Systems and methods for encryption and provision of information security using platform services

US 9,614,670 B1
Filed: 02/05/2016
Issued: 04/04/2017
Est. Priority Date: 02/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the steps of:

receiving, at a server, a request for encryption of data from an electronic computing device being operated by a user;

determining, at the server, a particular key space corresponding to the user and/or the electronic computing device based on the request for encryption, wherein the particular key space comprises a partitioned storage location that contains at least one encryption key;

transmitting the request for encryption from the server to a particular key service corresponding to the determined particular key space for generation of unique cryptographic information relating particularly to the request for encryption, wherein the particular key service provides functionalities of at least encryption key generation and/or encryption key storage;

receiving, at the server, the unique cryptographic information from the particular key service, wherein the unique cryptographic information comprises an encryption key uniquely corresponding to the request for encryption; and

transmitting the unique cryptographic information from the server to the electronic computing device for unique encryption of the data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing or encrypting data or other information arising from a user'"'"'s interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user'"'"'s storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentially of the protected data.

Citations

30 Claims

1. A method, comprising the steps of:
- receiving, at a server, a request for encryption of data from an electronic computing device being operated by a user;
  
  determining, at the server, a particular key space corresponding to the user and/or the electronic computing device based on the request for encryption, wherein the particular key space comprises a partitioned storage location that contains at least one encryption key;
  
  transmitting the request for encryption from the server to a particular key service corresponding to the determined particular key space for generation of unique cryptographic information relating particularly to the request for encryption, wherein the particular key service provides functionalities of at least encryption key generation and/or encryption key storage;
  
  receiving, at the server, the unique cryptographic information from the particular key service, wherein the unique cryptographic information comprises an encryption key uniquely corresponding to the request for encryption; and
  
  transmitting the unique cryptographic information from the server to the electronic computing device for unique encryption of the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein the request for encryption comprises identifying information that uniquely identifies the electronic computing device and/or the user of the electronic computing device.
  - 3. The method of claim 2, wherein the identifying information is selected from the group comprising a nonce, a device ID, and a hardware fingerprint hash.
  - 4. The method of claim 2, wherein the user and/or electronic computing device is associated with a particular tenant.
  - 5. The method of claim 4, wherein the determining step comprises analyzing the identifying information to determine the particular tenant and then identifying the particular key space associated with the particular tenant.
  - 6. The method of claim 2, wherein the server comprises one or more federation services.
  - 7. The method of claim 6, wherein the step of determining the particular key space corresponding to the electronic computing device further comprises the steps of:
    - extracting the identifying information from the request for encryption;
      
      determining, based on the extracted identifying information, a particular federation service corresponding to the user and/or the electronic computing device for authenticating the request for encryption;
      
      transmitting the request for encryption to the determined particular federation service for authenticating the request for encryption;
      
      authenticating, based on the identifying information, the request for encryption; and
      
      determining, based on the authenticated request for encryption and the extracted identifying information, the particular key space corresponding to the user and/or the electronic computing device.
  - 8. The method of claim 1, wherein the step of determining the particular key space corresponding to the user and/or the electronic computing device further comprises the step of determining, based on the particular key space, the particular key service corresponding to the determined particular key space.
  - 9. The method of claim 1, wherein the particular key service is managed separately from the server.
  - 10. The method of claim 1, wherein the server has no access to data maintained in the particular key service.
  - 11. The method of claim 1, wherein the server comprises a cloud-based security platform.
  - 12. The method of claim 1, wherein the particular key service generates the unique cryptographic information according to one or more predefined rules.
  - 13. The method of claim 1, wherein the request for encryption of data and the unique cryptographic information are securely enveloped.
  - 14. The method of claim 1, wherein the electronic computing device encrypts the request for encryption data prior to transmitting the request for encryption to the server.
  - 15. The method of claim 14, wherein the particular key service decrypts the request for encryption prior to generating the unique cryptographic information.
  - 16. The method of claim 1, wherein the particular key service encrypts the unique cryptographic information prior to transmitting the unique cryptographic information to the server.
  - 17. The method of claim 16, wherein the electronic computing device decrypts the unique cryptographic information prior to using the unique cryptographic information to uniquely encrypt the data.
  - 18. The method of claim 1, wherein the unique cryptographic information further comprises a key tag.
  - 19. The method of claim 18, wherein the encryption key uniquely corresponding to the request for encryption comprises a context-based key.
  - 20. The method of claim 18, wherein the key tag comprises a context-based key identifier.
  - 21. The method of claim 1, wherein the request for encryption includes contextual information relating to creation of the data.
  - 22. The method of claim 21, wherein the unique cryptographic information is associated with the contextual information.
  - 23. The method of claim 21, wherein the unique cryptographic information corresponds to the request for encryption and is used solely to encrypt the data relating to the request for encryption.
  - 24. The method of claim 21, wherein the contextual information is selected from the group comprising:
    - a user identifier associated with a user entering the data, a user identifier of a user interacting with the data, a session identifier, a time instant at which the data was generated, a time instant at which the data was accessed, an electronic computing device identifier, an application program identifier, a tenant identifier, a network address.
  - 25. The method of claim 1, wherein subsequent decryption of the data is dependent upon one or more predefined policies.
  - 26. The method of claim 1, wherein the unique cryptographic information is used for a subsequent auditing function.

27. A system, comprising:
- an electronic computing device that generates or receives data and is associated with a user, wherein the electronic computing device generates a request for encryption of the data and transmits the request for encryption to a server;
  
  the server that receives the request for encryption from the electronic computing device, wherein the sever determines a particular key space corresponding to the user and/or the electronic computing device based on the request for encryption, wherein the particular key space comprises a partitioned storage location that contains at least one encryption key, and transmits the request for encryption to a particular key service corresponding to the determined particular key space, wherein the particular key service provides functionalities of at least encryption key generation and/or encryption key storage;
  
  the particular key service that receives the request for encryption from the server, wherein the particular key service generates unique cryptographic information relating particularly to the request for encryption and transmits the unique cryptographic information to the server, wherein the unique cryptographic information comprises an encryption key uniquely corresponding to the request for encryption;
  
  the server that receives the unique cryptographic information from the particular key service, wherein the server transmits the unique cryptographic information to the electronic computing device; and
  
  the electronic computing device that receives the unique cryptographic information from the server, wherein the electronic computing device uniquely encrypts the data using the unique cryptographic information.
- View Dependent Claims (28, 29, 30)
- - 28. The system of claim 27, wherein the request for encryption comprises identifying information that uniquely identifies the electronic computing device and/or the user of the electronic computing device.
  - 29. The system of claim 27, wherein the server comprises a cloud-based security platform.
  - 30. The system of claim 27, wherein the particular key service is managed separately from the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ionic Security, Inc. (Twilio, Inc.)
Original Assignee
Ionic Security, Inc. (Twilio, Inc.)
Inventors
McColl, Robert, Ghetti, Adam, Jordan, James, Silva, Kenneth, Eckman, Jeremy, Speers, Ryan
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/017,255
Time in Patent Office

424 Days
Field of Search

713168
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2133   Verifying human interaction...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/0819   Key transport or distributi...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

Systems and methods for encryption and provision of information security using platform services

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for encryption and provision of information security using platform services

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links