SYSTEMS AND METHODS FOR SECURING DATA IN MOTION

US 20110246766A1
Filed: 03/31/2011
Published: 10/06/2011
Est. Priority Date: 03/31/2010
Status: Active Grant

First Claim

Patent Images

1. A method for rebuilding a set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, the method comprising:

receiving at least a minimum number of data shares necessary for rebuilding the set of data shares; and

rebuilding the set of data shares from the minimum number of data shares without decrypting the minimum number of data shares.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods of the present invention provide a solution that makes data provably secure and accessible—addressing data security at the bit level—thereby eliminating the need for multiple perimeter hardware and software technologies. Data security is incorporated or weaved directly into the data at the bit level. The systems and methods of the present invention enable enterprise communities of interest to leverage a common enterprise infrastructure. Because security is already woven into the data, this common infrastructure can be used without compromising data security and access control. In some applications, data is authenticated, encrypted, and parsed or split into multiple shares prior to being sent to multiple locations, e.g., a private or public cloud. The data is hidden while in transit to the storage location, and is inaccessible to users who do not have the correct credentials for access.

Citations

54 Claims

1. A method for rebuilding a set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, the method comprising:
- receiving at least a minimum number of data shares necessary for rebuilding the set of data shares; and
  
  rebuilding the set of data shares from the minimum number of data shares without decrypting the minimum number of data shares.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the rebuilding is performed in response to a determination that one or more of the data shares have been compromised.
  - 3. The method of claim 1, further comprising storing at least one of the rebuilt data shares on a storage network.
  - 4. The method of claim 3, wherein the storage network includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.
  - 5. The method of claim 1, wherein rebuilding includes:
    - authenticating the minimum number of data shares with an authentication key;
      
      reconstructing the encrypted data from the authenticated minimum number of data shares using the split key;
      
      regenerating the set of data shares by splitting the encrypted data using the split key.

6. A method for rekeying a set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first encryption key, the method comprising:
- receiving at least a minimum number of data shares necessary for rebuilding the set of data shares;
  
  associating the minimum number of data shares with a first authentication key;
  
  rebuilding the set of data shares from the minimum number of data shares without decrypting the minimum number of data shares; and
  
  rekeying the rebuilt set of data shares by associating the rebuilt set of data shares with a second encryption key.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, further comprising:
    - retrieving headers associated with the minimum number of data shares;
      
      extracting a key encryption key from the retrieved headers;
      
      encrypting the second encryption key with the key encryption key; and
      
      storing the encrypted second authentication key within the headers of the rekeyed data shares.
  - 8. The method of claim 6, further comprising storing at least one of the rekeyed data shares on a storage network.
  - 9. The method of claim 8, wherein the storage network includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.

10. A method for rekeying a set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, the method comprising:
- receiving at least a minimum number of data shares necessary for rekeying the set of data shares;
  
  rebuilding the set of data shares from the minimum number of data shares without decrypting the minimum number of data shares; and
  
  rekeying the rebuilt set of data shares by associating the rebuilt set of data shares with a second split key.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10, further comprising:
    - retrieving headers associated with the minimum number of data shares;
      
      extracting a key encryption key from the retrieved headers;
      
      encrypting the second split key with the key encryption key; and
      
      storing the encrypted second split key within the headers of the rekeyed data shares.
  - 12. The method of claim 10, further comprising storing at least one of the rekeyed data shares on a storage network.
  - 13. The method of claim 11, wherein the storage network includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.

14. A method for associating stubs with a set of data shares on the file system of a storage network, the method comprisinggenerating the set of data shares from an encrypted data set by an information dispersal algorithm;
- generating a set of stubs associated with the generated data shares, wherein each stub corresponds to a respective data share, and wherein each stub includes information associated with the respective data share; and
  
  storing the set of stubs in a location on the storage network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14, wherein the information includes one of the name of the respective data share, a date the respective data share was created, a time at which the respective data share was last modified, a pointer to the location of the respective data share within the file system
  - 16. The method of claim 14, wherein the storage network includes one or more storage devices associated with one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.
  - 17. The method of claim 14, further comprising:
    - receiving a command to view the information associated with the generated data shares;
      
      retrieving the stubs from the location on the storage network;
      
      extracting the information from the stubs to create a file system of data shares; and
      
      displaying the file system of data shares.
  - 18. The method of claim 14, wherein the stubs are stored within the headers of the generated data shares, and wherein retrieving includes retrieving the headers of the generated data shares.
  - 19. The method of claim 18, wherein less than all of the headers are retrieved.
  - 20. The method of claim 14, wherein the stubs are stored in a stub directory, and wherein retrieving includes retrieving the stubs from the stub directory.
  - 21. The method of claim 14, further comprising:
    - receiving an indication of a virtual directory or a physical directory in the storage network in which to store the stubs.
  - 22. The method of claim 21, wherein the indication is received from a user.

