WO2013087459A1 - Method and system to perform secure data storage of information - Google Patents

Method and system to perform secure data storage of information Download PDF

Info

Publication number
WO2013087459A1
WO2013087459A1 PCT/EP2012/074388 EP2012074388W WO2013087459A1 WO 2013087459 A1 WO2013087459 A1 WO 2013087459A1 EP 2012074388 W EP2012074388 W EP 2012074388W WO 2013087459 A1 WO2013087459 A1 WO 2013087459A1
Authority
WO
WIPO (PCT)
Prior art keywords
data flows
user device
upwards
data
security provider
Prior art date
Application number
PCT/EP2012/074388
Other languages
French (fr)
Inventor
Antonio Manuel Amaya Calvo
Miguel Ochoa Fuentes
Original Assignee
Telefonica, S.A.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonica, S.A. filed Critical Telefonica, S.A.
Publication of WO2013087459A1 publication Critical patent/WO2013087459A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0471Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/033Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

In the method of the invention, said information is exchanged between a user device and a third party data storage provider in the form of data flows and said data flows are intercepted by an encrypted interceptor. It is characterised in that it comprises ciphering upwards data flows and deciphering downwards data flows in a security provider module with a session cipher key retrieved from said user device, said user device previously identified by said security provider module by analysing at least part of said upwards data flows, said upwards and downwards data flows provided to said security provider module by said encrypted interceptor and said session cipher key generated in said user device by means of a Subscriber Identity Module, or SIM, of said user device. The system is arranged to implement the method of the invention.

