Key Escrow Or Recovery Patents (Class 380/286)
  • Patent number: 9979536
    Abstract: An encryption device 200 outputs a ciphertext ct including a ciphertext c and a ciphertext c˜. The ciphertext c has been set with one of attribute information x and attribute information v related to each other. The ciphertext c˜ has been set with one of attribute information y and attribute information z related to each other. A decryption device 300 outputs a re-encryption key rk including a decryption key k*rk, a decryption key k˜*rk, and encrypted conversion information ?rk. The decryption key k*rk is obtained by converting the decryption key k* which is set with the other one of attribute information x and attribute information v, with conversion information W1,t. The decryption key k˜*rk has been set with the other one of the attribute information y and the attribute information z. The encrypted conversion information ?rk is obtained by encrypting the conversion information W1,t by setting one of attribute information x? and attribute information v? related to each other.
    Type: Grant
    Filed: October 9, 2013
    Date of Patent: May 22, 2018
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Yutaka Kawai, Katsuyuki Takashima
  • Patent number: 9979546
    Abstract: The present invention provides methods of, and computer programs and systems for, controlling access to a resource via a computing device configured to perform a method that enables new encrypted versions of a key, encrypted with code values in a sequence of code values that are valid at a future time, to be provided and made available for future performance of the method. This in turn enables a method of user verification that does not require access to a remote server in order to provide one-time passcode verification, and so provides an offline one-time passcode authentication method that is self-sustaining.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: May 22, 2018
    Assignee: BlackBerry Limited
    Inventor: Nicholas B. Van Someren
  • Patent number: 9967239
    Abstract: The invention provides a method of verifiable generation of public keys. According to the method, a self-signed signature is first generated and then used as input to the generation of a pair of private and public keys. Verification of the signature proves that the keys are generated from a key generation process utilizing the signature. A certification authority can validate and verify a public key generated from a verifiable key generation process.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: May 8, 2018
    Assignee: Certicom Corp.
    Inventor: Daniel R. Brown
  • Patent number: 9965270
    Abstract: Systems, methods, and computer-readable storage media for updating a computer firmware. The system generates a user firmware volume within a computer firmware volume containing computer firmware used by the system during a boot process. In some cases, the user firmware volume can be a file system. The system also obtains a firmware file for updating the computer firmware used by the system during the boot process. Next, the system compares the firmware file with a content of the computer firmware volume to yield a comparison and, based on the comparison, stores the firmware file on the user firmware volume within the computer firmware volume without flashing an entire portion of the computer firmware used by the system during the boot process.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: May 8, 2018
    Assignee: QUANTA COMPUTER INC.
    Inventor: Keng-Wei Chang
  • Patent number: 9954900
    Abstract: Embodiments of the present invention provide for a method, system, and apparatus for creating a publishable computer file. The method includes selecting a first computer file encapsulating a source security policy for a computing device and creating a second computer file using the source security policy of the first computer file to create a local security policy and to encapsulate the created local security policy and also an operating system security policy. The method further includes calculating a hash value for the second computer file and storing the hash value in a header for the second computer file. The method yet further includes encrypting the second computer file, wherein the encrypted second computer file once loaded into memory of the computing device is processed by the computing device.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: April 24, 2018
    Assignee: STEELCLOUD, LLC
    Inventors: Brian H. Hajost, Fredi Jaramillo
  • Patent number: 9954680
    Abstract: A master encryption key is split at a key splitting server such that three key shares are required to reconstruct it, and is then destroyed. The key shares are distributed such that an encrypted remote management server key share is stored at a remote management server, an encrypted managed device key share is stored at a managed device, and a key splitting server key share is stored on the key splitting server. Incoming communications to the key splitting server from managed devices are prevented, and outgoing communications from the key splitting server are only allowed to managed devices. The managed device obtains the master encryption key at startup by sending its managed device key share to the remote management server, which sends the managed device key share and the remote management server key share to the key splitting server. The key splitting server reconstructs the master encryption key, encrypts it using a public key of the managed device, and sends it to the managed device.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 24, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Lawrence N. Friedman
  • Patent number: 9942044
    Abstract: A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: April 10, 2018
    Assignee: CLOUDFLARE, INC.