23. A coprocessor acceleration device for acceleration of secure data processing, comprising:
- a memory for storing data;
  
  a main processor coupled to the memory; and
  
  a coprocessor coupled to the main processor and the memory configured to perform dedicated secure parsing functions including at least one of encrypting data, splitting data, and decrypting data.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The device of claim 23, wherein splitting data includes the use of an information dispersal algorithm (IDA).
  - 25. The device of claim 23, further comprising a field programmable gate array coupled to the coprocessor.
  - 26. The device of claim 25, wherein the FPGA performs at least one of encrypting the parsed data, or decrypting encrypted data
  - 27. The device of claim 23, wherein the coprocessor is coupled to the main processor via a PCIe bus.
  - 28. The device of claim 23, wherein the coprocessor is coupled to the main processor via an HT bus.
  - 29. The device of claim 23, wherein the memory includes a dedicated memory for the main processor.
  - 30. The device of claim 23, wherein the memory includes a dedicated memory for the coprocessor.
  - 31. The device of claim 23, wherein the coprocessor is a redundant array of independent disks (RAID) processing unit that implements one or more RAID functions.

32. A method for securing data using a portable device, the method comprising:
- generating at least two portions of data from a set of data based at least in part on a key, wherein the at least two portions of data and the key are sufficient to reconstruct the set of data; and
  
  storing the key on the portable device.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The method of claim 32, wherein the portable device is a removable storage device.
  - 34. The method of claim 33, wherein the removable storage device couples to an end user device via a Universal Serial Bus (USB) interface.
  - 35. The method of claim 32, further comprising storing at least one of the generated data portions on the portable device.
  - 36. The method of claim 32, wherein the key is one of an encryption key, a split key and an authentication key.
  - 37. The method of claim 32, wherein the at least two portions of data are generated using an information dispersal algorithm (IDA) and a split key associated with the IDA.

38. A method for securing data using a portable device, the method comprising:
- generating at least two portions of data from a set of data based at least in part on a key, wherein the at least two portions of data and the key are sufficient to reconstruct the set of data; and
  
  storing at least one of the generated data portions on the portable device.
- View Dependent Claims (39, 40, 41, 42, 43)
- - 39. The method of claim 38, wherein the portable device is a removable storage device.
  - 40. The method of claim 39, wherein the removable storage device couples to an end user device via a Universal Serial Bus (USB) interface.
  - 41. The method of claim 38, further comprising storing the key on the portable device.
  - 42. The method of claim 38, wherein the key is one of an encryption key, a split key and an authentication key.
  - 43. The method of claim 38, wherein the at least two portions of data are generated using an information dispersal algorithm (IDA) and a split key associated with the IDA.

44. A method for securing the file name of a file to be split and stored on a storage network, the method comprising:
- processing the file name of the file using an authentication algorithm to obtain an authentication value; and
  
  retrieving the data shares corresponding to the file by searching the share locations on the storage network for file names of data shares with authentication values that match the authentication value of the file.
- View Dependent Claims (45, 46, 47, 48, 49)
- - 45. The method of claim 44, further comprising:
    - generating one or more data shares associated with the authenticated file name using an information dispersal algorithm; and
      
      storing the generated data shares on one or more data share locations in the storage network.
  - 46. The method of claim 44, wherein the storage network includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.
  - 47. The method of claim 44, wherein the authentication algorithm is an HMAC-SHA256 algorithm.
  - 48. The method of claim 44, further comprising appending additional information to the file name of the file prior to the processing.
  - 49. The method of claim 48, wherein the additional information includes a number associated with a data share location.

50. A method for securing the file name of a file to be split and stored on a storage network, the method comprising:
- encrypting the file name of the file using an encryption algorithm;
  
  generating one or more data shares associated with the encrypted file name using an information dispersal algorithm;
  
  storing the generated data shares on one or more data share locations in the storage network; and
  
  regenerating the file name of the file by decrypting the file name of one of the generated data shares.
- View Dependent Claims (51, 52, 53, 54)
- - 51. The method of claim 50, wherein the storage network includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.
  - 52. The method of claim 50, wherein the encryption algorithm is an AES algorithm.
  - 53. The method of claim 50, further comprising appending additional information to the file name of the file prior to the encrypting.
  - 54. The method of claim 53, wherein the additional information includes a number associated with a data share location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L.

Granted Patent

US 9,443,097 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/160
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 11/182   based on mutual exchange of...

G06F 11/2094   Redundant storage or storag...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/72   in cryptographic circuits

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 67/1097   for distributed storage of ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

SYSTEMS AND METHODS FOR SECURING DATA IN MOTION

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURING DATA IN MOTION

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links