Communication Network With Rolling Encryption Keys and Data Exfiltration Control

US 20180337896A1
Filed: 05/18/2017
Published: 11/22/2018
Est. Priority Date: 05/18/2017
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a memory configured to store;

a plurality of encryption keys, wherein each encryption key is linked with an encryption key index; and

an encrypted data entry, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;

a first encryption key index referencing a first encryption key from the plurality of encryption keys, andan encryption wait time period; and

an encryption service engine configured to;

periodically re-encrypt the encrypted data element, wherein re-encrypting the encrypted data element comprises;

determining that the encryption wait time period has lapsed;

obtaining the first encryption key from the plurality of encryption keys using the first encryption key index;

decrypting the encrypted data element using the first encryption key to recover the original data element;

obtaining a second encryption key;

encrypting the original data element using the second encryption key; and

modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;

receive a data request for the encrypted data element;

send the encrypted data element in response to receiving the data request; and

limit the bandwidth of a data channel used to send the encrypted data element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus that includes a memory configured to store encryption keys and encrypted data entries. The apparatus further includes an encryption service engine configured to periodically re-encrypt the encrypted data element, which includes determining that an encryption wait time period has lapsed, obtaining a first encryption key using a first key index, and decrypting the encrypted data element using the first encryption key to recover the original data. The encryption service engine is further configured to obtain a second encryption key, encrypt the original data using the second encryption key, and modify the metadata linked with the encrypted data element with a second key index referencing the second encryption key. The encryption service engine is further configured to receive a data request for the encrypted data element, to send the encrypted data element, and to limit the bandwidth of a data channel used to send the encrypted data element.

2 Citations

20 Claims

1. An apparatus comprising:
- a memory configured to store;
  
  a plurality of encryption keys, wherein each encryption key is linked with an encryption key index; and
  
  an encrypted data entry, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;
  
  a first encryption key index referencing a first encryption key from the plurality of encryption keys, andan encryption wait time period; and
  
  an encryption service engine configured to;
  
  periodically re-encrypt the encrypted data element, wherein re-encrypting the encrypted data element comprises;
  
  determining that the encryption wait time period has lapsed;
  
  obtaining the first encryption key from the plurality of encryption keys using the first encryption key index;
  
  decrypting the encrypted data element using the first encryption key to recover the original data element;
  
  obtaining a second encryption key;
  
  encrypting the original data element using the second encryption key; and
  
  modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;
  
  receive a data request for the encrypted data element;
  
  send the encrypted data element in response to receiving the data request; and
  
  limit the bandwidth of a data channel used to send the encrypted data element.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the metadata comprises an authentication token generated based on the current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.
  - 3. The apparatus of claim 1, wherein obtaining the second encryption key comprises receiving the second encryption key from the memory in response to obtaining the first encryption key from the memory.
  - 4. The apparatus of claim 1, wherein the encryption service engine is configured to remove the first encryption key from the memory in response to decrypting the encrypted data element using the first encryption key.
  - 5. The apparatus of claim 1, wherein:
    - the memory comprises a plurality of data partitions, andeach of the plurality of data partitions uses a different encryption key to encrypt data entries within each data partition.
  - 6. The apparatus of claim 1, wherein obtaining the second encryption key comprises:
    - generating the second encryption key, andcreating a record in the memory for the second encryption key, wherein the record identifies;
      
      the second encryption key,the second encryption key index, andan encryption timestamp.
  - 7. The apparatus of claim 1, wherein the encryption service engine is configured to:
    - receive an encryption key request identifying the first encryption key index;
      
      obtain the first encryption key from the plurality of encryption keys using the first encryption key index; and
      
      send the first encryption key in response to the receiving the encryption key request, wherein sending the first encrypted key comprises limiting the bandwidth of a data channel used to send the first encryption key.

8. A system comprising:
- a mix router configured to;
  
  receive an encryption key request identifying a first encryption key index for an encrypted data element from a network node;
  
  identify an encryption service device linked with the encrypted data element in response to receiving the encryption key request;
  
  send the encryption key request to the encryption service device; and
  
  send an encryption key for the encrypted data element to the network node in response to receiving the encrypted key; and
  
  the encryption service device in signal communication with the mixer router, comprising;
  
  a memory configured to store;
  
  a plurality of encryption keys, wherein each encryption key is linked with an encryption key index;
  
  an encrypted data entry, wherein the encrypted data entry comprises the encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;
  
  the first encryption key index referencing a first encryption key from the plurality of encryption keys, andan encryption wait time period; and
  
  an encryption service engine configured to;
  
