Systems and methods for securing data in motion

US 9,589,148 B2
Filed: 07/29/2016
Issued: 03/07/2017
Est. Priority Date: 03/31/2010
Status: Active Grant

First Claim

Patent Images

1. A method for securing data, the method comprising:

using a hardware processor for;

determining that at least one share of a first set of data shares is unavailable for restoring an encrypted data set, wherein the first set of data shares was generated from the encrypted data set by using a split key,in response to determining that the at least one share is unavailable, retrieving a subset of the first set of data shares that were generated from the encrypted data set, the subset of shares including at least a minimum number less than all of the data shares necessary for restoring the encrypted data set, wherein the first set of shares is associated with a first authentication key, andgenerating a second set of data shares from the subset of data shares without decrypting the encrypted data set, wherein the second set of shares is associated with a second authentication key and comprises the at least one data share of the first set of data shares; and

storing the at least one share.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods of the present invention provide a solution that makes data provably secure and accessible—addressing data security at the bit level—thereby eliminating the need for multiple perimeter hardware and software technologies. Data security is incorporated or weaved directly into the data at the bit level. The systems and methods of the present invention enable enterprise communities of interest to leverage a common enterprise infrastructure. Because security is already woven into the data, this common infrastructure can be used without compromising data security and access control. In some applications, data is authenticated, encrypted, and parsed or split into multiple shares prior to being sent to multiple locations, e.g., a private or public cloud. The data is hidden while in transit to the storage location, and is inaccessible to users who do not have the correct credentials for access.

363 Citations

28 Claims

1. A method for securing data, the method comprising:
- using a hardware processor for;
  
  determining that at least one share of a first set of data shares is unavailable for restoring an encrypted data set, wherein the first set of data shares was generated from the encrypted data set by using a split key,in response to determining that the at least one share is unavailable, retrieving a subset of the first set of data shares that were generated from the encrypted data set, the subset of shares including at least a minimum number less than all of the data shares necessary for restoring the encrypted data set, wherein the first set of shares is associated with a first authentication key, andgenerating a second set of data shares from the subset of data shares without decrypting the encrypted data set, wherein the second set of shares is associated with a second authentication key and comprises the at least one data share of the first set of data shares; and
  
  storing the at least one share.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein generating the second set of data shares comprises:
    - reconstructing the encrypted data set from the subset of data shares; and
      
      generating the second set of data shares from the encrypted data set without decrypting the encrypted data set.
  - 3. The method of claim 1, wherein the second set of data shares comprises at least one data share that is not included in the subset of data shares.
  - 4. The method of claim 1, wherein the second set of data shares comprises at least one data share that is not included in the first set of data shares.
  - 5. The method of claim 1, wherein the determining that at least one share of the first set of data shares is unavailable comprises determining that the at least one share has been compromised.
  - 6. The method of claim 1, wherein the determining that at least one share of the first set of data shares is unavailable comprises determining that a data storage device storing the at least one share is inaccessible.
  - 7. The method of claim 1, wherein the determining that at least one share of the first set of data shares is unavailable comprises determining that a data storage device storing the at least one share has failed.
  - 8. The method of claim 1, wherein the determining that at least one share of the first set of data shares is unavailable comprises determining that the at least one share has been corrupted.
  - 9. The method of claim 1, wherein the generating comprises:
    - authenticating the subset of data shares with the first authentication key to obtain an authenticated subset of data shares; and
      
      reconstructing the encrypted data set from the authenticated subset of data shares using the split key.
  - 10. The method of claim 9, further comprising:
    - retrieving headers associated with the subset of data shares;
      
      extracting a key encryption key from the retrieved headers;
      
      encrypting the second authentication key with the key encryption key; and
      
      storing the encrypted second authentication key within the headers of the second set of data shares.
  - 11. The method of claim 1, wherein each data share of the first set of data shares is based on a portion less than all of the encrypted data set.
  - 12. The method of claim 1, wherein the generating comprises reconstructing the encrypted data set using a first the split key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set.
  - 13. The method of claim 12, wherein the generating comprises generating the second set of data shares from the reconstructed encrypted data set using a second split key, wherein the second split key is different from the first split key.
  - 14. The method of claim 1, wherein storing the at least one share comprises storing the second set of data shares comprising the at least one share.

