without Interlocked Pipeline Stages (MIPS) architecture processor, or another type of processor).
- a memory 904 such as a random access memory (RAM), a Flash memory, or other type of memory, is typically accessible to the processor 902 .
- the memory 904 can be adapted to store an operating system (OS) 906 , as well as application programs 908 , such as a mobile location enabled application that can provide LBSs to a user.
- OS operating system
- application programs 908 such as a mobile location enabled application that can provide LBSs to a user.
- the processor 902 can be coupled, either directly or via appropriate intermediary hardware, to a display 910 and to one or more input/output (I/O) devices 912 , such as a keypad, a touch panel sensor, a microphone, and the like.
- the processor 902 can be coupled to a transceiver 914 that interfaces with an antenna 916 .
- the transceiver 914 can be configured to both transmit and receive cellular network signals, wireless data signals, or other types of signals via the antenna 916 , depending on the nature of the mobile device 900 .
- a GPS receiver 918 can also make use of the antenna 916 to receive GPS signals.
- Modules can constitute either software modules (e.g., code embodied (1) on a non-transitory machine-readable medium or (2) in a transmission signal) or hardware-implemented modules.
- a hardware-implemented module is tangible unit capable of performing certain operations and can be configured or arranged in a certain manner.
- one or more computer systems e.g., a standalone, client or server computer system
- one or more processors can be configured by software (e.g., an application or application portion) as a hardware-implemented module that operates to perform certain operations as described herein.
- a hardware-implemented module can be implemented mechanically or electronically.
- a hardware-implemented module can comprise dedicated circuitry or logic that is permanently configured (e.g., as a special-purpose processor, such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC)) to perform certain operations.
- a hardware-implemented module can also comprise programmable logic or circuitry (e.g., as encompassed within a general-purpose processor or other programmable processor) that is temporarily configured by software to perform certain operations. It will be appreciated that the decision to implement a hardware-implemented module mechanically, in dedicated and permanently configured circuitry, or in temporarily configured circuitry (e.g., configured by software) can be driven by cost and time considerations.
- the term “hardware-implemented module” should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired) or temporarily or transitorily configured (e.g., programmed) to operate in a certain manner and/or to perform certain operations described herein.
- hardware-implemented modules are temporarily configured (e.g., programmed)
- each of the hardware-implemented modules need not be configured or instantiated at any one instance in time.
- the hardware-implemented modules comprise a general-purpose processor configured using software
- the general-purpose processor can be configured as respective different hardware-implemented modules at different times.
- Software can accordingly configure a processor, for example, to constitute a particular hardware-implemented module at one instance of time and to constitute a different hardware-implemented module at a different instance of time.
- Hardware-implemented modules can provide information to, and receive information from, other hardware-implemented modules. Accordingly, the described hardware-implemented modules can be regarded as being communicatively coupled. Where multiple such hardware-implemented modules exist contemporaneously, communications can be achieved through signal transmission (e.g., over appropriate circuits and buses) that connect the hardware-implemented modules. In embodiments in which multiple hardware-implemented modules are configured or instantiated at different times, communications between such hardware-implemented modules can be achieved, for example, through the storage and retrieval of information in memory structures to which the multiple hardware-implemented modules have access. For example, one hardware-implemented module can perform an operation and store the output of that operation in a memory device to which it is communicatively coupled.
- a further hardware-implemented module can then, at a later time, access the memory device to retrieve and process the stored output.
- Hardware-implemented modules can also initiate communications with input or output devices, and can operate on a resource (e.g., a collection of information).
- processors that are temporarily configured (e.g., by software) or permanently configured to perform the relevant operations.
- processors can constitute processor-implemented modules that operate to perform one or more operations or functions.
- the modules referred to herein can, in some example embodiments, comprise processor-implemented modules.
- the methods described herein can be at least partially processor-implemented. For example, at least some of the operations of a method can be performed by one of processors or processor-implemented modules. The performance of certain of the operations can be distributed among the one or more processors, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the processor or processors can be located in a single location (e.g., within a home environment, an office environment or as a server farm), while in other embodiments the processors can be distributed across a number of locations.
- the one or more processors can also operate to support performance of the relevant operations in a “cloud computing” environment or as a “software as a service” (SaaS). For example, at least some of the operations can be performed by a group of computers (as examples of machines including processors), these operations being accessible via a network (e.g., the Internet) and via one or more appropriate interfaces (e.g., application program interfaces (APIs).)
- SaaS software as a service
- Example embodiments can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them.
- Example embodiments can be implemented using a computer program product, e.g., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable medium for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers.
- a computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, subroutine, or other unit suitable for use in a computing environment.
- a computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
- operations can be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output.
- Method operations can also be performed by, and apparatus of example embodiments can be implemented as, special purpose logic circuitry, e.g., a FPGA or an ASIC.
- the computing system can include clients and servers.
- a client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
- both hardware and software architectures require consideration.
- the choice of whether to implement certain functionality in permanently configured hardware e.g., an ASIC
- temporarily configured hardware e.g., a combination of software and a programmable processor
- a combination of permanently and temporarily configured hardware can be a design choice.
- hardware e.g., machine
- software architectures that can be deployed, in various example embodiments.
