Systems and methods for securing data in motion

US 8,745,379 B2
Filed: 08/20/2012
Issued: 06/03/2014
Est. Priority Date: 11/25/2009
Status: Active Grant

First Claim

Patent Images

1. A method for computing at least one shared encryption key, the method comprising:

generating original secret information;

obtaining public keys from unique certificate authorities;

dispersing the secret information into shares;

encrypting each one of the shares based on, at least in part, the public key of a different one of the unique certificate authorities, wherein the shares are restorable from at least a subset of the shares by recombining at least a threshold number of the shares, wherein the threshold number of shares includes fewer than all of the shares;

computing a first shared encryption key based on a set of substantially random numbers and the original secret information;

recombining the at least a threshold number of the shares; and

computing a second shared encryption key based on the set of substantially random numbers and the recombined shares.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Two approaches are provided for distributing trust among a set of certificate authorities. Each approach may be used to secure data in motion. One approach provides methods and systems in which the secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself.

Citations

14 Claims

1. A method for computing at least one shared encryption key, the method comprising:
- generating original secret information;
  
  obtaining public keys from unique certificate authorities;
  
  dispersing the secret information into shares;
  
  encrypting each one of the shares based on, at least in part, the public key of a different one of the unique certificate authorities, wherein the shares are restorable from at least a subset of the shares by recombining at least a threshold number of the shares, wherein the threshold number of shares includes fewer than all of the shares;
  
  computing a first shared encryption key based on a set of substantially random numbers and the original secret information;
  
  recombining the at least a threshold number of the shares; and
  
  computing a second shared encryption key based on the set of substantially random numbers and the recombined shares.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprisingtransmitting data based on the recombined shares.
  - 3. The method of claim 1, further comprising:
    - comparing the first and second shared encryption key;
      
      determining whether to transmit data based on the comparison; and
      
      transmitting data based on the determination.
  - 4. The method of claim 1, further comprising encrypting each one of the shares based on a keywrap.
  - 5. The method of claim 4, wherein the keywrap is based on a workgroup key.
  - 6. The method of claim 1, further comprising:
    - generating a certificate authority hierarchy, wherein the certificate authority hierarchy comprises root certificate authorities; and
      
      encrypting each one of the shares based on a certificate issued by a unique root certificate authority of the certificate authority hierarchy.

7. A system for computing at least one shared encryption key, the system comprising:
- first processing circuitry configured to;
  
  generate original secret information;
  
  obtain public keys from unique certificate authorities;
  
  disperse the secret information into shares;
  
  compute a first shared encryption key based on a set of substantially random numbers and the original secret information; and
  
  encrypt each one of the shares based on the public key of a different one of the unique certificate authorities, wherein the shares are restorable from at least a subset of the shares by recombining at least a threshold number of the shares, wherein the threshold number of shares includes fewer than all of the shares; and
  
  second processing circuitry configured to;
  
  recombine the at least a threshold of the shares; and
  
  compute a second shared encryption key based on the set of substantially random numbers and the recombined shares.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The system of claim 7, wherein the second processing circuitry is further configured to transmit data based on the recombined shares.
  - 9. The system of claim 7, wherein the second processing circuitry is further configured to:
    - compare the first and second shared encryption key;
      
      determine whether to transmit data based on the comparison; and
      
      transmit data based on the determination.
  - 10. The system of claim 7, wherein the first processing circuitry is further configured to encrypt each one of the shares based on a keywrap.
  - 11. The system of claim 10, wherein the keywrap is based on a workgroup key.
  - 12. The system of claim 7, wherein the first processing circuitry is further configured to:
    - generate a certificate authority hierarchy, wherein the certificate authority hierarchy comprises root certificate authorities; and
      
      encrypt each one of the shares based on a certificate issued by a unique root certificate authority of the certificate authority hierarchy.
  - 13. The system of claim 7, wherein the first processing circuitry is further configured to:
    - generate a certificate authority hierarchy, wherein the certificate authority hierarchy comprises a set of minor certificate authorities; and
      
      encrypt each one of the shares based on a certificate issued by a unique minor certificate authority of the certificate authority hierarchy.
  - 14. The system of claim 7, wherein the first processing circuitry is located in a first device, and wherein the second processing circuitry is located in a second device, the second device being different than the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
Orsini, Rick L., O'Hare, Mark S., Bono, Stephen C., Landau, Gabriel D., Nielson, Seth James
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US13/589,894
Publication Number

US 20130042105A1
Time in Patent Office

652 Days
Field of Search
US Class Current

713/157
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3263   involving certificates, e.g...

Systems and methods for securing data in motion

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing data in motion

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links