Secure self managed data (SSMD)

US 8,565,436 B2
Filed: 03/31/2009
Issued: 10/22/2013
Est. Priority Date: 12/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method for securing data, the method comprising:

assigning a classification level to the data;

assigning a unique identification (ID) to the data;

assigning an expiration period to the data;

obtaining a master application key for encryption from a key site, wherein the master application key is specific to a user application;

the master application key is encrypted using a master key seal key; and

the encrypted master application key is broken into multiple parts that are stored separately;

generating a main secure self-managed data (SSMD) key using the unique ID and the master application key, wherein the generated main SSMD key is never stored anywhere and is not shared; and

encoding the data, unique ID, expiration period, and data classification level using the generated main SSMD key that is never stored anywhere and is not shared, wherein the encoded data and encoded unique ID, expiration period, and data classification level form an SSMD encoded data, wherein;

the generated SSMD key that is not stored anywhere and is not shared is used to decode the SSMD encoded data, including decoding the data classification level of the SSMD encoded data included in the SSMD encoded data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, according to one embodiment, includes a master key for encryption of data; an encryption key site accessible by computer and storing a first piece of the master key; a configuration file resident in a computer file system, the configuration file storing a second piece of the master key; a computer database storing a third piece of the master key; a master-key seal key used to encrypt the master key, wherein a secure self managed data (SSMD) key is obtained by assembling and decrypting the first piece, the second piece and the third piece using the master-key seal key; a unique ID for the data; a classification level for the data; and an expiration time for the data, wherein the data, the unique ID, the classification level, and the expiration time are encrypted together using the SSMD key to form an SSMD encoded data.

Citations

20 Claims

1. A method for securing data, the method comprising:
- assigning a classification level to the data;
  
  assigning a unique identification (ID) to the data;
  
  assigning an expiration period to the data;
  
  obtaining a master application key for encryption from a key site, wherein the master application key is specific to a user application;
  
  the master application key is encrypted using a master key seal key; and
  
  the encrypted master application key is broken into multiple parts that are stored separately;
  
  generating a main secure self-managed data (SSMD) key using the unique ID and the master application key, wherein the generated main SSMD key is never stored anywhere and is not shared; and
  
  encoding the data, unique ID, expiration period, and data classification level using the generated main SSMD key that is never stored anywhere and is not shared, wherein the encoded data and encoded unique ID, expiration period, and data classification level form an SSMD encoded data, wherein;
  
  the generated SSMD key that is not stored anywhere and is not shared is used to decode the SSMD encoded data, including decoding the data classification level of the SSMD encoded data included in the SSMD encoded data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - forming an external object including at least one of an expiration date for the data and the classification level for the data, whereinthe external object is appended to the SSMD encoded data.
  - 3. The method of claim 1, wherein:
    - a user application provides the data; and
      
      the user application stores the SSMD encoded data.
  - 4. The method of claim 1, wherein:
    - a user application provides the data; and
      
      the SSMD encoded data and an appended external object is returned to the user application.
  - 5. The method of claim 1, wherein encoding the data, unique ID, expiration period, and data classification level to form an SSMD encoded data comprises:
    - creating a unique data encryption key from the master application key and the unique ID;
      
      encrypting the data using the unique data encryption key;
      
      creating a data behavior object using a creation time and the expiration period, the classification level, and the unique ID;
      
      obtaining an SSMD master encryption key from a key site;
      
      generating a unique behavior encryption key from the unique ID and the S SMD master encryption key;
      
      using the unique behavior encryption key to encrypt the data behavior object together with the already-encrypted data, encrypted using the unique data encryption key; and
      
      forming the SSMD encoded data from the encrypted data behavior object and doubly encrypted data.
  - 6. The method of claim 5, wherein the data behavior object includes an SSMD tag identifier.
  - 7. The method of claim 2, wherein:
    - the external object includes the expiration time for the data; and
      
      the expiration time for the data is accessible from the external object without decryption.
  - 8. The method of claim 2, wherein:
    - the external object includes the classification level for the data; and
      
      the classification level for the data is accessible from the external object without decryption.