- FIG. 10 is a block diagram of machine in the example form of a computer system 1000 within which instructions, for causing the machine to perform any one or more of the methodologies discussed herein, can be executed.
- the machine operates as a standalone device or can be connected (e.g., networked) to other machines.
- the machine can operate in the capacity of a server or a client machine in server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.
- the machine can be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine.
- PC personal computer
- PDA personal digital assistant
- STB set-top box
- web appliance web appliance
- network router switch or bridge
- machine any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine.
- machine shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
- the example computer system 1000 includes a processor 1002 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), or both), a main memory 1004 and a static memory 1006 , which communicate with each other via a bus 1008 .
- the computer system 1000 can further include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)).
- the computer system 1000 also includes an alpha-numeric input device 1012 (e.g., a keyboard or a touch-sensitive display screen), a user interface (UI) navigation device 1014 (e.g., a mouse), a disk drive unit 1016 , a signal generation device 1018 (e.g., a speaker), and a network interface device 1020 .
- an alpha-numeric input device 1012 e.g., a keyboard or a touch-sensitive display screen
- UI user interface
- disk drive unit 1016 e.g., a disk drive unit 1016
- signal generation device 1018 e.g., a speaker
- network interface device 1020 e.g., a network interface device
- the disk drive unit 1016 includes a machine-readable medium 1022 on which is stored one or more sets of instructions and data structures (e.g., software) 1024 embodying or utilized by any one or more of the methodologies or functions described herein.
- the instructions 1024 can also reside, completely or at least partially, within the main memory 1004 and/or within the processor 1002 during execution thereof by the computer system 1000 , with the main memory 1004 and the processor 1002 also constituting machine-readable media 1022 .
- machine-readable medium 1022 is shown in an example embodiment to be a single medium, the term “machine-readable medium” can include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more instructions or data structures 1024 .
- the term “machine-readable medium” shall also be taken to include any tangible medium that is capable of storing, encoding or carrying instructions 1024 for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure, or that is capable of storing, encoding or carrying data structures utilized by or associated with such instructions 1024 .
- the term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media.
- machine-readable media 1022 include non-volatile memory, including by way of example semiconductor memory devices, e.g., erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
- semiconductor memory devices e.g., erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and flash memory devices
- EPROM erasable programmable read-only memory
- EEPROM electrically erasable programmable read-only memory
- flash memory devices e.g., electrically erasable programmable read-only memory (EEPROM), and flash memory devices
- magnetic disks such as internal hard disks and removable disks
- magneto-optical disks e.g., magneto-optical disks
- the instructions 1024 can further be transmitted or received over a communications network 1026 using a transmission medium.
- the instructions 1024 can be transmitted using the network interface device 1020 and any one of a number of well-known transfer protocols (e.g., HTTP).
- Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, mobile telephone networks, plain old telephone (POTS) networks, and wireless data networks (e.g., WiFi and WiMax networks).
- POTS plain old telephone
- wireless data networks e.g., WiFi and WiMax networks.
- transmission medium shall be taken to include any intangible medium that is capable of storing, encoding, or carrying instructions 1024 for execution by the machine, and includes digital or analog communications signals or other intangible media to facilitate communication of such software.
- inventive subject matter can be referred to herein, individually and/or collectively, by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept if more than one is in fact disclosed.
- inventive concept merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept if more than one is in fact disclosed.
Abstract
Description
- This application claims priority to U.S. Provisional Application No. 61/820,793 filed May 8, 2013, which is hereby incorporated herein by reference in its entirety.
- This application relates generally to cloud-based file storage. More particularly, this application relates to client-side encryption in a cloud-based file storage.
- With the dramatic increase in use of mobile devices in recent years, it has become more important now than ever before that a user's files be synchronized between multiple devices. A single user may operate on a desktop computer, laptop computer, tablet computer, and mobile phone, editing the same document at different times on different devices. This issue is only going to become even more important as additional mobile devices, such as wearable computers and vehicle-based computers become popular mechanisms for editing files.
- Problems, however, may be encountered as the synchronization of files across devices become more complex. Typically, encryption of objects in a cloud-based storage system is performed on the server-side. Such a system allows for the sharing of documents among multiple users, who each can utilize a key, certificate, or other security object to access a file, folder, or other object in a shared folder on the server. The key, certificate, or other security object may be managed and distributed by the server. The problem is that if one system is cracked, then all the data is potentially at risk. Thus, for example, if hackers obtain access to the server, then all files across all organizations can be cracked.
- The present disclosure is illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
-
FIG. 1 is a block diagram illustrating a system, in accordance with an example embodiment, of securely synchronizing files. -
FIG. 2 is a block diagram illustrating a client device, in accordance with an example embodiment, in more detail. -
FIG. 3 is a block diagram illustrating another client device, in accordance with an example embodiment, in more detail. -
FIG. 4 is a block diagram illustrating a backend, in accordance with an example embodiment, in more detail. -
FIG. 5 is a process flow diagram depicting a method, in accordance with an example embodiment, of client-side encryption prior to upload of a file. -
FIG. 6 is a process flow diagram depicting a method, in accordance with an example embodiment, of client-side decryption subsequent to download of a file. -
FIG. 7 is a flow diagram illustrating a method, in accordance with an example embodiment, of encrypting files at a client in a cloud-based file system. -
FIG. 8 is a flow diagram illustrating a method, in accordance with an example embodiment, of decrypting files at a client in a cloud-based file system. -
FIG. 9 is a block diagram illustrating a mobile device, according to an example embodiment. -
FIG. 10 is a block diagram of machine in the example form of a computer system within which instructions, for causing the machine to perform any one or more of the methodologies discussed herein, can be executed. - The description that follows includes illustrative systems, methods, techniques, instruction sequences, and machine-readable media (e.g., computing machine program products) that embody illustrative embodiments. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide an understanding of various embodiments of the inventive subject matter. It will be evident, however, to those skilled in the art that embodiments of the inventive subject matter may be practiced without these specific details. In general, well-known instruction instances, protocols, structures, and techniques have not been shown in detail.
