Key Escrow Or Recovery Patents (Class 380/286)
  • Patent number: 10043166
    Abstract: Methods and systems for providing protection to an individual or party from penalties associated with late or missed payments of bills, invoices and other charges are described. The methods and systems can warn a user of possible penalties and take correction action to avoid incurring the penalty. In an example, a computerized method, and system for performing the method can include receiving data about a plurality of payments to be paid by at least one party, the data includes at least one penalty associated with at least one of the payments, ranking the payments based at least partially upon the penalty and determining an order for the payments to be paid.
    Type: Grant
    Filed: February 5, 2013
    Date of Patent: August 7, 2018
    Assignee: UNITED SERVICES AUTOMOBILE ASSOCIATION (USAA)
    Inventors: Joseph Alfred Kazenas, Teddy Joseph Edmond Voutour
  • Patent number: 10044703
    Abstract: A password registration method of a user device which uses a password-based authentication manner is provided. The password registration method includes combining a salt to an input password to generate a combination password; expanding the combination password to generate an expanded password of which a data length is increased; compressing the expanded password to output authentication data; and storing the authentication data in an authentication database.
    Type: Grant
    Filed: January 22, 2015
    Date of Patent: August 7, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jesang Lee, Sunghyun Kim, Minja Han
  • Patent number: 10038719
    Abstract: In one embodiment, a cloud client device identifies a configuration event. The cloud client device identifies a configuration associated with the configuration event. The cloud client device stores a first security key associated with the configuration and configures the cloud client device in accordance with the configuration.
    Type: Grant
    Filed: April 29, 2014
    Date of Patent: July 31, 2018
    Assignee: Dell Products L.P.
    Inventors: Gabriel Jakobus Grosskopf, Richard Graham Cook, Leela Seshu Reddy Cheedepudi
  • Patent number: 10025597
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for erasing user data stored in a file system. The method includes destroying all key bags containing encryption keys on a device having a file system encrypted on a per file and per class basis, erasing and rebuilding at least part of the file system associated with user data, and creating a new default key bag containing encryption keys. Also disclosed herein is a method of erasing user data stored in a remote file system encrypted on a per file and per class basis. The method includes transmitting obliteration instructions to a remote device, which cause the remote device to destroy all key bags containing encryption keys on the remote device, erase and rebuild at least part of the file system associated with user data, and create on the remote device a new default key bag containing encryption keys.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: July 17, 2018
    Assignee: Apple Inc.
    Inventors: Dallas Blake De Atley, Gordon Freedman, Thomas Brogan Duffy, Jr., Tahoma Madrone Toelkes, Michael John Smith, Paul William Chinn, David Rahardja
  • Patent number: 10027717
    Abstract: Providing peer-to-peer network security includes collecting, by a local trusted network device, local trust data related to behavior of the local trusted network device, receiving, by one or more remote trusted network devices, additional trust data for the local trusted network device, calculating a combined trust score for the local trusted network device based on the local trust data and additional trust data, and modifying activity of the local trusted network device based on the combined trust score.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: July 17, 2018
    Assignee: McAfee, LLC
    Inventors: Omer Ben-Shalom, Alex Nayshtut, Oleg Pogorelik, Igor Muttik
  • Patent number: 10019859
    Abstract: An identification device includes, but is not limited to, a deformable substrate configured to conform to a skin surface of a body portion of an individual subject; a sensor assembly coupled to the deformable substrate, the sensor assembly including one or more identity sensors configured to generate one or more identity sense signals associated with at least one physical characteristic of the individual subject; circuitry configured to compare the one or more identity sense signals generated by the sensor assembly to reference data indicative of one or more physical characteristics associated with an identity; circuitry configured to compare at least one of the one or more identity sense signals or the identity with one or more authorization parameters; and a reporter operably coupled to the circuitry and configured to generate one or more communication signals associated with the comparison with the one or more authorization parameters.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: July 10, 2018
    Assignee: ELWHA LLC
    Inventors: Roderick A. Hyde, Jordin T. Kare, Gary L. McKnight, Robert C. Petroski, Elizabeth A. Sweeney
  • Patent number: 10015144
    Abstract: A method for transmitting data involves receiving the data, identifying, by a sender system, a first data element in the data to protect, encrypting, by the sender system, the first data element with a sender session key, generating, by the sender system, a combined key using a receiver key value and a sender compartmentalization key (SK). The method also involves encrypting, by the sender system, the sender session key using the combined key to obtain an encrypted session key, generating, by the sender system, a data passport comprising the encrypted session key, a dictionary classification key (DK) index, a SK index, and a receiver compartmentalization key (RK) index, generating, by the sender system, protected data comprising the data passport and the encrypted first data element, and transmitting, by the sender system and across a network, the protected data to a receiver system.
