System for providing end-to-end protection against network-based attacks

US 10,333,905 B2
Filed: 10/14/2016
Issued: 06/25/2019
Est. Priority Date: 10/16/2015
Status: Active Grant

First Claim

Patent Images

1. A system for double-encrypting data comprising:

a node system, wherein the node system comprises an encryption key management system, a first user encryption key management system, and a processing server, wherein the first user encryption key management system comprises a first enterprise key management system that stores a first set of encryption keys, a first local key management system that manages transfers of the first set of encryption keys to a first self-encrypting drive, and the first self-encrypting drive, and wherein the encryption key management system comprises a second enterprise key management system that stores a second set of encryption keys;

a network manager system comprising computer hardware, wherein the network manager system is external to the node system and is in communication with the node system via a private network, and wherein the network manager system serves as an interface between the private network and a public network; and

a user system in communication with the network manager via the public network, wherein the user system is external to the node system and comprises a second user encryption key management system that communicates with the first user encryption key management system to facilitate key exchange between the first user encryption key management system and the second user encryption key management system, and wherein the second user encryption key management system comprises a third enterprise key management system that stores the first set of encryption keys, a second local key management system that manages transfers of the first set of encryption keys to a second self-encrypting drive, and the second self-encrypting drive,wherein the user system comprises first instructions that, when executed, cause the user system to;

encrypt user data stored in the second self-encrypting drive using an encryption key in the first set of encryption keys provided by the third enterprise key management system to form encrypted user data, andtransmit the encrypted user data to the network manager system via the public network, andwherein the network manager system comprises second instructions that, when executed, cause the network manager system to;

encrypt the encrypted user data using a second encryption key in the second set of encryption keys provided by the second enterprise key management system via the private network to form double-encrypted user data, andtransmit the double-encrypted user data to the node system via the private network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of system nodes coupled via a dedicated private network is described herein. The nodes offer an end-to-end solution for protecting against network-based attacks. For example, a single node can receive and store user data via a data flow that passes through various components of the node. The node can be designed such that communications internal to the node, such as the transmission of encryption keys, are partitioned or walled off from the components of the node that handle the publicly accessible data flow. The node also includes a key management subsystem to facilitate the use of encryption keys to encrypt user data.

12 Citations

View as Search Results

20 Claims

1. A system for double-encrypting data comprising:
- a node system, wherein the node system comprises an encryption key management system, a first user encryption key management system, and a processing server, wherein the first user encryption key management system comprises a first enterprise key management system that stores a first set of encryption keys, a first local key management system that manages transfers of the first set of encryption keys to a first self-encrypting drive, and the first self-encrypting drive, and wherein the encryption key management system comprises a second enterprise key management system that stores a second set of encryption keys;
  
  a network manager system comprising computer hardware, wherein the network manager system is external to the node system and is in communication with the node system via a private network, and wherein the network manager system serves as an interface between the private network and a public network; and
  
  a user system in communication with the network manager via the public network, wherein the user system is external to the node system and comprises a second user encryption key management system that communicates with the first user encryption key management system to facilitate key exchange between the first user encryption key management system and the second user encryption key management system, and wherein the second user encryption key management system comprises a third enterprise key management system that stores the first set of encryption keys, a second local key management system that manages transfers of the first set of encryption keys to a second self-encrypting drive, and the second self-encrypting drive,wherein the user system comprises first instructions that, when executed, cause the user system to;
  
  encrypt user data stored in the second self-encrypting drive using an encryption key in the first set of encryption keys provided by the third enterprise key management system to form encrypted user data, andtransmit the encrypted user data to the network manager system via the public network, andwherein the network manager system comprises second instructions that, when executed, cause the network manager system to;
  
  encrypt the encrypted user data using a second encryption key in the second set of encryption keys provided by the second enterprise key management system via the private network to form double-encrypted user data, andtransmit the double-encrypted user data to the node system via the private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the first instructions, when executed, further cause the user system to transmit an instruction to the node system to process the user data.
  - 3. The system of claim 1, wherein third instructions, when executed, cause the node system to:
    - decrypt the double-encrypted user data using the second encryption key provided by the second enterprise key management system to form second encrypted user data;
      
      decrypt the second encrypted user data using a third encryption key in the first set of encryption keys provided by the first enterprise key management system to form decrypted user data; and
      
      process, by the processing server, the decrypted user data in response to receiving the instruction to form processed user data.
  - 4. The system of claim 3, wherein the third instructions, when executed, further cause the node system to:
    - encrypt the processed user data using the third encryption key to form encrypted processed user data;
      
      encrypt the encrypted processed user data using the second encryption key to form double-encrypted processed user data; and
      
      transmit the double-encrypted processed user data to the network manager system via the private network.
  - 5. The system of claim 4, wherein the second instructions, when executed, further cause the network manager system to:
    - decrypt the double-encrypted processed user data using the second encryption key to form single-encrypted processed user data; and
      