- In an example embodiment, various techniques are utilized in order to allow for efficient, accurate, and secure synchronization of files across multiple devices even in cases where a large number of events are occurring concurrently. This may include using an events-based technique to improve reliability during periods of file modifications being performed concurrently. In another example embodiment, name conflicts between different files may be resolved automatically.
-
FIG. 1 is a block diagram illustrating asystem 100, in accordance with an example embodiment, of securely synchronizing files. In thesystem 100, files may be synchronized between one ormore servers 102 and one ormore client devices 104A-104D. Theclient devices 104A-104D may include various types of devices running various types of platforms with various types of operating systems and applications. For example,client device 104A may be a mobile device running proprietarymobile applications 106.Client device 104B may be a personal computer running a Macintosh™ operating system from Apple Inc. of Cupertino, Calif. This may include a file system known as Finder 108, which may include a specialized plug-in 110 to allow Finder 108 to be altered in order to better operate with aproprietary application 112. -
Client device 104C may be a personal computer running a Windows™ operating system from Microsoft Corp. of Redmond, Wash. This may include a file system known as Windows Explorer 114, which may include a specialized plug-in 116 to allow Windows Explorer 114 to be altered in order to better operate with aproprietary application 118. Additionally, applications such as Microsoft Office™ 120 and Microsoft Outlook™ 122 may also include their own specialized plug-ins proprietary application 118.Client device 104D may be a web-based device that may operate aweb browser 128 instead of a traditional operating system. - Each of the
client devices 104A-104D may communicate with a back-end 130 hosted by the one ormore servers 102. This communication may either take place directly between the back-end 130 and theproprietary applications web application 132. A provisioning service, such as HostPilot™ 134 may also be present, and may coordinate with a directory service such asActive Directories 136. -
FIG. 2 is a block diagram illustrating a client device, in accordance with an example embodiment, in more detail. In an example embodiment, the client device in this figure corresponds toclient device 104C ofFIG. 1 , although in some example embodiments this diagram corresponds to a different client device. Additionally, the various components inFIG. 2 are labeled as those components are labeled inFIG. 1 . In some embodiments, however, the components may not be identical.Proprietary application 116 may be a desktop application, and may store files in alocal database 200. Theproprietary application 118 may also communicate with specialized plug-ins proprietary application 118 may communicate with astorage service 202 on theserver 102. -
FIG. 3 is a block diagram illustrating another client device, in accordance with an example embodiment, in more detail. In an example embodiment, the client device in this figure corresponds toclient device 104B ofFIG. 1 , although in some example embodiments this diagram corresponds to a different client device. Additionally, the various components inFIG. 3 are labeled as those components are labeled inFIG. 1 . In some embodiments, however, the components may not be identical.Proprietary application 112 may be a desktop application, and may store files in alocal database 300. Theproprietary application 112 may also communicate with aspecialized plugin 108 in Finder 110. This communication may take place, for example, using Thrift over TCP. Theproprietary application 118 may communicate with astorage device 302 on theserver 102. -
FIG. 4 is a block diagram illustrating a backend, in accordance with an example embodiment, in more detail. In an example embodiment, the backend in this figure corresponds to backend 130 ofFIG. 1 , although in some example embodiments this diagram corresponds to a different backend. Additionally, the various components inFIG. 4 are labeled as those components are labeled inFIG. 1 . In some embodiments, however, the components may not be identical. Thebackend 130 may include a front-end server 400, which acts to perform much of the server-side storage functions described in this disclosure, as well as interfacing with the various devices. These functions will be discussed in more detail later in this document. The front-end server 400 may interface withclient devices 104A-104D through afirewall 402. The front-end server 400 may also interface with adatabase server 404, which may control access to adatabase 406. Thedatabase 406 may be of many different types of formats. In one example embodiment, thedatabase 406 is a relational database, such as one operated using Structured Query Language (SQL). Other formats of database are envisioned, however, as well, including flat-file and multidimensional databases. The database may store not just files and folders, but also metadata about the files and folders, including, but not limited to, information about which files and folders are shared, and with whom. - A
central server 408 performs internal tasks such as cleanup, provisioning, and other backend services. Akey management server 410 provides access for keys created for each user. When a user is created on thecentral server 408, a key may be issued by thekey server 410. These keys are also used by anencryption server 412 to encrypt and decrypt files and folders. This is accomplished through the use of thefront end server 400, which understands which organization the keys belong and submits file or folder content to theencryption server 412 for encryption.Active Directories 414 is used for integration with Exchange™ - As described earlier, server-based encryption in a cloud storage environment is risky in that if one organization's key is cracked, access to the server puts all organizations at risk. In an example embodiment, client-side encryption of data is performed. Each organization may have its own key. In this way, if the server is cracked, then no data is at risk because accessing the encrypted data on the server will not allow a malicious user to view the data.
