USRE49673E · Active · Utility · PatentIndex 57
Systems and methods for secure data exchange
Est. expiry Jan 29, 2035 (~8.6 yrs left) · nominal 20-yr term from priority
H04L 63/061 · H04L 63/045
PatentIndex Score: 57 · Cited by: 0 · References: 25 · Claims: 20
Abstract
Embodiments described herein provide enhanced computer- and network-based systems and methods for providing data security with respect to computing services, such as a digital transaction service (DTS). Example embodiments further provide a discovery service that enables nodes that are included in, or otherwise communicatively coupled to, the DTS to actively or passively “discover” roles and keys associated with the nodes. These node roles are associated with the various services provided by the DTS.
Claims
exact text as granted — not AI-modified
The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. A computing system comprising:
one or more processors [of a machine]; and
a memory storing instructions that, when executed by the one or more processors, cause [the machine] a first node to perform operations comprising:
[providing] receiving discovery data [to a plurality of nodes including a first node and a second node] from a discovery server, the discovery data including a list of public keys for each of the nodes in the plurality of nodes, the list of public keys including a first public key of the first node and a second public key of [the] a second node, and service role data specifying roles in a network for nodes of the plurality of nodes, the first public key being from a first public and private key pair associated with the first node, the second public key being from a second public and private key pair associated with the second node, the discovery data also received by the second node from the discovery server, the private keys of each key pair being used to decrypt messages encrypted using their respective public keys, the first node and the second node verifying that the discovery data is trustworthy by verifying a private key signature applied to the discovery data by the discovery server using a public key of the discovery server that is obtained in a secure session from an external key manager other than the discovery server;
generating a first message by encrypting, via the first node, a plaintext message using a unidirectional session key for messages from the first node to the second node, the unidirectional session key in the first message further encrypted, via the first node, using the second public key of the second node; and
transmitting, by the first node, the first message to the second node[;], wherein the second node:
stores the unidirectional session key for subsequent use;
[generating] generates a second message by encrypting, via the second node, an additional plaintext message using an additional unidirectional session key for additional messages from the second node to the first node, the additional unidirectional session key in the second message encrypted, via the second node, using the first public key of the first node; and
[transmitting, by the second node,] transmits the second message to the first node.
2. The computing system of claim 1, the operations further comprising:
[assigning] receiving an assignment of a first service role [to] for the first node based on the service role data included in the discovery data[; and assigning], wherein a second service role is assigned to the second node based on the service role data included in the discovery data, wherein each of the first service role and the second service role map authorizations to resources.
3. The computing system of claim 1, wherein the discovery data is a discovery manifest signed by a trusted entity.
4. The computing system of claim 1, wherein the transmitted first message is signed by a trusted entity.
5. The computing system of claim 1, [the operations further comprising: decrypting, via] wherein the second node[,] decrypts the unidirectional session key using the second private key[; and decrypting, via], and wherein the second node[,] decrypts the plaintext message using the unidirectional session key.
6. The computing system of claim 1, wherein the network is an internal network and the plurality of nodes connect over the internal network.
7. The computing system of claim 1, the operations further comprising:
decrypting, via the first node, the additional unidirectional session key using the first private key; and
decrypting, via the first node, the additional plaintext message using the additional unidirectional session key.
8. The computing system of claim 1, [the operations further comprising: storing, via] wherein the second node[,] stores the unidirectional session key in a decrypted state[; receiving, via], wherein the second node[,] receives a subsequent message from the first node, [where] wherein the subsequent message includes a further plaintext message that is encrypted by the unidirectional session key[; and decrypting, via], and wherein the second node[,] decrypts the further plaintext message using the unidirectional session key.
9. The [computing system] first node of claim 1, wherein the discovery data is provided using at least one of a push or a pull service.
10. The computing system of claim 1, wherein the unidirectional session key is a symmetric key and the additional unidirectional session key is a different symmetric key.
11. The computing system of claim 1, wherein the first message that comprises the plaintext message encrypted by the unidirectional session key and the unidirectional session key encrypted by the second public key is a first communication between the first node and the second node.
