Researchers Submit Patent Application, “Systems And Methods For Secure Storage And Transmission Of A Data Stream”, for Approval (USPTO 20190280865)
2019 SEP 27 (NewsRx) -- By a
The patent’s assignee is
News editors obtained the following quote from the background information supplied by the inventors: “Various embodiments described herein relate generally to the field of electronic data security and more particularly to the secure storage, management, and transmission of data, credentials and encryption keys at a client endpoint and during transmission.
“The vision of a paperless modern society is quickly becoming a reality, as more and more communications, services and transactions take place digitally across networks such as the Internet. The need for paper copies of correspondence, financial documents, receipts, contracts and other legal instruments is dwindling as electronic methods for securely transmitting, updating and accessing these documents increase. In addition to the electronic transmission and access to documents and correspondence, the process of electronically submitting information is also commonplace, such as with online shopping or applications for loans, credit cards, health insurance, college or job applications, etc.
“Security of electronic data is of paramount importance for private individuals and for almost every conceivable business and government entity. A tremendous volume of electronic data is being generated, stored, and transmitted on a constant basis. Moreover, the breadth of electronic data, which nowadays inevitably extends to private and sensitive information, necessarily attracts a host of bad actors.
“Conventional data security solutions are relatively static. For example, one or more data security mechanisms (e.g., password protection, encryption scheme) may be deployed at a particular data storage location. The same data security mechanisms will generally remain in place until a significant security breach is detected, at which point the entire data storage location may have already been compromised.
“Data that have been stored based on standard relational data models are particularly vulnerable to unauthorized access. Individual data records (e.g., name, address, social security number, credit card number, and bank account number) stored in separate storage locations are typically accompanied by a common record locator indicating a logical nexus between the data records (e.g., associated with the same user). For example, individual data records may each be associated with the same user identification number. As such, unauthorized access to any one data record may expose sufficient information (i.e., the user identification number) to gain access to the remainder of the data records.
“Although numerous data security methods are available, implementing a flexible roster of seamlessly integrated and complementary data security solutions at a single data storage location remains an enormous challenge. For example, while combining security solutions will normally increase data security, incompatibilities between different solutions may in fact give rise to additional security risks.
“Moreover, in order for a user to be able to store and retrieve data, there must be a way to identify that user and protect their data from being accessed by any other user. Traditionally, this is performed by ‘front-end’ software where the user is authenticated and authorized through a login process.
“The conventional login process is associated with a number of documented weaknesses. For example, in many systems, the login step is commonly considered a part of the user interface (UI) and a separate entity from the security bubble. The problem is magnified in cases where in-house developers, having limited background in security, attempt to build custom login authentication and authorization systems. As such, a malicious user can potentially have access to other users’ data once that user successfully completes the login process.
“But these issues are also exacerbated by the fact that much of the data that is created today is created or accessed at a client endpoint, e.g., a computer, laptop, smartphone, tablet, Internet of Things device, etc. Even if the issues described above can be solved for data stored and retrieved at a server, there is the additional problem of securing the data at the endpoint. Thus, any solution to the above issues should take into account the fact that the client endpoint must also be secured.
“Key Exchange Methodologies
“There are many forms of key exchange methodologies in current use for establishing a trusted communication link between two devices and to encrypt/decrypt transmitted data such as through symmetric shared secret keys or public/private asymmetric keys. Symmetric encryption uses the same key for both encrypting and decrypting data through any number of algorithms such as AES, Blowfish, DES, and Skipjack and is typically faster than asymmetric encryption. It is often used for bulk data encryption and when high rates of data throughput are necessary. In contrast, asymmetric encryption utilizes a pair of keys, public and private, where a public key is typically used to encrypt the data and the private key is used to decrypt the data. Asymmetric key algorithms can be 1000 times slower than symmetric key algorithms and are therefore more commonly applied to key management or initial device authentication where there is not a continuous exchange of key pairs which would require enormous resource capability.
“Encrypted Data Transmission
“In a common scenario where a large object needs to be sent encrypted to multiple client destinations and each client should have a uniquely encrypted copy, the traditional approach is to encrypt the original object using a different key for each client. If there are N clients and it takes an amount of time T to encrypt each object, the total encryption time is N × T.
“Data Encryption Speed
“Currently, there are several approaches to increase performance (speed at which data can be encrypted). One approach is by using hardware-based acceleration. 128 bit and 256-bit AES ciphers can be accelerated 4 to 8 times through
“Encryption Key Management
“Encryption keys are typically used to encrypt data or to encrypt other keys which are then used to encrypt data, the latter commonly known as
“Data Encryption
“Data is traditionally encrypted while in any number of states. For example, an entire hard-drive may be encrypted for data-at-rest. In another example, data-in-motion may be encrypted as it travels through a secure https connection. Data in databases may also be encrypted using methods where data in individual fields are encrypted in place while preserving the original table format. Other ad-hoc scenarios include encrypting single desktop folders or mounted disk drives.
“In all these cases, the data to be encrypted is not organized into a format that is much different from their original footprint. The encrypted data merely replaces the original data in-place, or if replicated to other media, transferred to storage using a similar data and file hierarchy as the original data. Other techniques exist which do reorganize the data storage format, such as in the case with Data Sharding and Erasure Coding algorithms. These distribute the original data and that data may also be encrypted. However, the distribution and storage formats follow a rigid protocol imposed by the underlying algorithm thereby making it difficult to apply higher level capabilities and integration with existing legacy formats and/or third-party solutions.”
As a supplement to the background information on this patent application, NewsRx correspondents also obtained the inventors’ summary information for this patent application: “Disclosed herein are systems and methods for secure storage, transmission and management of data, credentials and encryption keys to and from the client endpoint. According to one aspect, a method for secured communications between devices is provided. The method comprises: establishing communications for data streaming of a data object between a first device and a second device; receiving, at the second device, a plurality of datasets encrypted based on a first dataset key derived based, in part, on a first encryption algorithm, each encrypted dataset comprising encryption keys used to encrypt corresponding data fragments constituting the data object; decrypting a first encrypted dataset of the plurality of datasets using the first dataset key to retrieve encryption keys for decrypting corresponding data fragments; evaluating key regeneration criteria to determine whether the first dataset key should be regenerated for a second encrypted dataset of the plurality of encrypted datasets; in response to determining that the dataset key should not be regenerated, determining a second dataset key based, in part, on a second encryption algorithm; and decrypting the second encrypted dataset using the second dataset key to retrieve unique encryption keys for decrypting corresponding data fragments.
“In another aspect, a method for secured communications between devices is provided. The method comprises: establishing communications for data streaming of a data object between a first device and a second device; generating, by the first device, a plurality of datasets corresponding to a plurality of data fragments constituting the data object, each dataset comprising encryption keys used to encrypt the corresponding data fragments; encrypting a first dataset of the plurality of datasets using a first dataset key derived based, in part, on a first encryption algorithm; evaluating key regeneration criteria to determine whether the first dataset key should be regenerated for a second encrypted dataset of the plurality of encrypted datasets; and in response to determining that the first dataset key should not be regenerated, determining a second dataset key based, in part, on a second encryption algorithm.
“In another aspect, a system for authenticated communications between devices is provided. The system comprises a plurality of devices comprising at least a first and second device; and one or more communication pathways configured to communicatively couple the first and second devices for data streaming of a data object. The first device comprises a memory coupled to at least one processor, the first device configured to: generate a plurality of datasets corresponding to a plurality of data fragments constituting the data object, each dataset comprising encryption keys used to encrypt the corresponding data fragments, encrypt a first dataset of the plurality of datasets using a first dataset key derived based, in part, on a first encryption algorithm, and determine a second dataset key based, in part, on at least one of the first encryption algorithm and second encryption algorithm.
“Other features and advantages should become apparent from the following description of the preferred embodiments, taken in conjunction with the accompanying drawings.”
The claims supplied by the inventors are:
“1. A method for secured communications between devices, the method comprising: establishing communications for data streaming of a data object between a first device and a second device; receiving, at the second device, a plurality of datasets encrypted based on a first dataset key derived based, in part, on a first encryption algorithm, each encrypted dataset comprising encryption keys used to encrypt corresponding data fragments constituting the data object; decrypting a first encrypted dataset of the plurality of datasets using the first dataset key to retrieve encryption keys for decrypting corresponding data fragments; evaluating key regeneration criteria to determine whether the first dataset key should be regenerated for a second encrypted dataset of the plurality of encrypted datasets; in response to determining that the dataset key should not be regenerated, determining a second dataset key based, in part, on a second encryption algorithm; and decrypting the second encrypted dataset using the second dataset key to retrieve unique encryption keys for decrypting corresponding data fragments.
“2. The method of claim 1, further comprising: in response to determining that the first dataset key should be regenerated, retrieving a third dataset key based, in part, on the first encryption algorithm; and decrypting the second dataset using the third dataset key.
“3. The method of claim 1, wherein the data object is stored in one or more data storage devices locally connected to the first device, wherein the method further comprises: requesting the data object by the second device; in response to requesting the data object, receiving the first encrypted dataset; and requesting data fragments corresponding to the first encrypted dataset based on decrypting the first encrypted dataset.
“4. The method of claim 1, further comprising: receiving, by the second device, the first dataset key encrypted using a public portion of an asymmetric encryption key, and retrieving the first dataset key from a server configured to decrypt the encrypted first dataset key using a private portion of the asymmetric encryption key.
“5. The method of claim 4, wherein the first device and second device are authenticated for communication with the server based, in part, on a public portion of a server asymmetric key.
“6. The method of claim 1, further comprising: generating the first dataset key, at the second device, based on an exchange of key information between the first and second devices, the key information comprising at least a seed parameter based, in part, on a public portion of an asymmetric key received from the first device and derived from the first encryption algorithm.
“7. The method of claim 6, further comprising verifying the key information using a public portion of an authentication asymmetric key, wherein the key information received from the first device is signed using a private portion of the authentication asymmetric key by the first device.
“8. The method of claim 1, wherein the first encryption algorithm is based, in part, on a Diffie-Hellman key exchange methodology.
“9. The method of claim 1, wherein the second encryption algorithm is based, in part, on a ratchet function using a pseudo random function and a number of steps to execute the ratchet function.
“10. A method for secured communications between devices, the method comprising: establishing communications for data streaming of a data object between a first device and a second device; generating, by the first device, a plurality of datasets corresponding to a plurality of data fragments constituting the data object, each dataset comprising encryption keys used to encrypt the corresponding data fragments; encrypting a first dataset of the plurality of datasets using a first dataset key derived based, in part, on a first encryption algorithm; evaluating key regeneration criteria to determine whether the first dataset key should be regenerated for a second encrypted dataset of the plurality of encrypted datasets; and in response to determining that the first dataset key should not be regenerated, determining a second dataset key based, in part, on a second encryption algorithm.
“11. The method of claim 10, further comprising: in response to determining that the first dataset key should be regenerated, determining a third dataset key based in part on the first encryption algorithm; and encrypting the second dataset using the third dataset key.
“12. The method of claim 11, further comprising: receiving the data object from a remote data capture device as a data stream of a plurality of portions of the data object; upon receipt of each portion of the plurality of portions: disassembling the received portion into the plurality of data fragments; individually encrypting the plurality of data fragments using a plurality of unique keys; generating one or more datasets of the plurality of datasets based on the plurality of data fragments and plurality of unique keys; encrypting at least one dataset using the first dataset key; and storing the encrypted dataset and the plurality of encrypted data fragments in a plurality of different data storage locations.
“13. The method of claim 11, wherein the data object is stored in one or more data storage devices locally connected to the first device, wherein the method further comprises: receiving a request for the data object from the second device; in response to receiving the request, transmitting the encrypted first dataset to the second device.
“14. The method of claim 11, further comprising: encrypting, by the first device, the first dataset key using a public portion of an asymmetric encryption key, and transmitting the encrypted first dataset key to the second device.
“15. The method of claim 11, further comprising: generating the first dataset key, at the first device, based on an exchange of key information between the first and second devices, the key information comprising at least a seed parameter based, in part, on a public portion of an asymmetric key received from the second device and derived from the first encryption algorithm.
“16. The method of claim 15, further comprising verifying the key information using a public portion of an authentication asymmetric key, wherein the public portion of the asymmetric key received from the second device is signed using a private portion of the authentication asymmetric key by the second device.
“17. A system for authenticated communications between devices, the system comprising: a plurality of devices comprising at least a first and second device; one or more communication pathways configured to communicatively couple the first and second devices for data streaming of a data object; and the first device comprising a memory coupled to at least one processor, the first device configured to: generate a plurality of datasets corresponding to a plurality of data fragments constituting the data object, each dataset comprising encryption keys used to encrypt the corresponding data fragments, encrypt a first dataset of the plurality of datasets using a first dataset key derived based, in part, on a first encryption algorithm, and determine a second dataset key based, in part, on at least one of the first encryption algorithm and second encryption algorithm.
“18. The system of claim 17, wherein the first device is further configured to: evaluate key regeneration criteria to determine whether the first dataset key should be regenerated for the second encrypted dataset; in response to determining that the first dataset key should not be regenerated, determine the second dataset key based, in part, on the second encryption algorithm; and in response to determining that the first dataset key should be regenerated, determine a third dataset key based, in part, on the first encryption algorithm.
“19. The system of claim 17, further comprising: a remote device communicatively coupled to the first device, the remote device configured to capture the data object as a plurality of portions of data and transmit a data stream of the plurality of portions of data to the first device, wherein the first device configured to, upon receipt of each portion of the data: disassemble the received portion into the plurality of data fragments; individually encrypt the plurality of data fragments using a plurality of unique keys; generate one or more datasets of the plurality of datasets based on the plurality of data fragments and plurality of unique keys; encrypt at least one dataset using the first dataset key; and store the encrypted dataset and the plurality of encrypted data fragments in a plurality of different data storage locations.
“20. The system of claim 17, further comprising a second device comprising at least one processor, the second device configured to: decrypt the first encrypted dataset using the first dataset key to retrieve encryption keys for decrypting the corresponding data fragments, determine the second dataset key based, in part, on at least one of the first encryption algorithm and the second encryption algorithm, and decrypt the second encrypted dataset using the second dataset key to retrieve encryption keys for decrypting the corresponding data fragments.
“21. The system of claim 20, wherein the first and second devices are configured to: exchange key information between the first device and second device, the key information comprising at least the seed parameter based, in part, on a public portion of an asymmetric key received from the respective device and derived from the first encryption algorithm; and generate the first dataset key based on the exchanged key information.
“22. The system of claim 20, wherein the first device and the second device are configured to each determine dataset keys for the plurality of datasets without exchanging the dataset keys.
“23. The system of claim 20, further comprising a server communicatively coupled to the first and second device and configured to install authentication credentials onto the first and second devices, wherein the first device and the second device are configured to authenticate communications with each respective device based on an exchange of the authentication credentials.
“24. The system of claim 23, wherein the first device is configured to encrypt the first dataset key using a public portion of an asymmetric encryption key and transmit the encrypted first dataset key to the second device, wherein the second device is configured to request the first dataset key from the server in response to receiving the encrypted first dataset key from the first device, and wherein the server is configured to, in response to receiving the request from the second device, decrypt the encrypted first dataset key using a private portion of the asymmetric encryption key and transmit the decrypted dataset key to the second device.
“25. The system of claim 24, wherein the private portion of the asymmetric encryption key is only stored at a storage device coupled to the server.
“26. The system of claim 17, wherein the one or more communication pathways comprises a plurality of communication pathways, and wherein the first device is configured to stream data of the data object over the plurality of communication pathways.
“27. The system of claim 26, wherein the first device is configured to transmit at least one of one or more data fragments and one or more of the plurality of datasets over different communication pathways of the plurality of communication pathways.
“28. The system of claim 26, wherein the first device is configured to transmit at least one of one or more data fragments and one or more of the plurality of datasets over the plurality of the communication pathways approximately simultaneously.”
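The summary and claims above describe a streaming scheme in which each data fragment gets its own unique key, those fragment keys are bundled into datasets, each dataset is sealed under a dataset key that both devices derive locally (a Diffie-Hellman-derived first key, then a PRF ratchet run a fixed number of steps, with a regeneration criterion that triggers a fresh DH-derived key), and the dataset keys themselves never cross the wire. The following Python is an added worked example of that key schedule and data flow written for this article; it is not code from the inventors or the application. Everything in it is an assumption made for a self-contained demo: HMAC-SHA256 as the ratchet PRF, a toy Mersenne-prime DH group, an HMAC-based counter-mode keystream with an HMAC tag standing in for a real AEAD, and constructed fragment sizes, ratchet step count and regeneration interval.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for the demo (not from the patent application).
P = 2 ** 127 - 1     # toy DH modulus (Mersenne prime); a real system uses a standard group
G = 3
FRAGMENT = 64        # bytes per data fragment
PER_DATASET = 4      # fragment keys carried in one dataset
RATCHET_STEPS = 3    # "number of steps" the ratchet function executes
REGEN_EVERY = 3      # key regeneration criterion: fresh DH-derived key every 3 datasets


def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 as the pseudo-random function used by the ratchet and cipher."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_dataset_key(priv: int, peer_pub: int, seed: bytes) -> bytes:
    """'First encryption algorithm': dataset key from the DH shared secret and exchanged seed."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return prf(shared, b"dataset-key|" + seed)


def ratchet(key: bytes, steps: int = RATCHET_STEPS) -> bytes:
    """'Second encryption algorithm': PRF ratchet run for a fixed number of steps."""
    for _ in range(steps):
        key = prf(key, b"ratchet")
    return key


def needs_regeneration(dataset_index: int) -> bool:
    """Key regeneration criterion evaluated before each dataset after the first."""
    return dataset_index > 0 and dataset_index % REGEN_EVERY == 0


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, nonce + i.to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    """Stand-in authenticated encryption: HMAC counter-mode keystream plus HMAC tag."""
    nonce = os.urandom(12)
    ct = _xor_stream(key, nonce, data)
    return nonce + ct + prf(key, b"tag|" + nonce + ct)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"tag|" + nonce + ct)):
        raise ValueError("dataset or fragment failed authentication")
    return _xor_stream(key, nonce, ct)


def run_stream(data_object: bytes):
    """Stream data_object from device A to device B; returns (recovered bytes, key-event log)."""
    seed = os.urandom(16)                        # exchanged key information, not a dataset key
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = dh_dataset_key(a_priv, b_pub, seed)  # device A derives the first dataset key
    key_b = dh_dataset_key(b_priv, a_pub, seed)  # device B derives the same key locally

    fragments = [data_object[i:i + FRAGMENT] for i in range(0, len(data_object), FRAGMENT)]
    recovered, key_log = [], []
    for d in range(0, len(fragments), PER_DATASET):
        idx = d // PER_DATASET
        if idx > 0:
            if needs_regeneration(idx):
                # 'Third dataset key': fresh DH exchange; only public values cross the wire.
                a_priv, a_pub = dh_keypair()
                b_priv, b_pub = dh_keypair()
                key_a = dh_dataset_key(a_priv, b_pub, seed)
                key_b = dh_dataset_key(b_priv, a_pub, seed)
                key_log.append("regenerated")
            else:
                # Both sides ratchet independently; nothing is exchanged.
                key_a, key_b = ratchet(key_a), ratchet(key_b)
                key_log.append("ratcheted")
        # Device A: unique key per fragment; the dataset carries those keys.
        batch = fragments[d:d + PER_DATASET]
        frag_keys = [os.urandom(32) for _ in batch]
        enc_frags = [seal(k, f) for k, f in zip(frag_keys, batch)]
        enc_dataset = seal(key_a, b"".join(frag_keys))
        # Device B: open the dataset with its own copy of the key, then each fragment.
        keys = unseal(key_b, enc_dataset)
        for j, ef in enumerate(enc_frags):
            recovered.append(unseal(keys[32 * j:32 * j + 32], ef))
    return b"".join(recovered), key_log
```

Running `run_stream` on a 1024-byte object yields 16 fragments in 4 datasets: the first dataset key comes from DH, datasets 1 and 2 use ratcheted keys, and dataset 3 trips the regeneration criterion and gets a fresh DH-derived key. At no point does a dataset key or fragment key leave the device that generated it unencrypted, which is the property claim 22 describes; the fragment keys travel only inside the sealed dataset.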
For additional information on this patent application, see: TOBIAS, Eric; IASI, Anthony; KAHLE, Charles; SCHNEIR, Gary; TYNER, John. Systems And Methods For Secure Storage And Transmission Of A Data Stream. Filed
(Our reports deliver fact-based news of research and discoveries from around the world.)