Systems and methods for securing data in motion

US 9,443,097 B2
Filed: 03/31/2011
Issued: 09/13/2016
Est. Priority Date: 03/31/2010
Status: Active Grant

First Claim

Patent Images

1. A method for securing data, the method comprising:

receiving, using a programmed hardware processor, a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, wherein;

(1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set, and(2) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and

in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set;

(a) reconstructing the encrypted data set using the first split key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set, and(b) generating a second set of data shares from the reconstructed encrypted data set using a second split key without decrypting the reconstructed encrypted data set, wherein the second split key is different from the first split keyretrieving headers associated with the first set of data shares;

extracting a key encryption key from the retrieved headers;

encrypting an authentication key with the key encryption key; and

storing the encrypted authentication key within headers of the second set of data shares.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods of the present invention provide a solution that makes data provably secure and accessible—addressing data security at the bit level—thereby eliminating the need for multiple perimeter hardware and software technologies. Data security is incorporated or weaved directly into the data at the bit level. The systems and methods of the present invention enable enterprise communities of interest to leverage a common enterprise infrastructure. Because security is already woven into the data, this common infrastructure can be used without compromising data security and access control. In some applications, data is authenticated, encrypted, and parsed or split into multiple shares prior to being sent to multiple locations, e.g., a private or public cloud. The data is hidden while in transit to the storage location, and is inaccessible to users who do not have the correct credentials for access.

352 Citations

22 Claims

1. A method for securing data, the method comprising:
- receiving, using a programmed hardware processor, a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, wherein;
  
  (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set, and(2) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
  
  in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set;
  
  (a) reconstructing the encrypted data set using the first split key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set, and(b) generating a second set of data shares from the reconstructed encrypted data set using a second split key without decrypting the reconstructed encrypted data set, wherein the second split key is different from the first split keyretrieving headers associated with the first set of data shares;
  
  extracting a key encryption key from the retrieved headers;
  
  encrypting an authentication key with the key encryption key; and
  
  storing the encrypted authentication key within headers of the second set of data shares.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set in response to a determination that one or more of the first set of data shares have been compromised.
  - 3. The method of claim 1, further comprising storing at least one data share of the second set of data shares on a storage network.
  - 4. The method of claim 3, wherein the storing comprises storing the at least one data share on a storage network that includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.
  - 5. The method of claim 1, wherein the reconstructing comprises:
    - authenticating the first set of data shares with a first authentication key to obtain an authenticated first set of data shares; and
      
      reconstructing the encrypted data set from the authenticated first set of data shares using the first split key.
  - 6. The method of claim 5, further comprising authenticating the second set of data shares with a second authentication key.
  - 7. The method of claim 6, further comprising:
    - encrypting the second authentication key with the key encryption key; and
      
      storing the encrypted second authentication key within headers of the second set of data shares.
  - 8. The method of claim 1, further comprising:
    - encrypting the second split key with the key encryption key; and
      
      storing the encrypted second split key within headers of the second set of data shares.

9. A method for securing data, the method comprising:
- receiving, using a programmed hardware processor, a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first encryption key, wherein;
  
  (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set,(2) the first set of data shares is associated with a first authentication key, and(3) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
  
  in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set;
  
  (a) reconstructing the encrypted data set using the first authentication key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set,(b) generating a second set of data shares from the reconstructed encrypted data set without decrypting the reconstructed encrypted data set, and(c) rekeying the second set of data shares by associating the second set of data shares with a second authentication key, wherein the second authentication key is different from the first authentication keyretrieving headers associated with the first set of data shares;
  
  extracting a key encryption key from the retrieved headers;
  
  encrypting the second authentication key with the key encryption key; and
  
  storing the encrypted second authentication key within headers of the second set of data shares.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, further comprising storing at least one data share of the second set of data shares on a storage network.
  - 11. The method of claim 10, wherein the storing comprises storing the at least one data share on a storage network that includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.

