Systems and methods for secure data sharing

US 8,769,270 B2
Filed: 09/20/2011
Issued: 07/01/2014
Est. Priority Date: 09/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method for encrypting a data file, comprising:

receiving a request to encrypt the data file;

retrieving a workgroup key associated with the data file;

retrieving unique information associated with the data file;

computing a hash value of the workgroup key;

combining the hash value of the workgroup key and the unique information by a hardware processor using a substantially randomized technique to form a file-level key;

encrypting the data file based on the file-level key;

receiving a request from an entity to access the encrypted data file, wherein the entity is not a member of a workgroup associated with the workgroup key; and

sharing the file-level key with the entity.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for creating and using a sharable file-level key to secure data files. The sharable file-level key is generated based on a workgroup key associated with the data file, as well as unique information associated with the data file. The sharable file-level key may be used to encrypt and split data using a Secure Parser. Systems and methods are also provided for sharing data without replicating the data on the machine of the end user. Data is encrypted and split across an external/consumer network and an enterprise/producer network. Access to the data is provided using a computing image generated by a server in the enterprise/producer network and then distributed to end users of the external/consumer network. This computing image may include preloaded files that provide pointers to the data that was encrypted and split. No access or replication of the data on the enterprise/producer network is needed in order for a user of the external/consumer network to access the data.

303 Citations

26 Claims

1. A method for encrypting a data file, comprising:
- receiving a request to encrypt the data file;
  
  retrieving a workgroup key associated with the data file;
  
  retrieving unique information associated with the data file;
  
  computing a hash value of the workgroup key;
  
  combining the hash value of the workgroup key and the unique information by a hardware processor using a substantially randomized technique to form a file-level key;
  
  encrypting the data file based on the file-level key;
  
  receiving a request from an entity to access the encrypted data file, wherein the entity is not a member of a workgroup associated with the workgroup key; and
  
  sharing the file-level key with the entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the workgroup key does not contain the unique information associated with the data file.
  - 3. The method of claim 1, wherein retrieving unique information associated with the data file comprises retrieving at least one of:
    - a name of the data file, a time and date the data file was created, a time the data file was last modified, a pointer to the location of the data file within the file system of a storage device, a size of the data file, and a type associated with the data file.
  - 4. The method of claim 1, wherein retrieving unique information associated with the data file further comprises accessing an attribute of the data file without accessing any data within the data file.
  - 5. The method of claim 1, further comprising computing a hash value of the unique information associated with the data file.
  - 6. The method of claim 1, wherein combining the hash value of the workgroup key and the unique information comprises jumbling the hash value of the workgroup key and the unique information based on a substantially random session key.
  - 7. The method of claim 1, wherein encrypting the data file based on the file-level key further comprises:
    - encrypting the data file using the file-level key and the workgroup key;
      
      generating a random or pseudo-random value;
      
      distributing, based, at least in part, on the random or pseudorandom value, encrypted data of the encrypted data file into two or more shares; and
      
      storing the two or more shares separately on at least one data depository.

8. A system for encrypting a data file, comprising a hardware processor configured to:
- receive a request to encrypt the data file;
  
  retrieve a workgroup key associated with the data file;
  
  retrieve unique information associated with the data file;
  
  compute a hash value of the workgroup key;
  
  combine the hash value of the workgroup key and the unique information using a substantially randomized technique to form a file-level key;
  
  encrypt the data file based on the file-level key;
  
  receive a request from an entity to access the encrypted data file, wherein the entity is not a member of a workgroup associated with the workgroup key; and
  
