System and method for providing secure execution environments using virtualization technology
US-2020134171-A1 · Apr 30, 2020 · US
US2021266329A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021266329-A1 |
| Application number | US-202016791761-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 14, 2020 |
| Priority date | Feb 14, 2020 |
| Publication date | Aug 26, 2021 |
| Grant date | — |
Aspects of the current subject matter are directed to secure group file sharing. An architecture for end-to-end encrypted, group-based file sharing using a trusted execution environment (TEE) is provided to protect confidentiality and integrity of data and management of files, enforce immediate permission and membership revocations, support deduplication, and mitigate rollback attacks.
What is claimed is:

1. A system, comprising: at least one data processor; and at least one memory storing instructions which, when executed by the at least one data processor, result in operations comprising: establishing, by an enclave executed by a trusted execution environment that runs at an untrusted provider, a trusted relationship with a user accessing a user application, wherein the establishment is at least partially based on a trust measurement communicated between the enclave and a certificate authority component associated with the user; associating, by the enclave, one or more access control permissions to a file linked from the user application to a remote file system at the untrusted provider, wherein the one or more access control permissions define one or more parameters of access related to the file and defined by the user for individual users and/or groups of users, and wherein the file is linked to the remote file system over a secure interface between the user application and the enclave; and providing, by the enclave, access to the file, wherein the providing is in response to a verification that a request for the file satisfies the one or more access control permissions, and wherein the providing comprises the enclave receiving the file in an encrypted form from the remote file system, decrypting the encrypted file, and sending the file over a protected channel to provide access to the file.

2. The system of claim 1, wherein establishing the trusted relationship comprises: providing, by the enclave and to the certificate authority component, a server token request comprising a public key; receiving, by the enclave and from the certificate authority component, a server token signed with a certificate authority public key; and verifying, by the enclave, the received server token, wherein the verification is based upon the certificate authority public key.

3. The system of claim 2, wherein the certificate authority public key is hard-coded into the enclave, and wherein the server token is persisted to memory of the enclave upon verification of the received server token.

4. The system of claim 2, wherein establishing the trusted relationship further comprises: receiving, by the enclave and from the user application, an authentication token; and verifying, by the enclave, the authentication token based upon the certificate authority public key.

5. The system of claim 1, wherein the one or more parameters of access related to the file comprise a level of permission for the individual users and/or the groups of users.

6. The system of claim 1, wherein an external, untrusted interface establishes a secure connection comprising the secure interface between the user application and the enclave.

7. The system of claim 1, wherein the file is encrypted with a file key, the file key unique to the file and derived from a root key generated by the enclave.

8. The system of claim 7, wherein the encryption of the file with the file key occurs within the enclave.

9. The system of claim 8, wherein the encrypted file is decrypted in the enclave and sent to the user application over a channel comprising a secure interface.

10. The system of claim 1, wherein providing, by the enclave, access to the file is further in response to establishment of a second trusted relationship with a second user having individual access rights or being part of a group with access rights.

11. A method, comprising: establishing, by an enclave executed by a trusted execution environment that runs at an untrusted provider, a trusted relationship with a user accessing a user application, wherein the establishment is at least partially based on a trust measurement communicated between the enclave and a certificate authority component associated with the user; associating, by the enclave, one or more access control permissions to a file linked from the user application to a remote file system at the untrusted provider, wherein the one or more access control permissions define one or more parameters of access related to the file and defined by the user for individual users and/or groups of users, and wherein the file is linked to the remote file system over a secure interface between the user application and the enclave; and providing, by the enclave, access to the file, wherein the providing is in response to a verification that a request for the file satisfies the one or more access control permissions, and wherein the providing comprises the enclave receiving the file in an encrypted form from the remote file system, decrypting the encrypted file, and sending the file over a protected channel to provide access to the file.

12. The method of claim 11, wherein establishing the trusted relationship comprises: providing, by the enclave and to the certificate authority component, a server token request comprising a public key; receiving, by the enclave and from the certificate authority component, a server token signed with a certificate authority public key; and verifying, by the enclave, the received server token, wherein the verification is based upon the certificate authority public key.

13. The method of claim 12, wherein the certificate authority public key is hard-coded into the enclave, and wherein the server token is persisted to memory of the enclave upon verification of the received server token.

14. The method of claim 12, wherein establishing the trusted relationship further comprises: receiving, by the enclave and from the user application, an authentication token; and verifying, by the enclave, the authentication token based upon the certificate authority public key.

15. The method of claim 11, wherein the one or more parameters of access related to the file comprise a level of permission for the individual users and/or the groups of users.

16. The method of claim 11, wherein an external, untrusted interface establishes a secure connection comprising the secure interface between the user application and the enclave.

17. The method of claim 11, wherein the file is encrypted with a file key, the file key unique to the file and derived from a root key generated by the enclave.

18. The method of claim 17, wherein the encryption of the file with the file key occurs within the enclave.

19. The method of claim 18, wherein the encrypted file is decrypted in the enclave and sent to the user application over a channel comprising a secure interface.

20. The method of claim 11, wherein providing, by the enclave, access to the file is further in response to establishment of a second trusted relationship with a second user having individual access rights or being part of a group with access rights.
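Claims 1, 7 and 8 describe the enclave's core loop: derive a per-file key from an enclave-generated root key, encrypt inside the enclave, and release plaintext only after the request passes the access-control check. The Go model below is an added illustration and not the patent's own code; the HMAC-SHA256 key derivation, AES-256-GCM, the "file-key-v1" label, the map-based ACL and the use of the file ID as associated data are assumptions chosen to make those claims concrete, and the certificate-authority token exchange of claims 2 to 4 is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Enclave models claims 1, 7 and 8 (an illustration, not the patent's own code):
// the root key and ACL never leave it; the remote file system only handles ciphertext.
type Enclave struct {
	rootKey []byte                     // generated inside the enclave (claim 7)
	acl     map[string]map[string]bool // fileID -> principals permitted to read
}
func NewEnclave() *Enclave {
	root := make([]byte, 32)
	rand.Read(root) // crypto/rand.Read is guaranteed not to fail (Go 1.24+)
	return &Enclave{rootKey: root, acl: map[string]map[string]bool{}}
}
// fileAEAD: per-file key = HMAC-SHA256(rootKey, label || fileID) (claim 7), wrapped in AES-256-GCM.
func (e *Enclave) fileAEAD(fileID string) cipher.AEAD {
	mac := hmac.New(sha256.New, e.rootKey)
	mac.Write([]byte("file-key-v1:" + fileID))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: NewCipher cannot fail here
	g, _ := cipher.NewGCM(block)
	return g
}
// Link encrypts inside the enclave (claim 8), records the owner's ACL (claim 1) and returns
// ciphertext for the remote store; the file ID is bound as associated data against swapping.
func (e *Enclave) Link(fileID string, plaintext []byte, readers map[string]bool) []byte {
	g := e.fileAEAD(fileID)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	e.acl[fileID] = readers
	return g.Seal(nonce, nonce, plaintext, []byte(fileID))
}
// Fetch enforces the ACL before any decryption (claim 1), then decrypts inside the enclave.
func (e *Enclave) Fetch(fileID, principal string, ct []byte) ([]byte, error) {
	if !e.acl[fileID][principal] {
		return nil, errors.New("access denied")
	}
	g := e.fileAEAD(fileID)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(fileID))
}
```

The plaintext returned by Fetch stands for what the enclave would send over the protected channel of claims 1 and 9; a ciphertext stored under one file ID fails authentication if presented under another, because both the key and the associated data differ.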
Multiple levels of security · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Access rights, e.g. capability lists, access control lists, access tables, access matrices · CPC title
Providing cryptographic facilities or services · CPC title
using certificates · CPC title