Title of invention: Multiply-encrypting data requiring multiple keys for decryption
Abstract: A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.
Publication number: US9639687(B2) Publication date: 2017.05.02
Application number: US201514945089 Filing date: 2015.11.18
Applicant: CLOUDFLARE, INC. Inventor: Sullivan Nicholas Thomas
Classification: G06F21/40;G06F21/31;G06F21/60;G06F21/62;H04L9/08;H04L9/32;H04L29/06 Main classification: G06F21/40
Agency: Nicholson De Vos Webster & Elliott LLP Agent: Nicholson De Vos Webster & Elliott LLP
Independent claim: 1. A method executed on a server, comprising: receiving a request to encrypt a piece of data; encrypting the piece of data such that no single key can decrypt the encrypted piece of data and any unique combination of a first plurality of unique keys taken a first number at a time are capable of decrypting the encrypted piece of data, wherein the first number is greater than one, wherein each particular one of the first plurality of unique keys is tied to account credentials of a particular user of a plurality of users respectively, wherein the first number is less than or equal to the first plurality, and wherein the step of encrypting the piece of data includes: encrypting the piece of data with a data key, generating a unique encrypted data key for each unique combination of the first plurality of unique keys taken the first number at a time by performing the following for each unique combination: encrypting the data key multiple times each of which using a different one of the first plurality of unique keys, wherein the multiple times is equal to the first number, and encrypting each different one of the first plurality of unique keys with the account credentials of the corresponding particular user; returning the encrypted piece of data; receiving, at the server, a delegation submission from at least a second number of the plurality of users equivalent to the first number that grants the server permission to use the account credentials of the at least second number of the plurality of users to decrypt data on their behalf; receiving a request to decrypt the encrypted piece of data; decrypting, for each particular one of at least the second number of the plurality of users equivalent to the first number that granted the server permission to use the account credentials of the at least second number of the plurality users, the one of the first plurality of unique keys that correspond to that particular one of the at least the second number of the plurality of users; decrypting the encrypted piece of data using the decrypted ones of the first plurality of unique keys; and returning the decrypted piece of data.
Address: San Francisco CA US