This application for letters patent disclosure document describes inventive aspects directed at various novel innovations (hereinafter “disclosure”) and contains material that is subject to copyright, mask work, and/or other intellectual property protection. The respective owners of such intellectual property have no objection to the facsimile reproduction of the disclosure by anyone as it appears in published Patent Office file/records, but otherwise reserve all rights.
The present innovations are directed generally to multi-party encryption approaches and more particularly, to CLOUD ENCRYPTION KEY BROKER APPARATUSES, METHODS AND SYSTEMS or CEKB.
In light of recent credit card and personal information leaks, the need for a more secure method for securing encryption keys is evident. In recent breaches, the data was encrypted on a secure server, but the keys were stolen along with the data, allowing the data to be exposed.
As an illustration, these breaches involved “secure” computers where a merchant stores encryption/decryption keys. When the hacker breached the secure computer, the hacker stole the key that was needed for cryptographic operations used in accessing the merchant's data. In view of this situation and others, security approaches associated with encryption/decryption operations can be improved.
The accompanying appendices and/or drawings illustrate various non-limiting, example, innovative aspects in accordance with the present descriptions:
The leading number of each reference number within the drawings indicates the figure in which that reference number is introduced and/or detailed. As such, a detailed discussion of reference number 101 would be found and/or introduced in
Computer-implemented systems and methods are disclosed herein, such as for use with cryptographic operations. For example, a processor-implemented system and method are disclosed for use with cryptographic operations over a cloud-based service. The cloud-based service securely stores and transmits parts of encryption/decryption keys. Split key processing can include splitting the key in two and storing one of the parts on a remote secure server.
As another example, a processor-implemented system and method are disclosed for cryptographic operations. A payment processor provides a cloud service that combines split key processing as well as risk analysis of requests, IP blocking and access rule restrictions to securely store and transmit parts of encryption keys.
As yet another example, a processor-implemented system and method are disclosed for cryptographic operations through a remote networked service where a first portion of a key is stored. A remote request is received for retrieval of the first portion of the key, and a security analysis is performed upon the request. The first portion of the key is transmitted to the requester after the security analysis criteria have been satisfied. A complete key is generated by combining the first portion of the key with a second portion of the key. The complete key is used to perform a cryptographic operation.
The merchant applications 112 may be open to hacking, spoofing, and other security threats. As such, the encryption key broker system 106 securely stores the encryption/decryption keys against potential malicious activities that may occur during payment transaction processing or otherwise. However, it should be understood that the cloud encryption key broker system 106 is not limited to only purchasing-type transactions but may be used in many other types of operations outside of a financial/purchasing environment.
The consumer users 104 can directly or indirectly interact with a cloud encryption key broker system 106 through a number of ways, such as over one or more networks 108. Server(s) 110 accessible through the network(s) 108 can host the system 106. One or more data stores 102 can store the data to be analyzed and processed by the system 106 as well as any intermediate or final data generated by the system 106.
As an illustration, if the key were 123456, then the key would be split into two partial keys: 123 and 456. In this way, a hacker would have to breach a merchant's computer as well as bypass the remote secure server's security measures to gain access to the entire key. This approach prevents a hacker from obtaining a complete key by breaching a single secure computer on which a merchant has stored an encryption/decryption key.
The cloud service can also combine additional security via processing 204. Secure processing operations 204 can include techniques for detecting a network intrusion or other type of unauthorized access request.
Security analysis is performed in this operational scenario upon the request at step 306. Such analysis at step 306 can include a combination of risk analysis of requests, IP blocking and access rule restrictions to securely store and transmit parts of encryption/decryption keys. For example, this can include at step 306 using artificial intelligence for intrusion detection. Prim's algorithm can also be used within step 306 for security operations. A description of the algorithm is provided in U.S. Pat. No. 8,924,270 entitled “Risk Assessment Rule Set Application For Fraud Prevention”, which document is incorporated herein for all purposes. It should be understood that many other types of security operations can be performed upon the request for the presence of malicious or unauthorized activity.
If the security analysis does not indicate any inappropriate activity with respect to the request, the partial key is provided at step 308 to the requester. At step 310, a software tool at the client side receives the partial key and combines it with one or more other partial keys for use in encryption/decryption operations.
A client tool known as the encryption key broker 404 (EKB) is provided that performs encrypting/decrypting routines. When started, the EKB 404 calls out to a remote server on the cloud 406 to provide the necessary parts to complete the data encryption/decryption key. The key parts are transmitted in an encrypted form. These parts are decrypted, combined and the resulting data key is stored in memory 402.
Also as shown at 508, partners can define set rules, such as hours of the day or IP locations for restricting access. Batch risk models at 510 look for abnormal behavior across all partners. Keys involved in known breaches cannot be retrieved.
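The split-key retrieval flow described above (store one portion remotely, run the security analysis on each request, release the portion, combine on the client), as an added example that is not part of the disclosure. The class and function names, the rule shape and the sample addresses are assumptions, and encryption of the part in transit is omitted.

```python
import secrets
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

def split_key(key: bytes):
    """Split into two partial keys, as in the 123456 -> 123 / 456 illustration."""
    mid = len(key) // 2
    return key[:mid], key[mid:]

def combine_key(first: bytes, second: bytes) -> bytes:
    return first + second

@dataclass
class AccessRule:            # partner-defined restriction (hypothetical shape)
    networks: tuple          # allowed source networks ("IP locations")
    open_at: time            # start of the allowed hours of the day
    close_at: time           # end of the allowed hours of the day

class KeyBroker:
    """Stand-in for the remote service that holds the first portion of each key."""
    def __init__(self):
        self._parts, self._rules, self._breached = {}, {}, set()

    def store(self, key_id, part, rule):
        self._parts[key_id], self._rules[key_id] = part, rule

    def mark_breached(self, key_id):
        self._breached.add(key_id)

    def retrieve(self, key_id, source_ip, at):
        # The security analysis runs before any key material is released.
        if key_id in self._breached:
            raise PermissionError("key involved in a known breach")
        rule = self._rules[key_id]
        addr = ip_address(source_ip)
        if not any(addr in net for net in rule.networks):
            raise PermissionError("source IP not allowed")
        if not rule.open_at <= at <= rule.close_at:
            raise PermissionError("outside allowed hours")
        return self._parts[key_id]

if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # constructed sample data key
    remote_part, local_part = split_key(key)
    broker = KeyBroker()
    rule = AccessRule((ip_network("203.0.113.0/24"),), time(8), time(18))
    broker.store("merchant-1", remote_part, rule)
    part = broker.retrieve("merchant-1", "203.0.113.7", time(9, 30))
    assert combine_key(part, local_part) == key   # complete key exists only in memory
```

Splitting a key into halves, as in the 123456 illustration, leaves half of the key's bytes at each location; an XOR split against a random pad is an alternative in which a single part reveals nothing about the key.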
A “payment request” may include a message having a request to process or initiate a payment. For example, the payment request may be sent from a mobile device associated with a consumer in relation to a purchase transaction associated with goods or services provided by a merchant. The payment request may include any relevant information to the transaction including payment information (e.g., account identifiers, personal information, etc.), transaction information (e.g., merchant information, items being purchased, etc.), device information (e.g., mobile device phone number, secure element identifier, etc.), routing information (e.g., internet protocol (IP) address of a destination computer, identifier for destination computer, bank identification number (BIN), etc.), and any other relevant information to a payment transaction. For example, a payment request may include encrypted payment information for a transaction and may be sent to a third party computer that is configured to authenticate the payment request, validate a public key certificate, decrypt the encrypted payment information, extract a public key from the validated certificate, re-encrypt the decrypted payment information, and send the re-encrypted payment information to a transaction processor for initiation of a payment transaction. Accordingly, the payment request may include any information relevant to the secure process for transmitting sensitive data to a merchant server for processing a remote transaction.
As used herein, “transaction information” may include any data associated with a transaction. For example, transaction information may include a transaction amount, transaction time, transaction date, merchant information (e.g., registered merchant identifier, address, merchant computer IP address, etc.), product information (e.g., serial numbers, product names or other identifiers, etc.). The transaction information may be provided to a mobile device by a merchant server computer before or after the consumer initiates a payment transaction through the merchant application. In some embodiments, the transaction information may be used to identify a specific merchant associated with a transaction using the merchant information included in the transaction information.
As used herein, “encrypted payment information” may include any payment information that has been made unintelligible to some parties to prevent unauthorized access to the payment information. For example, the encrypted payment information may not be read by a recipient without access to a shared secret or access to a designated encryption key. As such, the encrypted payment information may be made unintelligible through a process that is reversible and repeatable such that two entities can share information using a shared secret or encryption keys without unauthorized entities being able to understand or gain access to the sensitive payment information or sensitive payment credentials within the payment information (unless they gain access to the shared secret or encryption keys).
In
Each of the element managers, real-time data buffer, conveyors, file input processor, database index shared access memory loader, reference data buffer and data managers may include a software application stored in one or more of the disk drives connected to the disk controller, the ROM and/or the RAM. The processor may access one or more components as required.
A display interface may permit information from the bus to be displayed on a display in audio, graphic, or alphanumeric format. Communication with external devices may optionally occur using various communication ports.
In addition to these computer-type components, the hardware may also include data input devices, such as a keyboard, or other input device, such as a microphone, remote control, pointer, mouse and/or joystick.
Additionally, the methods and systems described herein may be implemented on many different types of processing devices by program code comprising program instructions that are executable by the device processing subsystem. The software program instructions may include source code, object code, machine code, or any other stored data that is operable to cause a processing system to perform the methods and operations described herein and may be provided in any suitable language such as C, C++, JAVA, for example, or any other suitable programming language. Other implementations may also be used, however, such as firmware or even appropriately designed hardware configured to carry out the methods and systems described herein.
The systems' and methods' data (e.g., associations, mappings, data input, data output, intermediate data results, final data results, etc.) may be stored and implemented in one or more different types of computer-implemented data stores, such as different types of storage devices and programming constructs (e.g., RAM, ROM, Flash memory, flat files, databases, programming data structures, programming variables, IF-THEN (or similar type) statement constructs, etc.). It is noted that data structures describe formats for use in organizing and storing data in databases, programs, memory, or other computer-readable media for use by a computer program.
The computer components, software modules, functions, data stores and data structures described herein may be connected directly or indirectly to each other in order to allow the flow of data needed for their operations. It is also noted that a module or processor includes but is not limited to a unit of code that performs a software operation, and can be implemented for example as a subroutine unit of code, or as a software function unit of code, or as an object (as in an object-oriented paradigm), or as an applet, or in a computer script language, or as another type of computer code. The software components and/or functionality may be located on a single computer or distributed across multiple computers depending upon the situation at hand.
While the disclosure has been described in detail and with reference to specific embodiments thereof, it will be apparent to one skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the embodiments. Thus, it is intended that the present disclosure cover the modifications and variations of this disclosure.
This application claims priority to U.S. Patent Application Ser. No. 62/117,080, filed Feb. 17, 2015 and entitled “Cloud Encryption Key Broker Apparatuses, Methods And Systems.” The entire contents of the aforementioned application are expressly incorporated by reference herein.
Number | Date | Country | |
---|---|---|---|
20160241390 A1 | Aug 2016 | US |
Number | Date | Country | |
---|---|---|---|
62117080 | Feb 2015 | US |