US2018041485A1PendingUtilityA1

Systems and methods for securing data using multi-factor or keyed dispersal

55
Assignee: SECURITY FIRST CORPPriority: Jan 7, 2008Filed: Oct 20, 2017Published: Feb 8, 2018
Est. expiryJan 7, 2028(~1.5 yrs left)· nominal 20-yr term from priority
H04L 9/321H04L 63/062H04L 2209/56G06F 21/6209H04L 9/0822H04L 9/3226H04L 63/065H04L 9/085H04L 9/3263H04L 2209/80
55
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths. A keyed information dispersal algorithm (keyed IDA) may also be used. The key for the keyed IDA may additionally be protected by an external workgroup key, resulting in a multi-factor secret sharing scheme.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for securing a data set, the method comprising:
 receiving, using a processor that includes processing circuitry, two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the units of data of the data set;   encrypting the session key using a workgroup key;   forming two or more user shares, wherein each user share is formed by inserting a portion of the encrypted session key into a respective encrypted data set share at a location that is based on the workgroup key; and   providing the two or more user shares for non-transitory storage, whereby the data set is restorable from a minimum number of the two or more user shares.   
     
     
         2 . The method of  claim 1 , wherein the workgroup key is stored separately from the two or more user shares. 
     
     
         3 . The method of  claim 2 , further comprising causing the storage of the workgroup key on a data depository on which at least one of the two or more user shares is stored, wherein the workgroup key is stored at a different location from a location at which the at least one of the two or more user shares is stored. 
     
     
         4 . The method of  claim 2 , further comprising causing the storage of the workgroup key on a different data depository from a data depository on which the two or more user shares are stored. 
     
     
         5 . The method of  claim 2 , wherein the workgroup key is stored in a hardware-based key. 
     
     
         6 . The method of  claim 2 , wherein generating the session key shares comprises generating the session key shares using robust computational secret sharing (RCSS). 
     
     
         7 . The method of  claim 2 , wherein causing the storage of the two or more user shares comprises causing the storage of the two or more user shares separately on at least one data depository. 
     
     
         8 . The method of  claim 7 , wherein causing the storage of the two or more user shares separately on at least one data depository comprises causing the storage of the two or more user shares on different locations of the same data depository. 
     
     
         9 . The method of  claim 7 , wherein causing the storage of the two or more user shares separately on at least one data depository comprises causing the storage of the two or more user shares on different data depositories. 
     
     
         10 . The method of  claim 1 , further comprising generating the two or more encrypted data set shares, wherein the generating comprises:
 generating, based at least in part on the session key, random or pseudo-random numbers;   associating the random or pseudo-random numbers with the two or more encrypted data set shares;   associating the random or pseudo-random numbers with units of data from the encrypted data set; and   determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.   
     
     
         11 . An apparatus for securing a data set, the apparatus comprising a physical processor configured to:
 receive two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the data units of the data set;   encrypt the session key using a workgroup key;   form two or more user shares, wherein each user share is formed by inserting a portion of the encrypted session key into a respective encrypted data set share at a location that is based on the workgroup key; and   provide the two or more user shares for non-transitory storage, whereby the data set is restorable from a minimum number of the two or more user shares.   
     
     
         12 . The apparatus of  claim 11 , wherein the physical processor is configured to store the workgroup key separately from the two or more user shares. 
     
     
         13 . The apparatus of  claim 12 , further the physical processor is configured to cause the storage of the workgroup key on a data depository on which at least one of the two or more user shares is stored, wherein the workgroup key is stored at a different location from a location at which the at least one of the two or more user shares is stored. 
     
     
         14 . The apparatus of  claim 12 , further the physical processor is configured to cause the storage of the workgroup key on a different data depository from a data depository on which the two or more user shares are stored. 
     
     
         15 . The apparatus of  claim 12 , wherein the physical processor is configured to store the workgroup key in a hardware-based key. 
     
     
         16 . The apparatus of  claim 12 , wherein the physical processor is configured to generate the session key shares by generating the session key shares using robust computational secret sharing (RCSS). 
     
     
         17 . The apparatus of  claim 12 , wherein the physical processor is configured to cause the storage of the two or more user shares by causing the storage of the two or more user shares separately on at least one data depository. 
     
     
         18 . The apparatus of  claim 17 , wherein the physical processor is configured to cause the storage of the two or more user shares separately on at least one data depository by causing the storage of the two or more user shares on different locations of the same data depository. 
     
     
         19 . The apparatus of  claim 17 , wherein the physical processor is configured to cause the storage of the two or more user shares separately on at least one data depository by causing the storage of the two or more user shares on different data depositories. 
     
     
         20 . The apparatus of  claim 11 , the physical processor is configured to store generating the two or more encrypted data set shares by:
 generating, based at least in part on the session key, random or pseudo-random numbers;   associating the random or pseudo-random numbers with the two or more encrypted data set shares;   associating the random or pseudo-random numbers with units of data from the encrypted data set; and   determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.