Systems and methods for cryptographically splitting and storing data

US 9,294,444 B2
Filed: 02/10/2012
Issued: 03/22/2016
Est. Priority Date: 10/25/2004
Status: Active Grant

First Claim

Patent Images

1. A method for securing a data set, the method steps implemented by a programmed computer system, the method steps comprising:

encrypting, using a hardware processor, the data set based on an encryption key to produce an encrypted data set;

creating hash information based on a hash operation using the data set;

generating data splitting information, wherein the data splitting information is usable to determine into which of a plurality of shares of data a unit of data of the encrypted data set will be placed;

separating the encrypted data set into the plurality of shares based on the data splitting information, wherein each share contains one or more, but not all, of the units of data of the encrypted data set, and wherein at least two of the plurality of shares contain different amounts of the encrypted data set;

including in the plurality of shares data indicative of the encryption key and the hash information; and

causing the plurality of shares to be stored in separate storage locations;

wherein the data set is restorable by accessing less than all, but at least a threshold number of, the plurality of shares.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.

378 Citations

36 Claims

1. A method for securing a data set, the method steps implemented by a programmed computer system, the method steps comprising:
- encrypting, using a hardware processor, the data set based on an encryption key to produce an encrypted data set;
  
  creating hash information based on a hash operation using the data set;
  
  generating data splitting information, wherein the data splitting information is usable to determine into which of a plurality of shares of data a unit of data of the encrypted data set will be placed;
  
  separating the encrypted data set into the plurality of shares based on the data splitting information, wherein each share contains one or more, but not all, of the units of data of the encrypted data set, and wherein at least two of the plurality of shares contain different amounts of the encrypted data set;
  
  including in the plurality of shares data indicative of the encryption key and the hash information; and
  
  causing the plurality of shares to be stored in separate storage locations;
  
  wherein the data set is restorable by accessing less than all, but at least a threshold number of, the plurality of shares.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 28, 29, 30)
- - 2. The method of claim 1, wherein the step of separating the encrypted data set comprises using a deterministic technique.
  - 3. The method of claim 1, wherein the step of separating the encrypted data set comprises using a substantially random technique.
  - 4. The method of claim 1, further comprising causing a plurality of data units in each of the shares to be rearranged relative to one another after the separating step.
  - 5. The method of claim 1, wherein the step of separating the encrypted data into the plurality of shares comprises causing the plurality of shares to have a substantially randomly distribution of the encrypted data set.
  - 6. The method of claim 1, wherein the data indicative of the encryption key comprises data created using a Shamir secret sharing algorithm.
  - 7. The method of claim 1, wherein the step of including data indicative of the encryption key comprises:
    - encrypting the encryption key with a second key; and
      
      including in the plurality of shares data indicative of the encrypted encryption key.
  - 8. The method of claim 7 further comprising the method step of storing the second key outside of the plurality of shares, wherein the data set is restorable by accessing less than all, but at least a threshold number of, the plurality of shares, and the second key.
  - 9. The method of claim 1, wherein the separate storage locations are located on at least two separate storage devices.
  - 28. The method of claim 1, wherein the separate storage locations are located on one storage device.
  - 29. The method of claim 1, wherein the separate storage locations are geographically separated.
  - 30. The method of claim 1, wherein causing the plurality of shares to be stored in separate storage locations comprises causing the plurality of shares to be stored in respective separate storage locations.

10. A non-transitory computer readable medium storing computer executable instructions that, when executed by at least one processor, cause a computer system to carry out a method for securing a data set, the method comprising the steps of:
- encrypting the data set based on an encryption key to produce an encrypted data set;
  
  creating hash information based on a hash operation using the data set;
  
  generating data splitting information, wherein the data splitting information is usable to determine into which of a plurality of shares of data a unit of data of the encrypted data set will be placed;
  
  separating the encrypted data set into the plurality of shares based on the data splitting information, wherein each share contains one or more, but not all, of the units of data of the encrypted data set, and wherein at least two of the plurality of shares contain different amounts of the encrypted data set;
  
  including in the plurality of shares data indicative of the encryption key and the hash information; and
  
  causing the plurality of shares to be stored in separate storage locations;
  