-
FIG. 5 is a process flow diagram depicting amethod 500, in accordance with an example embodiment, of client-side encryption prior to upload of a file. Aclient 502 encrypts data using a key 504 distributed by a key management system (KMS) 506. The KMS may be, for example, an external server whose job it is to manage and distribute keys to organizations of the cloud-based service. The encrypted data is uploaded through asecure channel 508 to astorage service 510, which stores the encrypted data instorage 512 via anothersecure channel 514. For purposes of this disclosure, a secure channel may be any means of electronic communication that utilizes a mechanism to prevent users not intended to be a recipient of a message from viewing or reading a message. This may include any type of transmission medium, such as wired or wireless. One example secure channel is HyperText Transfer Protocol Secure (HTTPS), although this is merely one example and is not intended to be limiting. - Each organization may have a single key created especially for it, and unique to that organization. In some example embodiments, an organization may have more than one key to allow for even greater security (e.g., the quarantining of sensitive information within the organization, so a hacker obtaining or cracking a key from one division of the organization cannot view or modify information from another division of the organization). If a key is compromised, then that would only affect the one organization—other organizations that share the
storage 512 would not have their own files at risk. In an example embodiment, thestorage service 510 has no access to thekey management service 506 and vice-versa, so if one system is cracked, the data of other organizations cannot be decrypted. -
FIG. 6 is a process flow diagram depicting amethod 600, in accordance with an example embodiment, of client-side decryption subsequent to download of a file. Here, theclient 602 requests data via asecure channel 604 from thestorage service 606, which retrieves encrypted data viasecure channel 608 from thestorage 610. The encrypted data may contain a key identifier, which theclient 602 uses to obtain a key 612 from the key management system 614, and then uses the key to decrypt the encrypted data locally. In one or more example embodiments, one or more of the components 602-614 may be identical to components described inFIG. 5 . For example,client 602 may be the same client asclient 502.Secure channel 604 may be the same channel assecure channel 508.Storage service 606 may be the same service asstorage service 510.Secure channel 608 may be the same channel assecure channel 514.Storage 610 may be the same storage asstorage 512. Key management system 614 may be the same system askey management system 506. - As described above, each organization may have its own key. This key may be obtained by or shared with various members of the organization, allowing these members to decrypt files stored on the server. In the event that a file needs to be shared among members of two (or more) different organizations, a unique key may be created for the combination of organizations that allows access to just those cross-organizationally shared documents. For example, a key for organization A may allow members of organization A to access files of organization A. A key for organization B may allow members of organization B to access files of organization B. A key for the combination of organization A and organization B may allow members of organization A and members of organization B to access files that are shared between the organizations.
- In an example embodiment, the key management system is located in a low-risk area, not generally accessible to the Internet, to prevent security breaches. This also allows a system administrator to easily remove compromised keys and reallocate new keys without disrupting services.
- It should be noted that, based on the type of encryption used, a single “key” assigned to an organization may actually itself comprise a number of different keys. For example, in some example embodiments, the key assigned to an organization may include an encryption key and a decryption key. These keys may be related to each such that the decryption key is used to decrypt files encrypted using the encryption key. Thus, these may be described as using a single key, despite the fact that the decryption key is different than the encryption key.
-
FIG. 7 is a flow diagram illustrating amethod 700, in accordance with an example embodiment, of encrypting files at a client in a cloud-based file system. Atoperation 702, a first key corresponding to an organization to which the client belongs is obtained. Atoperation 704, a file is encrypted using the first key. Atoperation 706, the encrypted file is transmitted to a server via a secure channel, for storage in a storage device shared among multiple organizations, the storage device containing one or more files encrypted using keys different than the first key. -
FIG. 8 is a flow diagram illustrating amethod 800, in accordance with an example embodiment, of decrypting files at a client in a cloud-based file system. Atoperation 802, an encrypted file is downloaded from a storage device via a secure channel. Atoperation 804, a key corresponding to an organization to which the client belongs is obtained. Atoperation 806, the encrypted file is decrypted using the key. -
FIG. 9 is a block diagram illustrating amobile device 900, according to an example embodiment. Themobile device 900 can include aprocessor 902. Theprocessor 902 can be any of a variety of different types of commercially available processors suitable for mobile devices 900 (for example, an XScale architecture microprocessor, a Microprocessor without Interlocked Pipeline Stages (MIPS) architecture processor, or another type of processor). Amemory 904, such as a random access memory (RAM), a Flash memory, or other type of memory, is typically accessible to theprocessor 902. Thememory 904 can be adapted to store an operating system (OS) 906, as well asapplication programs 908, such as a mobile location enabled application that can provide LBSs to a user. Theprocessor 902 can be coupled, either directly or via appropriate intermediary hardware, to adisplay 910 and to one or more input/output (I/O)devices 912, such as a keypad, a touch panel sensor, a microphone, and the like. Similarly, in some embodiments, theprocessor 902 can be coupled to atransceiver 914 that interfaces with anantenna 916. Thetransceiver 914 can be configured to both transmit and receive cellular network signals, wireless data signals, or other types of signals via theantenna 916, depending on the nature of themobile device 900. Further, in some configurations, aGPS receiver 918 can also make use of theantenna 916 to receive GPS signals. - Certain embodiments are described herein as including logic or a number of components, modules, or mechanisms. Modules can constitute either software modules (e.g., code embodied (1) on a non-transitory machine-readable medium or (2) in a transmission signal) or hardware-implemented modules. A hardware-implemented module is tangible unit capable of performing certain operations and can be configured or arranged in a certain manner. In example embodiments, one or more computer systems (e.g., a standalone, client or server computer system) or one or more processors can be configured by software (e.g., an application or application portion) as a hardware-implemented module that operates to perform certain operations as described herein.
