Communication network with rolling encryption keys and data exfiltration control

US 10,462,111 B2
Filed: 05/18/2017
Issued: 10/29/2019
Est. Priority Date: 05/18/2017
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a memory configured to store;

a plurality of encryption keys, wherein each encryption key is linked with an encryption key index; and

an encrypted data entry, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;

a first encryption key index referencing a first encryption key from the plurality of encryption keys, and an encryption wait time period; and

an encryption service engine configured to;

periodically re-encrypt the encrypted data element stored in the memory, wherein re-encrypting the encrypted data element comprises;

determining that the encryption wait time period has lapsed;

obtaining the first encryption key from the plurality of encryption keys using the first encryption key index;

obtaining the encrypted data element from the memory;

decrypting the encrypted data element using the first encryption key to recover an original data element;

obtaining a second encryption key;

encrypting the original data element using the second encryption key; and

modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;

receive a data request for the encrypted data element;

send the re-encrypted data element in response to receiving the data request;

limit a bandwidth of a data channel used to send the re-encrypted data element; and

wherein the metadata comprises an authentication token generated based on a current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus that includes a memory configured to store encryption keys and encrypted data entries. The apparatus further includes an encryption service engine configured to periodically re-encrypt the encrypted data element, which includes determining that an encryption wait time period has lapsed, obtaining a first encryption key using a first key index, and decrypting the encrypted data element using the first encryption key to recover the original data. The encryption service engine is further configured to obtain a second encryption key, encrypt the original data using the second encryption key, and modify the metadata linked with the encrypted data element with a second key index referencing the second encryption key. The encryption service engine is further configured to receive a data request for the encrypted data element, to send the encrypted data element, and to limit the bandwidth of a data channel used to send the encrypted data element.

24 Citations

View as Search Results

17 Claims

1. An apparatus comprising:
- a memory configured to store;
  
  a plurality of encryption keys, wherein each encryption key is linked with an encryption key index; and
  
  an encrypted data entry, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;
  
  a first encryption key index referencing a first encryption key from the plurality of encryption keys, and an encryption wait time period; and
  
  an encryption service engine configured to;
  
  periodically re-encrypt the encrypted data element stored in the memory, wherein re-encrypting the encrypted data element comprises;
  
  determining that the encryption wait time period has lapsed;
  
  obtaining the first encryption key from the plurality of encryption keys using the first encryption key index;
  
  obtaining the encrypted data element from the memory;
  
  decrypting the encrypted data element using the first encryption key to recover an original data element;
  
  obtaining a second encryption key;
  
  encrypting the original data element using the second encryption key; and
  
  modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;
  
  receive a data request for the encrypted data element;
  
  send the re-encrypted data element in response to receiving the data request;
  
  limit a bandwidth of a data channel used to send the re-encrypted data element; and
  
  wherein the metadata comprises an authentication token generated based on a current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein obtaining the second encryption key comprises receiving the second encryption key from the memory.
  - 3. The apparatus of claim 1, wherein the encryption service engine is configured to remove the first encryption key from the memory in response to decrypting the encrypted data element using the first encryption key.
  - 4. The apparatus of claim 1, wherein:
    - the memory comprises a plurality of data partitions, and each of the plurality of data partitions uses a different encryption key to encrypt data entries within each data partition.
  - 5. The apparatus of claim 1, wherein obtaining the second encryption key comprises:
    - generating the second encryption key, and creating a record in the memory for the second encryption key, wherein the record identifies;
      
      the second encryption key, the second encryption key index, and an encryption timestamp.
  - 6. The apparatus of claim 1, wherein the encryption service engine is configured to:
    - receive an encryption key request identifying the first encryption key index;
      
      obtain the first encryption key from the plurality of encryption keys using the first encryption key index; and
      
      send the first encryption key in response to the receiving the encryption key request, wherein sending the first encrypted key comprises limiting the bandwidth of a data channel used to send the first encryption key.