Description

Method and system to perform secure data storage of information
Field of the art
The present invention generally relates, in a first aspect, to perform secure data storage of information, said information exchanged between a user device and a third party data storage provider in the form of data flows, said data flows intercepted by an encrypted interceptor which allows interception of encrypted communications and resides in an access point of a network, and more particularly to a method that comprises ciphering upwards data flows and deciphering downwards data flows in a security provider module with a session cipher key retrieved from said user device, said user device previously identified by said security provider module by analysing at least part of said upwards data flows, said upwards and downwards data flows provided to said security provider module by said encrypted interceptor and said session cipher key generated in said user device by means of a Subscriber Identity Module, or SIM, of said user device.
A second aspect of the invention relates to a system arranged to implement the method of the first aspect.
Prior State of the Art
The boom of Internet services imply an increase of private and confidential information deposited by individuals and companies on the service providers. Web 2.0 services are based upon users providing the content of the services, and much of that content is multimedia (image, sound and/or video) that's private and users would like to have control over who can see their content.
There a special kind of services in which the content should not be available to everyone on the Internet on any case, but just to the user uploading the content in the first place, or the user and a strictly controlled group of user. Such is the case of personal scheduling services, notebook services, and file storage services, such as the one provided by Google, Evernote, and Dropbox to name a few current service providers.
Those servers present two privacy/data security problems:
- Data should be protected in transit against snooping.
- Data should be protected on storage. The first problem is usually tackled by using some kind of in-transit ciphering scheme, such as SSL/TLS, as it will be shown in Figure 1. But the second problem either isn't tackled at all by the providers, or they give a solution that ciphers data on storage but still lets control of the storage system and the cipher keys on the same hands, thus making the ciphering almost irrelevant.
Note that this makes the decision to use the service a hard one when the data are of a very private or confidential nature. Practically, letting control of the ciphering keys and storage system on the same hands means trusting completely the third party service provider with the personal or confidential data.
To alleviate this problem, there are some solutions, designed for some particular services, which cipher the data before it leaves the end user device, as the one shown in Figure 2.
One of such solutions for Dropbox is to use EncFS (Encrypted Filesystem) on the local computer to keep two separate views of the same files:
- An encrypted one, which will be uploaded to the service
- A clear text one, which will be used to work locally with it.
Additionally, there's a product by Navajo Systems called "Virtual Private SaaS" that uses a different approach: instead of ciphering the data locally, it is ciphered by a OSI level 7 (application layer) proxy running on the network, as it will be shown in Figure 3.
Navajo Systems solution keeps the same key for all users of the system on the proxy, and it realizes a ciphering transformation on the data that allows some operations (such as searching) to work locally on the third party server. Problems with existing solutions
- Local ciphering solutions, such as EncFS work well with files, but require the same software and keys to be installed on all the devices the user works with. While this might be feasible to do when all the systems are personal computers, for most smartphones the software isn't available, and even worse, most of them don't allow the installation of the kind of software (system drivers) required for this solution to work.
- Navajo Systems solution is a level 7 application proxy and as such requires user configuration. Furthermore, it presents two additional problems:
1 . Key control is still centralized. There's a central point that has the ciphering key for all users. Even worse, the ciphering key is the same for all users. 2. It is tailored to work on text-like sets of data, and it executes a word-by-word ciphering of the texts. This makes it unsuitable for ciphering files, and at the same time lowers the real security of the solution.
Description of the Invention
It is necessary to offer an alternative to the state of the art which covers the gaps found therein, particularly related to the lack of proposals which really allow the transparent ciphering and deciphering of personal and confidential data sent to third party storage providers.
To that end, the present invention provides in a first aspect a method to perform secure data storage of information, said information exchanged between a user device and a third party data storage provider in the form of data flows and said data flows intercepted by an encrypted interceptor which allows interception of encrypted communications and resides in an access point of a network.