  wherein the data set is restorable by accessing less than all, but at least a threshold number of, the plurality of shares.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 31, 32, 33)
- - 11. The non-transitory computer readable medium of claim 10, wherein the step of separating the encrypted data set comprises using a deterministic technique.
  - 12. The non-transitory computer readable medium of claim 10, wherein the step of separating the encrypted data set comprises using a substantially random technique.
  - 13. The non-transitory computer readable medium of claim 10, wherein the method further comprises causing a plurality of data units of the encrypted data set to be rearranged relative to one another after the separating step.
  - 14. The non-transitory computer readable medium of claim 10, wherein the step of separating the encrypted data into the plurality of shares comprises causing the plurality of shares to have a substantially randomly distribution of the encrypted data set.
  - 15. The non-transitory computer readable medium of claim 10, wherein the data indicative of the encryption key comprises data created using a Shamir secret sharing algorithm.
  - 16. The non-transitory computer readable medium of claim 11, wherein the step of including data indicative of the encryption key comprises:
    - encrypting the encryption key with a second key; and
      
      including in the plurality of shares data indicative of the encrypted encryption key.
  - 17. The non-transitory computer readable medium of claim 16 wherein the method further comprises storing the second key outside of the plurality of shares, wherein the data set is restorable by accessing less than all, but at least a threshold number of, the plurality of shares, and the second key.
  - 18. The non-transitory computer readable medium of claim 10, wherein the separate storage locations are located on at least two separate storage devices.
  - 31. The non-transitory computer readable medium of claim 10, wherein the separate storage locations are located on one storage device.
  - 32. The non-transitory computer readable medium of claim 10, wherein the separate storage locations are geographically separated.
  - 33. The non-transitory computer readable medium of claim 10, wherein causing the plurality of shares to be stored in separate storage locations comprises causing the plurality of shares to be stored in respective separate storage locations.

19. A computer system for securing a data set, the system comprising:
- at least one processor;
  
  a non-transitory computer readable medium storing computer executable instructions that, when executed by the at least one processor, cause the computer system to carry out the following steps;
  
  encrypting the data set based on an encryption key to produce an encrypted data set;
  
  creating hash information based on a hash operation using the data set;
  
  generating data splitting information, wherein the data splitting information is usable to determine into which of a plurality of shares of data a unit of data of the encrypted data set will be placed;
  
  separating the encrypted data set into the plurality of shares based on the data splitting information, wherein each share contains one or more, but not all, of the units of data of the encrypted data set, and wherein at least two of the plurality of shares contain different amounts of the encrypted data set;
  
  including in the plurality of shares data indicative of the encryption key and the hash information; and
  
  causing the plurality of shares to be stored in separate storage locations;
  
  wherein the data set is restorable by accessing less than all, but at least a threshold number of, the plurality of shares.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 34, 35, 36)
- - 20. The system of claim 19, wherein the step of separating the encrypted data set comprises using a deterministic technique.
  - 21. The system of claim 19, wherein the step of separating the encrypted data set comprises using a substantially random technique.
  - 22. The system of claim 19, wherein the method further comprises causing a plurality of data units of the encrypted data set to be rearranged relative to one another after the separating step.
  - 23. The system of claim 19, wherein the step of separating the encrypted data into the plurality of shares comprises causing the plurality of shares to have a substantially randomly distribution of the encrypted data set.
  - 24. The system of claim 19, wherein data indicative of the encryption key comprises data that was created using a Shamir secret sharing algorithm.
  - 25. The system of claim 19, wherein the step of including data indicative of the encryption key comprises:
    - encrypting the encryption key with a second key; and
      
      including in the plurality of shares data indicative of the encrypted encryption key.
  - 26. The system of claim 25 wherein the method further comprises storing the second key outside of the plurality of shares, wherein the data set is restorable by accessing less than all, but at least a threshold number of, the plurality of shares, and the second key.
  - 27. The system of claim 19, wherein the separate storage locations are located on at least two separate storage devices.
  - 34. The computer system of claim 19, wherein the separate storage locations are located on one storage device.
  - 35. The computer system of claim 19, wherein the separate storage locations are geographically separated.
  - 36. The computer system of claim 19, wherein causing the plurality of shares to be stored in separate storage locations comprises causing the plurality of shares to be stored in respective separate storage locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Davenport, Roger S., Winick, Steven
Primary Examiner(s)
Kim, Tae

Application Number

US13/371,363
Publication Number

US 20120166815A1
Time in Patent Office

1,502 Days
Field of Search

726/26
US Class Current

1/1
CPC Class Codes

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 16/22   Indexing; Data structures t...

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

H04L 2209/80   Wireless network architectu...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 67/108   characterised by resources ...

H04L 69/14   Multichannel or multilink p...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

Systems and methods for cryptographically splitting and storing data

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

378 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for cryptographically splitting and storing data

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

378 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links