7. A system comprising:
- a mix router configured to;
  
  receive an encryption key request identifying a first encryption key index for an encrypted data element from a network node;
  
  identify an encryption service device linked with the encrypted data element in response to receiving the encryption key request;
  
  send the encryption key request to the encryption service device;
  
  obtain an encryption key for the encrypted data; and
  
  send the encryption key for the encrypted data element to the network node in response to receiving the encrypted key; and
  
  the encryption service device in signal communication with the mixer router, comprising;
  
  a memory configured to store;
  
  a plurality of encryption keys, wherein each encryption key is linked with an encryption key index;
  
  an encrypted data entry, wherein the encrypted data entry comprises the encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;
  
  the first encryption key index referencing a first encryption key from the plurality of encryption keys, and an encryption wait time period; and
  
  an encryption service engine configured to;
  
  periodically re-encrypt the encrypted data element stored in the memory;
  
  receive the encryption key request;
  
  obtain the first encryption key from the memory using the first encryption key index in response to receiving the encryption key request;
  
  send the first encryption key to the mix router in response to obtaining the first encryption key from the memory;
  
  limit a bandwidth of a data channel used to send the first encryption key; and
  
  wherein the metadata comprises an authentication token generated based on a current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein, in response to sending the first encryption key to the mix router, the encryption service engine is configured to:
    - decrypt the encrypted data element using the first encryption key to recover an original data element;
      
      obtain a second encryption key from the plurality of encryption keys;
      
      encrypt the original data element using the second encryption key;
      
      modify the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key; and
      
      remove the first encryption key from the memory.
  - 9. The system of claim 7, wherein the encryption service engine is configured to:
    - receive a data request for the encrypted data element; and
      
      send the encrypted data element in response to receiving the data request, wherein sending the encrypted data element comprises limiting the bandwidth of a data channel used to send the encrypted data element.
  - 10. The system of claim 7, wherein re-encrypting the encrypted data comprises:
    - determining the encryption wait time period has lapsed;
      
      obtaining the first encryption key from the memory using the encryption key index;
      
      decrypting the encrypted data element using the first encryption key to recover an original data element;
      
      obtaining a second encryption key from the plurality of encryption keys;
      
      encrypting the original data element using the second encryption key; and
      
      modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key.
  - 11. The system of claim 7, wherein:
    - the encryption key request is encoded using successive layers of encryption, and each layer of encryption is decrypted by a different network device as the encryption key request is forwarded from the network node to the encryption services device.
  - 12. The system of claim 7, further comprising a translator device comprising a second memory, wherein the second memory comprises an entry linking the first key index with the encryption service device;
    - wherein identifying the encryption service device linked with the encrypted data element comprises;
      
      sending a device identification request comprising the first encryption key index to the translator device, and receiving information identifying the encryption service device in response to sending the device identification request.

13. A method comprising:
- periodically re-encrypting, by an encryption service engine stored in a memory, an encrypted data element comprising;
  
  accessing an encrypted data entry in the memory, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;
  
  a first encryption key index referencing a first encryption key from a plurality of encryption keys, and an encryption wait time period;
  
  determining the encryption wait time period has lapsed;
  
  obtaining the first encryption key from the memory using the first encryption key index;
  
  decrypting the encrypted data element using the first encryption key to recover an original data element;
  
  obtaining a second encryption key;
  
  encrypting the original data element using the second encryption key; and
  
  modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;
  
  receiving, at the encryption service engine, a data request for the encrypted data element;
  
  sending, by the encryption service engine, the encrypted data element in response to receiving the data request;
  
  limiting, by the encryption service engine, a bandwidth of a data channel used to send the encrypted data element; and
  
  wherein the metadata comprises an authentication token generated based on a current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein obtaining the second encryption key comprises receiving the second encryption key from the memory.
  - 15. The method of claim 13, further comprising removing, by the encryption service engine, the first encryption key from the memory in response to decrypting the encrypted data element using the first encryption key.
  - 16. The method of claim 13, wherein obtaining the second encryption key comprises:
    - generating the second encryption key, and creating a record in the memory for the second encryption key, wherein the record identifies;
      
      the second encryption key, the second encryption key index, and an encryption timestamp.
  - 17. The method of claim 13, further comprising:
    - receiving, at the encryption service engine, an encryption key request identifying the first encryption key index;
      
      obtaining, by the encryption service engine, the first encryption key from the plurality of encryption keys using the first encryption key index; and
      
      sending, by the encryption service engine, the first encrypted key in response to the receiving the encryption key request, wherein sending the first encrypted key comprises limiting the bandwidth of a data channel used to send the first encrypted key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Frankel, Yair, Azeez, Abdul Rafman
Primary Examiner(s)
Alata, Ayoub

Application Number

US15/599,278
Publication Number

US 20180337896A1
Time in Patent Office

894 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/088   Usage controlling of secret...

H04L 9/3228   One-time or temporary data,...

H04L 9/3297   involving time stamps, e.g....

Communication network with rolling encryption keys and data exfiltration control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Communication network with rolling encryption keys and data exfiltration control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links