Secure, Autonomous File Encryption and Decryption
US-2018139188-A1 · May 17, 2018 · US
US10404667B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10404667-B2 |
| Application number | US-201615354371-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 17, 2016 |
| Priority date | Nov 17, 2016 |
| Publication date | Sep 3, 2019 |
| Grant date | Sep 3, 2019 |
Official abstract text for this publication.
The disclosure includes novel encryption and/or decryption methods and systems that provide various security benefits. More specifically, the disclosure includes a description of a file encryption process and its ability to dynamically control permissions on who is allowed to decrypt the file. Moreover, the disclosed process permits an encrypted file to be freely distributed without losing the ability to govern/regulate decryption.
Opening claim text (preview).
We claim:

1. A method comprising:
   a. generating a file encryption key, wherein the file encryption key is symmetric;
   b. encrypting, at a client device, a data file using the file encryption key;
   c. transmitting from the client device, over a network, a portion of the encrypted data file to a central encryption server, wherein the portion is the first predetermined number of bytes of the encrypted data file;
   d. receiving at the client device, over the network, a twice-encrypted portion of the data file, wherein the twice-encrypted portion is encrypted using a secret, central encryption key stored only at the central encryption server;
   e. transmitting from the client device, over the network, the file encryption key to the central encryption server;
   f. receiving at the client device, over the network, the encrypted file encryption key;
   g. constructing a new file comprising the twice-encrypted portion of the data file, the encrypted file encryption key, and a remaining portion of the encrypted data file that was not sent to the central encryption server; and
   h. storing the new file in a data store.

2. The method of claim 1, further comprising:
   a. computing a checksum of the data file;
   b. encrypting the checksum using the file encryption key; and
   c. storing the checksum in the new file.

3. The method of claim 1, wherein the portion of the encrypted data file is 1024 bytes.

4. The method of claim 1, wherein the data file is a blob data type.

5. The method of claim 1, wherein the central encryption server centrally manages access to the data file by refusing to encrypt data files for unauthorized devices.

6. The method of claim 1, wherein the file encryption key is discarded immediately after being transmitted to the central encryption server.

7. The method of claim 1, further comprising:
   a. computing a checksum of the encrypted data file;
   b. transmitting, over the network, the checksum to the central encryption server;
   c. receiving, over the network, the encrypted checksum; and
   d. storing the encrypted checksum in the new file.

8. The method of claim 1, wherein the new file is a single file stored in the data store.

9. A method comprising:
   a. receiving a data file from a data store;
   b. extracting the new file to obtain a twice-encrypted portion of the data file, an encrypted file encryption key, and a remaining portion of the encrypted data file that was not twice encrypted, wherein the twice-encrypted portion of the data file is a first predetermined number of bytes of the data file;
   c. transmitting, over a network, the twice-encrypted portion of the data file to a central encryption server;
   d. receiving, over the network, in response to transmitting the twice-encrypted portion of the data file, a single-encrypted portion of the data file, wherein the twice-encrypted portion is decrypted using a secret, central encryption key stored only at the central encryption server;
   e. merging the single-encrypted portion of the data file with the remaining portion of the encrypted data file;
   f. transmitting, over the network, the encrypted file encryption key to the central encryption server;
   g. receiving, over the network, in response to transmitting the encrypted file encryption key, a file encryption key; and
   h. decrypting the merged data file using the file encryption key.

10. The method of claim 9, further comprising:
   a. computing a checksum of the data file;
   b. encrypting the checksum using the file encryption key; and
   c. storing the checksum in the new file.

11. The method of claim 9, wherein the portion of the encrypted data file is 1024 bytes.

12. The method of claim 9, wherein the data file is a blob data type.

13. The method of claim 9, wherein the central encryption server centrally manages access to the data file by refusing to decrypt data files for unauthorized devices.

14. The method of claim 9, wherein the file encryption key is discarded immediately after decrypting the merged data file.

15. The method of claim 9, further comprising:
   a. computing a checksum of the encrypted data file;
   b. transmitting, over the network, the checksum to the central encryption server;
   c. receiving, over the network, the encrypted checksum; and
   d. storing the encrypted checksum in the new file.

16. The method of claim 9, wherein the merged data file is a single file to be stored in the data store.

17. A system comprising: a data store storing a plurality of data structures, where a first data structure of the plurality of data structures comprises an encrypted file encryption key (FEK), a twice-encrypted portion of a data file, and a remaining portion of the data file that is not twice-encrypted; a network communicatively coupling a client computing machine with a central encryption server machine; the central encryption server machine comprising a central encryption key that is unknown to the client computing machine; and the client computing machine communicatively coupled with the data store, the client computing machine comprising a processor and a memory storing computer-executable instructions that when executed by the processor cause the client computing machine to: retrieve, from the data store, the first data structure; remove from the first data structure the encrypted FEK and the twice-encrypted portion of the data file; transmit, over the network to the central encryption server machine, the encrypted FEK and the twice-encrypted portion of the data file; receive, from the central encryption server machine, a single-encrypted portion of the data file corresponding to the twice-encrypted portion of the data file; receive, from the central encryption server machine, a plaintext file encryption (FEK) corresponding to encrypted FEK; concatenating, into a single new data file, the single-encrypted portion of the data file with the remaining portion of the data file; decrypt, using the plaintext FEK, the single new data file; and providing, by the client computing machine, the decrypted single new data file.

18. The system of claim 17, wherein the memory storing further computer-executable instructions that when executed by the processor cause the client computing machine to:
   a. compute a checksum of the data file; and
   b. encrypt the checksum using the file encryption key.

19. The system of claim 17, wherein the twice-encrypted portion of the data file is 1024 bytes, and the data file is larger than 1024 bytes.

20. The system of claim 17, wherein the data file is a blob data type.
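The round trip of claims 1 and 9, with the server-side refusal of claims 5 and 13, as an added sketch that is not code from the patent. The HMAC-SHA256 keystream cipher, the container layout, the class and function names and the device id are all assumptions made for illustration; the claims only require a symmetric file encryption key and a central key held by the server.

```python
import hashlib, hmac, secrets, struct
PORTION = 1024  # claim 3: size of the leading portion sent to the server

def xor_stream(key, nonce, data):
    """Stand-in symmetric cipher (HMAC-SHA256 keystream XOR), not from the patent."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class CentralServer:
    """Holds the central key, refuses unauthorized devices; XOR serves wrap and unwrap."""
    def __init__(self, allowed_devices):
        self._central_key = secrets.token_bytes(32)  # never sent to clients
        self.allowed = set(allowed_devices)

    def transform(self, device, nonce, blob):
        if device not in self.allowed:
            raise PermissionError(f"device {device!r} is not authorized")
        return xor_stream(self._central_key, nonce, blob)

def encrypt_file(server, device, plaintext):
    fek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    ct = xor_stream(fek, nonce, plaintext)                          # claim 1 b
    twice = server.transform(device, nonce + b"P", ct[:PORTION])    # c, d
    enc_fek = server.transform(device, nonce + b"K", fek)           # e, f
    del fek  # claim 6: drop the key (Python cannot guarantee memory wiping)
    # Assumed layout: nonce | wrapped FEK | portion length | portion | remainder
    return nonce + enc_fek + struct.pack(">H", len(twice)) + twice + ct[PORTION:]

def decrypt_file(server, device, blob):
    nonce, enc_fek = blob[:16], blob[16:48]
    (n,) = struct.unpack(">H", blob[48:50])
    twice, rest = blob[50:50 + n], blob[50 + n:]                    # claim 9 b
    single = server.transform(device, nonce + b"P", twice)          # c, d
    fek = server.transform(device, nonce + b"K", enc_fek)           # f, g
    return xor_stream(fek, nonce, single + rest)                    # e, h

if __name__ == "__main__":
    srv = CentralServer({"laptop-1"})            # constructed device id
    data = b"constructed sample record\n" * 100  # constructed input, 2600 bytes
    stored = encrypt_file(srv, "laptop-1", data)
    assert decrypt_file(srv, "laptop-1", stored) == data
    srv.allowed.discard("laptop-1")              # revoke after distribution
    try:
        decrypt_file(srv, "laptop-1", stored)
    except PermissionError as exc:
        print("decryption refused:", exc)
```

The stand-in cipher gives confidentiality only; a deployment would put an authenticated cipher on both the client and the server layer so that a modified container is rejected rather than decrypted to garbage.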
applying encryption of the keys · CPC title
applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key (cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms H04L9/14) · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title