- In various embodiments, a hardware-implemented module can be implemented mechanically or electronically. For example, a hardware-implemented module can comprise dedicated circuitry or logic that is permanently configured (e.g., as a special-purpose processor, such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC)) to perform certain operations. A hardware-implemented module can also comprise programmable logic or circuitry (e.g., as encompassed within a general-purpose processor or other programmable processor) that is temporarily configured by software to perform certain operations. It will be appreciated that the decision to implement a hardware-implemented module mechanically, in dedicated and permanently configured circuitry, or in temporarily configured circuitry (e.g., configured by software) can be driven by cost and time considerations.
- Accordingly, the term “hardware-implemented module” should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired) or temporarily or transitorily configured (e.g., programmed) to operate in a certain manner and/or to perform certain operations described herein. Considering embodiments in which hardware-implemented modules are temporarily configured (e.g., programmed), each of the hardware-implemented modules need not be configured or instantiated at any one instance in time. For example, where the hardware-implemented modules comprise a general-purpose processor configured using software, the general-purpose processor can be configured as respective different hardware-implemented modules at different times. Software can accordingly configure a processor, for example, to constitute a particular hardware-implemented module at one instance of time and to constitute a different hardware-implemented module at a different instance of time.
- Hardware-implemented modules can provide information to, and receive information from, other hardware-implemented modules. Accordingly, the described hardware-implemented modules can be regarded as being communicatively coupled. Where multiple such hardware-implemented modules exist contemporaneously, communications can be achieved through signal transmission (e.g., over appropriate circuits and buses) that connect the hardware-implemented modules. In embodiments in which multiple hardware-implemented modules are configured or instantiated at different times, communications between such hardware-implemented modules can be achieved, for example, through the storage and retrieval of information in memory structures to which the multiple hardware-implemented modules have access. For example, one hardware-implemented module can perform an operation and store the output of that operation in a memory device to which it is communicatively coupled. A further hardware-implemented module can then, at a later time, access the memory device to retrieve and process the stored output. Hardware-implemented modules can also initiate communications with input or output devices, and can operate on a resource (e.g., a collection of information).
- The various operations of example methods described herein can be performed, at least partially, by one or more processors that are temporarily configured (e.g., by software) or permanently configured to perform the relevant operations. Whether temporarily or permanently configured, such processors can constitute processor-implemented modules that operate to perform one or more operations or functions. The modules referred to herein can, in some example embodiments, comprise processor-implemented modules.
- Similarly, the methods described herein can be at least partially processor-implemented. For example, at least some of the operations of a method can be performed by one of processors or processor-implemented modules. The performance of certain of the operations can be distributed among the one or more processors, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the processor or processors can be located in a single location (e.g., within a home environment, an office environment or as a server farm), while in other embodiments the processors can be distributed across a number of locations.
- The one or more processors can also operate to support performance of the relevant operations in a “cloud computing” environment or as a “software as a service” (SaaS). For example, at least some of the operations can be performed by a group of computers (as examples of machines including processors), these operations being accessible via a network (e.g., the Internet) and via one or more appropriate interfaces (e.g., application program interfaces (APIs).)
- Example embodiments can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Example embodiments can be implemented using a computer program product, e.g., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable medium for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers.
- A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
- In example embodiments, operations can be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method operations can also be performed by, and apparatus of example embodiments can be implemented as, special purpose logic circuitry, e.g., a FPGA or an ASIC.
- The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. In embodiments deploying a programmable computing system, it will be appreciated that both hardware and software architectures require consideration. Specifically, it will be appreciated that the choice of whether to implement certain functionality in permanently configured hardware (e.g., an ASIC), in temporarily configured hardware (e.g., a combination of software and a programmable processor), or a combination of permanently and temporarily configured hardware can be a design choice. Below are set out hardware (e.g., machine) and software architectures that can be deployed, in various example embodiments.