  share the file-level key with the entity.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 26)
- - 9. The system of claim 8, wherein the workgroup key does not contain the unique information associated with the data file.
  - 10. The system of claim 8, wherein the hardware processor is further configured to retrieve unique information associated with the data file by retrieving at least one of:
    - a name of the data file, a time and date the data file was created, a time the data file was last modified, a pointer to the location of the data file within the file system of a storage device, a size of the data file, and a type associated with the data file.
  - 11. The system of claim 8, wherein the hardware processor is further configured to retrieve unique information associated with the data file by accessing an attribute of the data file without accessing any data within the data file.
  - 12. The system of claim 8, wherein the hardware processor is further configured to compute a hash value of the unique information associated with the data file.
  - 13. The system of claim 8, wherein the hardware processor is configured to combine the hash value of the workgroup key and the unique information further by jumbling the hash value of the workgroup key and the unique information based on a substantially random session key.
  - 14. The system of claim 8, wherein the hardware processor is further configured to encrypt the data file based on the file-level key further by:
    - encrypting the data file using the file-level key and the workgroup key;
      
      generating a random or pseudo-random value;
      
      distributing, based at least in part on the random or pseudorandom value, the encrypted data of the encrypted data file into two or more shares; and
      
      storing the two or more shares separately on at least one data depository.
  - 26. The system of claim 8, wherein the hardware processor comprises one or more hardware processors in one or more servers.

15. A method for securely sharing a data set, comprising:
- encrypting the data set using at least one cryptographic key;
  
  generating a random or pseudo-random valuedistributing, based at least in part on the random or pseudorandom value, the encrypted data in the data set into two or more shares;
  
  distributing the two or more data shares across at least one consumer storage location and at least one enterprise storage location;
  
  generating permissions associated with the data set;
  
  generating a computing image that provides one or more pointers to the data set, wherein generating the computing image comprises generating a virtual machine image comprising preloaded stub files, wherein the preloaded stub files provide pointers to the two or more data shares;
  
  distributing the computing image to users associated with the at least one consumer storage location; and
  
  using the computing image, providing access to the data set based on the permissions.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, further comprising generating stub files independently of generating the computing image, wherein the stub files provide pointers to the two or more data shares.
  - 17. The method of claim 15, wherein distributing the computing image comprises physically distributing the computing image to at least one end user of the at least one consumer storage location.
  - 18. The method of claim 15, wherein distributing the computing image comprises distributing the computing image across a network to at least one end user of the at least one consumer storage location.
  - 19. The method of claim 15, wherein the computing image provides access to the data set independent of reconstructing the data set from the two or more data shares.

20. A system for securely sharing a data set, the system comprising a hardware processor configured to:
- encrypt the data set using at least one cryptographic stored on a key manager;
  
  generate a random or pseudo-random valuedistribute, based, at least in part, on the random or pseudorandom value, encrypted data in the data set into two or more shares;
  
  distribute the two or more data shares across at least one consumer storage location and at least one enterprise storage location;
  
  generate permissions associated with the data set;
  
  generate a computing image that provides one or more pointers to the data set by generating a virtual machine image comprising preloaded stub files, wherein the preloaded stub files provide pointers to the two or more data shares;
  
  distribute the computing image to users associated with the at least one consumer storage location; and
  
  using the computing image, provide access to the data set based on the permissions.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The system of claim 20, wherein the hardware processor is further configured to generate stub files independently of generating the computing image, wherein the stub files provide pointers to the two or more data shares.
  - 22. The system of claim 20, wherein the hardware processor is configured to distribute the computing image by physically distributing the computing image to at least one end user of the at least one consumer storage location.
  - 23. The system of claim 20, wherein the hardware processor is configured to distribute the computing image by distributing the computing image across a network to at least one end user of the at least one consumer storage location.
  - 24. The system of claim 20, wherein the computing image provides access to the data set independent of reconstructing the data set from the two or more data shares.
  - 25. The system of claim 20, wherein the hardware processor comprises one or more hardware processors in one or more servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
Orsini, Rick L., O'Hare, Mark S., Landau, Gabriel D., Staker, Matthew, Yakamovich, William
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US13/237,781
Publication Number

US 20120072723A1
Time in Patent Office

1,015 Days
Field of Search

None
US Class Current

713/165
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3268   using certificate validatio...

Systems and methods for secure data sharing

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

303 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for secure data sharing

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others