Key Escrow Or Recovery Patents (Class 380/286)
  • Patent number: 11128452
    Abstract: A data set shared by multiple nodes is encrypted. The data set can be split into independent records. The records can be encrypted and shared independently, without the need to modify and transmit the full data set. Although the records are encrypted with their own encryption key, they are all accessible by a single authentication method.
    Type: Grant
    Filed: March 22, 2018
    Date of Patent: September 21, 2021
    Assignee: Avast Software s.r.o.
    Inventors: Petr Vaněk, Jan Schwarz, Pavel Studený
  • Patent number: 11115196
    Abstract: Methods and apparatus are provided for secret sharing with a verifiable reconstruction type. An exemplary method comprises receiving a plurality of shares of a secret generated using a secret splitting scheme; reconstructing the secret if the plurality of shares satisfies a predefined reconstruction threshold; and generating a proof identifying at least one of the plurality of shares used in the reconstruction. The proof is optionally verified by a verifier and the verification is optionally based on auxiliary information derived by the secret splitting scheme used to share the secret. The verifier optionally implements layered access control, for example, based on a rank of the shares used for reconstruction. The reconstructed secret is optionally provided to the verifier. A user can be granted a level of access to a protected resource based on the proof, the reconstructed secret and one or more predefined policies. One or more steps can be proactivized to maintain share freshness.
    Type: Grant
    Filed: December 8, 2015
    Date of Patent: September 7, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, Kevin D. Bowers, Yupeng Zhang
  • Patent number: 11106549
    Abstract: Secure logging systems and methods using cryptography and/or encryption with crash recovery. In some embodiments, the secure logging system includes an initialization module to initialize cells of a logging database, including inserting a pseudorandom number into each cell of the logging database. In some embodiments, the secure logging system includes an addition module to encrypt new log messages and add them to the logging database in a given number of pseudorandom cells of the logging database. In some embodiments, the secure logging system includes a listing module to determine where in the logging database the log message was stored and then to decrypt the encrypted log messages. These systems and methods improve computer related technology including by improving crash reconstruction, root cause analysis, network systems security, and logging system encryption and security.
    Type: Grant
    Filed: February 18, 2019
    Date of Patent: August 31, 2021
    Assignees: Airbus Defence and Space GmbH, Northeastern University
    Inventors: Erik-Oliver Blass, Guevara Noubir
  • Patent number: 11095635
    Abstract: A client seeking to establish a cryptographically-secure channel to a server has an associated public key acceptance policy. The policy specifies a required number of certificates that must be associated with the server's public key, as well as one or more conditions associated with those certificates, that must be met before the client “accepts” the server's public key. The one or more conditions typically comprise a trust function that must be satisfied before a threshold level of trust of the client is met. A representative public key acceptance policy would be that certificate chains for the public key are valid and non-overlapping with different root CAs, and that some configurable number of those chains be present. The technique may be implemented within the context of an existing client-server SSL/TLS handshake.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: Dimitrios Pendarakis, Enriquillo Valdez
  • Patent number: 11095455
    Abstract: The present disclosure describes techniques that improve upon the use of authentication tokens as a means of verifying a user identity. Rather than facilitating the issuance of authentication tokens as bearer tokens, whereby any user may present an authentication token to a secure service provider for access to secure service, this disclosure describes techniques for generating recursive authentication tokens that are digitally signed by an Identity Service Provider (IDP) and the entity that purports to present the authentication token to the service provider. Additionally, a recursive token application is described that is configured to nest preceding authentication tokens that trace back to an initial secure service request. For example, a recursive authentication token received by a second service provider may include, nested therein, the first service provider recursive authentication token and a preceding client recursive authentication token that is associated with the initial secure service request.
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: August 17, 2021
    Assignee: T-Mobile USA, Inc.
    Inventors: Michael Engan, Douglas McDorman, James Latham, Vikash Kodati
  • Patent number: 11057210
    Abstract: A user device can segment a secret (e.g., a data recovery key) into a master segment and a shared segment such that possession of both segments is necessary and sufficient to reconstruct the secret. The user device can provide the master segment to a server system. The user device can further segment the shared segment to generate a set of M shares such that any subset of the shares that includes at least a threshold number t of the shares can be used to reconstruct the shared segment, while fewer than t shares provide no information about the shared segment. The M shares can be distributed to shareholder devices. To reconstruct the secret, a recovery device can obtain the master segment and at least t of the M shares, then reconstruct the secret.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: July 6, 2021
    Assignee: Apple Inc.