    Inventor: Nicholas Thomas Sullivan
  • Patent number: 9942051
    Abstract: The present invention provides systems and methods for supporting encrypted communications with a medical device, such as an implantable device, through a relay device to a remote server, and may employ cloud computing technologies. An implantable medical device is generally constrained to employ a low power transceiver, which supports short distance digital communications. A relay device, such as a smartphone or WiFi access point, acts as a conduit for the communications to the internet or other network, which need not be private or secure. The medical device supports encrypted secure communications, such as a virtual private network technology. The medical device negotiates a secure channel through a smartphone or router, for example, which provides application support for the communication, but may be isolated from the content.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: April 10, 2018
    Assignee: Poltorak Technologies LLC
    Inventor: Alexander Poltorak
  • Patent number: 9934409
    Abstract: A method includes receiving a plurality of data sets. Each data set includes a customer identifier field specifying a unique customer identifier associated with each entry in each data set. The plurality of data sets includes a first group of data sets and a second group of data sets. The method further includes storing the plurality of data sets, and generating a key map including the customer identifier field including unique customer identifiers of the first group of data sets of the plurality of data sets, and an anonymous identifier field including unique anonymous identifiers. Each anonymous identifier corresponds to a customer identifier of the key map. The method further includes replacing each unique customer identifier in the second group of data sets with the corresponding anonymous identifier.
    Type: Grant
    Filed: March 9, 2015
    Date of Patent: April 3, 2018
    Assignee: Datalogix Holdings, Inc.
    Inventor: Robert John Cuthbertson
  • Patent number: 9935923
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: April 3, 2018
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport, Steven Winick
  • Patent number: 9930014
    Abstract: A key delivery mechanism that delivers keys to an OS platform (e.g., iOS platform) devices for decrypting encrypted HTTP live streaming data. An HTTPS URL for a stateless HTTPS service is included in the manifest for an encrypted HTTP live stream obtained by an application (e.g., a browser) on an OS platform device. The URL includes an encrypted key, for example as a query parameter value. The application passes the manifest to the OS. The OS contacts the HTTPS service to obtain the key using the URL indicated in the manifest. Since the encrypted key is a parameter of the URL, the encrypted key is provided to the HTTPS service along with information identifying the content. The HTTPS service decrypts the encrypted key and returns the decrypted key to the OS over HTTPS, thus eliminating the need for a database lookup at the HTTPS service.
    Type: Grant
    Filed: March 13, 2015
    Date of Patent: March 27, 2018
    Assignee: Adobe Systems Incorporated
    Inventors: Viswanathan Swaminathan, Kelly Kishore, Srinivas R. Manapragada
  • Patent number: 9922063
    Abstract: A method for secure storage of secret data begins with an originating device transforming the secret data to produce a plurality of secret data shares and encrypting the plurality of secret data shares using unique encryption values of trusted agent modules of a dispersed storage network (DSN) to produce a plurality of encrypted secret data shares for storage in storage nodes of the DSN. Retrieval of the secret data begins with the originating device sending a secret data retrieval request to the trusted agent modules and recovering, by the trusted agent modules, the plurality of encrypted secret data shares from the storage nodes. The method continues with the trusted agent modules decrypting the plurality of encrypted secret data shares using a decryption function corresponding to the unique encryption values and sending the plurality of secret data shares to the originating device.
    Type: Grant
    Filed: May 6, 2013
    Date of Patent: March 20, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jason K. Resch, Wesley Leggette
  • Patent number: 9904793
    Abstract: Systems, methods, and apparatus to provide private information retrieval. A disclosed example system includes a first trusted processing unit to store a first portion of data such that entities other than the first trusted processing unit are unable to access the first portion of the data in the first trusted processing unit; a second trusted processing unit to store a second portion of the data such that entities other than the second trusted processing unit are unable to access the second portion of the data in the second trusted processing unit; and a third trusted processing unit to: determine that a data element specified in a request is stored in the first trusted processing unit; request the data element from the first trusted processing unit; send a dummy request to the second trusted processing unit; and send the data element to a requester.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: February 27, 2018
    Assignee: Intel Corporation
    Inventors: Richard Chow, Edward Wang, Vinay Phegade
  • Patent number: 9906558
    Abstract: A method sends a request for a delegated authorization grant data set, receives a delegated authorization grant data set that defines the delegated authorization grant scope, with respect to a resource. The delegated authorization grant data set includes a scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device. The scope controls access to the resource in a manner limited by the scope of the delegated authorization grant defined by the delegated authorization grant data set.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: February 27, 2018
    Assignee: International Business Machines Corporation
    Inventors: David P. Moore, Craig Pearson
  • Patent number: 9906500
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.