    Type: Grant
    Filed: January 31, 2014
    Date of Patent: July 3, 2018
    Assignee: Schedule1 Inc.
    Inventors: Jacob Katz, Kevin Ellison
  • Patent number: 9992170
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data that may be communicated using multiple communications paths.
    Type: Grant
    Filed: June 11, 2013
    Date of Patent: June 5, 2018
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport, Steven Winick
  • Patent number: 9992190
    Abstract: Even when an intermediate server exists, a plurality of servers simultaneously authenticates a user securely. A user apparatus disperses a password. The user apparatus obtains a ciphertext, which is obtained by encrypting a dispersed value. The intermediate server transmits the ciphertext to an authentication server. The authentication server decrypts the ciphertext to obtain the dispersed value. The authentication server determines a verification value. The authentication server obtains a ciphertext. The intermediate server decrypts the ciphertext to obtain the verification value. The intermediate server verifies whether a sum total of the verification values is equal to 0 or not. The authentication server determines a verification value. The authentication server obtains a ciphertext. The authentication server decrypts the ciphertext to obtain the verification value. The authentication server verifies whether a sum total of the verification values is equal to 0 or not.
    Type: Grant
    Filed: August 21, 2014
    Date of Patent: June 5, 2018
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Ryo Kikuchi, Dai Ikarashi, Koji Chida, Koki Hamada
  • Patent number: 9985932
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data that may be communicated using multiple communications paths.
    Type: Grant
    Filed: May 10, 2012
    Date of Patent: May 29, 2018
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport, Steven Winick
  • Patent number: 9979546
    Abstract: The present invention provides methods of, and computer programs and systems for, controlling access to a resource via a computing device configured to perform a method that enables new encrypted versions of a key, encrypted with code values in a sequence of code values that are valid at a future time, to be provided and made available for future performance of the method. This in turn enables a method of user verification that does not require access to a remote server in order to provide one-time passcode verification, and so provides an offline one-tome passcode authentication method that is self-sustaining.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: May 22, 2018
    Assignee: BlackBerry Limited
    Inventor: Nicholas B. Van Someren
  • Patent number: 9979536
    Abstract: An encryption device 200 outputs a ciphertext ct including a ciphertext c and a ciphertext c˜. The ciphertext c has been set with one of attribute information x and attribute information v related to each other. The ciphertext c˜ has been set with one of attribute information y and attribute information z related to each other. A decryption device 300 outputs a re-encryption key rk including a decryption key k*rk, a decryption key k˜*rk, and encrypted conversion information ?rk. The decryption key k*rk is obtained by converting the decryption key k* which is set with the other one of attribute information x and attribute information v, with conversion information W1,t. The decryption key k˜*rk has been set with the other one of the attribute information y and the attribute information z. The encrypted conversion information ?rk is obtained by encrypting the conversion information W1,t by setting one of attribute information x? and attribute information v? related to each other.