On the contrary to the known proposals, the method of the invention, in a characteristic manner it comprises ciphering upwards data flows and deciphering downwards data flows in a security provider module with a session cipher key retrieved from said user device, said user device previously identified by said security provider module by analysing at least part of said upwards data flows, said upwards and downwards data flows provided to said security provider module by said encrypted interceptor and said session cipher key generated in said user device by means of a Subscriber Identity Module, or SIM, of said user device.
Other embodiments of the method of the first aspect of the invention are described according to appended claims 2 to 14 and in a subsequent section related to the detailed description of several embodiments.
A second aspect of the present invention concerns to a system to perform secure data storage of information, said information exchanged between a user device and a third party data storage provider in the form of data flows and said data flows intercepted by an encrypted interceptor which allows interception of encrypted communications and resides in an access point of a network.
In the system of the second aspect of the invention, on contrary to the known systems mentioned in the prior state of the art section, and in a characteristic manner it comprises a data storage security provider entity which ciphers upwards data flows and deciphers downwards data flows with a session cipher key retrieved from said user device, said session cipher key generated in said user device by means of a Subscriber Identity Module, or SIM, of said user device and said data storage security provider connected to said encrypted interceptor which provides said upwards and downwards data flows to said data storage security provider.
Other embodiments of the system of the second aspect of the invention are described according to appended claims 16 to 19, and in a subsequent section related to the detailed description of several embodiments.
Brief Description of the Drawings
The previous and other advantages and features will be more fully understood from the following detailed description of embodiments, with reference to the attached drawings (some of which have already been described in the Prior State of the Art section), which must be considered in an illustrative and non-limiting manner, in which:
Figure 1 shows current systems that allow storing data coming from a user device in a third party storage provider.
Figure 2 shows current systems that perform a local ciphering of data in order to store the ciphered data of a user device in a third party storage provider.
Figure 3 shows current Navajo systems that allow storing data coming from a user device in a third party storage provider.
Figure 4 shows the Cloud Data Storage Security Provider as an element of the access points of an operator network, as well as Main Mobile Phones connected to said access points, according to an embodiment of the present invention.
Figure 5 shows the data flows exchanged between user devices and the Cloud Data Storage Security Provider and the data flows exchanged between the Cloud Data Storage Security Provider and the third party storage provider, according to an embodiment of the present invention.
Figure 6 shows a general scheme of the process applied to data flows, according to an embodiment of the present invention.
Detailed Description of Several Embodiments
For the uses of the invention, a 'main mobile phone' or MMP will be defined as one device such as a cellular phone that can access a Subscriber Identity Module (SI M) and that can be univocally associated to a user. The MMP will act as key storage point for that user. Note that while the term 'phone' will be used for clarity, on a cellular network what defines a user to the network is really the 'SIM' module. As such, the MMP association is really a SI M association, not a physical phone association. That means that although the term 'phone' is used generically, the MMP can be any device capable of accessing a cellular network equipped with a SI M reader module. It also means that if the user switches the SIM module to another phone— or device— , then the new phone will become the MMP.
The invention has two main components:
- CDSSP - Cloud Data Storage Security Provider: A distributed OSI level 3 (network) packet rewriter, which will execute all the ciphering and deciphering operations. This element will be installed on all the access points to the operator network.
- KW - Key Wrapper: A STK (Sim Toolkit) Application which will execute the key wrapping and unwrapping operations. This application will be installed on the main mobile phone of the user at the point when the user first uses the system. On the first use it will create a main encryption key (MEK), which will be securely stored on the SIM, and which will never leave the SIM
Figure 4 showed a high level view of the network element installation for the invention elements. As can be seen on the image, the CDSSP elements will be installed on all the network access points, both for residential (fixed line) users, and for mobile users. Also in the figure it is shown a MMP accessing the system through an access point, with its associated SIM. All the rest of the mobile devices (phones, tablets, etcetera) have also a SIM (as required for the normal cellular use) but if they have not been defined as MMP by a user they are irrelevant for the current invention, and as such not shown.
Figure 5 showed a high level view of the data flows on the method and system. As can be shown in the figure, data will be unencrypted between the CDSSP and the end user devices, while it will be encrypted between the CDSSP and the third party services. The possible on-transit encryption isn't shown on the figure.