    Type: Grant
    Filed: May 12, 2015
    Date of Patent: February 27, 2018
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport
  • Patent number: 9900288
    Abstract: Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: February 20, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Peter D'Souza, Omkant Pandey
  • Patent number: 9894151
    Abstract: A method begins by a module to generate a secure signature on an item by selecting a first key representation index of a set of key representation indexes, wherein a first mathematical encoding of a private key generates a first plurality of key shares as a first key representation. The method continues with the module determining whether a first plurality of signature contributions have been received in response to a signature request for the item based on the first key representation index, wherein one of a first set of dispersed storage (DS) units executes a first mathematical signature function using one of the first plurality of key shares on the item to produce a signature contribution of the first plurality of signature contributions and when the first plurality of signature contributions have been received, generating the secure signature on the item from the first plurality of signature contributions.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: February 13, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Greg Dhuse, Jason K. Resch, Wesley Leggette
  • Patent number: 9881145
    Abstract: An indication of a change in a right to use a service or feature is received. For example, this can be based on an administrator granting access to a previously installed service or feature. In response, a notification is sent to a user of the change of the right to use the service or feature. The notification requests the user to provide a credential to approve the change of the right to use the service or feature. For example, a link may be provided in an email or text message that the user can click on to provide a password/user name. The credential is received and verified. In response to validating the credential, access is allowed according to the change of the right to use the service or feature. The user then has access to the service/feature without the administrator having to know the user's credential.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: January 30, 2018
    Assignee: Avaya Inc.
    Inventors: Manish Dusad, Ping Lin, Gordon Brunson, Mark Mackenzie, Navjot Singh, Geoff Baskwill
  • Patent number: 9871944
    Abstract: An image forming apparatus transmits a database to an external server. The image forming apparatus includes a storage section, a replication section, an encipherment section, a transmission section, a generation section, and an acquisition section. The storage section stores a database therein. The replication section generates a replica of the database stored in the storage section as a replicated database. The encipherment section enciphers the replicated database. The transmission section transmits the enciphered database to the external server each time a predetermined time period elapses. The generation section generates a deciphering key for deciphering the enciphered database. The acquisition section acquires disaster information. Upon the acquisition section acquiring the disaster information, the transmission section transmits the deciphering key to the external server.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: January 16, 2018
    Assignee: KYOCERA Document Solutions Inc.
    Inventors: Masayoshi Hayama, Masaru Sato, Kazunori Goto, Masaki Kikuchi, Toshiya Miyai
  • Patent number: 9867042
    Abstract: Disclosed is a radio frequency identification (RFID) tag comprising: an RFID functional portion configured to enable wireless communication between the RFID tag and an RFID reader; a data processing functional portion with asymmetric cryptographic capability; and a power source configured to power the data processing functional portion.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: January 9, 2018
    Assignee: MIKOH CORPORATION
    Inventor: Peter Samuel Atherton
  • Patent number: 9843928
    Abstract: A method and apparatus is provided for connecting a communication device to a deployable system. The deployable system obtains at least one deployable key derived on a fixed system for the deployable system based on an existing key stored on a database of the fixed system, wherein the existing key is used to authenticate a communication device. The deployable system stores the derived key. Subsequent to the storing, the deployable system is activated to provide communication resources to communication devices disconnected from the fixed system. The activated deployable system is not connected to the fixed system. The activated deployable system receives an authentication request from the communication device requesting connection to the deployable system; generates authentication vectors using the at least one derived deployable key; and authenticates an authentication response received from the communication device using the authentication vectors.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: December 12, 2017
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Steven D Upp, Isam R Makhlouf, Francesca Schuler, Gino A Scribano
  • Patent number: 9832025
    Abstract: A policy server that is associated with a secure element owner receives a request, from a service provider, to provision access, by an application, to the secure element. The policy server creates, in response to the request, a policy ticket, for the service provider, that defines privileges for the service provider to create a security domain or a new profile within the secure element. The policy server provides, to a service provider trusted service manager (TSM), the policy ticket and a signed certificate, the signed certificate corresponding to a root certificate that is inserted into a Controlling Authority Security Domain (CASD) portion of the secure element prior to receiving the request. When the CASD receives the policy ticket and signed certificate from the service provider TSM, the CASD validates based on the root certificate and provisions access to the secure element based on information in the policy ticket.