    Type: Grant
    Filed: October 9, 2013
    Date of Patent: May 22, 2018
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Yutaka Kawai, Katsuyuki Takashima
  • Patent number: 9967239
    Abstract: The invention provides a method of verifiable generation of public keys. According to the method, a self-signed signature is first generated and then used as input to the generation of a pair of private and public keys. Verification of the signature proves that the keys are generated from a key generation process utilizing the signature. A certification authority can validate and verify a public key generated from a verifiable key generation process.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: May 8, 2018
    Assignee: Certicom Corp.
    Inventor: Daniel R. Brown
  • Patent number: 9965270
    Abstract: Systems, methods, and computer-readable storage media for updating a computer firmware. The system generates a user firmware volume within a computer firmware volume containing computer firmware used by the system during a boot process. In some cases, the user firmware volume can be a file system. The system also obtains a firmware file for updating the computer firmware used by the system during the boot process. Next, the system compares the firmware file with a content of the computer firmware volume to yield a comparison and, based on the comparison, stores the firmware file on the user firmware volume within the computer firmware volume without flashing an entire portion of the computer firmware used by the system during the boot process.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: May 8, 2018
    Assignee: QUANTA COMPUTER INC.
    Inventor: Keng-Wei Chang
  • Patent number: 9954900
    Abstract: Embodiments of the present invention provide for a method, system, and apparatus for creating a publishable computer file. The method includes selecting a first computer file encapsulating a source security policy for a computing device and creating a second computer file using the source security policy of the first computer file to create a local security policy and to encapsulate the created local security policy and also an operating system security policy. The method further includes calculating a hash value for the second computer file and storing the hash value in a header for the second computer file. The method yet further includes encrypting the second computer file, wherein the encrypted second computer file once loaded into memory of the computing device is processed by the computing device.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: April 24, 2018
    Assignee: STEELCLOUD, LLC
    Inventors: Brian H. Hajost, Fredi Jaramillo
  • Patent number: 9954680
    Abstract: A master encryption key is split at a key splitting server such that three key shares are required to reconstruct it, and is then destroyed. The key shares are distributed such that an encrypted remote management server key share is stored at a remote management server, an encrypted managed device key share is stored at a managed device, and a key splitting server key share is stored on the key splitting server. Incoming communications to the key splitting server from managed devices are prevented, and outgoing communications from the key splitting server are only allowed to managed devices. The managed device obtains the master encryption key at startup by sending its managed device key share to the remote management server, which sends the managed device key share and the remote management server key share to the key splitting server. The key splitting server reconstructs the master encryption key, encrypts it using a public key of the managed device, and sends it to the managed device.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 24, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Lawrence N. Friedman
  • Patent number: 9942051
    Abstract: The present invention provides systems and methods for supporting encrypted communications with a medical device, such as an implantable device, through a relay device to a remote server, and may employ cloud computing technologies. An implantable medical device is generally constrained to employ a low power transceiver, which supports short distance digital communications. A relay device, such as a smartphone or WiFi access point, acts as a conduit for the communications to the internet or other network, which need not be private or secure. The medical device supports encrypted secure communications, such as a virtual private network technology. The medical device negotiates a secure channel through a smartphone or router, for example, which provides application support for the communication, but may be isolated from the content.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: April 10, 2018
    Assignee: Poltorak Technologies LLC
    Inventor: Alexander Poltorak
  • Patent number: 9942044
    Abstract: A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: April 10, 2018
    Assignee: CLOUDFLARE, INC.
    Inventor: Nicholas Thomas Sullivan
  • Patent number: 9934409
    Abstract: A method includes receiving a plurality of data sets. Each data set includes a customer identifier field specifying a unique customer identifier associated with each entry in each data set. The plurality of data sets includes a first group of data sets and a second group of data sets. The method further includes storing the plurality of data sets, and generating a key map including the customer identifier field including unique customer identifiers of the first group of data sets of the plurality of data sets, and an anonymous identifier field including unique anonymous identifiers. Each anonymous identifier corresponds to a customer identifier of the key map. The method further includes replacing each unique customer identifier in the second group of data sets with the corresponding anonymous identifier.
