SYSTEMS AND METHODS FOR SECURING DATA USING MULTI-FACTOR OR KEYED DISPERSAL

US 20090177894A1
Filed: 01/07/2009
Published: 07/09/2009
Est. Priority Date: 01/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for securing a data set, the method comprising:

generating a session key;

encrypting the data set using the session key to produce an encrypted data set;

encrypting the session key with a shared workgroup key;

distributing unique portions of the encrypted session key into two or more session key shares;

distributing unique portions of the encrypted data set into two or more encrypted data set shares;

forming two or more user shares by combining at least one session key share and at least one encrypted data set share; and

storing the two or more user shares separately on at least one data depository, whereby the data set is restorable from at least two of the two or more user shares and the shared workgroup key.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths. A keyed information dispersal algorithm (keyed IDA) may also be used. The key for the keyed IDA may additionally be protected by an external workgroup key, resulting in a multi-factor secret sharing scheme.

250 Citations

20 Claims

1. A method for securing a data set, the method comprising:
- generating a session key;
  
  encrypting the data set using the session key to produce an encrypted data set;
  
  encrypting the session key with a shared workgroup key;
  
  distributing unique portions of the encrypted session key into two or more session key shares;
  
  distributing unique portions of the encrypted data set into two or more encrypted data set shares;
  
  forming two or more user shares by combining at least one session key share and at least one encrypted data set share; and
  
  storing the two or more user shares separately on at least one data depository, whereby the data set is restorable from at least two of the two or more user shares and the shared workgroup key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein at least one of distributing unique portions of the session key and distributing unique portions of the encrypted data set is performed using robust computational secret sharing (RCSS).
  - 3. The method of claim 1 wherein forming two or more user shares by combining at least one session key share and at least one encrypted data set share comprising interleaving the at least one session key share into the at least one encrypted data set share.
  - 4. The method of claim 1 wherein forming two or more user shares by combining at least one session key share and at least one encrypted data set share comprising inserting the at least one session key share into the at least one encrypted data set share at a location based at least in part on the shared workgroup key.
  - 5. The method of claim 1 wherein storing the two or more user shares separately on at least one data depository comprises storing the two or more user shares on different locations of the same data depository.
  - 6. The method of claim 1 wherein storing the two or more user shares separately on at least one data depository comprises storing the two or more user shares on different data depositories.
  - 7. The method of claim 1 wherein storing the two or more user shares separately on at least one data depository comprises storing the two or more user shares on different data depositories in different geographic locations.
  - 8. The method of claim 1 wherein distributing unique portions of the encrypted data set into two or more encrypted data set shares comprises:
    - generating, based at least in part on the session key, random or pseudo-random numbers;
      
      associating the random or pseudo-random numbers with the two or more encrypted data set shares;
      
      associating the random or pseudo-random numbers with units of data from the encrypted data set; and
      
      determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.
  - 9. The method of claim 8 wherein the units of data comprise bytes of data from the data set.
  - 10. The method of claim 8 wherein the units of data comprise bits of data from the data set.

11. An apparatus for securing a data set, the apparatus comprising:
- at least one data depository; and
  
  a user system configured to;
  
  generate a session key;
  
  encrypt the data set using the session key to produce an encrypted data set;
  
  encrypt the session key using a shared workgroup key;
  
  distribute unique portions of the encrypted session key into two or more session key shares;
  
  distribute unique portions of the encrypted data set into two or more encrypted data set shares;
  
  form two or more user shares by combining at least one session key share and at least one encrypted data set share; and
  
  store the two or more user shares separately on the at least one data depository, whereby the data set is restorable from at least two of the two or more user shares and the shared workgroup key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The apparatus of claim 11 wherein the user system is configured to distribute at least one of unique portions of the session key and unique portions of the encrypted data set using robust computational secret sharing (RCSS).
  - 13. The apparatus of claim 11 wherein the user system is configured to form the two or more user shares by interleaving the at least one session key share into the at least one encrypted data set share.
  - 14. The apparatus of claim 11 wherein the user system is configured to form two or more user shares by inserting the at least one session key share into the at least one encrypted data set share at a location based at least in part on the shared workgroup key.
  - 15. The apparatus of claim 11 wherein the user system is configured to store the two or more user shares separately on different locations of the same data depository.
  - 16. The apparatus of claim 11 wherein the user system is configured to store the two or more user shares separately on different data depositories.
  - 17. The apparatus of claim 11 wherein the user system is configured to store the two or more user shares separately on different data depositories in different geographic locations.
  - 18. The apparatus of claim 11 wherein the user system is configured to distribute unique portions of the encrypted data set into two or more encrypted data set shares by:
    - generating, based at least in part on the session key, random or pseudo-random numbers;
      
      associating the random or pseudo-random numbers with the two or more encrypted data set shares;
      
      associating the random or pseudo-random numbers with units of data from the encrypted data set; and
      
      determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.
  - 19. The apparatus of claim 18 wherein the units of data comprise bytes of data from the data set.

20. A machine-readable medium comprising machine program logic recorded thereon for:
- generating a session key;
  
  encrypting the data set using the session key to produce an encrypted data set;
  
  encrypting the session key with a shared workgroup key;
  
  distributing unique portions of the encrypted session key into two or more session key shares;
  
  distributing unique portions of the encrypted data set into two or more encrypted data set shares;
  
  forming two or more user shares by combining at least one session key share and at least one encrypted data set share; and
  
  storing the two or more user shares separately on at least one data depository, whereby the data set is restorable from at least two of the two or more user shares and the shared workgroup key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Bellare, Mihir, Rogaway, Phillip

Granted Patent

US 8,473,756 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

SYSTEMS AND METHODS FOR SECURING DATA USING MULTI-FACTOR OR KEYED DISPERSAL

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

250 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURING DATA USING MULTI-FACTOR OR KEYED DISPERSAL

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

250 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links