-
FIG. 10 is a block diagram of machine in the example form of acomputer system 1000 within which instructions, for causing the machine to perform any one or more of the methodologies discussed herein, can be executed. In alternative embodiments, the machine operates as a standalone device or can be connected (e.g., networked) to other machines. In a networked deployment, the machine can operate in the capacity of a server or a client machine in server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine can be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. - The
example computer system 1000 includes a processor 1002 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), or both), amain memory 1004 and astatic memory 1006, which communicate with each other via abus 1008. Thecomputer system 1000 can further include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)). Thecomputer system 1000 also includes an alpha-numeric input device 1012 (e.g., a keyboard or a touch-sensitive display screen), a user interface (UI) navigation device 1014 (e.g., a mouse), adisk drive unit 1016, a signal generation device 1018 (e.g., a speaker), and anetwork interface device 1020. - The
disk drive unit 1016 includes a machine-readable medium 1022 on which is stored one or more sets of instructions and data structures (e.g., software) 1024 embodying or utilized by any one or more of the methodologies or functions described herein. Theinstructions 1024 can also reside, completely or at least partially, within themain memory 1004 and/or within theprocessor 1002 during execution thereof by thecomputer system 1000, with themain memory 1004 and theprocessor 1002 also constituting machine-readable media 1022. - While the machine-
readable medium 1022 is shown in an example embodiment to be a single medium, the term “machine-readable medium” can include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more instructions ordata structures 1024. The term “machine-readable medium” shall also be taken to include any tangible medium that is capable of storing, encoding or carryinginstructions 1024 for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure, or that is capable of storing, encoding or carrying data structures utilized by or associated withsuch instructions 1024. The term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media. Specific examples of machine-readable media 1022 include non-volatile memory, including by way of example semiconductor memory devices, e.g., erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. - The
instructions 1024 can further be transmitted or received over acommunications network 1026 using a transmission medium. Theinstructions 1024 can be transmitted using thenetwork interface device 1020 and any one of a number of well-known transfer protocols (e.g., HTTP). Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, mobile telephone networks, plain old telephone (POTS) networks, and wireless data networks (e.g., WiFi and WiMax networks). The term “transmission medium” shall be taken to include any intangible medium that is capable of storing, encoding, or carryinginstructions 1024 for execution by the machine, and includes digital or analog communications signals or other intangible media to facilitate communication of such software. - Although an embodiment has been described with reference to specific example embodiments, it will be evident that various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the disclosure. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. The accompanying drawings that form a part hereof, show by way of illustration, and not of limitation, specific embodiments in which the subject matter can be practiced. The embodiments illustrated are described in sufficient detail to enable those skilled in the art to practice the teachings disclosed herein. Other embodiments can be utilized and derived therefrom, such that structural and logical substitutions and changes can be made without departing from the scope of this disclosure. This Detailed Description, therefore, is not to be taken in a limiting sense, and the scope of various embodiments is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled.
- Such embodiments of the inventive subject matter can be referred to herein, individually and/or collectively, by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept if more than one is in fact disclosed. Thus, although specific embodiments have been illustrated and described herein, it should be appreciated that any arrangement calculated to achieve the same purpose can be substituted for the specific embodiments shown. This disclosure is intended to cover any and all adaptations or variations of various embodiments. Combinations of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the above description.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/271,918 US20140372750A1 (en) | 2013-05-08 | 2014-05-07 | Client-side encryption |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201361820793P | 2013-05-08 | 2013-05-08 | |
US14/271,918 US20140372750A1 (en) | 2013-05-08 | 2014-05-07 | Client-side encryption |
Publications (1)
Publication Number | Publication Date |
---|---|
US20140372750A1 true US20140372750A1 (en) | 2014-12-18 |
Family
ID=51865582
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/271,846 Active 2037-04-06 US10248803B2 (en) | 2013-05-08 | 2014-05-07 | Internal folder sharing |
US14/271,918 Abandoned US20140372750A1 (en) | 2013-05-08 | 2014-05-07 | Client-side encryption |
US14/271,798 Abandoned US20140337290A1 (en) | 2013-05-08 | 2014-05-07 | Secure synchronization of files |