    Type: Grant
    Filed: March 9, 2015
    Date of Patent: April 3, 2018
    Assignee: Datalogix Holdings, Inc.
    Inventor: Robert John Cuthbertson
  • Patent number: 9935923
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: April 3, 2018
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport, Steven Winick
  • Patent number: 9930014
    Abstract: A key delivery mechanism that delivers keys to an OS platform (e.g., iOS platform) devices for decrypting encrypted HTTP live streaming data. An HTTPS URL for a stateless HTTPS service is included in the manifest for an encrypted HTTP live stream obtained by an application (e.g., a browser) on an OS platform device. The URL includes an encrypted key, for example as a query parameter value. The application passes the manifest to the OS. The OS contacts the HTTPS service to obtain the key using the URL indicated in the manifest. Since the encrypted key is a parameter of the URL, the encrypted key is provided to the HTTPS service along with information identifying the content. The HTTPS service decrypts the encrypted key and returns the decrypted key to the OS over HTTPS, thus eliminating the need for a database lookup at the HTTPS service.
    Type: Grant
    Filed: March 13, 2015
    Date of Patent: March 27, 2018
    Assignee: Adobe Systems Incorporated
    Inventors: Viswanathan Swaminathan, Kelly Kishore, Srinivas R. Manapragada
  • Patent number: 9922063
    Abstract: A method for secure storage of secret data begins with an originating device transforming the secret data to produce a plurality of secret data shares and encrypting the plurality of secret data shares using unique encryption values of trusted agent modules of a dispersed storage network (DSN) to produce a plurality of encrypted secret data shares for storage in storage nodes of the DSN. Retrieval of the secret data begins with the originating device sending a secret data retrieval request to the trusted agent modules and recovering, by the trusted agent modules, the plurality of encrypted secret data shares from the storage nodes. The method continues with the trusted agent modules decrypting the plurality of encrypted secret data shares using a decryption function corresponding to the unique encryption values and sending the plurality of secret data shares to the originating device.
    Type: Grant
    Filed: May 6, 2013
    Date of Patent: March 20, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jason K. Resch, Wesley Leggette
  • Patent number: 9906500
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.
    Type: Grant
    Filed: May 12, 2015
    Date of Patent: February 27, 2018
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport
  • Patent number: 9904793
    Abstract: Systems, methods, and apparatus to provide private information retrieval. A disclosed example system includes a first trusted processing unit to store a first portion of data such that entities other than the first trusted processing unit are unable to access the first portion of the data in the first trusted processing unit; a second trusted processing unit to store a second portion of the data such that entities other than the second trusted processing unit are unable to access the second portion of the data in the second trusted processing unit; and a third trusted processing unit to: determine that a data element specified in a request is stored in the first trusted processing unit; request the data element from the first trusted processing unit; send a dummy request to the second trusted processing unit; and send the data element to a requester.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: February 27, 2018
    Assignee: Intel Corporation
    Inventors: Richard Chow, Edward Wang, Vinay Phegade
  • Patent number: 9906558
    Abstract: A method sends a request for a delegated authorization grant data set, receives a delegated authorization grant data set that defines the delegated authorization grant scope, with respect to a resource. The delegated authorization grant data set includes a scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device. The scope controls access to the resource in a manner limited by the scope of the delegated authorization grant defined by the delegated authorization grant data set.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: February 27, 2018
    Assignee: International Business Machines Corporation
    Inventors: David P. Moore, Craig Pearson
  • Patent number: 9900288
    Abstract: Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: February 20, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Peter D'Souza, Omkant Pandey
  • Patent number: 9894151
    Abstract: A method begins by a module to generate a secure signature on an item by selecting a first key representation index of a set of key representation indexes, wherein a first mathematical encoding of a private key generates a first plurality of key shares as a first key representation. The method continues with the module determining whether a first plurality of signature contributions have been received in response to a signature request for the item based on the first key representation index, wherein one of a first set of dispersed storage (DS) units executes a first mathematical signature function using one of the first plurality of key shares on the item to produce a signature contribution of the first plurality of signature contributions and when the first plurality of signature contributions have been received, generating the secure signature on the item from the first plurality of signature contributions.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: February 13, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Greg Dhuse, Jason K. Resch, Wesley Leggette
  • Patent number: 9881145
    Abstract: An indication of a change in a right to use a service or feature is received. For example, this can be based on an administrator granting access to a previously installed service or feature. In response, a notification is sent to a user of the change of the right to use the service or feature. The notification requests the user to provide a credential to approve the change of the right to use the service or feature. For example, a link may be provided in an email or text message that the user can click on to provide a password/user name. The credential is received and verified. In response to validating the credential, access is allowed according to the change of the right to use the service or feature. The user then has access to the service/feature without the administrator having to know the user's credential.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: January 30, 2018
    Assignee: Avaya Inc.