12. A system for securing data, the system comprising:
- a programmed hardware processor; and
  
  a non-transitory computer readable medium storing computer executable instructions that, when executed by the processing circuitry, cause the computer system to carry out a method for securing data, the method comprising;
  
  receiving a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first split key, wherein;
  
  (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set, and(2) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
  
  in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set;
  
  (a) reconstructing the encrypted data set using the first split key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set, and(b) generating a second set of data shares from the reconstructed encrypted data set using a second split key without decrypting the reconstructed encrypted data set, wherein the second split key is different from the first split keyretrieving headers associated with the first set of data shares;
  
  extracting a key encryption key from the retrieved headers;
  
  encrypting an authentication key with the key encryption key; and
  
  storing the encrypted authentication key within headers of the second set of data shares.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, further comprising detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set in response to a determination that one or more of the first set of data shares have been compromised.
  - 14. The system of claim 12, wherein the method further comprises storing at least one data share of the second set of data shares on a storage network.
  - 15. The system of claim 14, wherein the storing comprises storing the at least one data share on a storage network that includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.
  - 16. The system of claim 12, wherein the reconstructing comprises:
    - authenticating the first set of data shares with a first authentication key to obtain an authenticated first set of data shares; and
      
      reconstructing the encrypted data set from the authenticated first set of data shares using the first split key.
  - 17. The system of claim 16, wherein the method further comprises authenticating the second set of data shares with a second authentication key.
  - 18. The system of claim 17, further comprising:
    - encrypting the second authentication key with the key encryption key; and
      
      storing the encrypted second authentication key within headers of the second set of data shares.
  - 19. The system of claim 12, wherein the method further comprises:
    - encrypting the second split key with the key encryption key; and
      
      storing the encrypted second split key within headers of the second set of data shares.

20. A system for securing data, the system comprising:
- a programmed hardware processor; and
  
  a non-transitory computer readable medium storing computer executable instructions that, when executed by the processing circuitry, cause the computer system to carry out a method for securing data, the method comprising;
  
  receiving a first set of data shares that were generated from an encrypted data set by an information dispersal algorithm using a first encryption key, wherein;
  
  (1) the first set of data shares includes at least a minimum number less than all of a plurality of data shares generated from the encrypted data set,(2) the first set of data shares is associated with a first authentication key, and(3) each data share of the first set of data shares is based on a portion less than all of the encrypted data set; and
  
  in response to detecting that one or more of the plurality of data shares is unavailable for restoring the encrypted data set;
  
  (a) reconstructing the encrypted data set using the first authentication key and the first set of data shares without decrypting the first set of data shares to obtain a reconstructed encrypted data set,(b) generating a second set of data shares from the reconstructed encrypted data set without decrypting the reconstructed encrypted data set, and(c) rekeying the second set of data shares by associating the second set of data shares with a second authentication key, wherein the second authentication key is different from the first authentication keyretrieving headers associated with the first set of data shares;
  
  extracting a key encryption key from the retrieved headers;
  
  encrypting the second authentication key with the key encryption key; and
  
  storing the encrypted second authentication key within headers of the second set of data shares.
- View Dependent Claims (21, 22)
- - 21. The system of claim 20, wherein the method further comprises storing at least one data share of the second set of data shares on a storage network.
  - 22. The system of claim 21, wherein the storing comprises storing the at least one data share on a storage network that includes one of a private cloud, a public cloud, a hybrid cloud, a removable storage device, and a mass storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L.
Primary Examiner(s)
Desrosiers, Evans

Application Number

US13/077,770
Publication Number

US 20110246766A1
Time in Patent Office

1,993 Days
Field of Search

713/160, 713/150, 709/236, 709/245, 380227-232, 380247-250, 726 1- 36
US Class Current

1/1
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 11/182   based on mutual exchange of...

G06F 11/2094   Redundant storage or storag...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/72   in cryptographic circuits

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 67/1097   for distributed storage of ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

Systems and methods for securing data in motion

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

352 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing data in motion

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

352 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links