Systems and methods for securing data using multi-factor or keyed dispersal

US 9,825,927 B2
Filed: 06/25/2015
Issued: 11/21/2017
Est. Priority Date: 01/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for securing a data set, the method comprising:

receiving, using a processor that includes processing circuitry, two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the units of data of the data set;

generating at least two session key shares from the session key used to secured the data set shares, wherein each session key share is based on less than all of the units of data of the session key;

forming two or more user shares by interleaving the at least two session key shares into at least two encrypted data set shares, wherein the interleaving comprises causing each of the at least two session key shares to be distributed into a different one of the at least two encrypted data set shares; and

providing the two or more user shares for storage, whereby the data set is restorable from a minimum number of the two or more user shares.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths. A keyed information dispersal algorithm (keyed IDA) may also be used. The key for the keyed IDA may additionally be protected by an external workgroup key, resulting in a multi-factor secret sharing scheme.

Citations

33 Claims

1. A method for securing a data set, the method comprising:
- receiving, using a processor that includes processing circuitry, two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the units of data of the data set;
  
  generating at least two session key shares from the session key used to secured the data set shares, wherein each session key share is based on less than all of the units of data of the session key;
  
  forming two or more user shares by interleaving the at least two session key shares into at least two encrypted data set shares, wherein the interleaving comprises causing each of the at least two session key shares to be distributed into a different one of the at least two encrypted data set shares; and
  
  providing the two or more user shares for storage, whereby the data set is restorable from a minimum number of the two or more user shares.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising generating the session key.
  - 3. The method of claim 1, further comprising encrypting the session key with a shared workgroup key to obtain an encrypted session key;
    - whereingenerating the two or more session key shares comprises distributing portions of the encrypted session key into the two or more session key shares; and
      
      the data set is restorable from the shared workgroup key and a minimum number of the two or more user shares.
  - 4. The method of claim 3, wherein the shared workgroup key is stored separately from the two or more user shares.
  - 5. The method of claim 4, further comprising causing the storage of the shared workgroup key on a data depository on which at least one of the two or more user shares is stored, wherein the shared workgroup key is stored at a different location from a location at which the at least one of the two or more user shares is stored.
  - 6. The method of claim 4, further comprising causing the storage of the shared workgroup key on a different data depository from a data depository on which the two or more user shares are stored.
  - 7. The method of claim 4, wherein the shared workgroup key is stored in a hardware-based key.
  - 8. The method of claim 1, wherein generating the session key shares comprises generating the session key shares using robust computational secret sharing (RCSS).
  - 9. The method of claim 1, wherein forming two or more user shares comprises inserting each of the at least two session key shares into the respective one of the at least two encrypted data set shares at a location based at least in part on a shared workgroup key.
  - 10. The method of claim 1, wherein causing the storage of the two or more user shares comprises causing the storage of the two or more user shares separately on at least one data depository.
  - 11. The method of claim 10, wherein causing the storage of the two or more user shares separately on at least one data depository comprises causing the storage of the two or more user shares on different locations of the same data depository.
  - 12. The method of claim 10, wherein causing the storage of the two or more user shares separately on at least one data depository comprises causing the storage of the two or more user shares on different data depositories.
  - 13. The method of claim 10, wherein causing the storage of the two or more user shares separately on at least one data depository comprises causing the storage of the two or more user shares on different data depositories in different geographic locations.
  - 14. The method of claim 1, further comprising generating the two or more encrypted data set shares, wherein the generating comprises:
    - generating, based at least in part on the session key, random or pseudo-random numbers;
      
      associating the random or pseudo-random numbers with the two or more encrypted data set shares;
      
      associating the random or pseudo-random numbers with units of data from the encrypted data set; and
      
      determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.
  - 15. The method of claim 14, wherein the units of data comprise bytes of data from the data set.
  - 16. The method of claim 14, wherein the units of data comprise bits of data from the data set.