    Inventors: Manish Dusad, Ping Lin, Gordon Brunson, Mark Mackenzie, Navjot Singh, Geoff Baskwill
  • Patent number: 9871944
    Abstract: An image forming apparatus transmits a database to an external server. The image forming apparatus includes a storage section, a replication section, an encipherment section, a transmission section, a generation section, and an acquisition section. The storage section stores a database therein. The replication section generates a replica of the database stored in the storage section as a replicated database. The encipherment section enciphers the replicated database. The transmission section transmits the enciphered database to the external server each time a predetermined time period elapses. The generation section generates a deciphering key for deciphering the enciphered database. The acquisition section acquires disaster information. Upon the acquisition section acquiring the disaster information, the transmission section transmits the deciphering key to the external server.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: January 16, 2018
    Assignee: KYOCERA Document Solutions Inc.
    Inventors: Masayoshi Hayama, Masaru Sato, Kazunori Goto, Masaki Kikuchi, Toshiya Miyai
  • Patent number: 9867042
    Abstract: Disclosed is a radio frequency identification (RFID) tag comprising: an RFID functional portion configured to enable wireless communication between the RFID tag and an RFID reader; a data processing functional portion with asymmetric cryptographic capability; and a power source configured to power the data processing functional portion.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: January 9, 2018
    Assignee: MIKOH CORPORATION
    Inventor: Peter Samuel Atherton
  • Patent number: 9843928
    Abstract: A method and apparatus is provided for connecting a communication device to a deployable system. The deployable system obtains at least one deployable key derived on a fixed system for the deployable system based on an existing key stored on a database of the fixed system, wherein the existing key is used to authenticate a communication device. The deployable system stores the derived key. Subsequent to the storing, the deployable system is activated to provide communication resources to communication devices disconnected from the fixed system. The activated deployable system is not connected to the fixed system. The activated deployable system receives an authentication request from the communication device requesting connection to the deployable system; generates authentication vectors using the at least one derived deployable key; and authenticates an authentication response received from the communication device using the authentication vectors.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: December 12, 2017
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Steven D Upp, Isam R Makhlouf, Francesca Schuler, Gino A Scribano
  • Patent number: 9832025
    Abstract: A policy server that is associated with a secure element owner receives a request, from a service provider, to provision access, by an application, to the secure element. The policy server creates, in response to the request, a policy ticket, for the service provider, that defines privileges for the service provider to create a security domain or a new profile within the secure element. The policy server provides, to a service provider trusted service manager (TSM), the policy ticket and a signed certificate, the signed certificate corresponding to a root certificate that is inserted into a Controlling Authority Security Domain (CASD) portion of the secure element prior to receiving the request. When the CASD receives the policy ticket and signed certificate from the service provider TSM, the CASD validates based on the root certificate and provisions access to the secure element based on information in the policy ticket.
