Secure shared key establishment for peer to peer communications

US12225115B2 · US · B2

Patent metadata
Publication number: US-12225115-B2
Application number: US-202318149565-A
Country: US
Kind code: B2
Filing date: Jan 3, 2023
Priority date: Sep 27, 2017
Publication date: Feb 11, 2025
Grant date: Feb 11, 2025

Abstract

Official abstract text for this publication.

Systems and methods for secure peer-to-peer communications are described. Devices registered into a trusted network may be capable of establishing a shared data encryption key (DEK). In embodiments, each device may be configured to obtain a share of a data encryption key (DEKi) that can be stored locally. The shares may be shares in an M of N Secret Sharing Scheme. This may involve a network that includes an integer, N, devices, and in which M devices may share a secret (i.e. the DEK) during communications, M being an integer less than or equal to N. To obtain the entire DEK during encryption/decryption, a requesting device may send requests to M of N devices for their shares of the DEK. Once M shares are obtained, they may be used to generate the DEK for encrypting/decrypting data between the devices.

First claim

Opening claim text (preview).

What is claimed is:

1. A method performed by a computing device, the method comprising: receiving, from a requesting device in a trusted network, a share request for a share of a data encryption key, the trusted network including the requesting device, the computing device, and one or more other computing devices; retrieving a first encrypted local share of the data encryption key from a memory, wherein the first encrypted local share of the data encryption key is encrypted using a local public key of the computing device; decrypting the first encrypted local share using a local private key of the computing device to obtain a local share, wherein the local private key is derived by a key generator using a plurality of derivation components including a network address of the computing device, a random number generated by the computing device, and an encrypted secret of the computing device, and wherein the local public key of the computing device is derived based on the local private key; re-encrypting the local share using a public key of the requesting device to obtain a second encrypted local share; and sending the second encrypted local share to the requesting device, wherein the requesting device (1) generates the data encryption key from (a) the second encrypted local share and one or more encrypted local shares received from the one or more other computing devices and (b) a local encrypted share stored in the requesting device and (2) uses the data encryption key to perform a cryptographic operation.

2. The method of claim 1, wherein the share request comprises a certificate or identifier associated with the certificate for the requesting device, the method further comprising: comparing the certificate for the requesting device to a registry of certificates for N devices in the trusted network; and determining that the requesting device is trusted based on the comparing.

3. The method of claim 1, wherein a total number of devices included in the trusted network is N devices, the computing device generating the data encryption key from M of N shares, wherein N is an integer, and M is an integer less than or equal to N.

4. The method of claim 1, wherein the local private key and the local public key are generated by: generating the random number; obtaining the network address of the computing device; sending the random number and the network address of the computing device to the key generator as derivation components, wherein the key generator derives the local private key from the derivation components and derives the public key from the local private key; receiving the local private key and the local public key from the key generator; and storing the local private key and the local public key in the memory of the computing device.

5. The method of claim 4, wherein decrypting the local share comprises: retrieving the local private key from the memory of the computing device; and decrypting the local share using the local private key.

6. The method of claim 1, further comprising: checking one or more of: a location of the requesting device, an authentication state of the requesting device, and system parameters of the requesting device; and authenticating the requesting device based on the checking.

7. The method of claim 3, wherein the N shares of the data encryption key are shares in a Shamir's Secret Sharing Scheme.

8. A system comprising: one or more processors; and a non-transitory computer readable medium storing a plurality of instructions that, when executed, control the one or more processors to perform a method comprising: receiving, from a requesting device in a trusted network, a share request for a share of a data encryption key, the trusted network including the requesting device, a computing device, and one or more other computing devices; retrieving a first encrypted local share of the data encryption key from a memory, wherein the first encrypted local share of the data encryption key is encrypted using a local public key of the computing device; decrypting the first encrypted local share using a local private key of the computing device to obtain a local share, wherein the local private key is derived by a key generator using a plurality of derivation components including a network address of the computing device, a random number generated by the computing device, and an encrypted secret of the computing device, and wherein the local public key of the computing device is derived based on the local private key; re-encrypting the local share using a public key of the requesting device to obtain a second encrypted local share; and sending the second encrypted local share to the requesting device, wherein the requesting device (1) generates the data encryption key from (a) one or more shares including the second encrypted local share and one or more encrypted local shares received from the one or more other computing devices and (b) a local encrypted share stored in the requesting device and (2) uses the data encryption key to perform a cryptographic operation.

9. The system of claim 8, wherein the share request comprises a certificate or identifier associated with the certificate for the requesting device, the method further comprising: comparing the certificate for the requesting device to a registry of certificates for N devices included in the trusted network; and determining that the requesting device is trusted based on the comparing.

10. The system of claim 8, wherein N is an integer, and wherein M is an integer less than or equal to N.

11. The system of claim 8, wherein the local private key and the local public key are generated by: generating the random number; obtaining the network address of the computing device; sending the random number and the network address of the computing device to the key generator as derivation components, wherein the key generator derives the local private key from the derivation components and derives the public key from the local private key; receiving the local private key and the public key from the key generator; and storing the local private key and the local public key in the memory of the computing device.

12. The system of claim 11, wherein decrypting the local share comprises: retrieving the local private key from the memory of the computing device; and decrypting the local share using the local private key.

13. The system of claim 8, wherein the method further comprises: checking one or more of: a location of the requesting device, an authentication state of the requesting device, and system parameters of the requesting device; and authenticating the requesting device based on the checking.

14. The system of claim 8, wherein N shares of the data encryption key are shares in a Shamir's Secret Sharing Scheme.

15. A non-transitory computer readable medium storing specific computer-executable instructions that, when executed by a processor, cause: receiving, from a requesting device in a trusted network, a share request for a share of a data encryption key, the trusted network including the requesting device, a computing device, and one or more other computing devices; retrieving a first encrypted local share of the data encryption key from a memory, wherein the first encrypted local share of the data encryption key is encrypted using a local public key of the computing device; decrypting the first encrypted local share using a local private key of the computing device to obtain a local share, wherein the local private key is derived by a key generator using a plurality of derivation compon
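
The M-of-N flow from the abstract, with the Shamir scheme of claims 7 and 14 and the registry check of claims 2 and 9, as an added Python example that is not code from the patent or its assignee. The field prime, the function names and the device identifiers are assumptions made for illustration, and the public-key re-encryption of each share in transit is left out.

```python
import secrets

# Constructed for this example: Mersenne prime field that holds a DEK of up to 64 bytes.
PRIME = 2**521 - 1

def split_dek(dek, m, n):
    """Dealer: split the DEK into N Shamir shares; any M of them reconstruct it."""
    if not 1 <= m <= n or len(dek) > 64:
        raise ValueError("need 1 <= M <= N and a DEK of at most 64 bytes")
    # Random degree-(M-1) polynomial whose constant term is the DEK.
    coeffs = [int.from_bytes(dek, "big")] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def combine_shares(shares, dek_len):
    """Lagrange interpolation at x = 0; raises if the result cannot be a DEK."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >> (8 * dek_len):
        raise ValueError("shares do not reconstruct a DEK of the expected length")
    return secret.to_bytes(dek_len, "big")

def handle_share_request(requester_id, registry, local_share):
    """Share holder: release the local share only to a registered requester."""
    return local_share if requester_id in registry else None

def establish_dek(requester_id, own_share, peer_shares, registry, m, dek_len):
    """Requester: own stored share plus peers' replies until M shares are held."""
    collected = [own_share]
    for share in peer_shares:
        reply = handle_share_request(requester_id, registry, share)
        if reply is not None and len(collected) < m:
            collected.append(reply)
    if len(collected) < m:
        raise ValueError("fewer than M shares obtained")
    return combine_shares(collected, dek_len)
```

With M - 1 shares the interpolation yields an unrelated field element, so `combine_shares` either raises or returns bytes that differ from the DEK.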

Classifications

  • Vehicles · CPC title

  • involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title

  • involving digital signatures · CPC title

  • involving additional devices, e.g. trusted platform module [TPM], smartcard or USB · CPC title

  • involving random numbers or seeds · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12225115B2 cover?
Systems and methods for secure peer-to-peer communications are described. Devices registered into a trusted network may be capable of establishing a shared data encryption key (DEK). In embodiments, each device may be configured to obtain a share of a data encryption key (DEKi) that can be stored locally. The shares may be shares in an M of N Secret Sharing Scheme. This may involve a network that…
Who is the assignee on this patent?
Visa Int Service Ass
What technology area does this patent fall under?
Primary CPC classification H04L9/085. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 11, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).