    Inventors: Yannick L. Sierra, Mitchell D. Adler
  • Patent number: 11057198
    Abstract: In one or more embodiments, an encryption key of a device may be split into multiple segments. One of the segments may be retained by an owner of the device, and some of the segments may be distributed to multiple entities. For example, one of the segments may be provided to a service provider, and one of the segments may be provided to an escrow agent. The escrow agent may process its segment, provide information based on its segment to a public ledger, and destroy its segment. A proxy agent may retrieve, from the public ledger, the information based on the segment provided to the escrow agent and obtain compensation. When the proxy agent obtains the compensation, the public ledger exhibits information utilizable to obtain the segment provided to the escrow agent. With the segments provided to the escrow agent and the service provider, the encryption key may be obtained.
    Type: Grant
    Filed: March 1, 2017
    Date of Patent: July 6, 2021
    Assignee: Assured Enterprises, Inc.
    Inventor: Peter Robert Linder
  • Patent number: 11050762
    Abstract: A system for identifying one or more malicious parties participating in a secure multi-party computation (MPC), comprising one of a plurality of computing nodes communicating with the plurality of computing nodes through a network(s). The computing node is adapted for participating in an MPC with the plurality of computing nodes using secure protocol(s) established over the network(s), the secure protocol(s) support transmittal of private messages to each of the other computing nodes and transmittal of broadcast messages to all of the computing nodes, detecting invalid share value(s) of a plurality of share values computed and committed by the computing nodes during the MPC, verifying each of the share values according to a plurality of agreed share values valid for the MPC which are determined through a plurality of broadcast private messages, identifying identity of malicious computing node(s) which committed the invalid share value(s) failing the verification and outputting the identity.
    Type: Grant
    Filed: July 6, 2018
    Date of Patent: June 29, 2021
    Assignees: NEC Corporation Of America, Bar-Ilan University
    Inventors: Jun Furukawa, Yehuda Lindell
  • Patent number: 11036620
    Abstract: Apparatuses and techniques to utilize a scratch organization as a unit of virtualization. Potential hosts for a scratch organization are evaluated. The potential hosts include at least the first group of hardware processing devices and a second group of the plurality of hardware processing devices to provide remote client computing environments. A target host is selected from the potential hosts. The scratch organization to be hosted by the target host is generated. Data is loaded from a test source that is not the subject organization into the scratch organization. One or more test operations are performed on the scratch organization using the loaded data with the target host. The scratch organization is destroyed on the selected host after the one or more test operations have been performed.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: June 15, 2021
    Assignee: salesforce.com, inc.
    Inventors: James Bock Wunderlich, George Murnock, Josh Kaplan, Michael Dwayne Miller, Mark Wilding
  • Patent number: 11032060
    Abstract: A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: June 8, 2021
    Assignee: Cryptography Research, Inc.
    Inventor: Michael Tunstall
  • Patent number: 11023591
    Abstract: A data processing system includes a plurality of subsystems, a plurality of local security controllers, and a central security controller. Each subsystem of the plurality of subsystems has a security component for providing a security function. A local security controller corresponds to each one of the subsystems. Each local security controller ensures compliance of the security component with local security policies of the subsystem to which the local security controller corresponds. The central security controller is coupled to the local security controller of each of the plurality of subsystems. The central security controller ensures data processing system compliance with system wide security policies. In the event of a detected security violation, the local security controller may respond automatically, without involvement of the central security controller. A method for securing the data processing system is also provided.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: June 1, 2021
    Assignee: NXP B.V.
    Inventors: Lawrence Loren Case, Mark Norman Fullerton, Thomas Ernst Friedrich Wille, Sebastian Stappert
  • Patent number: 11025423
    Abstract: In an example system for private key recovery performed by a processor of a key recovery computing system, a key recovery computing system is configured to provide an original private key. The original private key is associated with a storage location of a blockchain-based asset. The key recovery computing system is configured to receive supplemental recovery information provided by a user via a user computing device. A recovery seed is derived from at least a subset of the supplemental recovery information, wherein the recovery seed is non-invertible. The original private key and the recovery seed are stored relationally to the supplemental recovery information. In some embodiments, the processor is further configured to cryptographically protect at least one of the original private key and the recovery seed via a universal second-factor authentication (U2F) device.
