Systems and methods for securing data using multi-factor or keyed dispersal
Abstract
A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths. A keyed information dispersal algorithm (keyed IDA) may also be used. The key for the keyed IDA may additionally be protected by an external workgroup key, resulting in a multi-factor secret sharing scheme.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for securing a data set, the method comprising:
receiving, using a processor that includes processing circuitry, two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the units of data of the data set; encrypting the session key using a workgroup key; forming two or more user shares, wherein each user share is formed by inserting a portion of the encrypted session key into a respective encrypted data set share at a location that is based on the workgroup key; and providing the two or more user shares for non-transitory storage, whereby the data set is restorable from a minimum number of the two or more user shares.
2 . The method of claim 1 , wherein the workgroup key is stored separately from the two or more user shares.
3 . The method of claim 2 , further comprising causing the storage of the workgroup key on a data depository on which at least one of the two or more user shares is stored, wherein the workgroup key is stored at a different location from a location at which the at least one of the two or more user shares is stored.
4 . The method of claim 2 , further comprising causing the storage of the workgroup key on a different data depository from a data depository on which the two or more user shares are stored.
5 . The method of claim 2 , wherein the workgroup key is stored in a hardware-based key.
6 . The method of claim 2 , wherein generating the session key shares comprises generating the session key shares using robust computational secret sharing (RCSS).
7 . The method of claim 2 , wherein causing the storage of the two or more user shares comprises causing the storage of the two or more user shares separately on at least one data depository.
8 . The method of claim 7 , wherein causing the storage of the two or more user shares separately on at least one data depository comprises causing the storage of the two or more user shares on different locations of the same data depository.
9 . The method of claim 7 , wherein causing the storage of the two or more user shares separately on at least one data depository comprises causing the storage of the two or more user shares on different data depositories.
10 . The method of claim 1 , further comprising generating the two or more encrypted data set shares, wherein the generating comprises:
generating, based at least in part on the session key, random or pseudo-random numbers; associating the random or pseudo-random numbers with the two or more encrypted data set shares; associating the random or pseudo-random numbers with units of data from the encrypted data set; and determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.
11 . An apparatus for securing a data set, the apparatus comprising a physical processor configured to:
receive two or more encrypted data set shares, wherein the encrypted data set shares correspond to a data set and are secured using a session key, each encrypted data set share being based on less than all of the data units of the data set; encrypt the session key using a workgroup key; form two or more user shares, wherein each user share is formed by inserting a portion of the encrypted session key into a respective encrypted data set share at a location that is based on the workgroup key; and provide the two or more user shares for non-transitory storage, whereby the data set is restorable from a minimum number of the two or more user shares.
12 . The apparatus of claim 11 , wherein the physical processor is configured to store the workgroup key separately from the two or more user shares.
13 . The apparatus of claim 12 , further the physical processor is configured to cause the storage of the workgroup key on a data depository on which at least one of the two or more user shares is stored, wherein the workgroup key is stored at a different location from a location at which the at least one of the two or more user shares is stored.
14 . The apparatus of claim 12 , further the physical processor is configured to cause the storage of the workgroup key on a different data depository from a data depository on which the two or more user shares are stored.
15 . The apparatus of claim 12 , wherein the physical processor is configured to store the workgroup key in a hardware-based key.
16 . The apparatus of claim 12 , wherein the physical processor is configured to generate the session key shares by generating the session key shares using robust computational secret sharing (RCSS).
17 . The apparatus of claim 12 , wherein the physical processor is configured to cause the storage of the two or more user shares by causing the storage of the two or more user shares separately on at least one data depository.
18 . The apparatus of claim 17 , wherein the physical processor is configured to cause the storage of the two or more user shares separately on at least one data depository by causing the storage of the two or more user shares on different locations of the same data depository.
19 . The apparatus of claim 17 , wherein the physical processor is configured to cause the storage of the two or more user shares separately on at least one data depository by causing the storage of the two or more user shares on different data depositories.
20 . The apparatus of claim 11 , the physical processor is configured to store generating the two or more encrypted data set shares by:
generating, based at least in part on the session key, random or pseudo-random numbers; associating the random or pseudo-random numbers with the two or more encrypted data set shares; associating the random or pseudo-random numbers with units of data from the encrypted data set; and determining into which of the two or more encrypted data set shares to distribute each unit of data based at least in part on the association of the random or pseudo-random numbers with the two or more user shares and with the units of data.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.