As can be seen on Figure 5, the CDSSP will execute a key exchange with the MMP whenever it requires a session key to cipher or decipher data. The master key to wrap/unwrap all the session keys will be stored only on the SI M card associated to the main mobile phone.
Figure 6 shows a general scheme of a communication between a mobile application and a third party server in order to access third party services in which some personal or confidential data might be exchanged. In the scheme it's shown the insertion point of the invention, in order to execute its function.
In the general scheme the following high level data flows are defined: - Upload Flow (A): A flow that might contain data of a personal or confidential nature. This data will be unencrypted, since it's been sent from the user's end point.
- Modified Flow (B): A data flow that has been processed by the invention. The data contained on the data flow will be encrypted or in clear form, depending on the direction of the data flow: encrypted upwards from the user's point of view, in clear form downwards from the user's point of view.
- Download Flow (C): This data flow represents data sent from the Third Party Server to the end user. If it contains personal or confidential data, it will be on encrypted form.
- Captured Flow (D): This data flow represents both A and B flows when they're sent to the system.
The following elements are also defined:
- Third Party Application (010): Any off-the-shelf application that accesses data storing third party services, hosted on a third party server. This element is an external part (not part of the invention, but part of its use case).
- Encrypted Interceptor (01 1 ): A module, external to the invention, which must allow the interception of encrypted communications, in a way that also allows the communications to proceed un-intercepted after a defined point. While this element is actually external to the invention, it is required by the invention to work on current authentication schemes that use a ciphered channel to protect credential confidentiality on-transit. This element is an external part (not part of the invention, but part of its use case).
- Third Party Server (012): Module that provides one or more data storing services. This element is an external part (not part of the invention, but part of its use case).
- IP to Id (013): This module will be provided by the network operator and it receive an IP address and will return a unique identifier (customer identifier or similar) for that IP address. The format of the unique identifier is unimportant, but it has to be unique for a customer, regardless of his access method (fixed line or any of his mobile lines).
- Identity Manger (020): This element will receive an IP address and port and it will return the MMP associated to that IP. To be able to execute this function, the element will depend both on an external system (013) to get a unique identifier associated to a given IP address/port at a given time (current time) and on an internally managed database that will store the relationship unique identifier/MMP. - Cipher Engine (030): This element will analyze all traffic flows and will execute two actions on the traffic: encrypt upwards data, and decrypt downward data. It will also execute the minimum needed buffering to execute the ciphering/deciphering successfully.
- Key Controller (040): This element will implement the session key generation, as well as interface with the SIM card in the MMP to execute the key wrapping and unwrapping operations. As part of the session key generation, element 040 will interface with element 020 to obtain the MMP associated to a given session. The defining element to get an MMP is the combination of source IP address and source port.
The global operating process of the invention when the user sends data will be as follows:
1. Before using any application to access data storing third party services, the user will define his MMP. This will store the relationship unique customer identifier/MMP on module 020.
2. A STK application will be installed on his SIM, and a MEK (Main Encryption Key) will be generated on the SIM.
3. On a later time, the user accesses the system to store some data.
4. The data will be sent raw (unencrypted) on the network.
5. Element 01 1 will (optionally, if the data flow is encrypted on transit) decrypt all the messages (data packets) and pass them to element 030.
6. Element 030 will analyze the packets (data flow A) and extract the data elements. If a session key for the user is already established, it will cipher the data. Otherwise it will request a session cipher key from module 040. To that extent, it will provide the source IP address. Once Element 030 has a session key, it will cipher the data element. If the packet doesn't have any data component, it will be left untouched.
7. The modified message (or the original one, if it was untouched) will be returned to element 01 1. Additionally, Element 030 might indicate element 01 1 that this communication flow should not be monitored any more.
8. Module 01 1 will cipher (optionally, if in transit ciphering is being used) the modified message received by module 030, and will propagate it towards the third party server (012). If element 030 indicated that the communication flow should not be monitored any more, element 01 1 will cease decrypting the communication flow (and thus, it will also stop passing the messages to element 030). When the user receives data, the process is the same, only it will be applied to data flow C instead of data flow A on step 6.
A detailed description of each element is given next. · Identity Manager (020)