    Type: Grant
    Filed: October 3, 2019
    Date of Patent: June 1, 2021
    Assignee: SquareLink, Inc.
    Inventor: Alexander Patin
  • Patent number: 10999306
    Abstract: A network monitoring “sensor” is built on initial startup by checking the integrity of the bootstrap system and, if it passes, downloading information from which it builds the full system including an encrypted and an unencrypted portion. Later, the sensor sends hashes of files, configurations, and other local information to a data center, which compares the hashes to hashes of known-good versions. If they match, the data center returns information (e.g., a key) that the sensor can use to access the encrypted storage. If they don't, the data center returns information to help remediate the problem, a command to restore some or all of the sensor's programming and data, or a command to wipe the encrypted storage. The encrypted storage stores algorithms and other data for processing information captured from a network, plus the captured/processed data itself.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: May 4, 2021
    Assignee: Vigilant IP Holdings LLC
    Inventors: Christopher M. Nyhuis, Michael Pananen
  • Patent number: 10958447
    Abstract: An apparatus, a security device, a security system comprising the security device and the apparatus, and a method for generating an apparatus-specific apparatus certificate for the apparatus includes coupling the security device to the apparatus, a one-time useable private signing key being stored in the security device, storing apparatus-specific identification information in the security device, accessing the private signing key in the security device, generating the apparatus-specific apparatus certificate depending on the stored identification information in the security device, the apparatus-specific apparatus certificate being signed using the private signing key, and preventing a further access to the private signing key such that it becomes possible to generate an apparatus-specific apparatus certificate for an apparatus with little complexity, in particular without using a public key infrastructure.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: March 23, 2021
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Patent number: 10958448
    Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data. The user migrates trust to another device by providing the root certificate and intermediate certificate as a certificate chain to a second device, which then adds a new intermediate certificate to create a longer certificate chain with the same root certificate. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate from the second user device, and matches that with the user identification data stored in a database.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: March 23, 2021
    Assignee: BEYOND IDENTITY INC.
    Inventors: Nelson Melo, Michael Clark, James Clark
  • Patent number: 10943028
    Abstract: A computer-implemented method includes producing medical information that characterizes a group of individuals from a set of private data representing pre or post-encounter characteristics of the individuals, wherein the individuals have had encounters with a healthcare facility. The identity of the individuals is unattainable from the produced medical information. The method also includes providing the produced medical information to report the pre or post-encounter characteristics of the group.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: March 9, 2021
    Assignee: Vigilytics LLC
    Inventor: Andrew L. Paris, III
  • Patent number: 10936510
    Abstract: A locking key secondary access system includes a key management system coupled to a secondary locking key access device and a server device via a network. The server device includes a managed device. The server device receives a request to unlock the managed device, and determines that a first access path via a first communication subsystem and through the network to the key management system is unavailable. In response, the server device provides locking key request information via a second communication subsystem to the secondary locking key access device. The secondary locking key access device may use the locking key information to retrieve a locking key for the managed device from the key management system. The secondary locking key access device sends the locking key to the server device via the second communication subsystem, and the server device uses the locking key to unlock the managed device.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: March 2, 2021
    Assignee: Dell Products L.P.
