Systems and methods for securing data in motion
Abstract
The systems and methods of the present invention provide a solution that makes data provably secure and accessible—addressing data security at the bit level—thereby eliminating the need for multiple perimeter hardware and software technologies. Data security is incorporated or weaved directly into the data at the bit level. The systems and methods of the present invention enable enterprise communities of interest to leverage a common enterprise infrastructure. Because security is already woven into the data, this common infrastructure can be used without compromising data security and access control. In some applications, data is authenticated, encrypted, and parsed or split into multiple shares prior to being sent to multiple locations, e.g., a private or public cloud. The data is hidden while in transit to the storage location, and is inaccessible to users who do not have the correct credentials for access.
22 Claims
1. A method for securing data, the method comprising:
- receiving, using a programmed hardware processor, a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, wherein:
  (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set, and
  (2) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
- in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set:
  (a) reconstructing the encrypted data set using the first split key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set, and
  (b) generating a second set of data shares from the reconstructed encrypted data set using a second split key without decrypting the reconstructed encrypted data set, wherein the second split key is different from the first split key;
- retrieving headers associated with the first set of data shares;
- extracting a key encryption key from the retrieved headers;
- encrypting an authentication key with the key encryption key; and
- storing the encrypted authentication key within headers of the second set of data shares.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method for securing data, the method comprising:
- receiving, using a programmed hardware processor, a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first encryption key, wherein:
  (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set,
  (2) the first set of data shares is associated with a first authentication key, and
  (3) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
- in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set:
  (a) reconstructing the encrypted data set using the first authentication key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set,
  (b) generating a second set of data shares from the reconstructed encrypted data set without decrypting the reconstructed encrypted data set, and
  (c) rekeying the second set of data shares by associating the second set of data shares with a second authentication key, wherein the second authentication key is different from the first authentication key;
- retrieving headers associated with the first set of data shares;
- extracting a key encryption key from the retrieved headers;
- encrypting the second authentication key with the key encryption key; and
- storing the encrypted second authentication key within headers of the second set of data shares.
Dependent claims: 10, 11
12. A system for securing data, the system comprising:
- a programmed hardware processor; and
- a non-transitory computer readable medium storing computer executable instructions that, when executed by the processing circuitry, cause the computer system to carry out a method for securing data, the method comprising:
  - receiving a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, wherein:
    (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set, and
    (2) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
  - in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set:
    (a) reconstructing the encrypted data set using the first split key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set, and
    (b) generating a second set of data shares from the reconstructed encrypted data set using a second split key without decrypting the reconstructed encrypted data set, wherein the second split key is different from the first split key;
  - retrieving headers associated with the first set of data shares;
  - extracting a key encryption key from the retrieved headers;
  - encrypting an authentication key with the key encryption key; and
  - storing the encrypted authentication key within headers of the second set of data shares.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
20. A system for securing data, the system comprising:
- a programmed hardware processor; and
- a non-transitory computer readable medium storing computer executable instructions that, when executed by the processing circuitry, cause the computer system to carry out a method for securing data, the method comprising:
  - receiving a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first encryption key, wherein:
    (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set,
    (2) the first set of data shares is associated with a first authentication key, and
    (3) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
  - in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set:
    (a) reconstructing the encrypted data set using the first authentication key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set,
    (b) generating a second set of data shares from the reconstructed encrypted data set without decrypting the reconstructed encrypted data set, and
    (c) rekeying the second set of data shares by associating the second set of data shares with a second authentication key, wherein the second authentication key is different from the first authentication key;
  - retrieving headers associated with the first set of data shares;
  - extracting a key encryption key from the retrieved headers;
  - encrypting the second authentication key with the key encryption key; and
  - storing the encrypted second authentication key within headers of the second set of data shares.
Dependent claims: 21, 22
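
Added illustration (not part of the patent text and not the patentee's algorithm): a sketch of steps (a) and (b) of claims 1 and 12, in which a lost share triggers reconstruction of the ciphertext and re-dispersal under a different split key, with no decryption key ever supplied. The 2-of-3 replication layout, the HMAC-SHA256 keyed permutation standing in for the "split key", and all function names and sample values are assumptions; the header and key-encryption-key steps are left out.

```python
import hashlib
import hmac

N = 3  # assumed layout: 3 shares, any 2 suffice; share i holds segments i and i+1


def keyed_order(split_key, length):
    """Permutation of byte positions derived from the split key."""
    def rank(i):
        return hmac.new(split_key, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return sorted(range(length), key=rank)


def split(ciphertext, split_key):
    """Disperse ciphertext bytes into N shares; each share sees about 2/3 of them."""
    order = keyed_order(split_key, len(ciphertext))
    shuffled = bytes(ciphertext[p] for p in order)
    seg = [shuffled[i::N] for i in range(N)]
    return {i: {i: seg[i], (i + 1) % N: seg[(i + 1) % N]} for i in range(N)}


def reconstruct(shares, split_key, length):
    """Rebuild the ciphertext from any 2 shares; no decryption key is involved."""
    seg = {}
    for share in shares.values():
        seg.update(share)
    if len(seg) < N:
        raise ValueError("not enough shares to restore the encrypted data set")
    shuffled = bytearray(length)
    for i in range(N):
        shuffled[i::N] = seg[i]
    out = bytearray(length)
    for dst, src in enumerate(keyed_order(split_key, length)):
        out[src] = shuffled[dst]          # undo the keyed permutation
    return bytes(out)


def redisperse(stored, old_key, new_key, length):
    """If a share is missing, rebuild and re-split under a different split key."""
    surviving = {i: s for i, s in stored.items() if s is not None}
    if len(surviving) == N:
        return stored                     # nothing unavailable, nothing to do
    if hmac.compare_digest(old_key, new_key):
        raise ValueError("second split key must differ from the first")
    return split(reconstruct(surviving, old_key, length), new_key)


# Constructed sample: 64 opaque bytes standing in for an already-encrypted data set.
CIPHERTEXT = hashlib.sha256(b"constructed sample").digest() * 2
OLD_KEY, NEW_KEY = b"split-key-1 (constructed)", b"split-key-2 (constructed)"
```

Because the functions only ever handle ciphertext bytes and split keys, the host that repairs a degraded share set needs no access to the data encryption key.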
Specification