This element will receive queries to return the MMP associated to a given connection. To this extent, connections will be identified by their source IP address and source port. Since this element cannot, by itself, identify changes of IP for the same customer (due to the customer accessing through different mediums, or due to the network having changed his IP address, it will depend on an external system to make the association ((source IP, source port), unique customer identifier).
The element will keep internally the association (unique customer identifier, MMP). Thus the workflow that the element will follow for each query is:
1. Receive an IP address/source port.
2. Query element 013 for the unique customer identity currently associated for that IP address/source port.
3. Check on the internal database for the MMP associated for the customer identity received on step 2.
4. Return that MMP to the calling module.
• Cipher Engine (030)
This element will analyse all traffic flows and will execute two actions on the traffic: encrypt upwards data, and decrypt downward data. It will also execute the minimum needed buffering to execute the ciphering/deciphering successfully.
This element mode of operation will be as follows:
- For upwards flows (Data flow A)
1. Check if the data flow is part of an ongoing communication and if a Session Key (SK) is already available. Otherwise, request a Session Key (SK) and Session Identifier (SI) from module 040. To this extent, the source IP and port will be passed to module 040 also.
2. Extract the data portion of the data packet.
3. Divide the data portion in blocks,
4. Cipher each block using a symmetric ciphering algorithm E' with key SK. 5. Concatenate the SI to the first data block. 6. Rewrite the data packet to form flow B.
7. Pass flow B back to module 01 1.
- For downwards flows (Data flow C)
1. Extract the data portion of the data packet.
2. Check if the data portion has a SI. If it doesn't have one, return the data flow untouched and end the process. Otherwise
3. Check if a Session Key (SK) for the extracted SI is already available to the process. Otherwise, request a Session Key (SK) from module 040, indicating the SI. To this extent, the source IP and port will be passed to module 040 also.
4. Decipher each block using a symmetric ciphering algorithm E' with key SK.
5. Rewrite the data packet to form flow B with the deciphered data.
6. Pass flow B back to module 01 1.
• Key Controller (040)
This element will implement the session key generation, as well as interface with the SIM card in the MMP to execute the key wrapping and unwrapping operations.
To get the MMP that is required to execute the key generation/deriving activities, module 040 will use module 020, as described previously.
This process will accept key requests from module 030. Key requests can have two different forms:
a) Unformed requests, where process 030 still doesn't have a session identifier. In this case, the process that will be executed is as follows:
1. Generate a Session Identifier. The session identifier can be a random number, or a sequential number can be used for each session. If a sequential number is used, then the system can just recover the last used number and increase it by one, by a fixed number, or by a random number. This number will be called SI (Session Identifier).
2. Send the SI to the MMP for key deriving.
3. The SI M module will execute:
SK=E(MK, SI) , where
- E(A,B): is a symmetric encryption or one-way-only transformation where A is the encryption key and B the data being encrypted.
- MK: is the Main Key of the user
- SK: is the Session Key that will be used to encrypt the data
- SI: is the session identifier generated as previously specified 4. Once the MMP return a derived SK, return the new SI and the SK to process
030.
b) Formed requests, in which process 030 already has a session key. In this case, the process that will be executed is as follows:
1. Send the SI to the MMP for key deriving.
2. The SI M module will execute:
SK=E(MK, SI) , where
- E(A,B): is a symmetric encryption or one-way-only transformation where A is the encryption key and B the data being encrypted.
- MK: is the Main Key of the user
- SK: is the Session Key that will be used to encrypt the data
- SI: is the session identifier generated as previously specified
3. Once the MMP return a derived SK, return the SK to process 030.
Note that there are no conditions on the encryption transformation E() used. Particularly, note only the Encryption function of the transformation is used -usually transformations come in pairs E/D where E is the Encryption transformation, D the decryption transformation, and the relationship D(K,E(K,d))=d is true for all valid values of K and d. Since only the encryption transformation is used, one-way functions (such as hash functions) can be used also to implement the key derivation step.
The invention will allow end users and corporate users to use third party data storing services without privacy or confidential fears. By using on the fly encryption data control will be kept on the hands on the users, thus avoiding the possibility of any data leakage on the part of the third party service providers. A person skilled in the art could introduce changes and modifications in the embodiments described without departing from the scope of the invention as it is defined in the attached claims. ACRONYMS
ADSL Asymmetric Digital Subscriber Line
CDSSP Cloud Data Storage Security Provider DDoS Distributed Denial of Service
KW Key Wrapper
SIM Subscriber Identifier Module
STK Sim ToolKit
UMTS Universal Mobile Telecommunication System