    Type: Grant
    Filed: May 19, 2015
    Date of Patent: November 28, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Manuel Enrique Caceres, Warren Hojilla Uy, Ruben Cuadrat, Taussif Khan
  • Patent number: 9811869
    Abstract: A system, method, server processing system, and computer program product for operating a registry. In one aspect, the server processing system is configured to: receive, from a user processing system in data communication with the server processing system, document data relating to an entity; receive, from the user processing system, access data indicative of an accessing party to be provided access to the document data if a defined trigger event occurs; store, in a data store associated with the server processing system, a registry for the entity indicative of the document data and the access data; determine that a defined trigger event has occurred; and in response to determining that that a defined trigger event has occurred, provide the accessing party read-only access to the document data via an access processing system in data communication with the server processing system.
    Type: Grant
    Filed: October 25, 2012
    Date of Patent: November 7, 2017
    Assignee: YDF Global Party Ltd.
    Inventors: Jamie Robert Wilson, Craig Steven Wright
  • Patent number: 9800411
    Abstract: In a general aspect, a secret generator is used in an elliptic curve cryptography (ECC) scheme. In some aspects, an elliptic curve subgroup is specified by a public generator of an ECC system, and the secret generator is an element of the elliptic curve subgroup. In some instances, the secret generator is used to generate an ECC key pair that includes a public key and a private key, and the private key is used to generate a digital signature based on a message. In some instances, the public key and the secret generator are used to verify the digital signature.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: October 24, 2017
    Assignee: ISARA Corporation
    Inventors: Michael Kenneth Brown, Gustav Michael Gutoski, Marinus Struik, Atsushi Yamada
  • Patent number: 9787472
    Abstract: Described is a system for mobile proactive secret sharing amongst a set of servers. A First protocol distributes a block of secret data among the set of servers, the block of secret data including shares of data. Each server holds one share of data encoding the block of secret data. A Second protocol periodically refreshes shares of data such that each server holds a new share of data that is independent of the previous share of data. A Third protocol reveals the block of secret data. Shares of data are periodically erased to preserve security against the adversary. The Second protocol provides statistical security or non-statistical security against the adversary.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: October 10, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua D. Lampkins, Karim El Defrawy
  • Patent number: 9787672
    Abstract: A method and system for emulating a smartcard which includes receiving a one time password and a container PIN for a container, validating the container PIN, upon validating the container PIN, and sending a request to validate the one time password to an authentication server based on a credential ID and a user ID, wherein the request includes the credential ID, the user ID, and the one time password. Upon validation of the one time password by the authentication server, a response is received from the authentication server, and the response includes at least one of: at least a portion of a private key or an authorization to access a at least a portion of the private key stored locally.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: October 10, 2017
    Assignee: Symantec Corporation
    Inventors: Alan Dundas, Eirik Herskedal
  • Patent number: 9780950
    Abstract: A method and system for authenticating a credential via a one time password which includes receiving a user ID, a client ID, and the one time password from a client device, and then validating the one time password based on the user ID and the credential ID. Upon validating the one time password, a response is sent to the client device, and the response includes at least one of an authorization to access a private key stored on the client device or at least a portion of the private key.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: October 3, 2017
    Assignee: Symantec Corporation
    Inventors: Alan Dundas, Eirik Herskedal
  • Patent number: 9768953
    Abstract: A processor-based method for secret sharing in a computing system is provided. The method includes encrypting shares of a new secret, using a previous secret and distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system. The method includes decrypting at least a subset of the encrypted shares of the new secret, using the previous secret and regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: September 19, 2017
    Assignee: Pure Storage, Inc.