12. A method comprising:
[providing] receiving, by a first node, from a discovery server, discovery data [to a plurality of nodes including a first node and a second node], the discovery data including a list of public keys for each of the nodes in [the] a plurality of nodes including the first node and a second node, the list of public keys including a first public key of the first node and a second public key of the second node, and service role data specifying roles in a network for nodes of the plurality of nodes, the first public key being from a first public and private key pair associated with the first node, the second public key being from a second public and private key pair associated with the second node, the discovery data also received by the second node from the discovery server, the private keys of each key pair being used to decrypt messages encrypted using their respective public keys, the first node and the second node verifying that the discovery data is trustworthy by verifying a private key signature applied to the discovery data by the discovery server using a public key of the discovery server that is obtained in a secure session from an external key manager other than the discovery server;
generating a first message by encrypting, via the first node, a plaintext message using a unidirectional session key for messages from the first node to the second node, the unidirectional session key in the first message further encrypted, via the first node using the second public key of the second node; and
transmitting, by the first node, the first message to the second node[;], wherein the second node:
stores the unidirectional session key for subsequent use;
[generating] generates a second message by encrypting, via the second node, an additional plaintext message using an additional unidirectional session key for additional messages from the second node to the first node, the additional unidirectional session key in the second message encrypted, via the second node, using the first public key of the first node; and
[transmitting, by the second node,] transmits the second message to the first node.
13. The method of claim 12, further comprising:
[assigning] receiving an assignment of a first service role [to] for the first node based on the service role data included in the discovery data[; and assigning], wherein a second service role is assigned to the second node based on the service role data included in the discovery data, wherein each of the first service role and the second service role map authorizations to resources.
14. The method of claim 12, wherein the discovery data is a discovery manifest signed by a trusted entity.
15. The method of claim 12, [further comprising: decrypting, via] wherein the second node[,] decrypts the unidirectional session key using the second private key[; and decrypting, via], and wherein the second node[,] decrypts the plaintext message using the unidirectional session key.
16. The method of claim 12, wherein the network is an internal network and the plurality of nodes connect over the internal network.
17. The method of claim 12, further comprising:
decrypting, via the first node, the additional unidirectional session key using the first private key; and
decrypting, via the first node, the additional plaintext message using the additional unidirectional session key.
18. A non-transitory computer-readable storage device including instructions that, when executed by a computing system, cause the computing system to perform operations comprising:
[providing] receiving, by a first node, from a discovery server, discovery data [to a plurality of nodes including a first node and a second node], the discovery data including a list of public keys for each of the nodes in [the] a plurality of nodes including the first node and a second node, the list of public keys including a first public key of the first node and a second public key of the second node, and service role data specifying roles in a network for nodes of the plurality of nodes, the first public key being from a first public and private key pair associated with the first node, the second public key being from a second public and private key pair associated with the second node, the discovery data also received by the second node from the discovery server, the private keys of each key pair being used to decrypt messages encrypted using their respective public keys, the first node and the second node verifying that the discovery data is trustworthy by verifying a private key signature applied to the discovery data by the discovery server using a public key of the discovery server that is obtained in a secure session from an external key manager other than the discovery server;
generating a first message by encrypting, via the first node, a plaintext message using a unidirectional session key for messages from the first node to the second node, the unidirectional session key in the first message further encrypted, via the first node using the second public key of the second node; and
transmitting, by the first node, the first message to the second node[;], wherein the second node:
stores the unidirectional session key for subsequent use;
[generating] generates a second message by encrypting, via the second node, an additional plaintext message using an additional unidirectional session key for additional messages from the second node to the first node, the additional unidirectional session key in the second message encrypted, via the second node, using the first public key of the first node; and
[transmitting, by the second node,] transmits the second message to the first node.
19. The non-transitory computer-readable storage device of claim 18, [the operations further comprising: decrypting, via] wherein the second node[,] decrypts the unidirectional session key using the second private key[; and decrypting, via], and wherein the second node[,] decrypts the plaintext message using the unidirectional session key.
20. The non-transitory computer-readable storage device of claim 18, wherein the unidirectional session key is a symmetric key and the additional unidirectional session key is a different symmetric key.
Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.