Cloud-based data backup and sync with secure local storage of access keys

摘要

Methods and systems are provided for secure online data access. In one embodiment, three levels of security are provided where user master passwords are not required at a server. A user device may register with a storage service and receive a user device key that is stored on the device and at the service. The user device key may be used to authenticate the user device with the storage service. As data in the storage service is encrypted with a master password, the data may be protected from disclosure. As a user master key or derivative thereof is not used in authentication, the data may be protected from a disclosure or breach of the authentication credentials. Encryption and decryption may thus be performed on the user device with a user master key that may not be disclosed externally from the user device.

主权项

1. A computer-implemented method, the method comprising:
receiving a user master password at a client device on behalf of a user; generating, during a device authentication process, a unique user device key identifier comprising a first portion generated based on a hardware identifier associated with the user device and a second portion generated based on a portion of the user master password, wherein the generated unique user device key identifier is not used to encrypt data on the user device; decrypting the unique user device key identifier with the user master password at the client device, wherein the unique user device key identifier is specific to a unique combination of the user and the client device, and wherein decrypting the unique user device key identifier comprises generating, at the client device, a cryptographic key from the user master password and decrypting, at the client device, a user file containing an encrypted unique user device key identifier using the generated cryptographic key; sending a request to access a storage server from the client device without sending either of the user master password or a hash of the user master password; sending the unique user device key identifier to the storage server; and in response to sending the unique user device key identifier, receiving access to elements of the storage server controlled by the user.