15. A system for securing data, comprising:
- a hardware processor configured to;
  
  determine that at least one share of a first set of data shares is unavailable for restoring an encrypted data set, wherein the first set of data shares was generated from the encrypted data set by using a split key;
  
  in response to determining that the at least one share is unavailable, retrieve a subset of the first set of data shares that were generated from the encrypted data set, the subset of shares including at least a minimum number less than all of the data shares necessary for restoring the encrypted data set, wherein the first set of shares is associated with a first authentication key; and
  
  generate a second set of data shares from the subset of data shares without decrypting the encrypted data set, wherein the second set of shares is associated with a second authentication key and comprises the at least one share of the first set of data shares.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system of claim 15, wherein the hardware processor is configured to generate the second set of data shares by:
    - reconstructing the encrypted data set from the subset of data shares; and
      
      generating the second set of data shares from the encrypted data set without decrypting the encrypted data set.
  - 17. The system of claim 15, wherein the hardware processor is configured to generate the second set of data shares including at least one share that is not included in the subset of data shares.
  - 18. The system of claim 15, wherein the hardware processor is configured to generate the second set of data shares including at least one share that is not included in the first set of data shares.
  - 19. The system of claim 15, wherein the hardware processor is configured to determine that at least one share of the first set of data shares is unavailable by determining that the at least one share has been compromised.
  - 20. The system of claim 15, wherein the hardware processor is configured to determine that at least one share of the first set of data shares is unavailable by determining that a data storage device storing the at least one share is inaccessible.
  - 21. The system of claim 15, wherein the hardware processor is configured to determine that at least one share of the first set of data shares is unavailable by determining that a data storage device storing the at least one share has failed.
  - 22. The system of claim 15, wherein the hardware processor is configured to determine that at least one share of the first set of data shares is unavailable by determining that the at least one share has been corrupted.
  - 23. The system of claim 15, wherein the hardware processor is configured to generate a second set of data shares by:
    - authenticating the subset of data shares with the first authentication key to obtain an authenticated subset of data shares; and
      
      reconstructing the encrypted data set from the authenticated subset of data shares using the split key.
  - 24. The system of claim 23, wherein the hardware processor is further configured to:
    - retrieve headers associated with the subset of data shares;
      
      extract a key encryption key from the retrieved headers;
      
      encrypt the second authentication key with the key encryption key; and
      
      store the encrypted second authentication key within the headers of the second set of data shares.
  - 25. The system of claim 15, wherein each data share of the first set of data shares is based on a portion less than all of the encrypted data set.
  - 26. The system of claim 15, wherein the hardware processor is configured to generate a second set of data shares by reconstructing the encrypted data set using the split key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set.
  - 27. The system of claim 15, wherein the hardware processor is configured to generate a second set of data shares by generating the second set of data shares from the reconstructed encrypted data set using a second split key, wherein the second split key is different from the split key.
  - 28. The system of claim 15, further comprising a storage device configured to store the at least one share by storing the second set of data shares comprising the at least one share.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L.
Primary Examiner(s)
Desrosiers, Evans

Application Number

US15/223,917
Publication Number

US 20160379005A1
Time in Patent Office

221 Days
Field of Search

713/150, 713/160, 709/236, 709/245, 380227-232, 380247-250
US Class Current

1/1
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 11/182   based on mutual exchange of...

G06F 11/2094   Redundant storage or storag...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/72   in cryptographic circuits

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 67/1097   for distributed storage of ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

Systems and methods for securing data in motion

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

363 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing data in motion

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

363 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links