    Inventors: Chitrak Gupta, Sushma Basavarajaiah, Rama Rao Bisa, Mukund P. Khatri
  • Patent number: 10931444
    Abstract: Some embodiments relate to a data processing method comprising selecting a key from a plurality of previously stored keys, depending on at least one predefined criterion relating to at least one current value of at least one given repository. Other embodiments relate to a reception method comprising receiving second data obtained by applying, to first obtained data, a first cryptographic function using a key selected from a plurality of previously stored keys, depending on at least one predefined criterion relating to a current value of at least one given repository and for obtaining the first data by applying, to the second received data, a second cryptographic function using a second key associated with the selected key. Further embodiments relate to a processing device and a reception device that respectively implement the processing method and the reception method.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: February 23, 2021
    Assignee: ORANGE
    Inventors: Apostolos Kountouris, Francis Klay, Giyyarpuram Madhusudan
  • Patent number: 10931453
    Abstract: Authentication of tokens and associated are used to provide a just-in-time key synchronization for user access to a service in a cloud computing environment which includes a plurality of availability zones with an identity service, a storage system, and a keystore. The encryption keys are distributed by the storage system based on a user access request containing a token with a payload and a current user cryptographic key. The token is then sent to the keystore to authenticate the user. The keystore authenticates the user and sends the token with the current cryptographic key to the storage system. The storage system receives the token with the current cryptographic key and grants access to the user for the service.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: February 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Fernando J. Diaz, Shawn P. Mullen, Michael Perng, Karen Mariela Siles, Elvin Dalipe Tubillara
  • Patent number: 10911424
    Abstract: A registry apparatus is provided for maintaining a device registry of agent devices for communicating with application providing apparatus. The registry comprises authentication information for uniquely authenticating at least one trusted agent device. In response to an authentication request from an agent device, the authentication information for that device is obtained from the registry, and authentication of the agent device is performed. If the authentication is successful, then application key information is transmitted to at least one of the agent device and the application providing apparatus.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: February 2, 2021
    Assignee: ARM IP Limited
    Inventors: William Allen Curtis, Douglas Miles Anson, Kerry Balanza
  • Patent number: 10904001
    Abstract: Embodiments of the present disclosure relate to vaultless format-preserving tokenization systems and methods. Some methods include encoding a first data set to produce encoded input data; generating a secure tweak for the encoded input data based on a token format schema by: encoding a tweak input to produce an encoded tweak input; and hashing the encoded tweak input along with a unique hashing key to generate the secure tweak; applying a format preserving encryption algorithm that utilizes the encoded input data, the secure tweak, and a unique encryption key to generate ciphertext output; and generating a token from the ciphertext output.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: January 26, 2021
    Assignee: TOKENEX, INC.
    Inventors: Justin Stanley, Jacob Burcham, Ulf Mattsson
  • Patent number: 10903991
    Abstract: System and method for digitally signing messages using multi-party computation.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: January 26, 2021
    Assignee: Coinbase, Inc.
    Inventors: Jake Craige, Jesse Posner, Adam Everspaugh
  • Patent number: 10878080
    Abstract: Disclosed are various embodiments for replicating authentication data between computing devices. A computing device detects a change to a user account made by a first client device associated with the user account. The computing device then determines that a second client device associated with the user account comprises locally stored authentication data that fails to reflect the change. The computing device then sends an update to the second client device.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: December 29, 2020
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Daniel Wade Hitchcock, Darren Ernest Canavor, Jesper Mikael Johansson
  • Patent number: 10860728
    Abstract: Data storage nodes that participate in a requested data statistical analysis as participant data storage nodes are determined and divided into a plurality of node sets. Data stored in each participant data storage node associated with a particular node set is encrypted, where the encrypted data is divided into a number of fragments at least equal to a number of participant data storage nodes associated with the particular node set. Each participant data storage node sends a portion of the encrypted data to each of the other participant data storage nodes within the particular node set. Each participant data storage node processes received encrypted data and data remaining on the particular participant data storage node to obtain a processing result. Each participant data storage node sends the processing result to a proxy node, wherein the proxy node performs data statistical analysis based on the processing result.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: December 8, 2020
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Wenzhen Lin
  • Patent number: 10855465
    Abstract: Methods and apparati for auditing uses of cryptographic keys. In a method embodiment of the present invention, a set of audited uses for a cryptographic key is defined; the key is generated inside a protected execution environment of a digital computer; all software and firmware that is usable in the execution environment to access the key is demonstrated to an auditor; and, for each audited use of the key, a non-tamperable audit record describing said use is released.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: December 1, 2020
    Inventor: Ernest Brickell
  • Patent number: 10846411
    Abstract: Methods and systems are provided for selectively employing storage engines in a distributed database environment. The methods and systems can include a processor configured to execute a plurality of system components, that comprise an operation prediction component for determining an expected set of operations to be performed on a portion of the database; a data format selection component for selecting, based on at least one characteristic of the expected set of operations, and at least one storage engine for writing the portion of the database in a selected data format. According to one embodiment, the system includes an encryption API configured to initialize callback functions for encrypting and decrypting database data, a storage API for executing the call back functions, a database API configured to manage database operations (e.g., read and write requests), wherein the database API calls the storage API to access data on a stable storage medium.
