Systems and methods for providing information security using context-based keys

US 9,621,343 B1
Filed: 02/26/2016
Issued: 04/11/2017
Est. Priority Date: 06/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method for contextually-encrypting data, comprising the steps of:

detecting an item of original data that is to be encrypted;

identifying contextual information relating to creation of the item of original data, wherein the contextual information comprises at least data uniquely representing an application program with which the item of original data was created;

generating unique cryptographic information for use in encrypting the item of original data, wherein the unique cryptographic information is stored in a database in association with data identifying the contextual information comprising at least the data uniquely representing the application program; and

generating an encrypted output of the item of original data as a function of the item of original data and the unique cryptographic information.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing or encrypting data or other information arising from a user'"'"'s interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or accessed. The ciphertext can be stored in a user'"'"'s storage device or in an enterprise database (e.g., at-rest encryption), or shared with other users (e.g., cryptographic communication). Use of context-based encryption keys enables key association with individual data elements, as opposed to public-private key pairs, or use of conventional user-based or system-based keys. In scenarios wherein data is shared by a sender with other users, the system manages the rights of users who are able to send and/or access the sender'"'"'s data according to pre-defined policies/roles.

35 Citations

28 Claims

1. A method for contextually-encrypting data, comprising the steps of:
- detecting an item of original data that is to be encrypted;
  
  identifying contextual information relating to creation of the item of original data, wherein the contextual information comprises at least data uniquely representing an application program with which the item of original data was created;
  
  generating unique cryptographic information for use in encrypting the item of original data, wherein the unique cryptographic information is stored in a database in association with data identifying the contextual information comprising at least the data uniquely representing the application program; and
  
  generating an encrypted output of the item of original data as a function of the item of original data and the unique cryptographic information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 27, 28)
- - 2. The method of claim 1, wherein the step of detecting the item of original data that is to be encrypted further comprises the step of detecting a predetermined trigger event indicating that the item of original data is to be encrypted, wherein the predetermined trigger event is selected from the group comprising:
    - identification of data entry, identification of data submission, identification of data storage, user interaction with a user interface in a predetermined manner, predetermined movement of a computer control device associated with an electronic computing device, passage of a predetermined time period, user interaction with an application program command.
  - 3. The method of claim 1, wherein the step of detecting the item of original data that is to be encrypted further comprises receiving an affirmative request for encryption of the item of original data.
  - 4. The method of claim 1, further comprising the steps of:
    - temporarily diverting the item of original data from an expecting application program operating on an electronic computing device to a memory associated with the particular electronic computing device; and
      
      upon generation of the encrypted output of the item of original data, reinserting the encrypted output into the expecting application program for subsequent use.
  - 5. The method of claim 1, wherein the contextual information-further comprises data uniquely representing a role of a user of the electronic computing device.
  - 6. The method of claim 1, wherein the unique cryptographic information includes a context-based key (CBK) and a context-based key identifier (CBK ID).
  - 7. The method of claim 6, wherein the step of generating the encrypted output further comprises the step of processing the item of original data and the CBK through an encryption algorithm.
  - 8. The method of claim 7, wherein the step of generating the encrypted output further comprises concatenating the CBK ID with an encrypted version of the item of original data.
  - 9. The method of claim 6, wherein the CBK is generated by extracting a predetermined number of bits from an output of a cryptographic algorithm.
  - 10. The method of claim 6, wherein the CBK and CBK ID are used for a subsequent auditing function.
  - 11. The method of claim 1, further comprising the step of retrieving one or more predefined access control policies relating to the contextual information prior to generating unique cryptographic information.
  - 12. The method of claim 11, further comprising the step of generating unique cryptographic information only upon determining that the predefined access control policies are satisfied.
  - 13. The method of claim 1, wherein detecting an item of original data that is to be encrypted further comprises autonomously detecting an item of original data that is to be encrypted.
  - 14. The method of claim 1, wherein the encrypted output of the item of original data further comprises a persistently encrypted output of the item of original data that is only accessible via local decryption in an electronic computing device having appropriate access authority.
  - 15. The method of claim 1, wherein the unique cryptographic information is generated by processing an identifier comprising at least a portion of the identified contextual information through a cryptographic algorithm.
  - 27. The method of claim 1, wherein the data uniquely representing the application program is subsequently used for purposes of decrypting the encrypted output of the item of original data by comparing the data uniquely representing the application program with one or more access policies associated with a respective decryptor.
  - 28. The method of claim 1, wherein the contextual information further comprises data uniquely representing a corporate organization associated with the electronic computing device.

16. A method for decrypting contextually-encrypted data, comprising the steps of:
- detecting a particular encrypted output corresponding to an item of original data that is to be decrypted, wherein the particular encrypted output comprises at least a first type of cryptographic information associated with one or more items of contextual information, wherein at least one of the one or more items of contextual information comprises data uniquely representing an application program with which the item of original data was created;
  
  retrieving from a database one or more access control policies corresponding to the one or more items of contextual information, wherein the one or more access control policies define access to the item of original data based in part on the one or more items of contextual information;
  
  determining, based on satisfaction of at least one of the one or more access policies, that a particular user is authorized to access the item of original data associated with the first type of cryptographic information;
  
  upon determination that the particular user is authorized to access the item of original data, retrieving from the database a second type of cryptographic information associated with the first type of cryptographic information in the database; and
  
  decrypting the item of original data from the particular encrypted output by processing the second type of cryptographic information via an encryption algorithm.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The method of claim 16, wherein the particular encrypted output further comprises an encrypted version of the item of original data.
  - 18. The method of claim 17, wherein the step of decrypting the item of original data further comprises processing the encrypted version of the item of original data via the encryption algorithm.
  - 19. The method of claim 16, further comprising the step of parsing the particular encrypted output to extract the first type of cryptographic information.
  - 20. The method of claim 16, further comprising the step of reinserting the decrypted item of original data into an application program operating on an electronic device.
  - 21. The method of claim 16, wherein the first type of cryptographic information comprises a context-based key (CBK) identifier embedded in the particular encrypted output.
  - 22. The method of claim 16, wherein the second type of cryptographic information comprises a context-based key (CBK).
  - 23. The method of claim 16, wherein the first type of cryptographic information comprises a string of predetermined length and position with respect to the particular encrypted output.
  - 24. The method of claim 16, wherein detecting a particular encrypted output corresponding to an item of original data that is to be decrypted further comprises autonomously detecting a particular encrypted output corresponding to an item of original data that is to be decrypted.
  - 25. The method of claim 16, wherein the decrypted item of original data further comprises a locally decrypted item of original data that is only locally accessible within an electronic computing device.
  - 26. The method of claim 16, wherein the second type of cryptographic information was generated by processing the first type of cryptographic information through a cryptographic algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ionic Security, Inc. (Twilio, Inc.)
Original Assignee
Ionic Security, Inc. (Twilio, Inc.)
Inventors
Ghetti, Adam
Primary Examiner(s)
Leung, Robert

Application Number

US15/054,484
Time in Patent Office

410 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 2212/402   Encrypted data

G06F 2221/2107   File encryption

H04L 63/0478   applying multiple layers of...

H04L 9/083   involving central third par...

H04L 9/0866   involving user or device id...

H04L 9/0872   using geo-location informat...

H04L 9/088   Usage controlling of secret...

Systems and methods for providing information security using context-based keys

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing information security using context-based keys

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links