Systems and methods for encryption and provision of information security using platform services

US 10,020,935 B1
Filed: 03/27/2017
Issued: 07/10/2018
Est. Priority Date: 02/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method for enrolling a user of an electronic computing device in a multi-party encryption and key management system, comprising the steps of:

receiving, at a server, an enrollment request from the electronic computing device corresponding to a user of the electronic computing device for enrollment in the multi-party encryption and key management system, the enrollment request comprising identity data corresponding to the user and routing data for routing the enrollment request, wherein at least the identity data is authenticated;

determining, based on the routing data, a key space corresponding to a tenant affiliated with the user;

transmitting the enrollment request from the server to a key service corresponding to the determined key space;

receiving, at the server, a response from the key service, wherein the response comprises a tenant-specific device identifier and cryptographic enrollment data for enrolling the user, wherein the response was generated at the key service based on the enrollment request; and

transmitting the cryptographic enrollment data and tenant-specific device identifier from the server to the electronic computing device for enrollment of the user with the multi-party encryption and key management system.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing or encrypting data or other information arising from a user'"'"'s interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user'"'"'s storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentially of the protected data.

93 Citations

View as Search Results

33 Claims

1. A method for enrolling a user of an electronic computing device in a multi-party encryption and key management system, comprising the steps of:
- receiving, at a server, an enrollment request from the electronic computing device corresponding to a user of the electronic computing device for enrollment in the multi-party encryption and key management system, the enrollment request comprising identity data corresponding to the user and routing data for routing the enrollment request, wherein at least the identity data is authenticated;
  
  determining, based on the routing data, a key space corresponding to a tenant affiliated with the user;
  
  transmitting the enrollment request from the server to a key service corresponding to the determined key space;
  
  receiving, at the server, a response from the key service, wherein the response comprises a tenant-specific device identifier and cryptographic enrollment data for enrolling the user, wherein the response was generated at the key service based on the enrollment request; and
  
  transmitting the cryptographic enrollment data and tenant-specific device identifier from the server to the electronic computing device for enrollment of the user with the multi-party encryption and key management system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the identity data further comprises cryptographic information corresponding to the enrollment request.
  - 3. The method of claim 2, wherein the cryptographic enrollment data is encrypted by the key service using the cryptographic information corresponding to the enrollment request prior to transmission to the server.
  - 4. The method of claim 2, wherein the response further comprises the cryptographic information corresponding to the enrollment request.
  - 5. The method of claim 4, further comprising the steps of:
    - generating, at the server, cryptographic server enrollment data;
      
      transforming the cryptographic server enrollment data using the cryptographic information corresponding to the enrollment request; and
      
      transmitting the transformed cryptographic server enrollment data along with the transformed cryptographic enrollment data and tenant-specific device identifier from the server to the electronic computing device.
  - 6. The method of claim 5, further comprising the step of storing the cryptographic server enrollment data in association with the tenant-specific device identifier.
  - 7. The method of claim 1, wherein the identity data further comprises an enrollment request identifier.
  - 8. The method of claim 7, further comprising the steps of:
    - prior to receiving the enrollment request, generating, at an enrollment server, the enrollment request identifier;
      
      generating an enrollment package comprising the enrollment request identifier and cryptographic information corresponding to the key service; and
      
      transmitting the enrollment package to the electronic computing device, wherein at least the identity data is authenticated using the cryptographic information corresponding to the key service.
  - 9. The method of claim 7, further comprising the steps of:
    - prior to receiving the enrollment request, generating, at an enrollment server, the enrollment request identifier;
      
      generating an enrollment package comprising the enrollment request identifier and cryptographic information corresponding to the key service;
      
      receiving, at the enrollment server, a request for the enrollment package from the electronic computing device;
      
      authenticating the request for the enrollment package; and
      
      transmitting, based on the authentication, the enrollment package from the enrollment server to the electronic computing device, wherein the identity data is authenticated using the cryptographic information corresponding to the key service.
  - 10. The method of claim 1, wherein the multi-party encryption and key management system comprises the server.
  - 11. The method of claim 1, further comprising the step of extracting, at the server prior to the step of determining the key space, the routing data from the enrollment request.
  - 12. The method of claim 11, wherein the step of determining the key space further comprises analyzing the extracted routing data to determine the tenant affiliated with the user and then identifying the key space associated with the tenant affiliated with the user.
  - 13. The method of claim 1, wherein the step of determining the key space further comprises the step of determining, based on the key space, the key service corresponding to the determined key space.
  - 14. The method of claim 1, wherein the user comprises a computing service.

