Decentralized information protection for confidentiality and tamper-proofing on distributed database

US 10,084,600 B1
Filed: 04/16/2018
Issued: 09/25/2018
Est. Priority Date: 04/16/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data security method, comprising:

at a first computing device, receiving security service data from a first digital data repository;

using the first computing device, generating hidden security service data by generating a plurality of shares of the security service data;

using the first computing device, encrypting each share of the plurality of shares using a separate public key from among a plurality of public keys corresponding to each of a plurality of second computing devices, to generate a plurality of encrypted shares;

electronically storing the plurality of encrypted shares as data in a second digital data repository;

using a requesting second computing device of the plurality of second computing devices, in response to receiving an authentication request from a third computing device to access one or more fourth computing devices, sending a request to reveal the hidden security service data to the plurality of second computing devices;

in response to receiving the request, checking an availability of the plurality of second computing devices to determine an available subset of the plurality of second computing devices;

decrypting a subset of the plurality of encrypted shares using a subset of separate private keys corresponding to each of the available subset of the plurality of second computing devices to generate a plurality of decrypted shares;

using the available subset, encrypting the plurality of decrypted shares using a public key corresponding to the requesting second computing device to generate a plurality of re-encrypted shares, and sending the plurality of re-encrypted shares to the requesting second computing device;

using the requesting second computing device, decrypting the re-encrypted shares using a private key corresponding to the requesting second computing device in order to form hidden security service data;

forming and storing a readable copy of the hidden security service data;

using the readable copy of the hidden security service data, performing authentication services for the third computing device to grant or deny access to the one or more fourth computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a computer-implemented data security method comprises: at a first computing device, receiving security service data from a first digital data repository; using the first computing device, generating hidden security service data by generating a plurality of shares of the security service data; using the first computing device, encrypting each share of the plurality of shares using a separate public key from among a plurality of public keys corresponding to each of a plurality of second computing devices, to generate a plurality of encrypted shares; electronically storing the plurality of encrypted shares as data in a second digital data repository; using a subset of the plurality of second computing devices, in response to receiving an authentication request from a third computing device to access one or more fourth computing devices, decrypting a subset of the plurality of encrypted shares using a subset of separate private keys corresponding to each of the subset of the plurality of second computing devices to generate a plurality of decrypted shares; forming and storing a readable copy of the hidden security service data using the plurality of decrypted shares; using the readable copy of the hidden security service data, performing authentication services for the third computing device to grant or deny access to the one or more fourth computing devices.

Citations

17 Claims

1. A computer-implemented data security method, comprising:
- at a first computing device, receiving security service data from a first digital data repository;
  
  using the first computing device, generating hidden security service data by generating a plurality of shares of the security service data;
  
  using the first computing device, encrypting each share of the plurality of shares using a separate public key from among a plurality of public keys corresponding to each of a plurality of second computing devices, to generate a plurality of encrypted shares;
  
  electronically storing the plurality of encrypted shares as data in a second digital data repository;
  
  using a requesting second computing device of the plurality of second computing devices, in response to receiving an authentication request from a third computing device to access one or more fourth computing devices, sending a request to reveal the hidden security service data to the plurality of second computing devices;
  
  in response to receiving the request, checking an availability of the plurality of second computing devices to determine an available subset of the plurality of second computing devices;
  
  decrypting a subset of the plurality of encrypted shares using a subset of separate private keys corresponding to each of the available subset of the plurality of second computing devices to generate a plurality of decrypted shares;
  
  using the available subset, encrypting the plurality of decrypted shares using a public key corresponding to the requesting second computing device to generate a plurality of re-encrypted shares, and sending the plurality of re-encrypted shares to the requesting second computing device;
  
  using the requesting second computing device, decrypting the re-encrypted shares using a private key corresponding to the requesting second computing device in order to form hidden security service data;
  
  forming and storing a readable copy of the hidden security service data;
  
  using the readable copy of the hidden security service data, performing authentication services for the third computing device to grant or deny access to the one or more fourth computing devices.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the second digital data repository is a distributed blockchain data repository.
  - 3. The method of claim 1, wherein generating the hidden security service data comprises using the security service data to generate a stored digital representation of a polynomial function and calculating a plurality of x-y coordinate points from the polynomial function, each share of the plurality of shares representing a point of the plurality of x-y coordinate points, and wherein forming the readable copy of the hidden security comprises calculating the polynomial function using the plurality of decrypted shares.
  - 4. The method of claim 1, further comprising:
    - using the plurality of second computing devices, conducting security checks on the requesting second computing device or the third computing device;
      
      wherein decrypting the subset of the plurality of encrypted shares occurs using the available subset of the plurality of second computing devices.
  - 5. The method of claim 1, wherein decrypting the subset comprises decrypting at least two encrypted shares of the plurality of encrypted shares to generate at least two decrypted shares, and wherein forming the readable copy of the hidden security service data comprises using the at least two decrypted shares.
  - 6. The method of claim 1, wherein the security service data comprises one or more usernames and passwords, keys, certificates, or audit logs.