17. An apparatus for securing a data set, the apparatus comprising a physical processor configured to:
- receive two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the data units of the data set;
  
  generate at least two session key shares from the session key used to secured the data set shares, wherein each session key share is based on less than all of the data units of the session key;
  
  form two or more user shares by interleaving the at least two session key shares into at least two encrypted data set shares, wherein the interleaving comprises causing each of the at least two session key shares to be distributed into a different one of the at least two encrypted data set shares; and
  
  provide the two or more user shares for non-transitory storage, whereby the data set is restorable from a minimum number of the two or more user shares.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The apparatus of claim 17, wherein the physical processor is further configured to generate the session key.
  - 19. The apparatus of claim 17, wherein the physical processor is further configured to encrypt the session key with a shared workgroup key;
    - whereinthe session key shares comprise portions of the encrypted session key; and
      
      the data set is restorable from the shared workgroup key and a minimum number of the two or more user shares.
  - 20. The apparatus of claim 19, wherein the shared workgroup key is stored separately from the two or more user shares.
  - 21. The apparatus of claim 20, wherein the physical processor is configured to store the shared workgroup key on a data depository on which at least one of the two or more user shares is stored and at a different location from a location at which the at least one of the two or more user shares is stored.
  - 22. The apparatus of claim 20, wherein the physical processor is configured to store the shared workgroup key on a different data depository from a data depository on which the two or more user shares are stored.
  - 23. The apparatus of claim 20, wherein the shared workgroup key is stored in a hardware-based key.
  - 24. The apparatus of claim 17, wherein the physical processor is configured to use robust computational secret sharing (RCSS) to distribute portions of the session key into the at least two session key shares.
  - 25. The apparatus of claim 17, wherein the physical processor is configured to form two or more user shares by inserting each of the at least two session key shares into the respective one of the at least two encrypted data set shares at a location based at least in part on a shared workgroup key.
  - 26. The apparatus of claim 17, further comprising at least one data repository;
    - wherein providing the two or more user shares for storage comprises providing the two or more user shares for storage separately on at least one data depository.
  - 27. The apparatus of claim 26, wherein the physical processor is configured to provide the two or more user shares for storage separately on different locations of the same data depository.
  - 28. The apparatus of claim 26, wherein the physical processor is configured to provide the two or more user shares for storage separately on different data depositories.
  - 29. The apparatus of claim 26, wherein the physical processor is configured to store the two or more user shares separately on different data depositories in different geographic locations.
  - 30. The apparatus of claim 17, wherein the physical processor is further configured to distribute portions of the encrypted data set into the two or more encrypted data set shares by:
    - generating, based at least in part on the session key, random or pseudo-random numbers;
      
      associating the random or pseudo-random numbers with the two or more encrypted data set shares;
      
      associating the random or pseudo-random numbers with units of data from the encrypted data set; and
      
      determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.
  - 31. The apparatus of claim 30 wherein the units of data comprise bytes of data from the data set.
  - 32. The apparatus of claim 30, wherein the units of data comprise bits of data from the data set.

33. A machine-readable non-transitory medium comprising machine program logic recorded thereon which, when executed by a processor, causes a computing system to carry out the steps of:
- receiving, using a processor that includes processing circuitry, two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the units of data of the data set;
  
  generating at least two session key shares from the session key used to secured the data set shares, wherein each session key share is based on less than all of the units of data of the session key;
  
  forming two or more user shares by interleaving the at least two session key shares into at least two encrypted data set shares, wherein the interleaving comprises causing each of the at least two session key shares to be distributed into a different one of the at least two encrypted data set shares; and
  
  providing the two or more user shares for storage, whereby the data set is restorable from a minimum number of the two or more user shares.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Bellare, Mihir, Rogaway, Phillip
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Getachew, Abiy

Application Number

US14/750,562
Publication Number

US 20150295908A1
Time in Patent Office

880 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

Systems and methods for securing data using multi-factor or keyed dispersal

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing data using multi-factor or keyed dispersal

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links