15. A system for enrolling a user of an electronic computing device in a multi-party encryption and key management system, comprising:
- the electronic computing device that transmits, to a key service, an enrollment request corresponding to a user of the electronic computing device for enrollment in the multi-party encryption and key management system, the enrollment request comprising identity data corresponding to the user and routing data for routing the enrollment request, wherein at least the identity data is authenticated;
  
  the key service that receives the enrollment request, wherein the key service generates, based on the enrollment request, a response comprising a tenant-specific device identifier and cryptographic enrollment data for enrolling the user and transmits the response to the electronic computing device; and
  
  the electronic computing device that receives the response from the key service, wherein the electronic computing device enrolls the user, based on the cryptographic enrollment data and tenant-specific device identifier, in the multi-party encryption and key management system.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The system of claim 15, wherein the electronic computing device, to transmit the enrollment request to the key service, transmits the enrollment request to a server, further comprising:
    - the server that receives the enrollment request from the electronic computing device, wherein the server determines, based on the routing data, a key space corresponding to a tenant affiliated with the user and transmits the enrollment request to the key service, wherein the key service corresponds to the determined key space.
  - 17. The system of claim 16, wherein the key service, to transmit the response to the electronic computing device, transmits the response to the server, further comprising:
    - the server that receives the response from the key service, wherein the server transmits the response to the electronic computing device.
  - 18. The system of claim 17, wherein the identity data further comprises cryptographic information corresponding to the enrollment request.
  - 19. The system of claim 18, wherein the key service encrypts, prior to transmission to the server, the cryptographic enrollment data using the cryptographic information corresponding to the enrollment request.
  - 20. The system of claim 18, wherein the response further comprises the cryptographic information corresponding to the enrollment request.
  - 21. The system of claim 20, wherein the server, after receiving the response from the key service:
    - generates cryptographic server enrollment data;
      
      encrypts the cryptographic server enrollment data using the cryptographic information corresponding to the enrollment request; and
      
      transmits the transformed cryptographic server enrollment data along with the transformed cryptographic enrollment data and tenant-specific device identifier to the electronic computing device.
  - 22. The system of claim 17, wherein the identity data further comprises an enrollment request identifier.
  - 23. The system of claim 22, further comprising an enrollment server, wherein the enrollment server, prior to receiving the enrollment request:
    - generates the enrollment request identifier;
      
      generates an enrollment package comprising the enrollment request identifier and cryptographic information corresponding to the key service; and
      
      transmits the enrollment package to the electronic computing device, wherein at least the identity data is authenticated using the cryptographic information corresponding to the key service.
  - 24. The system of claim 22, further comprising an enrollment server, wherein the enrollment server, prior to receiving the enrollment request:
    - generates the enrollment request identifier;
      
      generates an enrollment package comprising the enrollment request identifier and cryptographic information corresponding to the key service;
      
      receives a request for the enrollment package from the electronic computing device;
      
      authenticates the request for the enrollment package; and
      
      transmits, based on the authentication, the enrollment package to the electronic computing device, wherein the identity data is authenticated using the cryptographic information corresponding to the key service.
  - 25. The system of claim 17, wherein the multi-party encryption and key management system comprises the server.
  - 26. The system of claim 17, wherein the user comprises a computing service.

27. A method for enrolling a user of an electronic computing device in a multi-party encryption and key management system, comprising the steps of:
- generating, at the electronic computing device, an enrollment request corresponding to a user of the electronic computing device for enrollment in the multi-party encryption and key management system, wherein the enrollment request comprises identity data corresponding to the user and routing data for routing the enrollment request;
  
  cryptographically signing, at the electronic computing device, at least the identity data with cryptographic information;
  
  transmitting the enrollment request from the electronic computing device to a server; and
  
  receiving, at the electronic computing device, a response from the server, wherein the response comprises a tenant-specific device identifier and cryptographic enrollment data for enrolling the user, wherein the response was generated both at the server and a key service capable of verifying the cryptographically-signed identity data.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The method of claim 27, wherein the identity data further comprises first cryptographic information corresponding to the enrollment request.
  - 29. The method of claim 28, wherein the cryptographic enrollment data comprises cryptographic key service enrollment data and cryptographic server enrollment data, wherein at least the cryptographic key service enrollment data was authenticated by the key service using the first cryptographic information corresponding to the enrollment request and at least the cryptographic server enrollment data was authenticated by the server.
  - 30. The method of claim 29, wherein the electronic computing device decrypts at least the cryptographic key service enrollment data and the cryptographic server enrollment data using second cryptographic information corresponding to the enrollment request.
  - 31. The method of claim 27, wherein the identity data further comprises an enrollment request identifier.
  - 32. The method of claim 31, further comprising the steps of:
    - prior to generating the enrollment request, generating a request for an enrollment package from an enrollment server;
      
      transmitting the request for the enrollment package from the electronic computing device to the enrollment server;
      
      receiving, at the electronic computing device, the enrollment package from the server, wherein the enrollment package comprises the enrollment request identifier and cryptographic information corresponding to the key service; and
      
      encrypting the identity data using the cryptographic information corresponding to the key service.
  - 33. The method of claim 27, wherein the multi-party encryption and key management system comprises the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ionic Security, Inc. (Twilio, Inc.)
Original Assignee
Ionic Security, Inc. (Twilio, Inc.)
Inventors
Ghetti, Adam, Howard, Jeffrey, Jordan, James, Smith, Nicholas, Eckman, Jeremy, Speers, Ryan, Bhatti, Sohaib
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/469,871
Time in Patent Office

470 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2133   Verifying human interaction...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/0819   Key transport or distributi...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

Systems and methods for encryption and provision of information security using platform services

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for encryption and provision of information security using platform services

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links