| CPC H04L 63/0428 (2013.01) [H04L 9/0894 (2013.01); H04L 9/14 (2013.01); H04L 9/30 (2013.01)] | 20 Claims |
1. A computer-implemented method, comprising:
  at a data producer device of a first user:
    determining, by first one or more processors of the data producer device, a content encryption key (CEK);
    encrypting, by the first one or more processors and using the CEK, content to produce encrypted content;
    determining, by the first one or more processors, a public key associated with a second user different from the first user;
    determining, by the first one or more processors and based at least in part on the public key, a first end-to-end encryption key (E2EK);
    encrypting, by the first one or more processors and using the first E2EK, the CEK to produce an encrypted CEK (ECEK);
    determining, by the first one or more processors, a cloud privacy control (CPC) public key;
    encrypting, by the first one or more processors and using the CPC public key, the ECEK to produce a double-encrypted CEK (DECEK); and
    storing, by the first one or more processors, the DECEK in association with a manifest of the encrypted content;
  at the cloud privacy control:
    obtaining, by second one or more processors of the cloud privacy control, a request to access the content by the second user;
    obtaining, by the second one or more processors, the manifest;
    obtaining, by the second one or more processors, content owner policies;
    evaluating, by the second one or more processors, the content owner policies to determine whether to fulfill the request;
    decrypting, by the second one or more processors and using a CPC private key, the DECEK to produce the ECEK; and
    providing, by the second one or more processors, the ECEK to the second user.
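The key flow in claim 1, as an added example that is not taken from the patent: the producer wraps the CEK twice, the CPC evaluates policy and strips only the outer layer, and the second user opens the inner layer. All function names, the allow-list policy format, and the primitives are assumptions; the toy finite-field Diffie-Hellman group and the SHAKE-256/HMAC wrap are standard-library stand-ins for a vetted public-key encryption scheme such as HPKE.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group: a stdlib stand-in for X25519/HPKE, not a secure choice.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def _xor(key, data):
    # SHAKE-256 keystream XOR; each key here encrypts exactly one message.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def _keys(shared):
    raw = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def seal(pub, msg):
    """Encrypt msg to the holder of pub (ephemeral DH, then encrypt-then-MAC)."""
    eph_priv, eph_pub = keypair()
    enc, mac = _keys(pow(pub, eph_priv, P))  # for the inner layer this plays the E2EK role
    ct = _xor(enc, msg)
    return eph_pub.to_bytes(32, "big") + hmac.new(mac, ct, hashlib.sha256).digest() + ct

def unseal(priv, blob):
    enc, mac = _keys(pow(int.from_bytes(blob[:32], "big"), priv, P))
    tag, ct = blob[32:64], blob[64:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(enc, ct)

def produce(content_id, content, recipient_pub, cpc_pub):
    """Data producer: encrypt content under a CEK, then wrap the CEK twice."""
    cek = secrets.token_bytes(32)
    ecek = seal(recipient_pub, cek)   # inner layer: only the second user can open it
    decek = seal(cpc_pub, ecek)       # outer layer: only the CPC can strip it
    return _xor(cek, content), {"content_id": content_id, "decek": decek}

def cpc_release(user, manifest, policies, cpc_priv):
    """CPC: evaluate owner policies; on allow, strip the outer layer only."""
    if user not in policies.get(manifest["content_id"], ()):
        return None                   # request denied, DECEK is never unwrapped
    return unseal(cpc_priv, manifest["decek"])

def consume(recipient_priv, ecek, encrypted_content):
    """Second user: unwrap the ECEK to the CEK, then decrypt the content."""
    return _xor(unseal(recipient_priv, ecek), encrypted_content)
```
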