SYSTEMS AND METHODS FOR SECURE DATA SHARING

US 20120072723A1
Filed: 09/20/2011
Published: 03/22/2012
Est. Priority Date: 09/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method for encrypting a data file, comprising:

receiving a request to encrypt the data file;

retrieving a workgroup key associated with the data file;

retrieving unique information associated with the data file;

computing a hash value of the workgroup key;

combining the hash value of the workgroup key and the unique information to form a file-level key; and

encrypting the data file based on the file-level key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for creating and using a sharable file-level key to secure data files. The sharable file-level key is generated based on a workgroup key associated with the data file, as well as unique information associated with the data file. The sharable file-level key may be used to encrypt and split data using a Secure Parser. Systems and methods are also provided for sharing data without replicating the data on the machine of the end user. Data is encrypted and split across an external/consumer network and an enterprise/producer network. Access to the data is provided using a computing image generated by a server in the enterprise/producer network and then distributed to end users of the external/consumer network. This computing image may include preloaded files that provide pointers to the data that was encrypted and split. No access or replication of the data on the enterprise/producer network is needed in order for a user of the external/consumer network to access the data.

206 Citations

28 Claims

1. A method for encrypting a data file, comprising:
- receiving a request to encrypt the data file;
  
  retrieving a workgroup key associated with the data file;
  
  retrieving unique information associated with the data file;
  
  computing a hash value of the workgroup key;
  
  combining the hash value of the workgroup key and the unique information to form a file-level key; and
  
  encrypting the data file based on the file-level key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the workgroup key does not contain the unique information associated with the data file.
  - 3. The method of claim 1, wherein retrieving unique information associated with the data file comprises retrieving at least one of:
    - a name of the data file, a time and date the data file was created, a time the data file was last modified, a pointer to the location of the data file within the file system of a storage device, a size of the data file, and a type associated with the data file.
  - 4. The method of claim 1, wherein retrieving unique information associated with the data file further comprises accessing an attribute of the data file without accessing any data within the data file.
  - 5. The method of claim 1, further comprising computing a hash value of the unique information associated with the data file.
  - 6. The method of claim 1, wherein combining the hash value of the workgroup key and the unique information further comprises jumbling the hash value of the workgroup key and the unique information based on a random session key.
  - 7. The method of claim 1, wherein encrypting the data file based on the file-level key further comprises:
    - encrypting the data file using the file-level key and the workgroup key;
      
      generating a random or pseudo-random value;
      
      distributing, based, at least in part, on the random or pseudorandom value, encrypted data of the encrypted data file into two or more shares; and
      
      storing the two or more shares separately on at least one data depository.
  - 8. The method of claim 1, further comprising:
    - receiving a request from an entity to access the encrypted data file, wherein the entity is not a member of a workgroup associated with the workgroup key; and
      
      sharing the file-level key with the entity.

9. A system for encrypting a data file, the comprising a processor configured to:
- receive a request to encrypt the data file;
  
  retrieve a workgroup key associated with the data file;
  
  retrieve unique information associated with the data file;
  
  compute a hash value of the workgroup key;
  
  combine the hash value of the workgroup key and the unique information to form a file-level key; and
  
  encrypt the data file based on the file-level key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the workgroup key does not contain the unique information associated with the data file.
  - 11. The system of claim 9, wherein the processor is further configured to retrieve unique information associated with the data file by retrieving at least one of:
    - a name of the data file, a time and date the data file was created, a time the data file was last modified, a pointer to the location of the data file within the file system of a storage device, a size of the data file, and a type associated with the data file.
  - 12. The system of claim 9, wherein the processor is further configured to retrieve unique information associated with the data file by accessing an attribute of the data file without accessing any data within the data file.
  - 13. The system of claim 9, wherein the processor is further configured to compute a hash value of the unique information associated with the data file.
  - 14. The system of claim 9, wherein the processor is further configured to combine the hash value of the workgroup key and the unique information further by jumbling the hash value of the workgroup key and the unique information based on a random session key.
  - 15. The system of claim 9, wherein the processor is further configured to encrypt the data file based on the file-level key further by:
    - encrypting the data file using the file-level key and the workgroup key;
      
      generating a random or pseudo-random value;
      
      distributing, based at least in part on the random or pseudorandom value, the encrypted data of the encrypted data file into two or more shares; and
      
      storing the two or more shares separately on at least one data depository.
  - 16. The system of claim 9, wherein the processor is further configured to:
    - receive a request from an entity to access the encrypted data file, wherein the entity is not a member of a workgroup associated with the workgroup key; and
      
      share the file-level key with the entity.

17. A method for securely sharing a data set, comprising:
- encrypting the data set using at least one cryptographic key;
  
  generating a random or pseudo-random valuedistributing, based at least in part on the random or pseudorandom value, the encrypted data in the data set into two or more shares;
  
  distributing the two or more data shares across at least one consumer storage location and at least one enterprise storage location;
  
  generating permissions associated with the data set;
  
  generating a computing image;
  
  distributing the computing image to users associated with the at least one consumer storage location; and
  
  using the computing image, providing access to the data set based on the permissions.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method of claim 17, wherein generating the computing image further comprises generating a virtual machine image comprising preloaded stub files, wherein the preloaded stub files provide pointers to the two or more data shares.
  - 19. The method of claim 17, further comprising generating stub files independently of generating the computing image, wherein the stub files provide pointers to the two or more data shares.
  - 20. The method of claim 17, wherein distributing the computing image comprises physically distributing the computing image to at least one end user of the at least one consumer storage location.
  - 21. The method of claim 17, wherein distributing the computing image comprises distributing the computing image across a network to at least one end user of the at least one consumer storage location.
  - 22. The method of claim 17, wherein the computing image provides access to the data set independent of reconstructing the data set from the two or more data shares.

23. A system for securely sharing a data set, the system comprising a server configured to:
- encrypt the data set using at least one cryptographic stored on a key manager;
  
  generate a random or pseudo-random valuedistribute, based, at least in part, on the random or pseudorandom value, encrypted data in the data set into two or more shares;
  
  distribute the two or more data shares across at least one consumer storage location and at least one enterprise storage location;
  
  generate permissions associated with the data set;
  
  generate a computing image;
  
  distribute the computing image to users associated with the at least one consumer storage location; and
  
  using the computing image, provide access to the data set based on the permissions.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The system of claim 23, wherein the server is configured to generate the computing image by generating a virtual machine image comprising preloaded stub files, wherein the preloaded stub files provide pointers to the two or more data shares.
  - 25. The system of claim 23, wherein the server is further configured to generate stub files independently of generating the computing image, wherein the stub files provide pointers to the two or more data shares.
  - 26. The system of claim 23, wherein the server is configured to distribute the computing image by physically distributing the computing image to at least one end user of the at least one consumer storage location.
  - 27. The system of claim 23, wherein the server is configured to distribute the computing image by distributing the computing image across a network to at least one end user of the at least one consumer storage location.
  - 28. The system of claim 23, wherein the computing image provides access to the data set independent of reconstructing the data set from the two or more data shares.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
Orsini, Rick L., O'Hare, Mark S., Landau, Gabriel D., Staker, Matthew, Yakamovich, William

Granted Patent

US 8,769,270 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3268   using certificate validatio...

SYSTEMS AND METHODS FOR SECURE DATA SHARING

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURE DATA SHARING

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links