7. One or more non-transitory computer-readable storage media storing one or more sequences of program instructions which, when executed by one or more computing devices, cause:
- at a first computing device, receiving security service data from a first digital data repository;
  
  using the first computing device, generating hidden security service data by generating a plurality of shares of the security service data;
  
  using the first computing device, encrypting each share of the plurality of shares using a separate public key from among a plurality of public keys corresponding to each of a plurality of second computing devices, to generate a plurality of encrypted shares;
  
  electronically storing the plurality of encrypted shares as data in a second digital data repository;
  
  using a requesting second computing device of the plurality of second computing devices in response to receiving an authentication request from a third computing device to access one or more fourth computing devices, sending a request to reveal the hidden security service data to the plurality of second computing devices;
  
  in response to receiving the request, checking an availability of the plurality of second computing devices to determine an available subset of the plurality of second computing devices;
  
  decrypting a subset of the plurality of encrypted shares using a subset of separate private keys corresponding to each of the available subset of the plurality of second computing devices to generate a plurality of decrypted shares;
  
  using the available subset, encrypting the plurality of decrypted shares using a public key corresponding to the requesting second computing device to generate a plurality of re-encrypted shares, and sending the plurality of re-encrypted shares to the requesting second computing device;
  
  using the requesting second computing device, decrypting the re-encrypted shares using a private key corresponding to the requesting second computing device in order to form hidden security service data;
  
  forming and storing a readable copy of the hidden security service data;
  
  using the readable copy of the hidden security service data, performing authentication services for the third computing device to grant or deny access to the one or more fourth computing devices.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The one or more non-transitory machine-readable media of claim 7, wherein the second digital data repository is a distributed blockchain data repository.
  - 9. The one or more non-transitory machine-readable media of claim 7, wherein generating the hidden security service data comprises using the security service data to generate a stored digital representation of a polynomial function and calculating a plurality of x-y coordinate points from the polynomial function, each share of the plurality of shares representing a point of the plurality of x-y coordinate points, and wherein forming the readable copy of the hidden security comprises calculating the polynomial function using the plurality of decrypted shares.
  - 10. The one or more non-transitory machine-readable media of claim 7, further comprising instructions that, when executed by one or more computing devices, cause:
    - using the plurality of second computing devices, conducting security checks on the requesting second computing device or the third computing device;
      
      wherein decrypting the subset of the plurality of encrypted shares occurs using the available subset of the plurality of second computing devices.
  - 11. The one or more non-transitory machine-readable media of claim 7, wherein decrypting the subset comprises decrypting at least two encrypted shares of the plurality of encrypted shares to generate at least two decrypted shares, and wherein forming the readable copy of the hidden security service data comprises using the at least two decrypted shares.
  - 12. The one or more non-transitory machine-readable media of claim 7, wherein the security service data comprises one or more usernames and passwords, keys, tokens, certificates, or audit logs.

13. A computer system providing an improvement in data security, the system comprising:
- a distributed blockchain data repository;
  
  a first computing device that is communicatively coupled to the distributed blockchain data repository and comprising a first non-transitory data storage medium storing instructions which, when executed by the first computing device, cause;
  
  receiving security service data from a first digital data repository;
  
  generating hidden security service data by generating a plurality of shares of the security service data;
  
  encrypting each share of the plurality of shares using a separate public key from among a plurality of public keys corresponding to each of a plurality of second computing devices, to generate a plurality of encrypted shares;
  
  electronically updating the distributed blockchain data repository with the plurality of encrypted shares;
  
  at least two second computing devices of the plurality of second computing devices that are communicatively coupled to the distributed blockchain data repository and each comprising a second non-transitory data storage medium, storing instructions which, when executed by the plurality of second computing devices, cause;
  
  in response to receiving an authentication request from a third computing device to access one or more fourth computing devices, using a requesting second computing device of the at least two second computing devices, sending a request to reveal the hidden security service data to the plurality of second computing devices;
  
