SECURE DATA HANDLING AND STORAGE

US 20170222804A1
Filed: 01/30/2017
Published: 08/03/2017
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a plurality of keys for unlocking an encryption engine, each key associated with a key holder;

combining at least a subset of the plurality of keys to generate a master key;

unlocking the encryption engine using the master key;

receiving, at the encryption engine on a continuous basis, encrypted data, the data encrypted using a first encryption key, the data comprising sensitive information for one or more users;

decrypting the encrypted data using the first encryption key; and

re-encrypting the decrypted data using a second encryption key, the second encryption key newer than the first encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatuses, methods, systems, and program products are disclosed for secure data handling and storage. A method includes receiving a plurality of keys for unlocking an encryption engine. Each key may be associated with a key holder. At least a subset of the plurality of keys are combined to generate a master key. An encryption engine is unlocked using the master key. Encrypted data is received at the encryption engine on a continuous basis. The encrypted data is encrypted using a first encryption key, and includes sensitive information for one or more users. The encrypted data is decrypted using the first encryption key. The decrypted data is re-encrypted using a second encryption key that is newer than the first encryption key.

Citations

20 Claims

1. A method comprising:
- receiving a plurality of keys for unlocking an encryption engine, each key associated with a key holder;
  
  combining at least a subset of the plurality of keys to generate a master key;
  
  unlocking the encryption engine using the master key;
  
  receiving, at the encryption engine on a continuous basis, encrypted data, the data encrypted using a first encryption key, the data comprising sensitive information for one or more users;
  
  decrypting the encrypted data using the first encryption key; and
  
  re-encrypting the decrypted data using a second encryption key, the second encryption key newer than the first encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising generating, on a consistent frequency, new encryption keys for re-encrypting the sensitive information, wherein a previously generated encryption key is expired in response to determining that the sensitive data is not encrypted with the previously generated encryption key.
  - 3. The method of claim 2, further comprising assigning an identifier to each encryption key, the identifier stored with the sensitive data and used to determine which encryption key was used to encrypt the sensitive information.
  - 4. The method of claim 2, wherein the frequency with which the new encryption keys are generated is determined as a function of how often the sensitive information is re-encrypted.
  - 5. The method of claim 1, further comprising using the master key to unlock a private key stored at the encryption engine, the encryption engine being unlocked in response to the private key being unlocked using the master key.
  - 6. The method of claim 1, further comprising disregarding the received encrypted data at the encryption engine in response to the encryption engine not being unlocked.
  - 7. The method of claim 1, further comprising locking the encryption engine in response to one or more of detecting changes in a configuration of the encryption engine and receiving a manual request to lock the encryption engine, the detected configuration changes comprising one or more of a change in network ports and a change in available backends used by the encryption engine.
  - 8. The method of claim 1, wherein the encrypted data comprises a plurality of records of a database, the database storing sensitive data for the one or more users.
  - 9. The method of claim 8, wherein receiving the records on a continuous basis comprises receiving each record of the plurality of records without a delay between each record.
  - 10. The method of claim 8, wherein receiving the records on a continuous basis comprises receiving the plurality of records at predefined time intervals, the predefined time intervals selected from the group consisting of seconds, minutes, hours, and days.
  - 11. The method of claim 1, wherein the encryption engine is one or more of unlocked when the encryption engine is initialized and unlocked in response to receiving a request to one or more of encrypt and decrypt data.
  - 12. The method of claim 1, wherein the first and second encryption keys are stored in a separate location from the encrypted data.
  - 13. The method of claim 1, wherein the sensitive information for a user comprises one or more of login credentials, passwords, shared secrets, financial information, and personal identifying information.

14. An apparatus comprising:
- a lock module that;
  
  receives a plurality of keys for unlocking an encryption engine, each key associated with a key holder;
  
  combines at least a subset of the plurality of keys to generate a master key;
  
  unlocks the encryption engine using the master key;
  
  a data module that receives, at the encryption engine on a continuous basis, encrypted data, the data encrypted using a first encryption key, the data comprising sensitive information for one or more users;
  
  a decryption module that decrypts the encrypted data using the first encryption key; and
  
  an encryption module that re-encrypts the decrypted data using a second encryption key, the second encryption key newer than the first encryption key.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, further comprising a key module that generates, on a consistent frequency, new encryption keys for re-encrypting the sensitive information, wherein a previously generated encryption key is expired in response to determining that the sensitive data is not encrypted with the previously generated encryption key.
  - 16. The apparatus of claim 15, further comprising an identifier module that assigns an identifier to each encryption key, the identifier stored with the sensitive data and used to determine which encryption key was used to encrypt the sensitive information
  - 17. The apparatus of claim 15, wherein the frequency with which the new encryption keys are generated is determined as a function of how often the sensitive information is re-encrypted.
  - 18. The apparatus of claim 14, wherein the lock module locks the encryption engine in response to one or more of detecting changes in a configuration of the encryption engine and receiving a manual request to lock the encryption engine, the detected configuration changes comprising one or more of a change in network ports and a change in available backends used by the encryption engine.
  - 19. The apparatus of claim 14, wherein the encrypted data comprises a plurality of records of a database, the database storing sensitive data for the one or more users, wherein receiving the records on a continuous basis comprises receiving each record of the plurality of records without a delay between each record.

20. A program product comprising a computer readable storage medium that stores code executable by a processor, the executable code comprising code to perform:
- receiving a plurality of keys for unlocking an encryption engine, each key associated with a key holder;
  
  combining at least a subset of the plurality of keys to generate a master key;
  
  unlocking the encryption engine using the master key;
  
  receiving, at the encryption engine on a continuous basis, encrypted data, the data encrypted using a first encryption key, the data comprising sensitive information for one or more users;
  
  decrypting the encrypted data using the first encryption key; and
  
  re-encrypting the decrypted data using a second encryption key, the second encryption key newer than the first encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MX Technologies Inc.
Original Assignee
MX Technologies Inc.
Inventors
Dewitt, Brandon, Hillary, Matt, Christensen, Devin, Atkinson, John, Lambson, George

Granted Patent

US 10,516,530 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04L 9/14   using a plurality of keys o...

SECURE DATA HANDLING AND STORAGE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE DATA HANDLING AND STORAGE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links