    Type: Grant
    Filed: May 19, 2015
    Date of Patent: November 28, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Manuel Enrique Caceres, Warren Hojilla Uy, Ruben Cuadrat, Taussif Khan
  • Patent number: 9811869
    Abstract: A system, method, server processing system, and computer program product for operating a registry. In one aspect, the server processing system is configured to: receive, from a user processing system in data communication with the server processing system, document data relating to an entity; receive, from the user processing system, access data indicative of an accessing party to be provided access to the document data if a defined trigger event occurs; store, in a data store associated with the server processing system, a registry for the entity indicative of the document data and the access data; determine that a defined trigger event has occurred; and in response to determining that a defined trigger event has occurred, provide the accessing party read-only access to the document data via an access processing system in data communication with the server processing system.
    Type: Grant
    Filed: October 25, 2012
    Date of Patent: November 7, 2017
    Assignee: YDF Global Party Ltd.
    Inventors: Jamie Robert Wilson, Craig Steven Wright
  • Patent number: 9800411
    Abstract: In a general aspect, a secret generator is used in an elliptic curve cryptography (ECC) scheme. In some aspects, an elliptic curve subgroup is specified by a public generator of an ECC system, and the secret generator is an element of the elliptic curve subgroup. In some instances, the secret generator is used to generate an ECC key pair that includes a public key and a private key, and the private key is used to generate a digital signature based on a message. In some instances, the public key and the secret generator are used to verify the digital signature.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: October 24, 2017
    Assignee: ISARA Corporation
    Inventors: Michael Kenneth Brown, Gustav Michael Gutoski, Marinus Struik, Atsushi Yamada
  • Patent number: 9787472
    Abstract: Described is a system for mobile proactive secret sharing amongst a set of servers. A First protocol distributes a block of secret data among the set of servers, the block of secret data including shares of data. Each server holds one share of data encoding the block of secret data. A Second protocol periodically refreshes shares of data such that each server holds a new share of data that is independent of the previous share of data. A Third protocol reveals the block of secret data. Shares of data are periodically erased to preserve security against the adversary. The Second protocol provides statistical security or non-statistical security against the adversary.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: October 10, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua D. Lampkins, Karim El Defrawy
  • Patent number: 9787672
    Abstract: A method and system for emulating a smartcard which includes receiving a one time password and a container PIN for a container, validating the container PIN, upon validating the container PIN, and sending a request to validate the one time password to an authentication server based on a credential ID and a user ID, wherein the request includes the credential ID, the user ID, and the one time password. Upon validation of the one time password by the authentication server, a response is received from the authentication server, and the response includes at least one of: at least a portion of a private key or an authorization to access at least a portion of the private key stored locally.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: October 10, 2017
    Assignee: Symantec Corporation
    Inventors: Alan Dundas, Eirik Herskedal
  • Patent number: 9780950
    Abstract: A method and system for authenticating a credential via a one time password which includes receiving a user ID, a client ID, and the one time password from a client device, and then validating the one time password based on the user ID and the credential ID. Upon validating the one time password, a response is sent to the client device, and the response includes at least one of an authorization to access a private key stored on the client device or at least a portion of the private key.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: October 3, 2017
    Assignee: Symantec Corporation
    Inventors: Alan Dundas, Eirik Herskedal
  • Patent number: 9768953
    Abstract: A processor-based method for secret sharing in a computing system is provided. The method includes encrypting shares of a new secret, using a previous secret and distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system. The method includes decrypting at least a subset of the encrypted shares of the new secret, using the previous secret and regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: September 19, 2017
    Assignee: Pure Storage, Inc.
