Secure data handling and storage

US 10,516,530 B2
Filed: 01/30/2017
Issued: 12/24/2019
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request from an aggregation server to access encrypted credential information for a user, the aggregation server aggregating financial data from one or more financial institutions where a user has an account using the encrypted credential information;

determining whether the aggregation server is authorized to communicate with an encryption engine that is used to encrypt the credential information for the user by cross-referencing one or more tokens issued to the aggregation server with one or more predefined tokens designated as allowed tokens;

receiving, in response to determining that the aggregation server is authorized to communicate with the encryption engine, a plurality of keys for unlocking the encryption engine, each key associated with a key holder;

combining at least a subset of the plurality of keys to generate a master key, the subset comprising at least two keys of the plurality of keys;

unlocking the encryption engine using the master key;

receiving, at the encryption engine, the encrypted credential information for accessing the user'"'"'s accounts at the plurality of financial institutions, the credential information encrypted using a first encryption key;

decrypting the encrypted credential information using the first encryption key, the decrypted credential information transmitted to the aggregation server for accessing the one or more financial institutions where the user has an account; and

re-encrypting the decrypted credential information using a second encryption key, the second encryption key newer than the first encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatuses, methods, systems, and program products are disclosed for secure data handling and storage. A method includes receiving a plurality of keys for unlocking an encryption engine. Each key may be associated with a key holder. At least a subset of the plurality of keys are combined to generate a master key. An encryption engine is unlocked using the master key. Encrypted data is received at the encryption engine on a continuous basis. The encrypted data is encrypted using a first encryption key, and includes sensitive information for one or more users. The encrypted data is decrypted using the first encryption key. The decrypted data is re-encrypted using a second encryption key that is newer than the first encryption key.

10 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a request from an aggregation server to access encrypted credential information for a user, the aggregation server aggregating financial data from one or more financial institutions where a user has an account using the encrypted credential information;
  
  determining whether the aggregation server is authorized to communicate with an encryption engine that is used to encrypt the credential information for the user by cross-referencing one or more tokens issued to the aggregation server with one or more predefined tokens designated as allowed tokens;
  
  receiving, in response to determining that the aggregation server is authorized to communicate with the encryption engine, a plurality of keys for unlocking the encryption engine, each key associated with a key holder;
  
  combining at least a subset of the plurality of keys to generate a master key, the subset comprising at least two keys of the plurality of keys;
  
  unlocking the encryption engine using the master key;
  
  receiving, at the encryption engine, the encrypted credential information for accessing the user'"'"'s accounts at the plurality of financial institutions, the credential information encrypted using a first encryption key;
  
  decrypting the encrypted credential information using the first encryption key, the decrypted credential information transmitted to the aggregation server for accessing the one or more financial institutions where the user has an account; and
  
  re-encrypting the decrypted credential information using a second encryption key, the second encryption key newer than the first encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising generating, on a consistent frequency, new encryption keys for re-encrypting the credential information, wherein a previously generated encryption key is expired in response to determining that the credential information is not encrypted with the previously generated encryption key.
  - 3. The method of claim 2, further comprising assigning an identifier to each encryption key, the identifier stored with the credential information and used to determine which encryption key was used to encrypt the credential information.
  - 4. The method of claim 2, wherein the frequency with which the new encryption keys are generated is determined as a function of how often the credential information is re-encrypted.
  - 5. The method of claim 1, further comprising using the master key to unlock a private key stored at the encryption engine, the encryption engine being unlocked in response to the private key being unlocked using the master key.
  - 6. The method of claim 1, further comprising disregarding the received encrypted credential information at the encryption engine in response to the encryption engine not being unlocked.
  - 7. The method of claim 1, further comprising locking the encryption engine in response to one or more of detecting changes in a configuration of the encryption engine and receiving a manual request to lock the encryption engine, the detected configuration changes comprising one or more of a change in network ports and a change in available backends used by the encryption engine.
  - 8. The method of claim 1, wherein the encrypted credential information comprises a plurality of records of a database, the database storing sensitive data for the one or more users.
  - 9. The method of claim 8, further comprising receiving the records on a continuous basis by receiving each record of the plurality of records without a delay between each record.
  - 10. The method of claim 8, further comprising receiving the records on a continuous basis by receiving the plurality of records at predefined time intervals, the predefined time intervals selected from the group consisting of seconds, minutes, hours, and days.
  - 11. The method of claim 1, wherein the encryption engine is one or more of unlocked when the encryption engine is initialized and unlocked in response to receiving a request to one or more of encrypt and decrypt data.
  - 12. The method of claim 1, wherein the first and second encryption keys are stored in a separate location from the encrypted credential information.
  - 13. The method of claim 1, wherein the credential information for a user comprises one or more of login credentials, passwords, shared secrets, financial information, and personal identifying information.