US16/278,321 Pending US20190180044A1 (en) | 2013-05-08 | 2019-02-18 | Internal folder sharing |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/271,846 Active 2037-04-06 US10248803B2 (en) | 2013-05-08 | 2014-05-07 | Internal folder sharing |
Family Applications After (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/271,798 Abandoned US20140337290A1 (en) | 2013-05-08 | 2014-05-07 | Secure synchronization of files |
US16/278,321 Pending US20190180044A1 (en) | 2013-05-08 | 2019-02-18 | Internal folder sharing |
Country Status (2)
Country | Link |
---|---|
US (4) | US10248803B2 (en) |
WO (1) | WO2015171846A1 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104579690A (en) * | 2015-01-23 | 2015-04-29 | 济南同智伟业软件股份有限公司 | Cloud terminal KEY system and using method |
CN107395612A (en) * | 2017-08-08 | 2017-11-24 | 四川长虹电器股份有限公司 | Realize the System and method for of network disk data safety |
US10248803B2 (en) | 2013-05-08 | 2019-04-02 | Intermedia.Net, Inc. | Internal folder sharing |
US11088829B2 (en) * | 2018-09-04 | 2021-08-10 | International Business Machines Corporation | Securing a path at a node |
US11444754B1 (en) * | 2021-12-30 | 2022-09-13 | Monday.com Ltd. | Tenant level encryption |
US11563588B2 (en) | 2018-09-04 | 2023-01-24 | International Business Machines Corporation | Securing a path at a selected node |
US11610012B1 (en) * | 2019-11-26 | 2023-03-21 | Gobeep, Inc. | Systems and processes for providing secure client controlled and managed exchange of data between parties |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160140139A1 (en) * | 2014-11-17 | 2016-05-19 | Microsoft Technology Licensing, Llc | Local representation of shared files in disparate locations |
US10277601B1 (en) | 2015-05-11 | 2019-04-30 | Google Llc | System and method for recursive propagating application access control |
US11470131B2 (en) * | 2017-07-07 | 2022-10-11 | Box, Inc. | User device processing of information from a network-accessible collaboration system |
US11055261B2 (en) * | 2018-02-28 | 2021-07-06 | Microsoft Technology Licensing, Llc | In-application support for topological changes to files during remote synchronization |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120166818A1 (en) * | 2010-08-11 | 2012-06-28 | Orsini Rick L | Systems and methods for secure multi-tenant data storage |
US20120265976A1 (en) * | 2011-04-18 | 2012-10-18 | Bank Of America Corporation | Secure Network Cloud Architecture |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6324587B1 (en) * | 1997-12-23 | 2001-11-27 | Microsoft Corporation | Method, computer program product, and data structure for publishing a data object over a store and forward transport |
US6564369B1 (en) * | 1998-08-20 | 2003-05-13 | Pearson Technical Software, Inc. | Conflict checking using configuration images |
US6401079B1 (en) * | 1999-10-01 | 2002-06-04 | Inleague, Inc. | System for web-based payroll and benefits administration |
US8793374B2 (en) * | 1999-12-02 | 2014-07-29 | Western Digital Technologies, Inc. | Managed peer-to-peer applications, systems and methods for distributed data access and storage |
US7761497B1 (en) | 2001-07-13 | 2010-07-20 | Vignette Software, LLC | Storage medium having a manageable file directory structure |
JP2005078612A (en) * | 2003-09-04 | 2005-03-24 | Hitachi Ltd | File sharing system, and file transfer method between file sharing systems |
US20070130143A1 (en) * | 2005-12-05 | 2007-06-07 | Wenbing Zhang | System and Method for File Sharing and Collaboration on the Internet |
US7860825B2 (en) * | 2006-05-08 | 2010-12-28 | Palm, Inc. | Method for synchronizing software application and user data for asynchronous client-server and peer to peer computer networks |
US8099605B1 (en) * | 2006-06-05 | 2012-01-17 | InventSec AB | Intelligent storage device for backup system |
US20080005195A1 (en) * | 2006-06-30 | 2008-01-03 | Microsoft Corporation | Versioning synchronization for mass p2p file sharing |
US20080163743A1 (en) * | 2007-01-07 | 2008-07-10 | Freedman Gordon J | Synchronization methods and systems |
US8204856B2 (en) * | 2007-03-15 | 2012-06-19 | Google Inc. | Database replication |
US9401957B2 (en) * | 2007-09-14 | 2016-07-26 | International Business Machines Corporation | System and method for synchronization between servers |
WO2012070930A1 (en) * | 2010-11-24 | 2012-05-31 | Greenflower Intercode Holding B.V. | User -friendly method and system for compiling a unique sample code for a digital sample with the help of a user - interface |
US20120180073A1 (en) * | 2011-01-06 | 2012-07-12 | Hung Hin Leung | Mobile Device Application Framework |
EP2729877A4 (en) * | 2011-07-08 | 2015-06-17 | Box Inc | Desktop application for access and interaction with workspaces in a cloud-based content management system and synchronization mechanisms thereof |
US9307006B2 (en) | 2012-04-11 | 2016-04-05 | Salesforce.Com, Inc. | System and method for synchronizing data objects in a cloud based social networking environment |
US20130282830A1 (en) | 2012-04-23 | 2013-10-24 | Google, Inc. | Sharing and synchronizing electronically stored files |
US8862561B1 (en) * | 2012-08-30 | 2014-10-14 | Google Inc. | Detecting read/write conflicts |
US9400800B2 (en) * | 2012-11-19 | 2016-07-26 | Palo Alto Research Center Incorporated | Data transport by named content synchronization |
US10248803B2 (en) | 2013-05-08 | 2019-04-02 | Intermedia.Net, Inc. | Internal folder sharing |
-
2014
- 2014-05-07 US US14/271,846 patent/US10248803B2/en active Active
- 2014-05-07 US US14/271,918 patent/US20140372750A1/en not_active Abandoned
