Patent Application Titled “System And Method For Managing Fragmented Encryption Keys For Granting Access” Published Online (USPTO 20240007279): Micro Focus LLC
2024 JAN 22 (NewsRx) -- By a
The assignee for this patent application is
Reporters obtained the following quote from the background information supplied by the inventors: “One of the problems with storing data is that the data may be subject to the laws of various jurisdictions. For example, the data may require access control/management based on the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and/or the like. To comply with these laws, access may need to be revoked based on the legal requirements of the various laws. Existing systems are currently difficult to administer and manage records associated with these types of laws.”
In addition to obtaining background information on this patent application, NewsRx editors also obtained the inventors’ summary information for this patent application: “These and other needs are addressed by the various embodiments and configurations of the present disclosure. The present disclosure can provide a number of advantages depending on the particular configuration. These and other advantages will be apparent from the disclosure contained herein.
“A secondary fragment of an encryption key is received. The secondary fragment is associated with an authentication process of a user. The secondary fragment is one of a plurality of secondary fragments of the encryption key. The user is authenticated (e.g., by validating a username/password). The encryption key is regenerated using the secondary fragment and a primary fragment of the encryption key. In response to regenerating the encryption key using the secondary fragment and the primary fragment, and authenticating the user: access is granted, to the user, by unencrypting an encrypted data record using the regenerated encryption key.
“The phrases “at least one”, “one or more”, “or,” and “and/or” are open-ended expressions that are both conjunctive and disjunctive in operation. For example, each of the expressions “at least one of A, B and C”, “at least one of A, B, or C”, “one or more of A, B, and C”, “one or more of A, B, or C”, “A, B, and/or C”, and “A, B, or C” means A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.
“The term “a” or “an” entity refers to one or more of that entity. As such, the terms “a” (or “an”), “one or more” and “at least one” can be used interchangeably herein. It is also to be noted that the terms “comprising,” “including,” and “having” can be used interchangeably.
“The term “automatic” and variations thereof, as used herein, refers to any process or operation, which is typically continuous or semi-continuous, done without material human input when the process or operation is performed. However, a process or operation can be automatic, even though performance of the process or operation uses material or immaterial human input, if the input is received before performance of the process or operation. Human input is deemed to be material if such input influences how the process or operation will be performed. Human input that consents to the performance of the process or operation is not deemed to be “material.”
“Aspects of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium.
“A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
“A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
“The terms “determine,” “calculate” and “compute,” and variations thereof, as used herein, are used interchangeably, and include any type of methodology, process, mathematical operation, or technique.
“The term “means” as used herein shall be given its broadest possible interpretation in accordance with 35 U.S.C., Section 112(f) and/or Section 112, Paragraph 6. Accordingly, a claim incorporating the term “means” shall cover all structures, materials, or acts set forth herein, and all of the equivalents thereof. Further, the structures, materials or acts and the equivalents thereof shall include all those described in the summary, brief description of the drawings, detailed description, abstract, and claims themselves.
“The preceding is a simplified summary to provide an understanding of some aspects of the disclosure. This summary is neither an extensive nor exhaustive overview of the disclosure and its various embodiments. It is intended neither to identify key or critical elements of the disclosure nor to delineate the scope of the disclosure but to present selected concepts of the disclosure in a simplified form as an introduction to the more detailed description presented below. As will be appreciated, other embodiments of the disclosure are possible utilizing, alone or in combination, one or more of the features set forth above or described in detail below. Also, while the disclosure is presented in terms of exemplary embodiments, it should be appreciated that individual aspects of the disclosure can be separately claimed.
“In the appended figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label by a letter that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.”
The claims supplied by the inventors are:
“1. A system comprising: a microprocessor; and a computer readable medium, coupled with the microprocessor and comprising microprocessor readable and executable instructions that, when executed by the microprocessor, cause the microprocessor to: receive a first secondary fragment of a first encryption key, wherein the first secondary fragment is associated with an authentication process of a first user and wherein the first secondary fragment is one of a plurality of secondary fragments of the first encryption key; authenticate the first user; regenerate the first encryption key using the first secondary fragment and a first primary fragment of the first encryption key; and in response to regenerating the first encryption key using the first secondary fragment and the first primary fragment, and authenticating the first user: grant access, by the first user, by unencrypting a first encrypted data record using the regenerated first encryption key.
“2. The system of claim 1, wherein the microprocessor readable and executable instructions further cause the microprocessor to: receive a second secondary fragment of the first encryption key, wherein the second secondary fragment is associated with an authentication process of a second user and wherein the second secondary fragment is one of the plurality of secondary fragments of the first encryption key; authenticate the second user; regenerate the first encryption key using the second secondary fragment of the first encryption key and the first primary fragment of the first encryption key; and in response to regenerating the first encryption key using the second secondary fragment and the first primary fragment, and authenticating the second user: grant access, by the second user, by unencrypting the first encrypted data record using the regenerated first encryption key.
“3. The system of claim 1, further comprising a key management table, wherein the key management table comprises: a plurality of primary fragments and a plurality of corresponding encrypted data records.
“4. The system of claim 1, wherein access to the first encrypted data record is prevented by permanently deleting the first primary fragment.
“5. The system of claim 1, wherein the microprocessor readable and executable instructions further cause the microprocessor to: revoke the first secondary fragment, wherein revoking the first secondary fragment comprises adding the first secondary fragment to a revoked fragment list associated with the first encryption key.
“6. The system of claim 1, further comprising a key management table, wherein the key management table comprises at least one of: a first record, wherein the first record comprises plain text data; and a second record, wherein the second record comprises non-fragmented key encrypted data; and a third record, wherein the third record comprises the first encrypted data and the first primary fragment.
“7. The system of claim 1, further comprising a key management table, wherein the key management table comprises: a first row, wherein the first row comprises the first encrypted data record and the first primary fragment and wherein the first primary fragment is associated with the first encrypted data record, the first encryption key, and a first authentication level; and a second row, wherein the second row comprises a second encrypted data record and a second primary fragment, wherein the second primary fragment is associated with the second encrypted data record, a second encryption key, and a second authentication level.
“8. The system of claim 7, wherein the first authentication level comprises a different number of authentication factors and/or one or more different types of authentication factors than the second authentication level and wherein a plurality of different users can access the first encrypted data record and the second encrypted data record based on the first authentication level and the second authentication level.
“9. The system of claim 1, wherein the primary fragment comprises a plurality of fragments and wherein regenerating the first encryption key requires the primary fragment and a plurality of secondary fragments associated with a plurality of different users to unencrypt the first encrypted data record.
“10. The system of claim 1, wherein the primary fragment is a secondary fragment and wherein regenerating the first encryption key requires a plurality of secondary fragments associated with a plurality of different users to unencrypt the first encrypted data record.
“11. The system of claim 1, wherein the first primary fragment comprises a plurality of fragments, wherein the plurality of fragments of the first primary fragment are one less than the minimum number of fragments required to regenerate the first encryption key, and wherein at least one of a plurality of secondary fragments is permanently deleted or not provided to a user so that the first encryption key cannot be regenerated using remaining fragments of the plurality of secondary fragments.
“12. A method comprising: receiving, by a microprocessor, a first secondary fragment of a first encryption key, wherein the first secondary fragment is associated with an authentication process of a first user and wherein the first secondary fragment is one of a plurality of secondary fragments of the first encryption key; authenticating, by the microprocessor, the first user; regenerating, by the microprocessor, the first encryption key using the first secondary fragment and a first primary fragment of the first encryption key; and in response to regenerating the first encryption key using the first secondary fragment and the first primary fragment, and authenticating the first user: granting, by the microprocessor, access, by the first user, by unencrypting a first encrypted data record using the regenerated first encryption key.
“13. The method of claim 12, further comprising: receiving a second secondary fragment of the first encryption key, wherein the second secondary fragment is associated with an authentication process of a second user and wherein the second secondary fragment is one of the plurality of secondary fragments of the first encryption key; authenticating the second user; regenerating the first encryption key using the second secondary fragment of the first encryption key and the first primary fragment of the first encryption key; and in response to regenerating the first encryption key using the second secondary fragment and the first primary fragment, and authenticating the second user: granting access, by the second user, by unencrypting the first encrypted data record using the regenerated first encryption key.
“14. The method of claim 12, further comprising a key management table, wherein the key management table comprises: a plurality of primary fragments and a plurality of corresponding encrypted data records.
“15. The method of claim 12, wherein access to the first encrypted data record is prevented by permanently deleting the first primary fragment.
“16. The method of claim 12, further comprising: revoking the first secondary fragment, wherein revoking the first secondary fragment comprises adding the first secondary fragment to a revoked fragment list associated with the first encryption key.
“17. The method of claim 12, further comprising a key management table, wherein the key management table comprises at least one of: a first record, wherein the first record comprises plain text data; and a second record, wherein the second record comprises non-fragmented key encrypted data; and a third record, wherein the third record comprises the first encrypted data and the first primary fragment.
“18. The method of claim 12, further comprising a key management table, wherein the key management table comprises: a first row, wherein the first row comprises the first encrypted data record and the first primary fragment and wherein the first primary fragment is associated with the first encrypted data record, the first encryption key, and a first authentication level; and a second row, wherein the second row comprises a second encrypted data record and a second primary fragment, wherein the second primary fragment is associated with the second encrypted data record, a second encryption key, and a second authentication level.
“19. The method of claim 18, wherein the first authentication level comprises a different number of authentication factors and/or one or more different types of authentication factors than the second authentication level and wherein a plurality of different users can access the first encrypted data record and the second encrypted data record based on the first authentication level and the second authentication level.
“20. A key management table stored in a memory comprising: a primary fragment, wherein the primary fragment is generated based on a split-key encryption process and wherein an encryption key to unencrypt an encrypted data record is generated from the primary fragment and a secondary fragment; and the encrypted data record, wherein unencrypting the encrypted data record is based on proving the secondary fragment in response to a user authentication associated with the secondary fragment.”
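As an added illustration (not code from the application, from Micro Focus, or from the inventors), the following Python models the split-key scheme described in the summary and in claims 1, 2, 4, 5 and 11: the primary fragment holds one Shamir share fewer than the threshold, each user's secondary fragment is one further share, revocation is a revoked-fragment list, and deleting the primary fragment makes the record unrecoverable. The field prime, the SHA-256-based demonstration keystream, the key check value and the boolean standing in for the authentication step are assumptions of this example.

```python
import hashlib
import secrets
P = 2**127 - 1  # prime field for the shares; this example's choice, not from the application

def make_shares(secret, threshold, count):
    """Shamir split: any `threshold` of the `count` shares rebuild `secret`."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(1, count + 1)}

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over shares given as {x: y}."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _stream_xor(key, data):
    """Demo-only keystream (SHA-256 of key || counter); a real system would use AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(16, "big") + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeyManagementTable:
    """One row per record: primary fragment, ciphertext, key check value, revoked fragments."""
    def __init__(self):
        self.rows = {}

    def protect(self, record_id, plaintext, users, threshold=3):
        """Encrypt; keep threshold-1 shares as the primary fragment; hand one share to each user."""
        key = secrets.randbelow(P)
        shares = make_shares(key, threshold, threshold - 1 + len(users))
        primary = {x: shares.pop(x) for x in range(1, threshold)}  # claim 11: one short of threshold
        self.rows[record_id] = {"primary": primary, "ciphertext": _stream_xor(key, plaintext),
                                "kcv": hashlib.sha256(key.to_bytes(16, "big")).hexdigest(),
                                "revoked": set()}
        return dict(zip(users, shares.items()))  # user -> (x, y) secondary fragment

    def grant_access(self, record_id, authenticated, fragment):
        """Regenerate the key from primary + secondary fragment and decrypt, else refuse."""
        row = self.rows[record_id]
        if not authenticated or fragment[0] in row["revoked"] or row["primary"] is None:
            return None
        key = recover_secret({**row["primary"], fragment[0]: fragment[1]})
        if hashlib.sha256(key.to_bytes(16, "big")).hexdigest() != row["kcv"]:
            return None  # fragment does not belong to this key; never decrypt with a wrong key
        return _stream_xor(key, row["ciphertext"])

    def revoke(self, record_id, fragment):
        self.rows[record_id]["revoked"].add(fragment[0])  # claim 5: revoked fragment list

    def shred(self, record_id):
        self.rows[record_id]["primary"] = None  # claim 4: delete primary fragment, record unrecoverable
```

Note that revoking one user's fragment leaves every other user's fragment usable, whereas shredding the primary fragment blocks all of them at once; this is the difference between claims 5 and 4.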
For more information, see this patent application: Angelo, Michael F.; Arlitt,
(Our reports deliver fact-based news of research and discoveries from around the world.)