    Inventors: Andrew R. Bernat, Ethan L. Miller
  • Patent number: 9754253
    Abstract: Identity certificates such as SSL certificates can be issued in such a way that their use can be disabled upon short notice. In one embodiment, private signing information associated with a certificate is used by an infrastructure service on behalf of an entity, without making the private signing information accessible to the entity. In another embodiment, short-term certificates are dynamically issued to an application based on a previous certificate authorization.
    Type: Grant
    Filed: November 28, 2011
    Date of Patent: September 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Patent number: 9754118
    Abstract: A method of performing an operation on a data storage for storing data being encrypted with a key KD associated with an owner of the data is provided. The method includes deriving, for each authorized client Cj, a first key KCj and a second key KTj, providing the client Cj with the first key KCj, and providing a Trusted Third Party (TTP) with the second key KTj. The method further includes, at a Policy Enforcement Point, receiving a request for performing the operation on the data storage from a client Ck of the authorized clients, acquiring a first key KCk from the client Ck, acquiring a second key KTk from the TTP, deriving the key KD from the first key KCk and the second key KTk, and performing the operation on the data storage using the derived key KD. The disclosed trust model uses two-part secret sharing.
    Type: Grant
    Filed: September 9, 2013
    Date of Patent: September 5, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Mats Näslund, Christian Schaefer
  • Patent number: 9742561
    Abstract: A method for authentication of a computing device so that shares of a secret may be delivered, over a network that uses a communications protocol which does not require use of an address, and on which an authentication server is listening, comprising the steps of dividing the secret into a first share and a second share, or more; destroying the secret; transmitting the second share, together with a unique identifier, out of band to a pre-designated location; erasing the second share from the computing device; storing the first share at the computing device; broadcasting the unique identifier over the network; accepting a request over the network from an authentication server to initiate an authentication protocol; responding to the request; receiving the second share from the authentication server; and reconstructing the secret using the received second share and the stored first share.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: August 22, 2017
    Assignee: SPYRUS, INC.
    Inventors: Michael Perretta, Burton Tregub
  • Patent number: 9735959
    Abstract: A method for enforcing access control policies on data owned by a plurality of users includes evaluating the access control policies of users, applying a collusion resistant sharing scheme for generating key shares of an encryption key and delegating the key shares to one or more designated users based on a result of the evaluation. The data is securely dispersed by applying an encryption scheme on all parts of the data to be encrypted to produce encrypted data shares. The encryption scheme is provided such that for decryption of the encrypted data, the encryption key and at least a predetermined number of data shares are provided. Each data share is delegated to one or more designated users, and the data shares and the key shares are distributed to the respective designated users.
    Type: Grant
    Filed: April 24, 2014
    Date of Patent: August 15, 2017
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Claudio Soriente, Srdjan Capkun
  • Patent number: 9735962
    Abstract: Securing encryption keys in a data storage system using three layer key wrapping that encrypts a data encryption key using a key encryption key, encrypts the key encryption key using a controller encryption key, and encrypts the controller encryption key using a public key of an asymmetric key pair. The private key is stored on a removable storage device. A separate encryption accelerator component decrypts the encryption keys in order to encrypt and/or decrypt host data from a memory of a storage processor. The removable storage drive must be inserted into a receptacle of the encryption accelerator for encryption and/or decryption to be performed, since the encryption accelerator accesses the private key from the removable storage device in order to decrypt the encrypted controller key. The encryption accelerator generates key handles for the storage processor to use when requesting encryption and/or decryption operations.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: August 15, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Lifeng Yang, Jian Gao, Xinlei Xu, Ruiyong Jia, Lili Chen
  • Patent number: 9712499
    Abstract: A cryptographic processing apparatus that holds a first key, and receives authentication object data upon authentication includes a communication unit and a computing unit. The communication unit communicates with a calculation apparatus and a determination apparatus. In the calculation apparatus, encrypted registration data obtained by encrypting registration data twice, once with the first key and once with a second key, is registered. The registration data is data against which the authentication object data is verified. The determination apparatus uses the second key upon the authentication. When registering the encrypted registration data in the calculation apparatus, the computing unit generates a key different from the first key, generates encrypted data by encrypting the registration data twice, once with the first key and once with the different key, transmits the different key to the determination apparatus, and the encrypted data to the calculation apparatus, through the communication unit.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: July 18, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Yumi Sakemi, Tetsuya Izu, Masahiko Takenaka