Claims

Claims
1. - A method to perform secure data storage of information, said information exchanged between a user device and a third party data storage provider in the form of data flows, said data flows intercepted by an encrypted interceptor which allows interception of encrypted communications and resides in an access point of a network, characterised in that it comprises ciphering upwards data flows and deciphering downwards data flows in a security provider module with a session cipher key retrieved from said user device, said user device previously identified by said security provider module by analysing at least part of said upwards data flows, said upwards and downwards data flows provided to said security provider module by said encrypted interceptor and said session cipher key generated in said user device by means of a Subscriber Identity Module, or SIM, of said user device.
2. - A method as per claim 1 , comprising installing on said user device a SIM Toolkit application used to perform key wrapping and unwrapping operations, said SIM
Toolkit application generating a Main Encryption Key the first time that said SIM Toolkit application is used and said Main Encryption Key remaining stored in said SIM of said user device.
3. - A method as per claim 2, comprising:
- sending, said encrypted interceptor, upwards data flows to said security provider module, said upwards data flows comprising data flows sent from said user device to said third party storage provider;
- analyzing, said security provider module, said upwards data flows received from said encrypted interceptor;
- ciphering, said security provider module, said upwards data flows with said session cipher key if said upwards data flows contain any data component;
- sending, said security provider module, ciphered upwards data flows or said upwards data flows to said encrypted interceptor; and
- forwarding, said encrypted interceptor, said ciphered upwards data flows or said upwards data flows to said third party storage provider.
4. - A method as per claim 3, further comprising performing, said secure provider module, the following steps when performing said ciphering of said upwards data flows if said upwards data flows contain any data component:
- extracting data portion of said upwards data flows;
- dividing said data portion in blocks; - ciphering each block using a symmetric ciphering algorithm with said session cipher key;
- concatenating a session identifier to the first ciphered block; and
- rewriting said upwards data flows forming said ciphered upwards data flows.
5.- A method as per claims 2, 3 or 4, comprising:
- sending, said encrypted interceptor, downwards data flows to said security provider module, said downwards data flows comprising data flows sent from said third party storage provider to said user device;
- analyzing, said security provider module, said downwards data flows received from said encrypted interceptor;
- deciphering, said security provider module, said downwards data flows with said session cipher key if said downwards data flows contain any data component;
- sending, said security provider module, deciphered downwards data flows or said downwards data flows to said encrypted interceptor; and
- forwarding, said encrypted interceptor, said deciphered downwards data flows or said downwards data flows to said user device.
6.- A method as per claim 5, further comprising performing, said secure provider module, the following steps when performing said deciphering of said downwards data flows if said downwards data flows contain any data component:
- extracting data portion of said downwards data flows;
- checking if said data portion contains a session identifier;
- performing the next steps if said portion contains said session identifier:
- retrieving a session key for said session identifier if it is not already available;
- dividing said data portion in blocks;
- deciphering each block using a symmetric ciphering algorithm with said session cipher key; and
- rewriting said downwards data flows forming said deciphered downwards data flows.
7.- A method as per claims 5 or 6 when depending on claims 3 or 4, comprising performing, said security provider module, the following steps before ciphering said upwards data flows or deciphering said downwards data flows if said session cipher key has not been already established:
- performing an identification of said user device by means of at least a source I P address extracted from said analysis of said upwards data flows; and - retrieving from said user device said session cipher key.
8. - A method as per any of previous claims 3 to 7, comprising deciphering, said encrypted interceptor, said upwards data flows intercepted from said user device before sending said upwards data flows to said security provider module and ciphering said ciphered upwards data flows or said upwards data flows after receiving them from said security provider module if in transit ciphering is used.
9. - A method as per claim 8, comprising ceasing, said encrypted interceptor, deciphering and ciphering upwards data flows and sending upwards and/or downwards data flows to said security provider module by indication of said security provider module.
10. - A method as per claim 7, comprising returning, an external entity, a unique user identification associated to a received query, said received query containing source IP address and source port and sent by said security provider module when performing said identification of said user device.
1 1 .- A method as per claim 10, comprising, said security provider module, associating said unique user identification with a user device according to an internal database.
12. - A method as per claims 4 or 6, comprising generating, a sub-module of said security provider module, said session identifier, said session identifier being a random number or a sequential number and sending said session identifier to said user device in order to perform said key wrapping and unwrapping operations.
13. - A method as per claim 12, comprising generating, said user device, said session cipher key if said security provider module requests said session cipher key according to the following formula:
SK = E(MK, SI)
where
E is a symmetric encryption or a one-way-only transformation;
MK is said Main Encryption Key;
SI is said session identifier; and
SK is said session cipher key.
14. - A method as per claim 13, comprising sending, said user device, said session key to said security provider module and said session identifier if requested.
15. - A system to perform secure data storage of information, said information exchanged between a user device and a third party data storage provider in the form of data flows, said data flows intercepted by an encrypted interceptor which allows interception of encrypted communications and resides in an access point of a network, characterised in that it comprises a data storage security provider entity which ciphers upwards data flows and deciphers downwards data flows with a session cipher key retrieved from said user device, said session cipher key generated in said user device by means of a Subscriber Identity Module, or SIM, of said user device and said data storage security provider entity connected to said encrypted interceptor which provides said upwards and downwards data flows to said data storage security provider entity.
16. - A system as per claim 15, further comprising a SIM Toolkit application to be installed in said SIM of said user device in order to perform key wrapping and unwrapping operations.
17. - A system as per claims 15 or 16, wherein said data storage security provider entity is a distributed OSI level 3 packet rewriter and is installed in multiple access points of a operator network.
18.- A system as per claims 15, 16 or 17, wherein said data storage security provider entity comprises the following sub-modules:
- an identity manager to perform an identification of said user device according to at least a source IP address contained in said data flows;
- a cipher engine to analyse said data flows and performing said ciphering of upwards data flows and deciphering said downwards data flows; and
- a key controller to implement session cipher key generation, said key controller being used as interface with said SIM of said user device.
19.- A system as per any of claims 15 to 18, characterised in that it comprises means for implementing the method as per any of claims 1 to 14, where said data storage security provider entity constitutes said security provider module.
PCT/EP2012/074388 2011-12-13 2012-12-04 Method and system to perform secure data storage of information WO2013087459A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ESP201132001 2011-12-13
ES201132001A ES2409532B1 (en) 2011-12-13 2011-12-13 METHOD AND SYSTEM FOR PERFORMING SECURE INFORMATION DATA STORAGE

