Communication network with rolling encryption keys and data exfiltration control
First Claim
1. An apparatus comprising:
    a memory configured to store:
        a plurality of encryption keys, wherein each encryption key is linked with an encryption key index; and
        an encrypted data entry, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies:
            a first encryption key index referencing a first encryption key from the plurality of encryption keys, and an encryption wait time period; and
    an encryption service engine configured to:
        periodically re-encrypt the encrypted data element stored in the memory, wherein re-encrypting the encrypted data element comprises:
            determining that the encryption wait time period has lapsed;
            obtaining the first encryption key from the plurality of encryption keys using the first encryption key index;
            obtaining the encrypted data element from the memory;
            decrypting the encrypted data element using the first encryption key to recover an original data element;
            obtaining a second encryption key;
            encrypting the original data element using the second encryption key; and
            modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;
        receive a data request for the encrypted data element;
        send the re-encrypted data element in response to receiving the data request;
        limit a bandwidth of a data channel used to send the re-encrypted data element; and
    wherein the metadata comprises an authentication token generated based on a current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.
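The rolling re-encryption and metadata token of claim 1, as an added Python example (not the patent's own implementation): the keyed table is the plurality of encryption keys, the entry carries the key index, wait period and token, and rotation only happens once the wait period has lapsed. It assumes an HMAC-SHA256 counter-mode keystream as a stdlib stand-in for a real AEAD such as AES-GCM, a separate token key, and a caller-supplied timestamp; the bandwidth limit on the response channel is not modelled.

```python
import hmac, hashlib, os
from dataclasses import dataclass

# Stand-in cipher (stdlib only): HMAC-SHA256 keystream in counter mode.
# A real engine would use an AEAD such as AES-GCM; this is an added example.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

@dataclass
class Entry:                 # the "encrypted data entry" of claim 1
    ciphertext: bytes        # encrypted data element (nonce || body)
    key_index: int           # metadata: index of the key currently in use
    wait_seconds: float      # metadata: encryption wait time period
    last_rotated: float      # when the element was last (re-)encrypted
    token: bytes             # metadata: authentication token

class EncryptionService:
    def __init__(self, keys: dict, token_key: bytes):
        self.keys = dict(keys)            # encryption key index -> key
        self.token_key = token_key        # assumed separate MAC key for tokens

    def _token(self, key_index, wait, ciphertext):
        # Token over key index, wait period and the whole ciphertext
        # ("at least a portion"): binds the metadata to the data it describes.
        msg = key_index.to_bytes(4, "big") + int(wait).to_bytes(4, "big") + ciphertext
        return hmac.new(self.token_key, msg, hashlib.sha256).digest()

    def encrypt(self, plaintext, key_index, wait, now):
        nonce = os.urandom(16)
        ct = nonce + _xor_stream(self.keys[key_index], nonce, plaintext)
        return Entry(ct, key_index, wait, now, self._token(key_index, wait, ct))

    def decrypt(self, e: Entry) -> bytes:
        expect = self._token(e.key_index, e.wait_seconds, e.ciphertext)
        if not hmac.compare_digest(e.token, expect):
            raise ValueError("authentication token mismatch")
        return _xor_stream(self.keys[e.key_index], e.ciphertext[:16], e.ciphertext[16:])

    def rotate_if_due(self, e: Entry, now: float) -> Entry:
        """Re-encrypt under a fresh key once the wait period has lapsed."""
        if now - e.last_rotated < e.wait_seconds:
            return e                        # not due yet; entry unchanged
        plaintext = self.decrypt(e)         # first key, found via first key index
        new_index = max(self.keys) + 1      # obtain a second key
        self.keys[new_index] = os.urandom(32)
        return self.encrypt(plaintext, new_index, e.wait_seconds, now)
```

A tampered key index, wait period or ciphertext fails the token check before any decryption is attempted.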
Abstract
An apparatus that includes a memory configured to store encryption keys and encrypted data entries. The apparatus further includes an encryption service engine configured to periodically re-encrypt the encrypted data element, which includes determining that an encryption wait time period has lapsed, obtaining a first encryption key using a first key index, and decrypting the encrypted data element using the first encryption key to recover the original data. The encryption service engine is further configured to obtain a second encryption key, encrypt the original data using the second encryption key, and modify the metadata linked with the encrypted data element with a second key index referencing the second encryption key. The encryption service engine is further configured to receive a data request for the encrypted data element, to send the encrypted data element, and to limit the bandwidth of a data channel used to send the encrypted data element.
17 Claims
7. A system comprising:
    a mix router configured to:
        receive an encryption key request identifying a first encryption key index for an encrypted data element from a network node;
        identify an encryption service device linked with the encrypted data element in response to receiving the encryption key request;
        send the encryption key request to the encryption service device;
        obtain an encryption key for the encrypted data; and
        send the encryption key for the encrypted data element to the network node in response to receiving the encrypted key; and
    the encryption service device in signal communication with the mix router, comprising:
        a memory configured to store:
            a plurality of encryption keys, wherein each encryption key is linked with an encryption key index;
            an encrypted data entry, wherein the encrypted data entry comprises the encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies:
                the first encryption key index referencing a first encryption key from the plurality of encryption keys, and an encryption wait time period; and
        an encryption service engine configured to:
            periodically re-encrypt the encrypted data element stored in the memory;
            receive the encryption key request;
            obtain the first encryption key from the memory using the first encryption key index in response to receiving the encryption key request;
            send the first encryption key to the mix router in response to obtaining the first encryption key from the memory;
            limit a bandwidth of a data channel used to send the first encryption key; and
    wherein the metadata comprises an authentication token generated based on a current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.
13. A method comprising:
    periodically re-encrypting, by an encryption service engine stored in a memory, an encrypted data element, comprising:
        accessing an encrypted data entry in the memory, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies:
            a first encryption key index referencing a first encryption key from a plurality of encryption keys, and an encryption wait time period;
        determining the encryption wait time period has lapsed;
        obtaining the first encryption key from the memory using the first encryption key index;
        decrypting the encrypted data element using the first encryption key to recover an original data element;
        obtaining a second encryption key;
        encrypting the original data element using the second encryption key; and
        modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;
    receiving, at the encryption service engine, a data request for the encrypted data element;
    sending, by the encryption service engine, the encrypted data element in response to receiving the data request;
    limiting, by the encryption service engine, a bandwidth of a data channel used to send the encrypted data element; and
    wherein the metadata comprises an authentication token generated based on a current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.