  periodically re-encrypt the encrypted data element;
  
  receive the encryption key request;
  
  obtain the first encryption key from the memory using the first encryption key index in response to receiving the encryption key request;
  
  send the first encryption key to the mix router in response to obtaining the first encryption key from the memory; and
  
  limit the bandwidth of a data channel used to send the first encryption key.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein, in response to sending the first encryption key to the mix router, the encryption service engine is configured to:
    - decrypt the encrypted data element using the first encryption key to recover the original data element;
      
      obtain a second encryption key from the plurality of encryption keys;
      
      encrypt the original data element using the second encryption key;
      
      modify the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key; and
      
      remove the first encryption key from the memory.
  - 10. The system of claim 8, wherein the encryption service engine is configured to:
    - receive a data request for the encrypted data element; and
      
      send the encrypted data element in response to receiving the data request, wherein sending the encrypted data element comprises limiting the bandwidth of a data channel used to send the encrypted data element.
  - 11. The system of claim 8, wherein re-encrypting the encrypted data comprises:
    - determining the encryption wait time period has lapsed;
      
      obtaining the first encryption key from the memory using the encryption key index;
      
      decrypting the encrypted data element using the first encryption key to recover the original data element;
      
      obtaining a second encryption key from the plurality of encryption keys;
      
      encrypting the original data element using the second encryption key; and
      
      modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key.
  - 12. The system of claim 8, wherein:
    - the encryption key request is encoded using successive layers of encryption, andeach layer of encryption is decrypted by a different network device as the encryption key request is forwarded from the network node to the encryption services device.
  - 13. The system of claim 8, further comprising a translator device comprising a second memory, wherein the second memory comprises an entry linking the first key index with the encryption service device;
    - wherein identifying the encryption service device linked with the encrypted data element comprises;
      
      sending a device identification request comprising the first encryption key index to the translator device, andreceiving information identifying the encryption service device in response to sending the device identification request.
  - 14. The system of claim 8, wherein the metadata comprises an authentication token generated based on the current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.

15. A method comprising:
- periodically re-encrypting, by an encryption service engine, an encrypted data element comprising;
  
  accessing an encrypted data entry in a memory, wherein the encrypted data entry comprises an encrypted data element and metadata linked with the encrypted data element, wherein the metadata identifies;
  
  a first encryption key index referencing a first encryption key from the plurality of encryption keys, andan encryption wait time period;
  
  determining the encryption wait time period has lapsed;
  
  obtaining the first encryption key from the memory using the first encryption key index;
  
  decrypting the encrypted data element using the first encryption key to recover an original data element;
  
  obtaining a second encryption key;
  
  encrypting the original data element using the second encryption key; and
  
  modifying the metadata linked with the encrypted data element with a second encryption key index referencing the second encryption key;
  
  receiving, at the encryption service engine, a data request for the encrypted data element;
  
  sending, by the encryption service engine, the encrypted data element in response to receiving the data request; and
  
  limiting, by the encryption service engine, the bandwidth of a data channel used to send the encrypted data element.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the metadata comprises an authentication token generated based on the current encryption key index, the encryption wait time period, and at least a portion of the encrypted data element.
  - 17. The method of claim 15, wherein obtaining the second encryption key comprises receiving the second encryption key from the memory in response to obtaining the first encryption key from the memory.
  - 18. The method of claim 15, further comprising removing, by the encryption service engine, the first encryption key from the memory in response to decrypting the encrypted data element using the first encryption key.
  - 19. The method of claim 15, wherein obtaining the second encryption key comprises:
    - generating the second encryption key, andcreating a record in the memory for the second encryption key, wherein the record identifies;
      
      the second encryption key,the second encryption key index, andan encryption timestamp.
  - 20. The method of claim 15, further comprising:
    - receiving, at the encryption service engine, an encryption key requestidentifying the first encryption key index;
      
      obtaining, by the encryption service engine, the first encryption key from the plurality of encryption keys using the first encryption key index; and
      
      sending, by the encryption service engine, the first encrypted key in response to the receiving the encryption key request, wherein sending the first encrypted key comprises limiting the bandwidth of a data channel used to send the first encrypted key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Frankel, Yair, Azeez, Abdul Rafman

Granted Patent

US 10,462,111 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/088   Usage controlling of secret...

H04L 9/3228   One-time or temporary data,...

H04L 9/3297   involving time stamps, e.g....

Communication Network With Rolling Encryption Keys and Data Exfiltration Control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

2 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Communication Network With Rolling Encryption Keys and Data Exfiltration Control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

2 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links