Publications (1)

Publication Number Publication Date
WO2013087459A1 true WO2013087459A1 (en) 2013-06-20

Family

ID=47428597

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/074388 WO2013087459A1 (en) 2011-12-13 2012-12-04 Method and system to perform secure data storage of information

Country Status (2)

Country Link
ES (1) ES2409532B1 (en)
WO (1) WO2013087459A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001054342A1 (en) * 2000-01-18 2001-07-26 Yodlee.Com. Inc. Method and apparatus for secure storage of personal data in web-based applications using symmetric encryption and distributed key components
US20110264906A1 (en) * 2010-04-27 2011-10-27 Telefonaktiebolaget L M Ericsson (Publ) Method and nodes for providing secure access to cloud computing for mobile users

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001054342A1 (en) * 2000-01-18 2001-07-26 Yodlee.Com. Inc. Method and apparatus for secure storage of personal data in web-based applications using symmetric encryption and distributed key components
US20110264906A1 (en) * 2010-04-27 2011-10-27 Telefonaktiebolaget L M Ericsson (Publ) Method and nodes for providing secure access to cloud computing for mobile users

Also Published As

Publication number Publication date
ES2409532A2 (en) 2013-06-26
ES2409532B1 (en) 2014-07-30
ES2409532R1 (en) 2013-12-03

Similar Documents

Publication Publication Date Title
CN108471432B (en) Method for preventing network application program interface from being attacked maliciously
CN103314551B (en) Method and apparatus for content guiding network creation and management differentiation security framework
Garg et al. An efficient and secure data storage in Mobile Cloud Computing through RSA and Hash function
US9219709B2 (en) Multi-wrapped virtual private network
CN108347419A (en) Data transmission method and device
CN103270718A (en) Method and apparatus to use identify information for digital signing and encrypting content integrity and authenticity in content oriented networks
US11316671B2 (en) Accelerated encryption and decryption of files with shared secret and method therefor
CN105429962B (en) A kind of general go-between service construction method and system towards encryption data
US20170279807A1 (en) Safe method to share data and control the access to these in the cloud
CN101971559A (en) Method and apparatus to enable lawful intercept of encrypted traffic
CN110493367B (en) Address-free IPv6 non-public server, client and communication method
Ellard et al. Rebound: Decoy routing on asymmetric routes via error messages
CN101521667B (en) Method and device for safety data communication
CN110855695A (en) Improved SDN network security authentication method and system
CN110868291A (en) Data encryption transmission method, device, system and storage medium
JP2017112604A (en) Method for improving encryption/decryption speed by complexly applying symmetric key encryption and asymmetric key double encryption
EP3242444A1 (en) Service processing method and device
Singh et al. Hybrid two-tier framework for improved security in cloud environment
WO2011067139A1 (en) System and method for accessing private digital content
CN111224968A (en) Secure communication method for randomly selecting transfer server
Malik et al. Cloud computing security improvement using Diffie Hellman and AES
Will et al. Anonymous data sharing between organisations with elliptic curve cryptography
Patel A survey on security techniques used for confidentiality in cloud computing
JP2000112860A (en) Method for safe information transmitting/sharing service
WO2013087459A1 (en) Method and system to perform secure data storage of information

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12805644

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12805644

Country of ref document: EP

Kind code of ref document: A1