14. An apparatus comprising:
- a lock module that;
  
  receives a request from an aggregation server to access encrypted credential information for a user, the aggregation server aggregating financial data from one or more financial institutions where a user has an account using the encrypted credential information;
  
  determines, at an encryption engine, whether the aggregation server is authorized to communicate with the encryption engine that is used to encrypt the credential information for the user by cross-referencing one or more tokens issued to the aggregation server with one or more predefined tokens designated as allowed tokens;
  
  receives, in response to determining that the aggregation server is authorized to communicate with the encryption engine, a plurality of keys for unlocking the encryption engine, each key associated with a key holder;
  
  combines at least a subset of the plurality of keys to generate a master key, the subset comprising at least two keys of the plurality of keys;
  
  unlocks the encryption engine using the master key;
  
  a data module that receives, at the encryption engine, the encrypted credential information for accessing the user'"'"'s accounts at the plurality of financial institutions, the credential information encrypted using a first encryption key;
  
  a decryption module that decrypts the encrypted credential information using the first encryption key, the decrypted credential information transmitted to the aggregation server for accessing the one or more financial institutions where the user has an account; and
  
  an encryption module that re-encrypts the decrypted credential information using a second encryption key, the second encryption key newer than the first encryption key.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, further comprising a key module that generates, on a consistent frequency, new encryption keys for re-encrypting the credential information, wherein a previously generated encryption key is expired in response to determining that the credential information is not encrypted with the previously generated encryption key.
  - 16. The apparatus of claim 15, further comprising an identifier module that assigns an identifier to each encryption key, the identifier stored with the credential data and used to determine which encryption key was used to encrypt the credential information.
  - 17. The apparatus of claim 15, wherein the frequency with which the new encryption keys are generated is determined as a function of how often the credential information is re-encrypted.
  - 18. The apparatus of claim 14, wherein the lock module locks the encryption engine in response to one or more of detecting changes in a configuration of the encryption engine and receiving a manual request to lock the encryption engine, the detected configuration changes comprising one or more of a change in network ports and a change in available backends used by the encryption engine.
  - 19. The apparatus of claim 14, wherein the encrypted credential information comprises a plurality of records of a database, the database storing credential information for the one or more users, wherein receiving the records on a continuous basis comprises receiving each record of the plurality of records without a delay between each record.

20. A program product comprising a computer readable storage medium that stores code executable by a processor, the executable code comprising code to perform:
- receiving a request from an aggregation server to access encrypted credential information for a user, the aggregation server aggregating financial data from one or more financial institutions where a user has an account using the encrypted credential information;
  
  determining whether the aggregation server is authorized to communicate with an encryption engine that is used to encrypt the credential information for the user by cross-referencing one or more tokens issued to the aggregation server with one or more predefined tokens designated as allowed tokens;
  
  receiving, in response to determining that the aggregation server is authorized to communicate with the encryption engine, a plurality of keys for unlocking the encryption engine, each key associated with a key holder;
  
  combining at least a subset of the plurality of keys to generate a master key, the subset comprising at least two keys of the plurality of keys;
  
  unlocking the encryption engine using the master key;
  
  receiving, at the encryption engine, the encrypted credential information for accessing the user'"'"'s accounts at the plurality of financial institutions, the credential information encrypted using a first encryption key;
  
  decrypting the encrypted credential information using the first encryption key, the decrypted credential information transmitted to the aggregation server for accessing the one or more financial institutions where the user has an account; and
  
  re-encrypting the decrypted credential information using a second encryption key, the second encryption key newer than the first encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MX Technologies Inc.
Original Assignee
MX Technologies Inc.
Inventors
Dewitt, Brandon, Hillary, Matt, Christensen, Devin, Atkinson, John, Lambson, George
Primary Examiner(s)
Leung, Robert B

Application Number

US15/420,026
Publication Number

US 20170222804A1
Time in Patent Office

1,058 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04L 9/14   using a plurality of keys o...

Secure data handling and storage

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data handling and storage

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links