    Inventors: Andrew R. Bernat, Ethan L. Miller
  • Patent number: 9754118
    Abstract: A method of performing an operation on a data storage for storing data being encrypted with a key KD associated with an owner of the data is provided. The method includes deriving, for each authorized client Cj, a first key KCj and a second key KTj, providing the client Cj with the first key KCj, and providing a Trusted Third Party (TTP) with the second key KTj. The method further includes, at a Policy Enforcement Point, receiving a request for performing the operation on the data storage from a client Ck of the authorized clients, acquiring a first key KCk from the client Ck, acquiring a second key KTk from the TTP, deriving the key KD from the first key KCk and the second key KTk, and performing the operation on the data storage using the derived key KD. The disclosed trust model uses two-part secret sharing.
    Type: Grant
    Filed: September 9, 2013
    Date of Patent: September 5, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Mats Näslund, Christian Schaefer
  • Patent number: 9754253
    Abstract: Identity certificates such as SSL certificates can be issued in such a way that their use can be disabled upon short notice. In one embodiment, private signing information associated with a certificate is used by an infrastructure service on behalf of an entity, without making the private signing information accessible to the entity. In another embodiment, short-term certificates are dynamically issued to an application based on a previous certificate authorization.
    Type: Grant
    Filed: November 28, 2011
    Date of Patent: September 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Patent number: 9742561
    Abstract: A method for authentication of a computing device so that shares of a secret may be delivered, over a network that uses a communications protocol which does not require use of an address, and on which an authentication server is listening, comprising the steps of dividing the secret into a first share and a second share, or more; destroying the secret; transmitting the second share, together with a unique identifier, out of band to a pre-designated location; erasing the second share from the computing device; storing the first share at the computing device; broadcasting the unique identifier over the network; accepting a request over the network from an authentication server to initiate an authentication protocol; responding to the request; receiving the second share from the authentication server; and reconstructing the secret using the received second share and the stored first share.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: August 22, 2017
    Assignee: SPYRUS, INC.
    Inventors: Michael Perretta, Burton Tregub
  • Patent number: 9735959
    Abstract: A method for enforcing access control policies on data owned by a plurality of users includes evaluating the access control policies of users, applying a collusion resistant sharing scheme for generating key shares of an encryption key and delegating the key shares to one or more designated users based on a result of the evaluation. The data is securely dispersed by applying an encryption scheme on all parts of the data to be encrypted to produce encrypted data shares. The encryption scheme is provided such that for decryption of the encrypted data, the encryption key and at least a predetermined number of data shares are provided. Each data share is delegated to one or more designated users, and the data shares and the key shares are distributed to the respective designated users.
    Type: Grant
    Filed: April 24, 2014
    Date of Patent: August 15, 2017
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Claudio Soriente, Srdjan Capkun
  • Patent number: 9735962
    Abstract: Securing encryption keys in a data storage system using three layer key wrapping that encrypts a data encryption key using a key encryption key, encrypts the key encryption key using a controller encryption key, and encrypts the controller encryption key using a public key of an asymmetric key pair. The private key is stored on a removable storage device. A separate encryption accelerator component decrypts the encryption keys in order to encrypt and/or decrypt host data from a memory of a storage processor. The removable storage drive must be inserted into a receptacle of the encryption accelerator for encryption and/or decryption to be performed, since the encryption accelerator accesses the private key from the removable storage device in order to decrypt the encrypted controller key. The encryption accelerator generates key handles for the storage processor to use when requesting encryption and/or decryption operations.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: August 15, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Lifeng Yang, Jian Gao, Xinlei Xu, Ruiyong Jia, Lili Chen
  • Patent number: 9712499
    Abstract: A cryptographic processing apparatus that holds a first key, and receives authentication object data upon authentication includes a communication unit and a computing unit. The communication unit communicates with a calculation apparatus and a determination apparatus. In the calculation apparatus, encrypted registration data obtained by encrypting registration data twice, once with the first key and once with a second key, is registered. The registration data is data against which the authentication object data is verified. The determination apparatus uses the second key upon the authentication. When registering the encrypted registration data in the calculation apparatus, the computing unit generates a key different from the first key, generates encrypted data by encrypting the registration data twice, once with the first key and once with the different key, transmits the different key to the determination apparatus, and the encrypted data to the calculation apparatus, through the communication unit.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: July 18, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Yumi Sakemi, Tetsuya Izu, Masahiko Takenaka
  • Patent number: 9705856
