Title of invention Storing user data in a service provider cloud without exposing user-specific secrets to the service provider
Abstract Subscriber (user) data is encrypted and stored in a service provider cloud in a manner such that the service provider is unable to decrypt and, as a consequence, to view, access or copy the data. Only the user knows a user-specific secret (e.g., a password) that is the basis of the encryption. The techniques herein enable the user to share his or her data, privately or publicly, without exposing the user-specific secret to anyone or any entity (such as the service provider).
Publication number US9317714(B2) Publication date 2016.04.19
Application number US201414336078 Application date 2014.07.21
Applicant LogMeIn, Inc. Inventors Kopasz Krisztian; Anka Marton B.
Classification H04L29/06; G06F21/62 Main classification H04L29/06
Agency Agent Judson David H.
Main claim 1. A service provider cloud apparatus, comprising: at least one hardware processor; computer memory holding computer program instructions executed by the processor to store and protect user data in the service provider cloud by: storing a value that has been generated by encrypting an account secret key with a user-specific secret, the value being distinct from an account public key and the associated account secret key, the account secret key and the account public key comprising a key pair uniquely associated with an account of an authorized user; storing a file that has been generated by encrypting data associated with the authorized user with a data key; storing an account encrypted data key, the account encrypted data key having been generated by encrypting the data key with the account public key; and providing access to the data associated with the authorized user upon receipt of the user-specific secret by the following ordered operations: (i) decrypting the value to obtain the account secret key, then (ii) decrypting, using the account secret key so obtained, the account encrypted data key to obtain the data key, then (iii) decrypting, using the data key so obtained, the file.
Address Boston MA US
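The three stored objects and the ordered decryption (i) to (iii) of claim 1, as an added example that is not taken from the patent or from the applicant's software. The algorithm choices (scrypt, AES-256-GCM, RSA-OAEP with SHA-256) and the names `seal`, `open`, `enroll` and `access` are assumptions made for illustration.

```javascript
// Added example: key hierarchy from claim 1, built on Node's crypto module.
// Assumptions (not from the patent): scrypt, AES-256-GCM, RSA-OAEP/SHA-256.
const crypto = require('node:crypto');

// AES-256-GCM helpers; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on bad tag
}
const oaep = (key) =>
  ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Runs where the user-specific secret is known; returns only what gets stored.
function enroll(secret, data) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(secret, salt, 32); // derived from the user-specific secret
  const dataKey = crypto.randomBytes(32);
  return {
    salt,
    accountPublicKey: publicKey,
    value: seal(kek, Buffer.from(privateKey)), // account secret key under the secret
    file: seal(dataKey, Buffer.from(data)),    // user data under the data key
    accountEncryptedDataKey: crypto.publicEncrypt(oaep(publicKey), dataKey),
  };
}

// The ordered operations (i) -> (ii) -> (iii) of the claim.
function access(record, secret) {
  const kek = crypto.scryptSync(secret, record.salt, 32);
  const accountSecretKey = open(kek, record.value).toString();        // (i)
  const dataKey = crypto.privateDecrypt(oaep(accountSecretKey),
    record.accountEncryptedDataKey);                                  // (ii)
  return open(dataKey, record.file).toString();                       // (iii)
}
```

Because the account public key is stored in the clear, a second party can wrap the same data key for sharing without ever seeing the user-specific secret; a wrong secret fails at step (i) on the GCM tag check.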