    Type: Grant
    Filed: May 25, 2017
    Date of Patent: November 24, 2020
    Assignee: MongoDB, Inc.
    Inventors: Eliot Horowitz, Per Andreas Nilsson
  • Patent number: 10848324
    Abstract: An HEMS controller receives a certificate revocation list distributed from a certificate authority server and listing serial numbers of revoked electronic certificates. The serial number of the electronic certificate includes a first identifying part that indicates a value for identifying a type of a participation node maintaining the electronic certificate and a second identifying part that indicates a value for identifying an individual participation node. In the case the certificate revocation list includes a serial number in which the second identifying part is a predetermined value, the HEMS controller determines that the electronic certificate of a participation node that meets the type indicated by the first identifying part of the serial number is invalid.
    Type: Grant
    Filed: April 11, 2018
    Date of Patent: November 24, 2020
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Yoichi Masuda, Tomoki Takazoe
  • Patent number: 10841080
    Abstract: A computing device includes an interface configured to interface and communicate with a communication system, a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory that is configured to execute the operational instructions to perform various operations. The computing device processes an input value associated with a key based on a blinding key in accordance with an Oblivious Pseudorandom Function (OPRF) blinding operation to generate a blinded value and transmits it to another computing device (e.g., that is associated with a Key Management System (KMS) service). The computing device then receives a blinded key that is based on processing of the blinded value based on an OPRF using an OPRF secret. The computing device processes the blinded key based on the blinding key in accordance with the OPRF unblinding operation to generate the key (e.g., to be used for secure information access).
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: November 17, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jason K. Resch, Hugo M. Krawczyk, Mark D. Seaborn
  • Patent number: 10841102
    Abstract: To easily identify an invalid device certificate by means of a validity check when signing keys that are used to create device certificates are compromised, a piece of status information is provided for device certificates that comprises positive evidence of the existence and validity of the device certificate, and alternatively or additionally to apply a special validity model for device certificates, wherein the time of issue of the device certificate is documented by means of a signed electronic timestamp, and wherein a different signing key is used for signing the timestamp than for signing the device certificate. Additionally, all information that is required for the validity check of a device certificate is stored in a memory of the device or in a memory associated with the device, so that an identity check on the device can be performed at any time without fetching additional data.
    Type: Grant
    Filed: February 20, 2015
    Date of Patent: November 17, 2020
    Assignee: Phoenix Contact GmbH & Co. KG
    Inventor: Torsten Nitschke
  • Patent number: 10819515
    Abstract: Examples described herein relate to systems, apparatuses, methods, and non-transitory computer-readable medium for recovering a session object associated with a secure session established by a security protocol server, including receiving, by a recovery server, an encrypted session object from the security protocol server, wherein the encrypted session object is unique to the secure session, generating, by the recovery server, a recovery key based on a first initial key and a recovery key sequence number, wherein the recovery key sequence number corresponds to a number of times that secure sessions have been established since the first initial key is received by the security protocol server, and decrypting, by the recovery server, the encrypted session object using the recovery key to generate the session object associated with the secure session.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: October 27, 2020
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 10778435
    Abstract: Systems and methods for enhanced mobile device authentication are disclosed. Systems and methods for enhanced mobile authentication are disclosed. In one embodiment, a method for electronic device authentication may include (1) a server comprising at least one computer processor communicating a one-time passcode to an electronic device over a first communication channel; (2) the server receiving, from the electronic device over a second communication channel, the one-time passcode encrypted with a private key associated with the electronic device; (3) the server decrypting the one-time passcode using a public key; (4) the server validating the one-time passcode; (5) the server generating a device identifier for the electronic device; and (6) the server persisting an association between the device identifier and the electronic device.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: September 15, 2020
