Title of invention: METHOD TO MANAGE MODIFICATION OF ENCRYPTION CREDENTIALS
Abstract: A method to manage modification of encryption credentials for an encryption server. The encryption server is used to encrypt data uploaded by a user after provision of user encryption credentials associated with an encryption account. The data is encrypted using a user encryption key stored in a cloud storage server.
Publication number: US2015372814(A1) Publication date: 2015.12.24
Application number: US201414310549 Filing date: 2014.06.20
Applicant: Gemalto Inc. Inventors: ALI Asad Mahboob; Segura Ella
Classification: H04L9/08; H04L9/32 Main classification: H04L9/08
Agency: Agent:
Main claim: 1. A method to manage modification of encryption credentials for an encryption server, said encryption server being configured to encrypt data uploaded by a user after provision of encryption credentials of the user that are associated with an encryption account, said data being encrypted using a user encryption key stored in a cloud storage server, said method comprising the initialization steps of, for the encryption server, authenticating the user to the encryption account using encryption credentials and binding the encryption account to a user's storage account in the cloud storage server through the following sub-steps: for the storage server, authenticating the user to his/her storage account using storage credentials, issuing an initial access token based on an online authentication protocol and sending the initial access token to the encryption server, and for the encryption server, encrypting the initial access token and the user encryption key using the encryption credentials and storing the encrypted initial access token and user encryption key for further use to decrypt the uploaded data under request of the user and provision of his/her encryption credentials, encrypting the user encryption key using an encryption server recovery master key and sending, for storage, the encrypted user encryption key to the storage server, said method further comprising the following steps, when the user triggers an encryption credentials reset: for the storage server, authenticating the user to his/her storage account using storage credentials, issuing a new access token based on an online authentication protocol and sending the new access token to the encryption server, and for the encryption server, using the new access token to retrieve the encrypted user encryption key from the storage server, decrypting the encrypted user encryption key using the encryption server recovery master key, requiring new encryption credentials to be input by the user, encrypting the new access token and the plain decrypted user encryption key using the new encryption credentials and storing them for further use to decrypt the uploaded data under request of the user and provision of his/her new encryption credentials.
Address: Austin TX US
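The claim above describes a key-recovery flow: the user encryption key (UEK) is wrapped twice, once under a key derived from the user's encryption credentials and once under the encryption server's recovery master key, with the second copy parked at the storage server behind an access token. The following stdlib-only Python is an added, illustrative simulation of that flow; it is not code from the patent or from Gemalto, the class and method names are assumptions, and the HMAC-based wrap()/unwrap() is a stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

def _derive(creds, salt):  # wrapping key derived from the user's encryption credentials
    return hashlib.pbkdf2_hmac("sha256", creds, salt, 50_000)
def _subkeys(key):  # separate encryption and MAC keys for wrap()/unwrap()
    return hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
def _ks(ek, nonce, n):  # HMAC counter-mode keystream of n bytes
    return b"".join(hmac.digest(ek, nonce + i.to_bytes(4, "big"), "sha256") for i in range(-(-n // 32)))[:n]

def wrap(key, data):  # encrypt-then-MAC; a stand-in for AES-GCM, not a production cipher
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _ks(ek, nonce, len(data))))
    return nonce + ct + hmac.digest(mk, nonce + ct, "sha256")

def unwrap(key, blob):  # raises ValueError when the key (i.e. the credentials) is wrong
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mk, nonce + ct, "sha256")):
        raise ValueError("wrapped blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _ks(ek, nonce, len(ct))))

class StorageServer:  # cloud storage: issues access tokens, holds the recovery copy of the UEK
    def __init__(self):
        self.tokens, self.recovery = set(), {}
    def issue_token(self, user):  # called once the user has authenticated with storage credentials
        tok = os.urandom(16); self.tokens.add(tok); return tok
    def put_recovery(self, token, user, blob):
        if token not in self.tokens: raise PermissionError("bad access token")
        self.recovery[user] = blob
    def get_recovery(self, token, user):
        if token not in self.tokens: raise PermissionError("bad access token")
        return self.recovery[user]

class EncryptionServer:
    def __init__(self):
        self.master_key = os.urandom(32)  # encryption server recovery master key
        self.accounts = {}  # user -> (salt, token||UEK wrapped under the credential-derived key)
    def _bind(self, user, creds, token, uek):  # (re)wrap token and UEK under the given credentials
        salt = os.urandom(16)
        self.accounts[user] = (salt, wrap(_derive(creds, salt), token + uek))
    def initialize(self, user, creds, storage, token):
        uek = os.urandom(32)  # fresh user encryption key
        self._bind(user, creds, token, uek)
        storage.put_recovery(token, user, wrap(self.master_key, uek))  # recovery copy, never in the clear
        return uek
    def reset_credentials(self, user, new_creds, storage, new_token):
        uek = unwrap(self.master_key, storage.get_recovery(new_token, user))
        self._bind(user, new_creds, new_token, uek)  # old credentials can no longer open the account
        return uek
    def user_key(self, user, creds):  # what decryption of uploaded data would use
        salt, blob = self.accounts[user]
        return unwrap(_derive(creds, salt), blob)[16:]
```

Note that the storage server only ever sees the UEK wrapped under the master key, and the encryption server only ever stores it wrapped under credentials, so neither party alone can read uploaded data.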