- 2014-05-07 US US14/271,798 patent/US20140337290A1/en not_active Abandoned
-
2015
- 2015-05-07 WO PCT/US2015/029586 patent/WO2015171846A1/en active Application Filing
-
2019
- 2019-02-18 US US16/278,321 patent/US20190180044A1/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120166818A1 (en) * | 2010-08-11 | 2012-06-28 | Orsini Rick L | Systems and methods for secure multi-tenant data storage |
US20120265976A1 (en) * | 2011-04-18 | 2012-10-18 | Bank Of America Corporation | Secure Network Cloud Architecture |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10248803B2 (en) | 2013-05-08 | 2019-04-02 | Intermedia.Net, Inc. | Internal folder sharing |
CN104579690A (en) * | 2015-01-23 | 2015-04-29 | 济南同智伟业软件股份有限公司 | Cloud terminal KEY system and using method |
CN107395612A (en) * | 2017-08-08 | 2017-11-24 | 四川长虹电器股份有限公司 | Realize the System and method for of network disk data safety |
US11088829B2 (en) * | 2018-09-04 | 2021-08-10 | International Business Machines Corporation | Securing a path at a node |
US11522681B2 (en) | 2018-09-04 | 2022-12-06 | International Business Machines Corporation | Securing a path at a node |
US11563588B2 (en) | 2018-09-04 | 2023-01-24 | International Business Machines Corporation | Securing a path at a selected node |
US11610012B1 (en) * | 2019-11-26 | 2023-03-21 | Gobeep, Inc. | Systems and processes for providing secure client controlled and managed exchange of data between parties |
US11841960B1 (en) * | 2019-11-26 | 2023-12-12 | Gobeep, Inc. | Systems and processes for providing secure client controlled and managed exchange of data between parties |
US11444754B1 (en) * | 2021-12-30 | 2022-09-13 | Monday.com Ltd. | Tenant level encryption |
Also Published As
Publication number | Publication date |
---|---|
US20190180044A1 (en) | 2019-06-13 |
US20140337386A1 (en) | 2014-11-13 |
WO2015171846A1 (en) | 2015-11-12 |
US20140337290A1 (en) | 2014-11-13 |
US10248803B2 (en) | 2019-04-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20140372750A1 (en) | Client-side encryption | |
US20220376910A1 (en) | Encrypted file storage | |
US10762229B2 (en) | Secure searchable and shareable remote storage system and method | |
US11374749B2 (en) | Key encryption key (KEK) rotation for multi-tenant (MT) system | |
US9647836B2 (en) | Secure storage for shared documents | |
US9137222B2 (en) | Crypto proxy for cloud storage services | |
US9430211B2 (en) | System and method for sharing information in a private ecosystem | |
US9141647B2 (en) | Configuration protection for providing security to configuration files | |
US9129112B2 (en) | Methods, systems and machine-readable media for providing security services | |
US20140115327A1 (en) | Trust services data encryption for multiple parties | |
KR20190103159A (en) | System and method for streaming media | |
US20170279720A1 (en) | Real-Time Logs | |
US10142100B2 (en) | Managing user-controlled security keys in cloud-based scenarios | |
US9954828B1 (en) | Protection of data stored in the cloud | |
AU2023219920A1 (en) | Utilizing encryption key exchange and rotation to share passwords via a shared folder | |
US10540522B2 (en) | Storing data securely in a database | |
US11455103B2 (en) | Cloud secured storage system utilizing multiple cloud servers with processes of file segmentation, encryption and generation of data chunks | |
WO2022240728A1 (en) | Location-key encryption system | |
TW201315191A (en) | Re-encryption method based on full row matrix |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: INTERMEDIA.NET, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ANTONENKOV, LEONID;ROMANOVSKIY, SERGEY;URALTSEV, NIKITA;AND OTHERS;SIGNING DATES FROM 20140502 TO 20140505;REEL/FRAME:032841/0798 |
|
AS | Assignment |
Owner name: SUNTRUST BANK, AS ADMINISTRATIVE AGENT, GEORGIA Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:INTERMEDIA.NET, INC.;REEL/FRAME:041590/0122 Effective date: 20170201 Owner name: SUNTRUST BANK, AS ADMINISTRATIVE AGENT, GEORGIA Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:INTERMEDIA.NET, INC.;REEL/FRAME:041590/0158 Effective date: 20170201 |
|
AS | Assignment |
Owner name: TORONTO DOMINION (TEXAS) LLC, CANADA Free format text: INTELLECTUAL PROPERTY SECURITY INTEREST ASSIGNMENT AGREEMENT REEL/FRAME 041590/0122;ASSIGNOR:SUNTRUST BANK;REEL/FRAME:047411/0415 Effective date: 20180719 |
|
AS | Assignment |
Owner name: INTERMEDIA.NET, INC., CALIFORNIA Free format text: TERMINATION AND RELEASE OF SECOND LIEN SECURITY INTEREST IN PATENTS, RECORDED AT REEL 014590, FRAME 0192;ASSIGNOR:SUNTRUST BANK;REEL/FRAME:046610/0041 Effective date: 20180719 Owner name: INTERMEDIA.NET, INC., CALIFORNIA Free format text: TERMINATION AND RELEASE OF SECOND LIEN SECURITY INTEREST IN PATENTS;ASSIGNOR:SUNTRUST BANK;REEL/FRAME:046619/0417 Effective date: 20180723 Owner name: ACCESSLINE COMMUNICATIONS CORPORATION, CALIFORNIA Free format text: TERMINATION AND RELEASE OF SECOND LIEN SECURITY INTEREST IN PATENTS;ASSIGNOR:SUNTRUST BANK;REEL/FRAME:046619/0417 Effective date: 20180723 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STCV | Information on status: appeal procedure |
Free format text: NOTICE OF APPEAL FILED |
|
STCV | Information on status: appeal procedure |
Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER |
|
STCV | Information on status: appeal procedure |
Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED |
|
STCV | Information on status: appeal procedure |
Free format text: ON APPEAL -- AWAITING DECISION BY THE BOARD OF APPEALS |
|
STCV | Information on status: appeal procedure |
Free format text: BOARD OF APPEALS DECISION RENDERED |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION |