System and method for securely storing and sharing information

US 9,973,484 B2
Filed: 06/02/2016
Issued: 05/15/2018
Est. Priority Date: 10/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system having a plurality of participants for conducting secure exchange of encrypted data within a community of interest using a tightly-coupled, distributed three-element-core mechanism consisting of:

one or more cloud lockboxes operating on one or more file systems, wherein a cloud lockbox is configured to receive, store and enable secure retrieval of encrypted data;

one or more key masters, wherein a key master is configured to;

generate a public-private key pair for the key master;

generate one or more public-private key pairs for each participant, of the plurality of participants in the community of interest, served by the key master;

receive data from one or more participants;

encrypt the received data with respective participants public keys;

transmit the encrypted data to one or more cloud lockboxes associated with the respective participants;

maintain the participants'"'"' private keys required for decryption of the encrypted data; and

retrieve and decrypt the encrypted data from the one or more cloud lockboxes;

one or more registries, wherein a registry is configured to;

establish unique identities for each participant and key master;

maintain a directory of the participants, the one or more cloud lockboxes, the one or more key masters and, the one or more registries; and

create and manage one or more granular access control lists for determining access to stored data in the one or more cloud lockboxes;

wherein the registry is configured to update permissions for the plurality of participants to enable the plurality of participants to at least one of add and retrieve data from the one or more cloud lockboxes based on the one or more granular access control lists.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present application generally relates to systems, devices, and methods to conduct the secure exchange of encrypted data using a three-element-core mechanism consisting of the key masters, the registries and the cloud lockboxes with application programming interfaces providing interaction with a wide variety of user-facing software applications. Together the mechanism provides full lifecycle encryption enabling cross-platform sharing of encrypted data within and between organizations, individuals, applications and devices. Control of the private key required for decryption is maintained by the information owner. More specifically, the mechanism establishes unique identities, verifies authenticity, generates and securely exchanges asymmetric encryption key pairs, encrypts, transmits, receives and decrypts data to/from cloud lockboxes; creates and appends metadata specific to the applications and retrieves and/or act upon metadata.

38 Citations

View as Search Results

59 Claims

1. A system having a plurality of participants for conducting secure exchange of encrypted data within a community of interest using a tightly-coupled, distributed three-element-core mechanism consisting of:
- one or more cloud lockboxes operating on one or more file systems, wherein a cloud lockbox is configured to receive, store and enable secure retrieval of encrypted data;
  
  one or more key masters, wherein a key master is configured to;
  
  generate a public-private key pair for the key master;
  
  generate one or more public-private key pairs for each participant, of the plurality of participants in the community of interest, served by the key master;
  
  receive data from one or more participants;
  
  encrypt the received data with respective participants public keys;
  
  transmit the encrypted data to one or more cloud lockboxes associated with the respective participants;
  
  maintain the participants'"'"' private keys required for decryption of the encrypted data; and
  
  retrieve and decrypt the encrypted data from the one or more cloud lockboxes;
  
  one or more registries, wherein a registry is configured to;
  
  establish unique identities for each participant and key master;
  
  maintain a directory of the participants, the one or more cloud lockboxes, the one or more key masters and, the one or more registries; and
  
  create and manage one or more granular access control lists for determining access to stored data in the one or more cloud lockboxes;
  
  wherein the registry is configured to update permissions for the plurality of participants to enable the plurality of participants to at least one of add and retrieve data from the one or more cloud lockboxes based on the one or more granular access control lists.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 2. The system of claim 1, wherein the three-element-core mechanism is configured to be integrated with one or more applications via one or more application programming interfaces.
  - 3. The system of claim 1, wherein the mechanism supports a case-based focus meshed with an individual-based orientation, wherein permissions and key pairs may be assigned to both individuals and cases.
  - 4. The system of claim 1, wherein the mechanism enables full lifecycle encryption and cross-platform sharing of encrypted data within and between organizations, individuals, applications, and devices.
  - 5. The system of claim 1, wherein the mechanism provides an interface by automating encryption, decryption, and key exchange processes.
  - 6. The system of claim 1, wherein the mechanism provides a distributed encryption solution enabling scalability to any size organization.
  - 7. The system of claim 1, wherein a customized community of interest is generated based on a selection of at least one of a plurality of options among built-in operating parameters, comprising:
    - selecting a public key encryption algorithm;
      
      selecting a registry or a plurality of registries;
      
      establishing membership requirements and identity verification thresholds;
      
      selecting a storage solution or solutions at which to establish the one or more cloud lockboxes;
      
      selecting from among a plurality of optional security measures;
      
      determining a minimum application integration level; and
      
      determining initial metadata structure, purpose, and meaning.
  - 8. The system of claim 1, wherein the three-part-core mechanism is vendor-neutral, thereby enabling underlying software to security-enable at least one of a records management, file sharing, or document management application software.
  - 9. The system of claim 2, wherein the three-part-core mechanism and the application programming interface operate as a standalone service.
  - 10. The system of claim 1, wherein the plurality of participants are associated with members of the community of interest, the member of the community of interest comprises at least one of:
    - an individual participating directly;
      
      an organization participating for its own purposes; and
      
      an organization participating to represent multiple individuals, whereby the multiple individuals are participating by proxy.
  - 11. The system of claim 10, wherein the three-part-core mechanism provides the multiple individuals participating by proxy or individuals participating directly the ability to access data, to review activity logs, and to receive alerts regarding anomalous access.
  - 12. The system of claim 1, wherein the mechanism is configured to:
    - enable a key master to exchange one or more private keys of a participant with another key master;
      
      encrypt a first participant'"'"'s private key with the public key of the key master serving a second participant;
      
      decrypt the first participant'"'"'s private key with the private of the key master serving the second participant.
  - 13. The system of claim 1, wherein the mechanism is configured to:
    - enable a key master to exchange one or more private keys of a participant with another key master using a secure relay;
      
      encrypt a first participant'"'"'s private key with the public key of the key master serving a second participant;
      
      decrypt the first participant'"'"'s private key with the private of the key master serving the second participant.
  - 14. The system of claim 12, wherein the key master is further configured to exchange public keys of a participant with another key master.
  - 15. The system of claim 13, wherein the key master is further enabled to exchange public keys of a participant with another key master using the secure relay.
  - 16. The system of claim 1, wherein the mechanism is configured to:
    - update permissions at the registry serving a first participant to enable a second participant to deposit encrypted data into, and/or retrieve specified subsets of the encrypted data from, the first participant'"'"'s cloud lockbox.
  - 17. The system of claim 16, wherein the second participant is designated as a deposit-only participant.
  - 18. The system of claim 1, wherein the mechanism is configured to:
    - generate activity records of at least one of key creation, key sharing, file retrieval requests, and private key exchanges.
  - 19. The system of claim 1, wherein:
    - the key master is configured to be managed by a key master administrative application programming interface; and
      
      the key master administrative application programming interface includes a key vault for securely storing private keys of the key master and the private keys of participants served by the key master being administered.
  - 20. The system of claim 2, wherein the key master is configured to generate a unique file identifier when encrypting a file, the unique file identifier:
    - is anonymous with respect to information regarding the owner or contents of the file;
      
      is anonymous with respect to information regarding the physical storage location of the file;
      
      is utilized throughout the lifecycle of the file to identity the file; and
      
      is provided to the application programming interface for use in later file retrieval.
  - 21. The system of claim 1, wherein the cloud lockbox is configured to create and provide a one-time, time-limited, download token for retrieval of the encrypted data.
  - 22. The system of claim 2, wherein the cloud lockbox is configured to generate a unique file identifier when receiving a file, the unique file identifier:
    - is anonymous with respect to information regarding the owner or contents of the file;
      
      is anonymous with respect to information regarding the physical storage location of the file;
      
      is utilized throughout the lifecycle of the file to identity the file; and
      
      is provided to the application programming interface for use in later file retrieval.
  - 23. The system of claim 1, wherein the mechanism is configured to enable push notifications, indicative of new file availability, to members.
  - 24. The system of claim 2, wherein the registry is configured to serve as a secure relay to:
    - receive encrypted data from a key master;
      
      update access permissions to retrieve the encrypted data based on access policy and/or metadata appended to the encrypted data by the application programming interface;
      
      transfer the encrypted data to a cloud lockbox; and
      
      facilitate retrieval of the encrypted data by requesting a time limited download token from the cloud lockbox to retrieve the encrypted data.
  - 25. The system of claim 1, wherein the registry is configured to receive one or more activity logs from the key masters, the application program interfaces, and the cloud lockboxes to:
    - analyze the one or more activity logs to detect and halt anomalous access; and
      
      provide alerts regarding anomalous access and with routine access to activity logs.
  - 26. The system of claim 2, wherein the registry is configured to conduct routine polling of the one or more key masters, the one or more application programming interfaces, the one or more cloud lockboxes, and other registries to verify accessibility of activity reporting.
  - 27. The system of claim 1, wherein the key master is operated by or on behalf of a participant of the plurality of participants of the community of interest, wherein the key master is configured to:
    - receive a participant'"'"'s related metadata;
      
      encrypt the related metadata with the participant'"'"'s public key;
      
      create non-sensitive transactional metadata and associate the non-sensitive transactional metadata with the participant'"'"'s data and related metadata;
      
      transmit the encrypted metadata, and transactional metadata to a cloud lockbox associated with the participant, a process which employs a secure relay; and
      
      retrieve the encrypted metadata from the cloud lockbox, a process which employs a secure relay.
  - 28. The system of claim 1, wherein a registry remotely coupled to the cloud lockbox and the key master is configured to:
    - communicate with additional registries if more than one registry is operational for the community of interest; and
      
      record the IP address of the key master, the cloud lockbox and the registry for selectively restricting communications.
  - 29. The system of claim 1, wherein the registry is configured to conduct routing polling of the plurality of key masters to establish and maintain routine contact to:
    - provide awareness by the registry of key master status;
      
      provide notification to key masters of pending secure relay actions;
      
      download tokens to key masters to authorize retrieval of encrypted data; and
      
      provide opportunity for security triggers related to changes of key master operational environment.
  - 30. The system of claim 1, wherein the key master is configured to issue, honor and confirm requests from other key masters to revoke and erase their local copy of the private key of an individual participant that had been previously shared.
  - 31. The system of claim 1, wherein the cloud lockbox is configured to employ a file system including at least one of public cloud services, private cloud environments, local or remote servers, and local device storage.
  - 32. The system of claim 1, wherein an individual'"'"'s cloud lockbox is split with an individual'"'"'s files stored across a plurality of the file systems.
  - 33. The system of claim 2, wherein an application programming interface is configured to at least one of:
    - convert data between a plurality of formats;
      
      convert data between a key-value data store and a relational database;
      
      generate metadata specific to an application, wherein the metadata is one of;
      
      appended to data and encrypted with the data;
      
      encrypted separately from the data; and
      
      left unencrypted and added to the transactional metadata created by the key master by;
      
      using unencrypted metadata as indexing elements, information about the source of the data; and
      
      using unencrypted metadata to enable granular access control;
      
      map a participant device'"'"'s identification numbers in an application to community of interest identification numbers for the same participant device;
      
      enable the creation of a hybrid cloud and an on-premise storage solution; and
      
      transmit activity records of file retrieval requests and access revocations to the registries.
  - 34. The system of claim 2, wherein an application programming interface is configured to:
    - facilitate multi-factor authentication in a key master or registry;
      
      conduct administration of the key master;
      
      host a vault for securely storing and backing up private keys of individuals and key masters;
      
      receive alerts from the key masters, registries, cloud lockboxes or other application programming interfaces; and
      
      respond to alerts from the key masters, registries, cloud lockboxes or other application programming interfaces transmitted to the application programming interface, texted to a device or transmitted as a voice call to the device.
  - 35. The system of claim 1, where in a key master administration application programming interface enables a key master administrator to:
    - conduct routine maintenance of key master functions;
      
      allow new users to associate to key master;
      
      facilitate multi-factor authentication to a key master or registry;
      
      receive alerts from the key masters, registries, cloud lockboxes or other application programming interfaces; and
      
      respond to alerts from the key masters, registries, cloud lockboxes or other application programming interfaces transmitted to the key master administrative application programming interface, texted to a device or transmitted as a voice call to the device.
  - 36. The system of claim 1, wherein a key master operates within an elastic compute environment to provide scalable hosted key master services.
  - 37. The system of claim 2, wherein an application programming interface hosts a key vault to securely backup the private keys of participant.
  - 38. The system of claim 1, wherein a user fully control access to his/her own private keys using an application programming interface and associated key vault.
  - 39. The system of claim 2, wherein an application programming interface appends metadata to an encrypted file to indicate permissions inherited based on selections by the users.
  - 40. The system of claim 2, wherein the application programming interfaces distribute and thus improve breach detection, including the breach of end-points.
  - 41. The system of claim 2, wherein the key masters operate malware detection functions to:
    - scan files after decryption, before being provided to an application programming interface; and
      
      scan files after being provided from the application programming interface, before encryption.
  - 42. The system of claim 2, wherein individuals or companies outside a community of interest may operate the application programming interfaces to:
    - establish their identity at the registry;
      