  in response to receiving the request, checking an availability of the at least two second computing devices to determine an available second computing device of the at least two second computing devices;
  
  decrypting at least two of the plurality of encrypted shares using at least two separate private keys corresponding to each of at least two second computing devices of the plurality of second computing devices to generate at least two decrypted shares;
  
  encrypting one of the at least two decrypted shares generated by the available second computing device using a public key corresponding to the requesting second computing device to generate a re-encrypted share, and sending the re-encrypted share to the requesting second computing device;
  
  receiving, at the requesting second computing device, the re-encrypted share from the available second computing device;
  
  decrypting the re-encrypted share using a private key corresponding to the requesting second computing device in order to form hidden security service data;
  
  forming and storing a readable copy of the hidden security service data;
  
  using the readable copy of the hidden security service data, performing authentication services for the third computing device to grant access to the one or more fourth computing devices.
- View Dependent Claims (14, 15, 16)
- - 14. The computer system of claim 13, wherein generating the hidden security service data comprises using the security service data to generate a stored digital representation of a polynomial function and calculating a plurality of x-y coordinate points from the polynomial function, each share of the plurality of shares representing a point of the plurality of x-y coordinate points, and wherein forming the readable copy of the hidden security comprises calculating the polynomial function using the at least two decrypted shares.
  - 15. The computer system of claim 14, wherein forming the readable copy of the hidden security service data comprises recreating a stored digital representation of a polynomial function using the at least two decrypted shares.
  - 16. The computer system of claim 13, wherein the security service data comprises one or more usernames and passwords, keys, tokens, certificates, or audit logs.

17. A computer-implemented data security method, comprising:
- at a first computing device, receiving security service data for accessing one or more Internet of Things (IoT) computing devices from a first digital data repository;
  
  using the first computing device, generating, on behalf of an enterprise server and using the security service data, a stored digital representation of a polynomial function and calculating a plurality of x-y coordinate points from the polynomial function to generate a plurality of shares of the security service data, each share of the plurality of shares representing a point of the plurality of x-y coordinate points;
  
  using the first computing device, encrypting each share of the plurality of shares using a separate public key from among a plurality of public keys corresponding to each of a plurality of second computing devices, to generate a plurality of encrypted shares;
  
  using the first computing device, electronically updating a distributed blockchain data repository with the plurality of encrypted shares;
  
  using a requesting second computing device of the plurality of second computing devices, receiving an authentication request from a third computing device to access the one or more IoT computing devices and, in response to receiving the authentication request, requesting a first encrypted share of the plurality of encrypted shares, encrypted using a first public key corresponding to the requesting second computing device, from the distributed blockchain data repository, and requesting at least one second encrypted share of the plurality of encrypted shares from at least one available second computing devices of the plurality of second computing devices;
  
  using the at least one available second computing device, accessing and decrypting, from the distributed blockchain data repository, the at least one second encrypted share that correspond to the at least one available second computing devices using a corresponding private key of the at least one available second computing device to generate at least one decrypted share;
  
  using the at least one available second computing device, encrypting the at least one decrypted share using a public key of the requesting second computing device to generate at least one re-encrypted share, and sending the at least one re-encrypted share to the requesting second computing device;
  
  using the requesting second computing device, decrypting the first encrypted share and the at least one re-encrypted share using a private key of the requesting second computing device to form at least two points of the plurality of x-y coordinate points;
  
  using the requesting second computing device, reconstructing the stored digital representation of the polynomial function using the at least two points of the plurality of x-y coordinate points to form the security service data;
  
  using the requesting second computing device, in response to forming the security service data, performing authentication services using the readable copy of the hidden security service data for the third computing device to grant or deny access to the one or more IoT computing devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xage Security, Inc.
Original Assignee
Xage Security, Inc.
Inventors
Irwan, Susanto Junaidi, Arutyunov, Roman M., Valderrama, Alexander Michael
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/954,365
Time in Patent Office

162 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/08   for authentication of entit...

H04L 67/12   specially adapted for propr...

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/3093   involving Lattices or polyn...

H04L 9/321   involving a third party or ...

H04L 9/3236   using cryptographic hash fu...

H04L 9/50   using hash chains, e.g. blo...

Decentralized information protection for confidentiality and tamper-proofing on distributed database

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Decentralized information protection for confidentiality and tamper-proofing on distributed database

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links