Systems and methods for securing data using multi-factor or keyed dispersal
First Claim
1. A method for securing a data set, the method comprising:
- generating, by a computer system, a session key;
- encrypting, by the computer system, the data set using the session key to produce an encrypted data set;
- encrypting, by the computer system, the session key with a shared workgroup key;
- distributing, by the computer system, unique portions of the encrypted session key into three or more session key shares;
- distributing, by the computer system, unique portions of the encrypted data set into three or more encrypted data set shares;
- forming, by the computer system, three or more user shares by combining each of at least three session key shares and a respective one of at least three encrypted data set shares by interleaving each of the at least three session key shares into the respective one of the at least three encrypted data set shares, thereby causing each of the at least three session key shares to be distributed into a different one of the at least three encrypted data set shares; and
- causing, by the computer system, the storage of the three or more user shares separately on at least one data depository, whereby the shared workgroup key and at least two of the three or more user shares are needed to restore the data.
Abstract
A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data that may be communicated using multiple communications paths. A keyed information dispersal algorithm (keyed IDA) may also be used. The key for the keyed IDA may additionally be protected by an external workgroup key, resulting in a multi-factor secret sharing scheme.
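The flow recited in claim 1 and summarized in the abstract, as an added sketch that is not code from the patent or its assignee: a session key encrypts the data, the workgroup key wraps the session key, both ciphertexts are dispersed 2-of-3, and each key share is interleaved into its data share. The XOR-parity split, the SHA-256 keystream `toy_cipher` stand-in, the byte-alternating interleave and all function names are assumptions of this example.

```python
import hashlib
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key, data):
    # Stand-in for a real cipher (XOR with a SHA-256 counter keystream).
    # Unauthenticated and nonce-less: demo only, use AES-GCM / key wrap in practice.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in blocks)
    return xor(data, stream)

def split3(blob):
    # Assumed 2-of-3 dispersal: two halves plus their XOR parity.
    blob += b"\0" * (len(blob) % 2)
    a, b = blob[:len(blob) // 2], blob[len(blob) // 2:]
    return [a, b, xor(a, b)]

def join3(parts):
    # parts maps share index -> bytes; any two indices rebuild both halves.
    a, b, p = parts.get(0), parts.get(1), parts.get(2)
    a = xor(b, p) if a is None else a
    b = xor(a, p) if b is None else b
    return a + b

def interleave(ks, ds):
    # Alternate key-share and data-share bytes, then append the rest of ds.
    pairs = b"".join(ks[i:i + 1] + ds[i:i + 1] for i in range(len(ks)))
    return pairs + ds[len(ks):]

def deinterleave(us, klen=16):  # 16 = half of the 32-byte wrapped session key
    n = min(klen, len(us) - klen)  # number of (key, data) byte pairs
    ks, ds, tail = us[0:2 * n:2], us[1:2 * n:2], us[2 * n:]
    return (ks + tail, ds) if n < klen else (ks, ds + tail)

def protect(data, workgroup_key):
    session_key = secrets.token_bytes(32)
    enc_data = toy_cipher(session_key, len(data).to_bytes(4, "big") + data)
    enc_key = toy_cipher(workgroup_key, session_key)
    return [interleave(k, d) for k, d in zip(split3(enc_key), split3(enc_data))]

def restore(user_shares, workgroup_key):
    if len(user_shares) < 2:
        raise ValueError("need at least two user shares")
    parts = {i: deinterleave(s) for i, s in user_shares.items()}
    enc_key = join3({i: p[0] for i, p in parts.items()})
    enc_data = join3({i: p[1] for i, p in parts.items()})
    plain = toy_cipher(toy_cipher(workgroup_key, enc_key), enc_data)
    return plain[4:4 + int.from_bytes(plain[:4], "big")]
```

`restore` takes a dict mapping share index (0, 1 or 2) to the stored user share. Because the stand-in cipher carries no integrity tag, a wrong workgroup key yields garbage rather than an error.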
44 Claims
1. A method for securing a data set, the method comprising:
- generating, by a computer system, a session key;
- encrypting, by the computer system, the data set using the session key to produce an encrypted data set;
- encrypting, by the computer system, the session key with a shared workgroup key;
- distributing, by the computer system, unique portions of the encrypted session key into three or more session key shares;
- distributing, by the computer system, unique portions of the encrypted data set into three or more encrypted data set shares;
- forming, by the computer system, three or more user shares by combining each of at least three session key shares and a respective one of at least three encrypted data set shares by interleaving each of the at least three session key shares into the respective one of the at least three encrypted data set shares, thereby causing each of the at least three session key shares to be distributed into a different one of the at least three encrypted data set shares; and
- causing, by the computer system, the storage of the three or more user shares separately on at least one data depository, whereby the shared workgroup key and at least two of the three or more user shares are needed to restore the data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An apparatus for securing a data set, the apparatus comprising:
- at least one data depository; and
- a computer system configured to:
  - generate a session key;
  - encrypt the data set using the session key to produce an encrypted data set;
  - encrypt the session key using a shared workgroup key;
  - distribute unique portions of the encrypted session key into three or more session key shares;
  - distribute unique portions of the encrypted data set into three or more encrypted data set shares;
  - form three or more user shares by combining each of at least three session key shares and a respective one of at least three encrypted data set share by interleaving each of the at least three session key shares into the respective one of the at least three encrypted data set shares, thereby causing each of the at least three session key shares to be distributed into a different one of the at least three encrypted data set shares; and
  - store the three or more user shares separately on the at least one data depository, whereby the shared workgroup key and at least two of the three or more user shares are needed to restore the data set.
Dependent claims: 11, 12, 13, 14, 15, 16, 17
18. A machine-readable non-transitory medium comprising machine program logic recorded thereon which, when executed by a processor, cause a computing system to carry out the steps of:
- generating a session key;
- encrypting the data set using the session key to produce an encrypted data set;
- encrypting the session key with a shared workgroup key;
- distributing unique portions of the encrypted session key into three or more session key shares;
- distributing unique portions of the encrypted data set into three or more encrypted data set shares;
- forming three or more user shares by combining each of at least three session key shares and a respective one of at least three encrypted data set shares by interleaving each of the at least three session key shares into the respective one of the at least three encrypted data set shares, thereby causing each of the at least three session key shares to be distributed into a different one of the at least three encrypted data set shares; and
- causing the storage of the three or more user shares separately on at least one data depository, whereby the shared workgroup key and at least two of the three or more user shares are needed to restore the data set.
19. A method for securing a data set, the method comprising:
- generating, by a computer system, a session key;
- encrypting, by the computer system, the data set using the session key to produce an encrypted data set;
- encrypting, by the computer system, the session key with a shared workgroup key;
- distributing, by the computer system, unique portions of the encrypted session key into two or more session key shares;
- distributing, by the computer system, unique portions of the encrypted data set into two or more encrypted data set shares;
- forming, by the computer system, two or more user shares by combining each of at least two session key shares and a respective one of at least two encrypted data set shares by interleaving each of the at least two session key shares into the respective one of the at least two encrypted data set shares, thereby causing each of the at least two session key shares to be distributed into a different one of the at least two encrypted data set shares; and
- causing, by the computer system, the storage of the two or more user shares separately on at least one data depository, whereby the data set is restorable from the shared workgroup key and a minimum number of the two or more user shares.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
32. An apparatus for securing a data set, the apparatus comprising:
- at least one data depository; and
- a computer system configured to:
  - generate a session key;
  - encrypt the data set using the session key to produce an encrypted data set;
  - encrypt the session key using a shared workgroup key;
  - distribute unique portions of the encrypted session key into two or more session key shares;
  - distribute unique portions of the encrypted data set into two or more encrypted data set shares;
  - form two or more user shares by combining each of at least two session key shares and a respective one of at least two encrypted data set shares by interleaving each of the at least two session key shares into the respective one of the at least two encrypted data set shares, thereby causing each of the at least two session key shares to be distributed into a different one of the at least two encrypted data set shares; and
  - store the two or more user shares separately on at least one data depository, the data set is restorable from the shared workgroup key and a minimum number of the two or more user shares.
Dependent claims: 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43
44. A machine-readable non-transitory medium comprising machine program logic recorded thereon which, when executed by a processor, cause a computing system to carry out the steps of:
- generating a session key;
- encrypting the data set using the session key to produce an encrypted data set;
- encrypting the session key with a shared workgroup key;
- distributing unique portions of the encrypted session key into two or more session key shares;
- distributing unique portions of the encrypted data set into two or more encrypted data set shares;
- forming two or more user shares by combining each of at least two session key shares and a respective one of at least two encrypted data set shares by interleaving each of the at least two session key shares into the respective one of the at least two encrypted data set shares, thereby causing each of the at least two session key shares to be distributed into a different one of the at least two encrypted data set shares; and
- causing the storage of the two or more user shares separately on at least one data depository, whereby the data set is restorable from the shared workgroup key and a minimum number of the two or more user shares.
Specification