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Ken Wimberley, Andrew Sloper, Ta-Wei Chen, Gautam Chhawchharia
  • Patent number: 10742404
    Abstract: Described is a system for verifiable secret sharing amongst a plurality of servers, including a dealer server and one or more recipient servers. In operation, the dealer server encrypts a secret s using a polynomial and a hash tree with points on the polynomial as leaves. The dealer broadcasts to recipient servers hash tree data, root of the hash tree, and shares of the secret. Through an evaluation process the recipient servers are verified such that upon verification, the recipient servers reconstruct the secret s.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: August 11, 2020
    Assignee: HRL Laboratories, LLC
    Inventor: Joshua D. Lampkins
  • Patent number: 10735186
    Abstract: Encryption of data across an environment, such as a shared resource environment, can be updated using keys generated using one or more revocable stream cipher algorithms. Data stored in the environment can be encrypted under a first key, or other such secret. When it is desired to update the encryption, a second key can be generated under which the data is to be re-encrypted. Instead of distributing the second key, a revocable stream cipher generator can generate an intermediate key based on the first and second keys, that when processed with the first key will produce the second key. Such an approach enables data to be re-encrypted under the second key without distributing the second key. Further, the unencrypted data will not be exposed in the process. In some embodiments, the re-encryption can be performed on an as-needed basis in order to reduce processing requirements.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: August 4, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Gregory Branchek Roth
  • Patent number: 10693639
    Abstract: The present disclosure describes methods and systems, including computer-implemented methods, computer program products, and computer systems, for distributing recovery keys. One method includes: transmitting, from a first user device to a secure community server, a key distribution request, wherein the key distribution request identifies a second user device, and the first user device and the second user device are members of a same secure community managed by the secure community server; transmitting a first portion of a recovery key to the secure community server for forwarding to the second user device; transmitting a second portion of the recovery key to the secure community server; and discarding the first portion and the second portion of the recovery key at the first user device.
    Type: Grant
    Filed: February 28, 2017
    Date of Patent: June 23, 2020
    Assignee: BlackBerry Limited
    Inventors: Roger Paul Bowman, Neil Patrick Adams
  • Patent number: 10686597
    Abstract: Described is a system for secure multiparty computation. The system uses a secret sharing protocol to share secrets among servers of a synchronous network. An Open-Semi-Robust protocol or an Open Robust protocol is used to allow the servers to open their shares of secret data. If a server is corrupt, the Open-Robust protocol is used, otherwise, the Open-Semi-Robust protocol is used. A Deal-Semi-Robust protocol or a Deal-Robust protocol is utilized by a server to distribute its shares of secret data among the other servers. If a server is corrupt, the Deal-Robust protocol is used, otherwise, the Deal-Semi-Robust protocol is used. A Recover-Semi-Robust protocol or a Recover-Robust protocol is used to allow servers that were previously corrupted to recover their shares of secret data, such that each uncorrupted server holds correct shares of secret data. If a server is corrupt, the Recover-Robust protocol is used, otherwise, the Recover-Semi-Robust protocol is used.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: June 16, 2020
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua D. Lampkins, Karim El Defrawy, Benjamin Terner, Aleksey Nogin
  • Patent number: 10679212
    Abstract: A method of remotely configuring a pin-pad terminal involves a computer server receiving a merchant identifier over a network from a communications device associated with the pin-pad terminal. The computer server confirms from the merchant identifier that an entity associated with the communications device is authorized to use the pin-pad terminal, and authenticates the pin-pad terminal from a cryptographically-signed datum received from the communications device. The computer server then transmits to the pin-pad terminal via the communications device a configuration payload for installation in the pin-pad terminal. The configuration payload includes at least a payment symmetric cryptographic key set uniquely associated with the pin-pad terminal. The payment symmetric key set configures the pin-pad terminal to effect secure electronic payment via the communications device.