  • Patent number: 9705856
    Abstract: Methods (500) of a network node (111) for creating and joining secure sessions for members (111-114) of a group of network nodes are provided. The methods comprise receiving an identity certificate and an assertion for the network node as well as a secret group key for the group. The method for creating a session further comprises creating (501) a session identifier and a secret session key for the session, and sending (502) an encrypted and authenticated broadcast message comprising the session identifier. The method for joining a session further comprises sending an encrypted and authenticated discovery message comprising the identity certificate and the assertion, and receiving an encrypted and authenticated discovery response message from another network node which is a member of the group. The disclosed combined symmetric key and public key scheme is based on the availability of three credentials at each node, i.e.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: July 11, 2017
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON
    Inventors: Christian Gehrmann, Oscar Ohlsson, Ludwig Seitz
  • Patent number: 9673984
    Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: June 6, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Wei Jiang, Adam Back, John D. Whited, Yordan I. Rouskov, Ismail Cem Paya, Wei-QUiang Michael Guo
  • Patent number: 9667599
    Abstract: Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.
    Type: Grant
    Filed: November 17, 2014
    Date of Patent: May 30, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Peter D'Souza, Omkant Pandey
  • Patent number: 9667616
    Abstract: A communication apparatus sends a processing request, including request information, a digital signature, and an electronic certificate, to a control apparatus. The control apparatus sends a verification request including the electronic certificate to a verification server. The verification server verifies the electronic certificate included in the verification request, and sends authentication-use reference information, including the verification result, as a verification response, to the control apparatus. When the verification result included in the authentication-use reference information indicates validity, the control apparatus, using the request information and a public key included in the electronic certificate, verifies whether or not the digital signature is valid. When the digital signature is valid, the control apparatus performs the requested processing in accordance with the request information, and sends a processing response, to the communication apparatus.
    Type: Grant
    Filed: January 8, 2013
    Date of Patent: May 30, 2017
    Assignee: Mitsubishi Electric Corporation
    Inventors: Nobuhiro Kobayashi, Tsutomu Sakagami, Manabu Misawa
  • Patent number: 9648046
    Abstract: A computer-implemented method for managing an authentication policy for a user on a network of an organization includes determining at least one social media attribute of the user, and a social media risk value is assigned based on the at least one social media attribute of the user. The method further includes determining at least one network activity risk attribute of the user, and a network activity risk score is assigned based on the at least one network activity risk attribute. A current risk assessment score of the user is calculated based on the social media risk value and the network activity risk value. An authentication policy for the user is determined based on the current risk assessment score.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: May 9, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gregory J. Boss, Andrew R. Jones, C. Steven Lingafelt, Kevin C. McConnell, John E. Moore, Jr.
  • Patent number: 9641325
    Abstract: A server system for implementing a distributed cryptographic protocol includes a machine management server which comprises a current virtual machine configured to implement the protocol using a set of communication keys and state information for the protocol. The system further includes a memory and a refresh server. The system is configured, for each of successive new time periods in operation of the protocol, to perform a refresh operation wherein: the refresh server retrieves the state information from the memory, generates a new set of communication keys, and sends the state information and new set of keys to the machine management server; the machine management server configures a new virtual machine for implementing the protocol, whereby the new virtual machine receives the new set of keys and state information sent by the refresh server; and the new virtual machine assumes operation as the current virtual machine for the new time period and stores state information for that time period in the memory.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: May 2, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Mark Korondi, Daniel Kovacs, Michael C. Osborne