    Abstract: Methods (500) of a network node (111) for creating and joining secure sessions for members (111-114) of a group of network nodes are provided. The methods comprise receiving an identity certificate and an assertion for the network node as well as a secret group key for the group. The method for creating a session further comprises creating (501) a session identifier and a secret session key for the session, and sending (502) an encrypted and authenticated broadcast message comprising the session identifier. The method for joining a session further comprises sending an encrypted and authenticated discovery message comprising the identity certificate and the assertion, and receiving an encrypted and authenticated discovery response message from another network node which is a member of the group. The disclosed combined symmetric key and public key scheme is based on the availability of three credentials at each node, i.e.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: July 11, 2017
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON
    Inventors: Christian Gehrmann, Oscar Ohlsson, Ludwig Seitz
  • Patent number: 9673984
    Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: June 6, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Wei Jiang, Adam Back, John D. Whited, Yordan I. Rouskov, Ismail Cem Paya, Wei-Quiang Michael Guo
  • Patent number: 9667616
    Abstract: A communication apparatus sends a processing request, including request information, a digital signature, and an electronic certificate, to a control apparatus. The control apparatus sends a verification request including the electronic certificate to a verification server. The verification server verifies the electronic certificate included in the verification request, and sends authentication-use reference information, including the verification result, as a verification response, to the control apparatus. When the verification result included in the authentication-use reference information indicates validity, the control apparatus, using the request information and a public key included in the electronic certificate, verifies whether or not the digital signature is valid. When the digital signature is valid, the control apparatus performs the requested processing in accordance with the request information, and sends a processing response, to the communication apparatus.
    Type: Grant
    Filed: January 8, 2013
    Date of Patent: May 30, 2017
    Assignee: Mitsubishi Electric Corporation
    Inventors: Nobuhiro Kobayashi, Tsutomu Sakagami, Manabu Misawa
  • Patent number: 9667599
    Abstract: Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.
    Type: Grant
    Filed: November 17, 2014
    Date of Patent: May 30, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Peter D'Souza, Omkant Pandey
  • Patent number: 9648046
    Abstract: A computer-implemented method for managing an authentication policy for a user on a network of an organization includes determining at least one social media attribute of the user, and a social media risk value is assigned based on the at least one social media attribute of the user. The method further includes determining at least one network activity risk attribute of the user, and a network activity risk score is assigned based on the at least one network activity risk attribute. A current risk assessment score of the user is calculated based on the social media risk value and the network activity risk value. An authentication policy for the user is determined based on the current risk assessment score.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: May 9, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gregory J. Boss, Andrew R. Jones, C. Steven Lingafelt, Kevin C. McConnell, John E. Moore, Jr.
  • Patent number: 9641514
    Abstract: Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial token or partial profiles can be verified with non-interactive zero-knowledge proofs.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: May 2, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Bin Benjamin Zhu, Min Feng
  • Patent number: 9639687
    Abstract: A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: May 2, 2017
    Assignee: CLOUDFLARE, INC.
    Inventor: Nicholas Thomas Sullivan
  • Patent number: 9641325
    Abstract: A server system for implementing a distributed cryptographic protocol includes a machine management server which comprises a current virtual machine configured to implement the protocol using a set of communication keys and state information for the protocol. The system further includes a memory and a refresh server. The system is configured, for each of successive new time periods in operation of the protocol, to perform a refresh operation wherein: the refresh server retrieves the state information from the memory, generates a new set of communication keys, and sends the state information and new set of keys to the machine management server; the machine management server configures a new virtual machine for implementing the protocol, whereby the new virtual machine receives the new set of keys and state information sent by the refresh server; and the new virtual machine assumes operation as the current virtual machine for the new time period and stores state information for that time period in the memory.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: May 2, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Mark Korondi, Daniel Kovacs, Michael C. Osborne
  • Patent number: 9628479
    Abstract: Systems and methods for generating and using ephemeral identifiers are provided. One example method includes determining, by one or more computing devices, a current time-count. The method includes determining, by the one or more computing devices, a time-modified identifier based at least in part on a static identifier and the current time-count. The method includes determining, by the one or more computing devices, an ephemeral identifier based at least in part on the time-modified identifier and a rotation key. One example system includes a plurality of beacon devices, at least one observing entity, and at least one verifying entity.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: April 18, 2017
    Assignee: Google Inc.