    Type: Grant
    Filed: May 26, 2015
    Date of Patent: June 9, 2020
    Assignee: The Toronto-Dominion Bank
    Inventors: Robert Hayhow, Jeffrey Aaron Ecker, Igor Elkhinovich, Keith Willard
  • Patent number: 10666436
    Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
    Type: Grant
    Filed: December 12, 2016
    Date of Patent: May 26, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 10666649
    Abstract: Systems, apparatuses and methods may provide for generating, in response to a decrease in trustworthiness with respect to a controller, a notification message and generating a message authentication code (MAC) based on the notification message and one or more locally stored keys. Additionally, the notification message and the MAC may be sent to the controller, wherein the notification message is directed to one or more peers in a network associated with the controller. In one example, the notification message includes one or more of an indication that the controller is compromised or an indication that the controller is suspected to be compromised.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: May 26, 2020
    Assignee: Intel Corporation
    Inventors: Mike Bursell, Timothy Verrall
  • Patent number: 10614914
    Abstract: A patient care environment includes a monitoring device and a vital sign device, where the vital sign device communicates patient vital sign data to the monitoring device. A site key, entity keys, and key combining algorithms are used to secure communications in the patient care environment. Neither the site key nor the entity keys are communicated between the monitoring device and the vital sign device. The monitoring device may use the site key and entity keys to decrypt encrypted messages that have been previously stored in the vital sign device and transmitted back to any monitoring device containing the correct set of site and entity keys. The site key and entity key may also be used during the discovery and/or connection operations between the monitoring device and the vital sign device to associate a wirelessly connected vital sign device with a patient record.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: April 7, 2020
    Assignee: WELCH ALLYN, INC.
    Inventors: Cory R. Gondek, Song Y. Chung, Kenzi Mudge, Steven D. Baker
  • Patent number: 10594713
    Abstract: Systems/methods of securely propagating analytical models for detection of security threats and/or malicious actions among a threat intelligence community can be provided. Attributes of security data accessed by members of the threat intelligence community can be determined and encoded. Analytical model(s) can be developed for detection of potential malicious actions using the encoded attributes of the security data and a derivation data schema, and this derivation data schema can be encrypted. The model(s) can be translated into common exchange formats for sharing the model with community members. The encrypted derivation data schema can be transmitted to the community members. After receipt, the derivation data schema can be decoded by the community members, and the derivation data schema can be applied to security data to determine if the encoded attributes are found. If the encoded attributes are derived, remedial or mitigating action can be taken.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: March 17, 2020
    Assignee: SECUREWORKS CORP.
    Inventor: Lewis McLean
  • Patent number: 10572654
    Abstract: A method for repeatable creation of a random file makes it possible to create and recreate random files at different places, at different times and on different devices. Random files are based on aliases, which can contain any text, including specific information such as a serial number, start date, expiry date, etc. Random files can be used for generation of strong and unique passwords. The strength of the password doesn't depend on the alias, so any alias will result in an equally strong and unique password. A browser using the method would be able to register the user to any resource by generating a password using the resource's URL as the alias, and afterwards automatically log the user in using the same URL to generate the password again. Users can communicate securely by sending the alias in plaintext together with ciphertext encrypted with the password. IoT devices can establish master, slave, partner, alien relationships and communicate securely without human introduction.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: February 25, 2020
    Inventor: Vadim Zaver
  • Patent number: 10574459
    Abstract: A facility for enrolling a software implementer in a code signing. In one example facility, the facility receives information identifying the implementer, and credentials authenticating the implementer. The facility generates secret state for the implementer. Based on at least one or both of (1) at least a portion of the received credentials and (2) at least a portion of the generated secret state, the facility generates for the implementer a key pair comprising a private key and a public key, and persistently stores the secret state.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: February 25, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Prabu Raju, Fengfen Liu, Christopher Leonard Walstad, Levi P. Broderick, Himanshu Soni, Reed Molbak, Klaudia Leja
  • Patent number: 10546142
    Abstract: Systems and methods for zero-knowledge enterprise collaboration are provided herein. In some embodiments, the method may comprise receiving, at a host server, a request to store a file, wherein the file is encrypted with a data key prior to being received at the host server; receiving a request to perform a first service; determining whether the first service is authorized to access the file, wherein determining comprises unwrapping the data key with the private key of the first service; providing access to the first service when the private key of the first service successfully unwraps the data key for the file; and storing the encrypted file.
    Type: Grant
    Filed: August 23, 2017
    Date of Patent: January 28, 2020
    Assignee: Intralinks, Inc.