9. A method for accessing secure data by an application, the method comprising:
- obtaining a classification level of an identity associated with the application;
  
  obtaining a secure self-managed data (SSMD) encoded data and a unique ID associated with the SSMD encoded data;
  
  obtaining a master application key for encryption from a key site, wherein;
  
  the master application key is specific to the application;
  
  the master application key is encrypted using a master key seal key; and
  
  the encrypted master application key is broken into multiple parts that are stored separately;
  
  generating an SSMD key using the unique ID and the master application key, wherein the generated SSMD key is not stored anywhere and is not shared;
  
  using the generated SSMD key that is not stored anywhere and is not shared to decode the SSMD encoded data, including decoding a classification level of the SSMD encoded data included in the SSMD encoded data, wherein;
  
  the data unique ID, expiration period, and data classification level were encoded using the generated main SSMD key that is never stored anywhere and is not shared, andreturning the decoded SSMD encoded data to the application if the data has not expired and the classification level of the identity associated with the application subsumes the classification level of the SSMD encoded data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein decoding the SSMD encoded data further comprises:
    - obtaining an SSMD master encryption key from a key site;
      
      generating a behavior decryption key from the unique ID and the SSMD master encryption key;
      
      using the behavior decryption key to decrypt the SSMD encoded data; and
      
      obtaining a data behavior object from the decrypted SSMD encoded data.
  - 11. The method of claim 10, wherein decoding the SSMD encoded data further comprises:
    - using the data behavior object obtained from the decrypted SSMD encoded data to check the classification level of the identity associated with the application against the classification level of the data;
      
      using the data behavior object obtained from the decrypted SSMD encoded data to check an expiration time of the data against a current time to determine if the data has not expired; and
      
      returning an exception to the application if either check fails.
  - 12. The method of claim 9, wherein decoding the SSMD encoded data further comprises:
    - creating a data decryption key from the master application key and the unique ID;
      
      decrypting the data using the data decryption key; and
      
      returning the decrypted data to the application.
  - 13. The method of claim 9, wherein:
    - an external data object is appended to the SSMD encoded data; and
      
      the application checks the external data object without decryption to determine if SSMD encoded data has expired.
  - 14. The method of claim 10, wherein the data behavior object includes an SSMD tag identifier.
  - 15. The method of claim 13, wherein:
    - the external object includes the expiration time for the data; and
      
      the expiration time for the data is accessible from the external object without decryption.
  - 16. The method of claim 13, wherein:
    - the external object includes the classification level for the data; and
      
      the classification level for the data is accessible from the external object without decryption.

17. A system comprising:
- a memory for storing computer readable and executable instructions for execution by one or more processors; and
  
  one or more processors configured forassigning a classification level to the data;
  
  assigning a unique identification (ID) to the data;
  
  assigning an expiration period to the data;
  
  obtaining a master application key for encryption from a key site, wherein;
  
  the master application key is specific to a user application;
  
  the master application key is encrypted using a master key seal key;
  
  the encrypted master application key is broken into multiple parts that are stored separately;
  
  generating a main secure self-managed data (SSMD) key using the unique ID and the master application key, wherein the generated main SSMD key is never stored anywhere and is not shared; and
  
  encoding the data, unique ID, expiration period, and data classification level using the generated main SSMD key that is never stored anywhere and is not shared, wherein the encoded data and encoded unique ID, expiration period, and data classification level form an SSMD encoded data; and
  
  decoding the SSMD encoded data using the generated SSMD key that is stored anywhere and is not shared, including decoding a classification level of the SSMD encoded data included in the SSMD encoded data.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the one or more processors are further configured for:
    - forming an external object including at least one of an expiration date for the data and the classification level for the data, whereinthe external object is appended to the SSMD encoded data.
  - 19. The system of claim 18, wherein:
    - the external object includes the expiration time for the data; and
      
      the expiration time for the data is accessible from the external object without decryption.
  - 20. The system of claim 18, wherein:
    - the external object includes the classification level for the data; and
      
      the classification level for the data is accessible from the external object without decryption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
eBay Inc.
Inventors
Mansour, Rasta A., Nahari, Hadi
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
TRAN, TRI MINH

Application Number

US12/415,355
Publication Number

US 20100150352A1
Time in Patent Office

1,666 Days
Field of Search

380/44, 380/45, 380/278, 380/279, 380/281, 380/282, 380/285
US Class Current

380/281
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 9/003   for power analysis, e.g. di...

H04L 9/088   Usage controlling of secret...

Secure self managed data (SSMD)

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure self managed data (SSMD)

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links