    Inventors: Ken Krieger, Michel Weksler
  • Patent number: 9626525
    Abstract: Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: April 18, 2017
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Georgy Momchilov, Ola Nordstrom
  • Patent number: 9614676
    Abstract: Described is a system for implementing proactive secret sharing. The system uses a Secret-Share protocol to distribute, by a computing device, a block of secret data comprising shares of secret data among a set of computing devices, wherein each computing device in the set of computing devices holds an initial share of secret data. The system uses at least one Secret-Redistribute protocol to periodically redistribute the plurality of shares of secret data among the set of computing devices, wherein each computing device in the set of computing devices holds a subsequent share of secret data from the block of secret data that is independent of the initial share of secret data. Finally, a Secret-Open protocol is initialized to reveal the block of secret data.
    Type: Grant
    Filed: August 3, 2015
    Date of Patent: April 4, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Joshua D. Lampkins, Joshua W. Baron
  • Patent number: 9614670
    Abstract: Systems and methods for securing or encrypting data or other information arising from a user's interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user's storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentiality of the protected data.
    Type: Grant
    Filed: February 5, 2016
    Date of Patent: April 4, 2017
    Assignee: Ionic Security Inc.
    Inventors: Adam Ghetti, James Jordan, Kenneth Silva, Jeremy Eckman, Robert McColl, Ryan Speers
  • Patent number: 9596574
    Abstract: A method and apparatus of communicating with multiple mobile station devices in a concerted effort is disclosed. According to one example method of operation content is provided to multiple mobile station devices in a pre-defined venue location. The method may also provide identifying the mobile station devices as being present at the pre-defined venue location via a server and initiating an application on the server that establishes a customized content delivery function utilized to deliver customized content to each of the identified mobile station devices. A command may be triggered to begin transmitting the customized content to each of the mobile station devices at a predetermined time and the customized content may be transmitted to each of the mobile station devices responsive to receiving the trigger command.
    Type: Grant
    Filed: July 22, 2015
    Date of Patent: March 14, 2017
    Assignee: West Corporation
    Inventor: Jason H. Groenjes
  • Patent number: 9596344
    Abstract: A system and method for recording media for a contact center where a processor is configured to determine that media exchanged between first and second communication devices during a telephony call is to be recorded; bridge a media path between the first and second communication devices; cause replicating of the media exchanged in the media path; encrypt the replicated media via a first cryptographic key for storing the encrypted media in a data storage device; and encrypt the first cryptographic key via a second cryptographic key for storing the encrypted first cryptographic key as metadata for the encrypted media.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: March 14, 2017
    Assignee: GENESYS TELECOMMUNICATIONS LABORATORIES, INC.
    Inventors: Henry R. Lum, Vladimir Filonov, Jeffrey Culbert, Daniel Blander, Somasundaram Subramaniam, Angelo Cicchitto, Paul Gvildys
  • Patent number: 9590807
    Abstract: A method for generating cryptographic parameters comprises generating a private_IGTABLE based on an Euler totient function of a composite number (φ(n)), where the private_IGTABLE includes a plurality of random numbers (x). Further, a public_IGTABLE based on the private_IGTABLE, a composite number (n), and a group generator element (g) is generated, where the public_IGTABLE includes a corresponding modular exponentiation under modulo n for each of the plurality of random numbers with g as base. Further, a public key of a user is computed based on the public_IGTABLE, an identity number (ID) corresponding to the user, and n. Further, a secret key of the user is generated based on the ID, a master private key, the φ(n), and the private_IGTABLE. Thereafter, the cryptographic parameters are provided to the user for performing encryption and decryption, where the cryptographic parameters include at least one of the ID, the public key, and the secret key.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: March 7, 2017
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Ravishankara Shastry, Barkur Suryanarayana Adiga, Rajan Mindigal Alasingara Bhattachar, Shivraj Vijayshankar Lokamathe, Balamuralidhar Purushotaman
  • Patent number: 9590804
    Abstract: Provided is an identification information generation device capable of generating identification information with its complete individual identifiability guaranteed.
    Type: Grant
    Filed: November 16, 2012
    Date of Patent: March 7, 2017
    Assignee: NEC CORPORATION
    Inventor: Sumio Morioka