    Inventor: Mushegh Hakhinian
  • Patent number: 10523659
    Abstract: A client seeking to establish a cryptographically-secure channel to a server has an associated public key acceptance policy. The policy specifies a required number of certificates that must be associated with the server's public key, as well as one or more conditions associated with those certificates, that must be met before the client “accepts” the server's public key. The one or more conditions typically comprise a trust function that must be satisfied before a threshold level of trust of the client is met. A representative public key acceptance policy would be that certificate chains for the public key are valid and non-overlapping with different root CAs, and that some configurable number of those chains be present. The technique may be implemented within the context of an existing client-server SSL/TLS handshake.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: December 31, 2019
    Assignee: International Business Machines Corporation
    Inventors: Dimitrios Pendarakis, Enriquillo Valdez
  • Patent number: 10523716
    Abstract: A computing resource service receives a request to perform a change to a configuration of a service provider account. In response to the request, the computing resource service determines if the service provider account has been designated as being immutable. If the service provider account is designated as being immutable, the computing resource service causes an account security service to transmit a notification to administrators of the service provider account to determine whether the administrators authorize the change to the service provider account. If the administrators approve of the requested change, the computing resource service fulfills the request.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: December 31, 2019
    Assignee: Amazon Technologies Inc.
    Inventors: Thomas Charles Stickle, Joshua Swaney, Blake Whaley
  • Patent number: 10511581
    Abstract: First and second computer systems exchange randomness and the first computer system derives a uniformly random key from the randomness. The first computer system encrypts a multitude of blocks of plaintext using the uniformly random key to create a corresponding multitude of blocks of ciphertexts. The exchanging, deriving, and encrypting each uses a public random permutation. The first computer system transmits the multitude of blocks of ciphertexts to the second computer system. Another example includes the first computer system exchanging randomness and deriving the uniformly random key. The first computer system generates an authentication tag on a multitude of blocks of plaintexts. The exchanging, deriving, and generating each uses a public random permutation. The first computer system sends the authentication tag and the multitude of blocks of plaintext to the second computer system for authentication of the plaintext by the second computer system. Systems, methods, and program products are disclosed.
    Type: Grant
    Filed: November 17, 2015
    Date of Patent: December 17, 2019
    Assignee: International Business Machines Corporation
    Inventor: Charanjit S. Jutla
  • Patent number: 10511742
    Abstract: In some embodiments, a method is provided for storing data in a storage device associated with a first electronic device. The first electronic device can receive a request for data from a remote electronic device. The request for data can include pairing information, which can be used to confirm the remote electronic device as an approved paired device. The request for data can also include authentication information, which can be used to authenticate the request for data. The first electronic device can retrieve the data from the storage device and transmit the data in encrypted form to the remote electronic device.
    Type: Grant
    Filed: February 11, 2016
    Date of Patent: December 17, 2019
    Assignee: DISH Technologies L.L.C.
    Inventor: Samuel Eber
  • Patent number: 10489576
    Abstract: Generating verification codes includes selecting at least two verification code generators from a verification code generator set comprising a plurality of verification code generators to compose a current use set, executing each verification code generator in the current use set to obtain corresponding partial verification codes, composing a current verification code from the partial verification codes, outputting the current verification code to a user, receiving a user response that is made in response to the current verification code, and comparing the current verification code and the user response to determine whether the user is verified.
    Type: Grant
    Filed: May 5, 2015
    Date of Patent: November 26, 2019
    Assignee: Alibaba Group Holding Limited
    Inventors: Jiajia Li, Xinlin Yu
  • Patent number: 10491387
    Abstract: A method for protecting an encryption key for a block storage device is provided. The method includes reading from a superblock of the block storage device a secure key, referring to a clear key only accessible by a hardware security module, and a type indicator indicating that the secure key refers to the clear key which is only accessible by the hardware security module. The method also includes associating the block storage device with the hardware security module and converting the secure key into a protected clear key using the hardware security module, wherein the protected key refers to the clear key accessible by a central processing unit of a related computer system.
    Type: Grant
    Filed: November 15, 2016
    Date of Patent: November 26, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hendrik S. Brueckner, Reinhard T. Buendgen, Harald Freudenberger
  • Patent number: 10484339
    Abstract: A method and system of securing data. A security client program stored in a memory of a user device intercepts an operating system call performed by a calling application of the user device for an unencrypted asset. A first key for the unencrypted asset is requested from a server. Upon receiving the first key for the unencrypted asset from the server, a secure resource is created by encrypting the unencrypted asset. Then, the operating system call is completed and an update message is sent to the server.
    Type: Grant
    Filed: March 24, 2016
    Date of Patent: November 19, 2019
    Assignee: Global Data Sentinel, Inc.
    Inventors: John-Philip Galinski, Nigel Walker