US 9,813,414 B2
Password-based management of encrypted files
Jan L. Camenisch, Zurich (CH); Daniel Kovacs, Zurich (CH); Anja Lehmann, Zurich (CH); and Gregory Neven, Zurich (CH)
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Nov. 30, 2015, as Appl. No. 14/953,454.
Prior Publication US 2017/0155634 A1, Jun. 1, 2017
Int. Cl. H04L 29/06 (2006.01); H04L 9/08 (2006.01)
CPC H04L 63/083 (2013.01) [H04L 9/088 (2013.01)] 16 Claims
OG exemplary drawing
 
1. A server system comprising a file management server for communication with user computers via a network and managing encrypted files, each encrypting a user file associated with a user ID under a respective encryption key Kf encoding a user password associated with that user ID, and n≥1 authentication servers for communication with the file management server via the network, wherein:
each authentication server of the system stores a respective secret key ki;
the file management server stores, for each user ID, a user password hash comprising a predetermined function of the user password associated with that user ID and the secret keys ki; and
the servers of the system are adapted such that, in response to receipt from a user computer of an input password and the user ID for a required encrypted file, the file management server communicates with λ authentication servers, 1≤λ≤n, to implement a key-reconstruction protocol in which
each authentication server computes first and second hash values, each including the secret key ki thereof, for the required encrypted file;
the file management server uses the first hash values to compute an input password hash comprising the predetermined function of the input password and the secret keys ki, checks whether the input password hash matches the user password hash for the received user ID, and, if so, reconstructs the encryption key Kf for the required encrypted file, the reconstructed key Kf encoding the input password and the reconstruction requiring use of the second hash values; and
the file management server decrypts the required encrypted file using the reconstructed key Kf;
the encryption key Kf further encodes a random salt s for the encrypted file;
the file management server stores a salt mask X which encodes the salt s and the second hash values; and
the file management server is adapted, in the key-reconstruction protocol, to reconstruct the salt s from the salt mask X and the second hash values computed by the authentication servers, and to reconstruct the encryption key Kf by encoding the input password and the reconstructed salt;
each authentication server of the system is adapted to periodically replace a current secret key ki thereof with a new secret key, and to compute first and second update values for each encrypted file, the first update value being a modulo-2 sum of the first hash value computed using the current secret key and the first hash value computed using the new secret key, and the second update value being a modulo-2 sum of the second hash value computed using the current secret key and the second hash value computed using the new secret key; and
the file management server is adapted to update the user password hash for the encrypted file by modulo-2 addition with the first update value, and to update the salt mask X for the encrypted file by modulo-2 addition with the second update value.
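The following is an added worked model of the claimed protocol in Python; it is illustrative code written for this page, not code from the patent or its assignee. It assumes one concrete instantiation of the claim's unspecified "predetermined function": the user password hash is H(pw, uid, fid) XORed with the XOR of every authentication server's first hash value, the salt mask X is the salt s XORed with the XOR of the second hash values, Kf is PBKDF2(pw, s), and the per-server hash values are HMAC-SHA256 under ki. Because XOR combining needs every share, λ = n here (a threshold variant would need a different combining function). The file encryption is a toy HMAC counter-mode stream cipher with an encrypt-then-MAC tag so the example stays standard-library only; a real system would use AES-GCM. The class names, labels ("first", "second", "ph", "ks", "tag") and sample inputs are all constructed for this example.

```python
import hashlib
import hmac
import secrets

DIGEST = 32  # hash values, masks and keys are all 32 bytes so they can be XORed


def xor(a, b):
    """Modulo-2 sum of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts; assumed stand-in for the claim's keyed hash."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


class AuthServer:
    """Authentication server i: holds only secret key k_i, never sees passwords or files."""

    def __init__(self):
        self.k = secrets.token_bytes(DIGEST)

    def hashes(self, uid, fid, key=None):
        """First and second hash values for one encrypted file under k_i (or a supplied key)."""
        k = self.k if key is None else key
        return prf(k, b"first", uid, fid), prf(k, b"second", uid, fid)

    def rotate(self, file_ids):
        """Replace k_i; return per-file update values = XOR of old and new first/second hashes."""
        old, self.k = self.k, secrets.token_bytes(DIGEST)
        updates = {}
        for uid, fid in file_ids:
            o1, o2 = self.hashes(uid, fid, old)
            n1, n2 = self.hashes(uid, fid)
            updates[(uid, fid)] = (xor(o1, n1), xor(o2, n2))
        return updates


def keystream_xor(key, nonce, data):
    """Toy HMAC counter-mode stream cipher (stdlib only); use AES-GCM in a real deployment."""
    out = bytearray()
    for i in range(0, len(data), DIGEST):
        chunk = data[i:i + DIGEST]
        out += xor(chunk, prf(key, b"ks", nonce, i.to_bytes(4, "big"))[:len(chunk)])
    return bytes(out)


def encrypt(kf, plaintext):
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(kf, nonce, plaintext)
    return nonce + ct + prf(kf, b"tag", nonce, ct)  # encrypt-then-MAC


def decrypt(kf, blob):
    nonce, ct, tag = blob[:16], blob[16:-DIGEST], blob[-DIGEST:]
    if not hmac.compare_digest(tag, prf(kf, b"tag", nonce, ct)):
        raise ValueError("authentication tag mismatch")
    return keystream_xor(kf, nonce, ct)


def derive_kf(password, salt):
    """K_f encodes the password and the per-file salt s (PBKDF2 assumed as the encoding)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 20_000)


class FileServer:
    """File management server: per file it keeps ciphertext, password hash PH and salt mask X."""

    def __init__(self, auth_servers):
        self.auth = auth_servers
        self.records = {}

    def combined_hashes(self, uid, fid):
        """Key-reconstruction round trip with lambda = n servers (XOR needs every share)."""
        h1, h2 = bytes(DIGEST), bytes(DIGEST)
        for server in self.auth:
            a1, a2 = server.hashes(uid, fid)
            h1, h2 = xor(h1, a1), xor(h2, a2)
        return h1, h2

    def store(self, uid, fid, password, plaintext):
        s = secrets.token_bytes(DIGEST)  # random per-file salt
        h1, h2 = self.combined_hashes(uid, fid)
        self.records[(uid, fid)] = {
            "ph": xor(prf(password, b"ph", uid, fid), h1),  # PH = H(pw) xor (xor_i first_i)
            "X": xor(s, h2),                                  # X  = s     xor (xor_i second_i)
            "ct": encrypt(derive_kf(password, s), plaintext),
        }

    def retrieve(self, uid, fid, password):
        """Plaintext on a matching input password hash, else None (no salt or K_f rebuilt)."""
        rec = self.records[(uid, fid)]
        h1, h2 = self.combined_hashes(uid, fid)
        if not hmac.compare_digest(xor(prf(password, b"ph", uid, fid), h1), rec["ph"]):
            return None
        s = xor(rec["X"], h2)
        return decrypt(derive_kf(password, s), rec["ct"])

    def apply_updates(self, updates):
        """Key rotation on the file-server side: XOR stored PH and X with the update values."""
        for key, (u1, u2) in updates.items():
            rec = self.records[key]
            rec["ph"], rec["X"] = xor(rec["ph"], u1), xor(rec["X"], u2)


def demo():
    servers = [AuthServer() for _ in range(3)]
    fs = FileServer(servers)
    fs.store(b"alice", b"report.txt", b"correct horse battery", b"constructed sample plaintext")
    ok = fs.retrieve(b"alice", b"report.txt", b"correct horse battery")
    bad = fs.retrieve(b"alice", b"report.txt", b"wrong password")
    fs.apply_updates(servers[1].rotate(list(fs.records)))  # rotate k_2; ciphertexts untouched
    return ok, bad, fs.retrieve(b"alice", b"report.txt", b"correct horse battery")
```

Two properties of the claim are visible in the model. First, a copy of the file server's database (PH, X, ciphertext) on its own gives an attacker nothing to test password guesses against: verifying a guess or rebuilding s requires the hash values that only the authentication servers can produce from their ki, so offline dictionary attacks need both parties to be compromised. Second, rotating one server's ki costs one XOR per stored PH and X and leaves every ciphertext and every Kf unchanged, since Kf depends only on the password and the salt, not on the ki; no file is re-encrypted and the user is not involved.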