      obtain public key of an individual or organization;
      
      encrypt data with the public key of an individual or organization;
      
      transmit the encrypted data files to one of;
      
      the recipient'"'"'s cloud lockbox, a process that may include a secure relay; and
      
      a quarantine location, a process that includes a secure relay; and
      
      receive acknowledgement that a member of the community of interest received the encrypted data file.
  - 43. The system of claim 1, wherein a member of a community of interest may receive data from individuals or companies outside the community of interest in which:
    - a notification is provided to the member that a file from an outside source is awaiting review in the quarantine location;
      
      the member may review metadata and other information regarding sender of data;
      
      the member may elect to accept data into their cloud lockbox; and
      
      the member'"'"'s key master may decrypt and may scan the external file for malware.
  - 44. The system of claim 1, wherein a registry may be integrated with an external identity management system to delegate an identity verification and/or access permissions processes to the external identity management systems.
  - 45. The system of claim 1, wherein the three-part-core mechanism is configured to use unencrypted transaction metadata as indexing elements to provide information representative of transactional information as defined by the community of interest, including information about data source and date of storage.
  - 46. The system of claim 1, wherein the three-part-core mechanism is configured to enable:
    - changing keys;
      
      revoking access;
      
      recovering keys;
      
      recovering files;
      
      de-identifying files;
      
      tokenizing sensitive data; and
      
      providing emergency access.
  - 47. The system of claim 1, wherein the three-part-core mechanism is configured to offer a plurality of security levels by:
    - deploying the one or more key masters as one or more appliances;
      
      integrating one or more applications with the mechanism to provide additional information, including an internal application username of a person requesting data;
      
      requiring multi-factor authentication;
      
      using messaging to/from mobile devices;
      
      using a key master operational status; and
      
      applying IP address communications restrictions based on information gathered by the registry.
  - 48. The system of claim 1, wherein the key master is configured to compresses and decompresses data and to encrypt and decrypt data.
  - 49. The system of claim 1, wherein the mechanism is configured to provide real-time protection, data integrity and control of intelligent embedded systems of electronics, software, sensors and network connectivity.
  - 50. The system of claim 49, wherein the mechanism is configured to provide real-time protection for the intelligent embedded system by verifying the identity of entity issuing a remote command by:
    - verifying the identity of the entity using a digital signature, verification of which involves the registry,one of allowing or denying the remotely issued command based on a list of approved entities.
  - 51. The system of claim 49, wherein a remote entity issuing commands to intelligent embedded systems may operate its own key master and related application programming interfaces to advance identity verification by an onboard key master.
  - 52. The system of claim 49, wherein the mechanism is configured to provides real-time protection for the intelligent embedded system by:
    - one of allowing or denying remotely issued commands based on a list of accepted commands; and
      
      one of allowing or denying remotely issued commands based on the operating state of the intelligent embedded system.
  - 53. The system of claim 49, wherein the owner of the intelligent embedded system trains the mechanism regarding the identity of entities approved for issuing remote commands, the specific commands allowed, and the related state of the intelligent embedded system during which approved commands are allowed.
  - 54. The system of claim 49, wherein the mechanism is configured to operate transparently for some period of time, cataloging all commands issued by remote entities and providing to the owner of intelligent embedded system opportunity to one of accept or deny commands and establish an intelligent embedded system state in which commands may be executed.
  - 55. The system of claim 49, wherein onboard data is synchronized to a location remote from the embedded system to provide backup of the approved identities, commands, and related embedded system states.
  - 56. The system of claim 49, wherein the mechanism is configured to determine the integrity of the approved list of identities to issue remote commands and the integrity of the list of approved remote commands using an file integrity checking solution.
  - 57. The system of claim 49, wherein remotely issued commands and related actions by the mechanism are logged and transmitted to a location remote from the embedded system.
  - 58. The system of claim 1, wherein the registry is further configured to maintain a directory for lookup and delivery of public keys of participants, organizations, and devices.
  - 59. The system of claim 1, wherein the mechanism is configured to support secure sharing without the exchange of participant'"'"'s private keys through use of deposit-only permissions supporting participant-to-participant exchange.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Reid Consulting Group, Inc.
Inventors
Reid, Thomas Alan, Guy, Dennie
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Golriz, Arya

Application Number

US15/170,981
Publication Number

US 20160277374A1
Time in Patent Office

712 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G16H 10/60   for patient-specific data, ...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/101   Access control lists [ACL]

System and method for securely storing and sharing information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securely storing and sharing information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links