      transmit the single-encrypted processed user data to the user system via the public network.
  - 6. The system of claim 3, wherein the third encryption key is the encryption key.
  - 7. The system of claim 6, wherein the third enterprise key management system transmits the encryption key to the first enterprise key management system via the public network and the private network.
  - 8. The system of claim 6, wherein the third enterprise key management system transmits information associated with the encryption key to the first enterprise key management system via the public network and the private network such that the first enterprise key management system can generate the encryption key.
  - 9. The system of claim 1, wherein the instruction comprises one of an instruction to aggregate the user data, an instruction to identify trends in the user data, or an instruction to filter the user data.
  - 10. The system of claim 1, wherein the second instructions, when executed, further cause the network manager system to block data packets from being transmitted via the private network if the data packets are not encrypted.
  - 11. The system of claim 1, wherein the first user encryption key management system is associated with the user system.
  - 12. The system of claim 1, further comprising:
    - a second user system in communication with the network manager via the public network, wherein the second user system comprises a second user encryption key management system, and wherein the second user encryption key management system comprises a fourth enterprise key management system and a third self-encrypting drive,wherein the second user system comprises third instructions that, when executed, cause the second user system to;
      
      encrypt second user data stored in the third self-encrypting drive using a third encryption key provided by the fourth enterprise key management system to form encrypted second user data, andtransmit the encrypted second user data to the network manager system.
  - 13. The system of claim 12, wherein the second instructions, when executed, further cause the network manager system to:
    - encrypt the encrypted second user data using the second encryption key to form double-encrypted second user data; and
      
      transmit the double-encrypted second user data to the node system.
  - 14. The system of claim 1, wherein the third enterprise key management system generates a third encryption key in the first set of encryption keys, wherein the second self-encrypting drive transmits a request for the third encryption key, wherein the second local key management system maintains an association of encryption keys and self-encrypting drives, and wherein the second local key management system:
    - receives the request for the third encryption key from the self-encrypting drive,transmits a second request for the third encryption key to the third enterprise key management system in response to receiving the request for the third encryption key from the second self-encrypting drive,receives the third encryption key from the third enterprise key management system, andtransmits the third encryption key to the second self-encrypting drive such that the second self-encrypting drive encrypts the user data using the third encryption key.

15. A system for double-encrypting data comprising:
- a node system, wherein the node system comprises a processing server, a first enterprise key management system that stores a first set of encryption keys, and a second enterprise key management system that stores a second set of encryption keys;
  
  a network manager system comprising computer hardware, wherein the network manager system is external to the node system and is in communication with the node system via a private network, and wherein the network manager system serves as an interface between the private network and a public network; and
  
  a user system in communication with the network manager via the public network, wherein the user system is external to the node system and comprises a third enterprise key management system that stores the first set of encryption keys and a self-encrypting drive, wherein the third enterprise key management system communicates with the first enterprise key management system to facilitate key exchange between the third enterprise key management system and the first enterprise key management system, and wherein the first enterprise key management system is associated with the user system,wherein the user system comprises first instructions that, when executed, cause the user system to;
  
  encrypt user data stored in the self-encrypting drive using an encryption key in the first set of encryption keys provided by the third enterprise key management system to form encrypted user data, andtransmit the encrypted user data to the network manager system via the public network, andwherein the network manager system comprises second instructions that, when executed, cause the network manager system to;
  
  encrypt the encrypted user data using a second encryption key in the second set of encryption keys provided by the second enterprise key management system via the private network to form double-encrypted user data, andtransmit the double-encrypted user data to the node system via the private network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the first instructions, when executed, further cause the user system to transmit an instruction to the node system to process the user data.
  - 17. The system of claim 16, wherein third instructions, when executed, cause the node system to:
    - decrypt the double-encrypted user data using the second encryption key provided by the second enterprise key management system to form second encrypted user data;
      
      decrypt the second encrypted user data using a third encryption key in the first set of encryption keys provided by the first enterprise key management system to form decrypted user data; and
      
      process, by the processing server, the decrypted user data in response to receiving the instruction to form processed user data.
  - 18. The system of claim 17, wherein the third instructions, when executed, further cause the node system to:
    - encrypt the processed user data using the third encryption key to form encrypted processed user data;
      
      encrypt the encrypted processed user data using the second encryption key to form double-encrypted processed user data; and
      
      transmit the double-encrypted processed user data to the network manager system via the private network.
  - 19. The system of claim 18, wherein the second instructions, when executed, further cause the network manager system to:
    - decrypt the double-encrypted processed user data using the second encryption key to form single-encrypted processed user data; and
      
      transmit the single-encrypted processed user data to the user system via the public network.
  - 20. The system of claim 16, wherein the instruction comprises one of an instruction to aggregate the user data, an instruction to identify trends in the user data, or an instruction to filter the user data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ORock Technologies, Inc.
Original Assignee
ORock Technologies, Inc.
Inventors
Leon, John
Primary Examiner(s)
Tran, Tri M

Application Number

US15/294,333
Publication Number

US 20170111328A1
Time in Patent Office

984 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0478   applying multiple layers of...

H04L 63/06   for supporting key manageme...

H04L 67/1097   for distributed storage of ...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3252   using DSA or related signat...

H04L 9/3263   involving certificates, e.g...

System for providing end-to-end protection against network-based attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for providing end-to-end protection against network-based attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links