US20160212109A1 - Managing distribution and retrieval of security key fragments among proxy storage devices - Google Patents

Managing distribution and retrieval of security key fragments among proxy storage devices

Info

Publication number
US20160212109A1
Authority
US
United States
Prior art keywords
storage devices
key
proxy storage
key fragments
fragments
Prior art date
Legal status
Granted
Application number
US14/600,497
Other versions
US9413735B1 (en)
Inventor
Geoffrey R. Hird
Current Assignee
CA Inc
Original Assignee
CA Inc
Priority date
Filing date
Publication date
Application filed by CA Inc
Priority to US14/600,497
Assigned to CA, INC. Assignment of assignors interest (see document for details). Assignors: HIRD, GEOFFREY R.
Publication of US20160212109A1
Application granted
Publication of US9413735B1
Active
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present disclosure relates to computing systems and, in particular, to management of security keys among computer systems including Bitcoin management systems.
  • Bitcoin is a software based peer-to-peer payment system. Bitcoins (especially personal Bitcoins) are typically stored in a digital wallet, which exists either in the cloud or on a user's computer or mobile device.
  • the digital wallet functions as a virtual bank account that allows users to send and receive Bitcoins and make payments. However, only users' credentials for Bitcoin ownership are stored in the digital wallets.
  • a Bitcoin payment occurs by transfer of value between Bitcoin addresses that gets recorded in a publicly accessible transaction ledger (the “blockchain”), where Bitcoin address identifiers are listed.
  • blockchain publically accessible transaction ledger
  • Some embodiments of the present disclosure are directed to a method performed by a processor of a computer.
  • the method includes obtaining a security key associated with data, dividing the security key into key fragments, and distributing different ones of the key fragments to different proxy storage devices.
  • the method further includes receiving the key fragments from the proxy storage devices, generating a reconstructed security key based on the key fragments received from the proxy storage devices, and controlling programmatic access to the data based on the reconstructed security key.
  • Some related other embodiments are directed to a computer program product that includes a non-transitory computer readable storage medium storing computer readable program code which when executed by a processor of a computer causes the processor to perform operations including obtaining a security key associated with data, dividing the security key into key fragments, and distributing different ones of the key fragments to different proxy storage devices.
  • the operations further include receiving the key fragments from the proxy storage devices, generating a reconstructed security key based on the key fragments received from the proxy storage devices, and controlling programmatic access to the data based on the reconstructed security key.
  • FIG. 1 is a block diagram of a system including an access control computer that distributes fragments of a security key to proxy storage devices, reconstructs the security key based on the key fragments received from the proxy storage devices, and controls programmatic access to data based on the reconstructed security key, in accordance with some embodiments of the present disclosure;
  • FIGS. 2-4 are flowcharts of operations that may be performed by an access control computer configured according to some embodiments of the present disclosure.
  • FIG. 5 is a block diagram of an access control computer according to some embodiments of the present disclosure.
  • security keys e.g., private key, password, etc.
  • data such as application program code, user information, etc.
  • a fundamental problem is that a weak security key short enough for a human to reliably remember may be guessed or determined by brute-force (e.g., repetitive logical attempts) by an attacker.
  • a stronger security key increases the risk that it will be recorded by the user somewhere (whether on paper or in digital form) and the protection of the recorded format then becomes a challenge.
  • characteristics of a security key can affect other system operations, such as system robustness (recovery), system convenience of use, and unauthorized attempted access detection and response by the system.
  • a security key refers to a cryptographic key, a password, and/or other information that can be used to control access to data.
  • Increased protection of security keys may be obtained by the use of “n-of-n or n-of-m secret sharing” to split each security key into fragments that are dispersed across email accounts, social media accounts, websites, text message addresses, trusted associates, and various types of storage media, each of which may have different security processes that control access thereto.
  • the original security keys can be regenerated responsive to receiving all or a threshold number of the key fragments from the distributed storage locations.
  • access control computers disclosed herein may be used to control access to any type of data, such as application program code and/or user information accessed by application program code, including online user account information such as financial accounts, email accounts, streaming media service accounts, etc.
  • FIG. 1 is a block diagram of a system including an access control computer 100 configured according to some embodiments of the present disclosure.
  • the access control computer 100 controls a user's programmatic access to a Bitcoin digital wallet 104 .
  • Bitcoin uses public key cryptography, whereby keys are created in pairs—each pair has a private key and a public key. With Bitcoin, rather than use a public key directly, a small sequence of alphanumeric characters is derived which is called a “Bitcoin address”. Each Bitcoin address is the possible destination of a Bitcoin payment, such as to a network addressable Bitcoin transaction ledger. An address functions like an account number or name and a private key functions as an ownership credential. The Bitcoin wallet 104 may securely store many pairs of addresses and private keys.
  • the Bitcoin wallet 104 may be encrypted by the access control computer 100 as a whole using a password security key and/or individual private keys storable within the Bitcoin wallet 104 may be encrypted separately using corresponding security keys.
  • the Bitcoin wallet 104 data can be encrypted under a password by generating a symmetric password security key from the password via a well-known mechanism such as one of the public-key cryptography standards (PKCS), e.g., PKCS #5.
  • PKCS public-key cryptography standards
  • AES Advanced Encryption Standard
  • a key management program manages a plurality of security keys
  • the operations can be repeated to divide the security key into key fragments and to distribute different ones of the key fragments to different ones of the proxy storage devices 170 and/or 150 .
  • the key fragments from one of the plurality of security keys can be distributed to a group of the proxy storage devices which is selected based on the group containing at least one proxy storage device that is not within another group of the proxy storage devices that receives distribution of key fragments from another one of the plurality of security keys. Distributing key fragments of different ones of the security keys to different groups containing at least some different proxy storage devices may increase a level of security by which the collection of security keys is protected.
  • the key splitter 110 , the key fragment distributor 120 , and/or the key fragment receiver 130 of the access control computer 100 may encapsulate application programming interfaces of the key management program. Providing the key fragment generation, distribution, and receiving functionality through program code that encapsulates key management program code which uses the regenerated security key, facilitates deployment of enhanced security features without necessitating modification of program code for the key management program.
  • a security key associated with data is split into key fragments, and the key fragments are then distributed across different proxy storage devices.
  • a password key, private key, and/or public key may be split into key fragments.
  • a key splitter 110 may operate to divide a security key into key fragments. The key fragments are distributed to different proxy storage devices for storage.
  • a key fragment distributor 120 may operate to distribute the key fragments. The key fragments can be later received from the proxy storage devices.
  • a key fragment receiver 130 may operate to receive the key fragments.
  • a reconstructed security key can be generated based on the key fragments received from the proxy storage devices.
  • a security key regenerator 140 may operate to generate the reconstructed security key. Programmatic access to the data can be controlled based on the reconstructed security key.
  • the Bitcoin wallet 104 or other program code of the access control computer 100 may operate to control access to the data.
  • Controlling programmatic access to the data can include attempting a login process to a user account using the reconstructed security key, attempting to decrypt previously encrypted data, etc.
  • a password may be reconstructed from the key fragments and used to attempt to obtain access to data contained in the Bitcoin wallet 104
  • an encryption key may be reconstructed from the key fragments and used to attempt to decrypt individual private keys, addresses, and/or other content of the Bitcoin wallet 104 .
  • the access control computer 100 may decrypt the Bitcoin wallet 104 or a private key therein based on the reconstructed security key matching the original security key.
  • the security key is a password for a user account
  • the access control computer 100 may grant user access to the user account via a user interface program based on the reconstructed security key matching the password for the user account.
  • FIG. 2 is a flowchart of operations that may be performed by these and/or other components of the access control computer 100 .
  • a security key associated with data is obtained (block 200 ).
  • the security key is divided (block 202 ) into key fragments. Different ones of the key fragments are distributed (block 204 ) to different proxy storage devices.
  • the key fragments are separately received (block 206 ) from the proxy storage devices.
  • the reconstructed security key is generated (block 208 ) based on the key fragments received from the proxy storage devices.
  • Programmatic access to the data e.g., the Bitcoin digital wallet 104
  • Multiple key fragments may be distributed to a same proxy storage device which is determined to provide at least a threshold level of security.
  • the levels of security provided by the proxy storage devices for storage of key fragments can be determined.
  • a subset of the proxy storage devices can be selected for storage of the key fragments based on the levels of security, and the key fragments can be distributed to the subset of the proxy storage devices for storage.
  • some proxy storage devices that are determined to have less than the threshold level of security based on user defined parameters and/or defined rules, may not be selected for storage of key fragments or may be selected for storage of only a single key fragment each.
  • some other proxy storage devices that have at least the threshold level of security may be selected for storage of one or more key fragments.
  • the proxy storage devices may include local applications and storage devices 150 which can include application programs processed by a same computer component as the access control computer 100 and/or removable memory devices (e.g., USB storage devices).
  • the proxy storage devices may alternatively or additionally include network proxy storage devices 170 which are communicatively connected to the access control computer 100 via a data network 160 (e.g., a public network such as the Internet, and/or a private network).
  • the network proxy storage devices 170 can include, but are not limited to, social media servers 180 , email servers 190 , web page servers 192 , and/or mobile terminals 194 .
  • the social media servers 180 may include a social network server 182 (e.g., Facebook™), a blog network server 186 (e.g., Tumblr™, server providing Web2.0 Properties/Networks, etc.), a micro blog network server 184 (e.g., Twitter™), and/or another type of social media server.
  • a social media server 180 receives a message containing a key fragment and a message string from the key fragment distributor 120 , and publishes the message for receipt by one or more computers 188 who have registered with the social media server 180 to track publishing of messages on the social media server 120 containing a defined message string.
  • the message string may correspond to a username used for the Bitcoin wallet 104 , an identifier associated with the access control computer 100 , and/or a string of characters that is defined by a user and which is defined as being tracked by an intended recipient computer 188 .
  • a key splitter 110 divides a security key into any plural number of key fragments.
  • the security key regenerator 140 can regenerate the original security key so long as at least 4 of the key fragments are received back from those proxy storage devices.
  • the key splitter 110 may be configured to form different groups of the proxy storage devices 170 associated with different ones of a plurality of security keys.
  • the key splitter 110 may select one of the groups of proxy storage devices 170 based on the security key obtained matching a security key associated with the selected one of the groups of proxy storage devices.
  • a number of the proxy storage devices 170 in the selected one of the groups can be determined and used by the key splitter 110 to control a number of the key fragments generated from a security key based on the number of the proxy storage devices 170 in the selected one of the groups of proxy storage devices 170 .
  • Which of the proxy storage devices 170 are members of which of the groups may be defined by a user and/or defined by one or more defined rules based on characteristics of the proxy storage devices 170 which, for example, seek to store the key fragments using a threshold number of different types of access security mechanisms provided by the various proxy storage devices 170 .
  • the key fragment distributor 120 distributes different ones of the key fragments to selected ones of the proxy storage devices 170 .
  • FIG. 3 is a flowchart of operations that may be performed by the key fragment distributor 120 and the key fragment receiver 130 according to some embodiments.
  • the key fragment distributor 120 receives the key fragments from the key splitter 110 , and distributes the key fragments to a plurality of the proxy storage devices.
  • the distributor 120 determines an email address for an email account hosted by one of the email servers 190 , and communicates (block 300 ) an email message containing one of the key fragments (“first key fragment”) with the email address.
  • the distributor 120 determines a mobile terminal identifier for one of the mobile terminals 194 , and communicates (block 302 ) a text message containing another one of the key fragments (“second key fragment”) with the mobile terminal identifier.
  • the distributor 120 determines a device address of one of the local application and/or storage devices 150 having a direct non-network connection to the security computer (e.g., the access control computer 100 ), and generates (block 304 ) a command to write another one of the key fragments (“third key fragment”) to the device address.
  • the distributor 120 selects an application programming interface (API) from among a plurality of APIs based on information identifying one of the proxy storage devices 170 and/or 150 , and communicates (block 306 ) another one of the key fragments (“fourth key fragment”) through the API that was selected.
  • the distributor 120 determines a web address for one of the web servers 192 , and communicates (block 308 ) another one of the key fragments (“fifth key fragment”) as a web feed with the web address.
  • the key fragment receiver 130 receives key fragments from the different proxy storage devices.
  • a security key regenerator 140 reconstructs the security key using the key fragments from the key fragment receiver 130 .
  • the security key regenerator 140 may be configured to reconstruct the security key from less than all of the key fragments that were generated by the key splitter 110 from the security key.
  • the security key regenerator 140 can regenerate the original security key.
  • the security key regenerator 140 may attempt to regenerate and verify the regenerated security key for correctness upon receipt of each key fragment from various ones of the proxy storage devices, and upon successful verification output the regenerated security key for use in controlling access to the data.
  • the key fragment receiver 130 receives (block 310 ) an email message from the email address for the user account hosted by the email server 190 , and obtains the first key fragment from the email message.
  • the key fragment receiver 130 receives (block 312 ) a text message containing the second key fragment.
  • the key fragment receiver 130 generates (block 314 ) a command to read the third key fragment from the device address for the local application and/or the storage device 150 having a direct non-network connection to the security computer (e.g., the access control computer 100 ).
  • the key fragment receiver 130 receives (block 316 ) the fourth key fragment through an API and selectively uses the fourth key fragment based on whether the API through which it was received corresponds to the API that was selected (block 306 ) for indication of the fourth key fragment.
  • the key fragment receiver 130 receives (block 318 ) the fifth key fragment in a web feed from the web address for the web server 192 to which the fifth key fragment was communicated (block 308 ).
  • the security key regenerator 140 reconstructs (block 320 ) the security key based on the first, second, third, fourth, and fifth key fragments.
  • When a key fragment is stored in a user account on an email server 190 , access to the key fragment can be controlled based on a secure user ID and password received from the user and/or from the key fragment receiver 130 .
  • When a key fragment is stored on a web server 192 at a defined URI, access to the key fragment can be controlled based on a secure user ID and password received from the user and/or from the key fragment receiver 130 .
  • the receiving mobile terminal 194 can control access to the stored key fragment via a security program layer processed by the mobile terminal 194 (e.g., screen-lock functionality). Accordingly, increased protection of the security key can be obtained by splitting the security key into fragments that are dispersed across a plurality of different locations and types of proxy storage devices each having local security processes that control access to the respective locally stored key fragments.
  • Key fragments may additionally or alternatively be stored on one or more of the social media servers 180 .
  • the key fragment can be stored in a private area having secured user ID and password controlled access.
  • the key fragment distributor 120 determines (block 400 ) a first message string tracked by a first computer 188 on one of the social media servers 180 (e.g., a social network server 182 ), and posts (block 402 ) a message containing one of the key fragments (“first key fragment”) and the message string to the social media server 180 for publishing through the social media server 180 to the first computer 188 .
  • the key fragment distributor 120 determines (block 404 ) a second message string tracked by a second computer 188 on the same or another one of the social media servers 180 (e.g., a micro blog network server 184 ), and posts (block 406 ) a message containing another one of the key fragments (“second key fragment”) and the message string to the social media server 180 for publishing through the social media server 180 to the second computer 188 .
  • the social media servers 180 e.g., a micro blog network server 184
  • the key fragment distributor 120 may select the message strings from among a plurality of defined message strings that identify different groupings of messages published by the social media servers 180 that can be separately tracked by the computers 188 .
  • the first message string can be selected based on it being defined as tracked by the first computer, so that the first computer will receive and locally store the first key fragment.
  • the second message string can be selected based on it being defined as tracked by the second computer, so that the second computer will receive and locally store the second key fragment.
  • the first and/or second computers may fetch the respective first and second key fragments from respective user accounts on the social media servers 180 and/or may receive the key fragments in one or more communications pushed to the respective computers from the social media servers 180 .
  • the key fragment receiver 130 may receive the first key fragment by tracking (block 408 ) informational postings by the first computer 188 to one of the social media servers 180 (e.g., the social network server 182 ), and identifying (block 410 ) one of the informational postings by the first computer 188 as containing the first key fragment.
  • the key fragment receiver may receive the second key fragment by tracking (block 412 ) informational postings by the second computer 188 to one of the social media servers 180 (e.g., the micro blog network server 184 ), and identifying (block 414 ) one of the informational postings by the second computer 188 as containing the second key fragment.
  • FIG. 5 is a block diagram of an access control computer 100 according to some embodiments of the present disclosure.
  • the access control computer 100 includes a processor 500 , a memory 510 , and a network interface which may include a radio access network transceiver 526 and/or a wired network interface 524 (e.g., Ethernet interface).
  • the radio access network transceiver 526 can include, but is not limited to, a LTE or other cellular transceiver, WLAN transceiver (IEEE 802.11), WiMax transceiver, or other radio communication transceiver configured to communicate with the network proxy storage devices 170 via a radio access network which may form part of the network 160 .
  • the processor 500 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor) that may be collocated or distributed across one or more networks.
  • the processor 500 is configured to execute computer program code 512 in the memory 510 , described below as a non-transitory computer readable medium, to perform at least some of the operations described herein as being performed by an access control computer.
  • the computer program code 512 when executed by the processor 500 causes the processor 500 to perform operations in accordance with one or more embodiments disclosed herein for the access control computer 100 .
  • the access control computer 100 may further include a user input interface 520 (e.g., touch screen, keyboard, keypad, etc.) and a display device 522 .
  • aspects of the present disclosure may be illustrated and described herein in any of a number of patentable classes or contexts including any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof. Accordingly, aspects of the present disclosure may be implemented in entirely hardware, entirely software (including firmware, resident software, micro-code, etc.) or combining software and hardware implementation that may all generally be referred to herein as a “circuit,” “module,” “component,” or “system.” Furthermore, aspects of the present disclosure may take the form of a computer program product comprising one or more computer readable media having computer readable program code embodied thereon.
  • the computer readable media may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable signal medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python or the like, conventional procedural programming languages, such as the “C” programming language, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, dynamic programming languages such as Python, Ruby and Groovy, or other programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider) or in a cloud computing environment or offered as a service such as a Software as a Service (SaaS).
  • LAN local area network
  • WAN wide area network
  • SaaS Software as a Service
  • These computer program instructions may also be stored in a computer readable medium that when executed can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions when stored in the computer readable medium produce an article of manufacture including instructions which when executed, cause a computer to implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer program instructions may also be loaded onto a computer, other programmable instruction execution apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatuses or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
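
The n-of-m splitting, the "at least 4 of the key fragments" threshold, and the regenerate-and-verify step on receipt of each fragment described in the definitions above can be sketched as follows. This is an added example, not code from the patent: it assumes Shamir's scheme as the n-of-m secret sharing method (the page names none), an HMAC tag as the correctness check, and hypothetical names (`split_key`, `KeyRegenerator`, the proxy labels).

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from itertools import combinations

PRIME = 2**521 - 1   # Mersenne prime; the field must be larger than any key value
KEY_LEN = 32         # bytes; a 256-bit symmetric key (e.g. for AES)
# Constructed labels, one per distribution channel listed for FIG. 3.
PROXIES = ["email", "sms", "usb", "api", "webfeed"]


def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PKCS #5 PBKDF2: turn a password into a symmetric security key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)


def check_value(key: bytes) -> bytes:
    """Key-confirmation tag used to verify a regenerated key (assumption)."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def split_key(key: bytes, threshold: int, proxies: list[str]) -> dict[str, tuple[int, int]]:
    """Key splitter: one fragment per proxy; any `threshold` of them rebuild the key."""
    if not 2 <= threshold <= len(proxies):
        raise ValueError("threshold must be between 2 and the number of proxies")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    fragments = {}
    for x, proxy in enumerate(proxies, start=1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        fragments[proxy] = (x, y)
    return fragments


def interpolate_at_zero(points) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


class KeyRegenerator:
    """Tries to rebuild and verify the key each time a fragment arrives."""

    def __init__(self, threshold: int, expected_check: bytes):
        self.threshold = threshold
        self.expected = expected_check
        self.received: dict[str, tuple[int, int]] = {}

    def receive(self, proxy: str, fragment: tuple[int, int]) -> bytes | None:
        self.received[proxy] = fragment
        if len(self.received) < self.threshold:
            return None                     # below threshold: nothing to try yet
        # Try every threshold-sized subset so one corrupted fragment is tolerated
        # once a spare fragment has arrived.
        for subset in combinations(self.received.values(), self.threshold):
            if len({x for x, _ in subset}) < self.threshold:
                continue                    # duplicate x would break interpolation
            value = interpolate_at_zero(subset)
            if value >= 2 ** (8 * KEY_LEN):
                continue                    # cannot be a KEY_LEN-byte key
            candidate = value.to_bytes(KEY_LEN, "big")
            if hmac.compare_digest(check_value(candidate), self.expected):
                return candidate
        return None


def demo():
    """5 fragments, threshold 4, with the email copy corrupted in storage."""
    key = derive_key("constructed passphrase", b"constructed-salt")
    fragments = split_key(key, 4, PROXIES)
    regen = KeyRegenerator(4, check_value(key))
    x, y = fragments["email"]
    results = [regen.receive("email", (x, (y + 1) % PRIME))]
    for proxy in PROXIES[1:]:
        results.append(regen.receive(proxy, fragments[proxy]))
    return key, results


if __name__ == "__main__":
    key, results = demo()
    print([r == key for r in results])
```

The check value lets an attacker who obtains it test guesses offline, so it is only safe to keep alongside the system when the key itself is high-entropy or the password behind it is strong.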

Abstract

A method performed by a processor of a computer includes obtaining a security key associated with data, dividing the security key into key fragments, and distributing different ones of the key fragments to different proxy storage devices. Key fragments are received from the proxy storage devices, a reconstructed security key is generated based on the key fragments received from the proxy storage devices, and programmatic access to the data is controlled based on the reconstructed security key. Related computer program products and systems are disclosed.

Description

    BACKGROUND
  • The present disclosure relates to computing systems and, in particular, to management of security keys among computer systems including Bitcoin management systems.
  • Bitcoin is a software based peer-to-peer payment system. Bitcoins (especially personal Bitcoins) are typically stored in a digital wallet, which exists either in the cloud or on a user's computer or mobile device. The digital wallet functions as a virtual bank account that allows users to send and receive Bitcoins and make payments. However, only users' credentials for Bitcoin ownership are stored in the digital wallets. A Bitcoin payment occurs by transfer of value between Bitcoin addresses that gets recorded in a publicly accessible transaction ledger (the “blockchain”), where Bitcoin address identifiers are listed.
  • Security of digital wallets is an increasing concern in view of hackers stealing Bitcoins due to insufficient security mechanisms for digital wallets. The most sensitive data in a digital wallet is the collection of private keys associated with the Bitcoin addresses that occur in the public blockchain. Some Bitcoin owners have resorted to dividing their Bitcoins between less secure “hot storage” residing in a network accessible digital wallet and more secure “cold storage” residing on a non-network accessible device such as a removable non-volatile memory device.
    SUMMARY
  • Some embodiments of the present disclosure are directed to a method performed by a processor of a computer. The method includes obtaining a security key associated with data, dividing the security key into key fragments, and distributing different ones of the key fragments to different proxy storage devices. The method further includes receiving the key fragments from the proxy storage devices, generating a reconstructed security key based on the key fragments received from the proxy storage devices, and controlling programmatic access to the data based on the reconstructed security key.
  • Some related other embodiments are directed to a computer program product that includes a non-transitory computer readable storage medium storing computer readable program code which when executed by a processor of a computer causes the processor to perform operations including obtaining a security key associated with data, dividing the security key into key fragments, and distributing different ones of the key fragments to different proxy storage devices. The operations further include receiving the key fragments from the proxy storage devices, generating a reconstructed security key based on the key fragments received from the proxy storage devices, and controlling programmatic access to the data based on the reconstructed security key.
  • Other methods, computer program products, and/or systems according to embodiments of the inventive subject matter will be or become apparent to one with skill in the art upon review of the following drawings and detailed description. It is intended that all such additional methods, computer program products, and/or systems be included within this description, be within the scope of the present inventive subject matter, and be protected by the accompanying claims. Moreover, it is intended that all embodiments disclosed herein can be implemented separately or combined in any way and/or combination.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • Other features of embodiments will be more readily understood from the following detailed description of specific embodiments thereof when read in conjunction with the accompanying drawings, in which:
  • FIG. 1 is a block diagram of a system including an access control computer that distributes fragments of a security key to proxy storage devices, reconstructs the security key based on the key fragments received from the proxy storage devices, and controls programmatic access to data based on the reconstructed security key, in accordance with some embodiments of the present disclosure;
  • FIGS. 2-4 are flowcharts of operations that may be performed by an access control computer configured according to some embodiments of the present disclosure; and
  • FIG. 5 is a block diagram of an access control computer according to some embodiments of the present disclosure.
    DETAILED DESCRIPTION
  • In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention. It is intended that all embodiments disclosed herein can be implemented separately or combined in any way and/or combination.
  • Many computer systems use various forms of security keys (e.g., private key, password, etc.) to control access to data such as application program code, user information, etc. A fundamental problem is that a weak security key short enough for a human to reliably remember may be guessed or determined by brute-force (e.g., repetitive logical attempts) by an attacker. In contrast, a stronger security key increases the risk that it will be recorded by the user somewhere (whether on paper or in digital form) and the protection of the recorded format then becomes a challenge. In addition to providing data security, characteristics of a security key can affect other system operations, such as system robustness (recovery), system convenience of use, and unauthorized attempted access detection and response by the system.
  • When stored locally, sensitive data can be protected by encryption, under either a password or a cryptographic key. As used herein a security key refers to a cryptographic key, a password, and/or other information that can be used to control access to data.
  • Increased protection of security keys may be obtained by the use of “n-of-n or n-of-m secret sharing” to split each security key into fragments that are dispersed across email accounts, social media accounts, websites, text message addresses, trusted associates, and various types of storage media, each of which may have different security processes that control access thereto. The original security keys can be regenerated responsive to receiving all or a threshold number of the key fragments from the distributed storage locations. Some approaches for n-of-m secret sharing that may be used with various embodiments of the present disclosure are described in the publication, Shamir, Adi (1979), How to share a secret, Communications of the ACM 22 (11): 612-613, the contents of which are incorporated herein by reference.
  • Various embodiments of the present disclosure are described in the context of controlling access to data of a Bitcoin digital wallet program, also referred to herein as a Bitcoin wallet. However, the embodiments are not limited thereto and may be applied to other systems that can benefit from improved data security. For example, access control computers disclosed herein may be used to control access to any type of data, such as application program code and/or user information accessed by application program code, including online user account information such as financial accounts, email accounts, streaming media service accounts, etc.
  • FIG. 1 is a block diagram of a system including an access control computer 100 configured according to some embodiments of the present disclosure. The access control computer 100 controls a user's programmatic access to a Bitcoin digital wallet 104.
  • Bitcoin uses public key cryptography, whereby keys are created in pairs—each pair has a private key and a public key. With Bitcoin, rather than use a public key directly, a small sequence of alphanumeric characters is derived which is called a “Bitcoin address”. Each Bitcoin address is the possible destination of a Bitcoin payment, such as to a network addressable Bitcoin transaction ledger. An address functions like an account number or name and a private key functions as an ownership credential. The Bitcoin wallet 104 may securely store many pairs of addresses and private keys.
  • The Bitcoin wallet 104 may be encrypted by the access control computer 100 as a whole using a password security key and/or individual private keys storable within the Bitcoin wallet 104 may be encrypted separately using corresponding security keys. For example, the Bitcoin wallet 104 data can be encrypted under a password by generating a symmetric password security key from the password via a well-known mechanism such as one of the public-key cryptography standards (PKCS), e.g., PKCS #5. The data is then encrypted using the generated password security key and a corresponding algorithm, such as Advanced Encryption Standard (AES).
  • When a key management program manages a plurality of security keys, for each of the plurality of security keys the operations can be repeated to divide the security key into key fragments and to distribute different ones of the key fragments to different ones of the proxy storage devices 170 and/or 150. The key fragments from one of the plurality of security keys can be distributed to a group of the proxy storage devices which is selected based on the group containing at least one proxy storage device that is not within another group of the proxy storage devices that receives distribution of key fragments from another one of the plurality of security keys. Distributing key fragments of different ones of the security keys to different groups containing at least some different proxy storage devices may increase a level of security by which the collection of security keys is protected. The key splitter 110, the key fragment distributor 120, and/or the key fragment receiver 130 of the access control computer 100 may encapsulate application programming interfaces of the key management program. Providing the key fragment generation, distribution, and receiving functionality through program code that encapsulates key management program code which uses the regenerated security key, facilitates deployment of enhanced security features without necessitating modification of program code for the key management program.
  • Various embodiments of the present disclosure provide increased security and/or flexibility for storing and/or sharing security keys. A security key associated with data is split into key fragments, and the key fragments are then distributed across different proxy storage devices. For example, a password key, private key, and/or public key may be split into key fragments. A key splitter 110 may operate to divide a security key into key fragments. The key fragments are distributed to different proxy storage devices for storage. A key fragment distributor 120 may operate to distribute the key fragments. The key fragments can be later received from the proxy storage devices. A key fragment receiver 130 may operate to receive the key fragments. A reconstructed security key can be generated based on the key fragments received from the proxy storage devices. A security key regenerator 140 may operate to generate the reconstructed security key. Programmatic access to the data can be controlled based on the reconstructed security key. The Bitcoin wallet 104 or other program code of the access control computer 100 may operate to control access to the data.
  • Controlling programmatic access to the data can include attempting a login process to a user account using the reconstructed security key, attempting to decrypt previously encrypted data, etc. For example, a password may be reconstructed from the key fragments and used to attempt to obtain access to data contained in the Bitcoin wallet 104, and/or an encryption key may be reconstructed from the key fragments and used to attempt to decrypt individual private keys, addresses, and/or other content of the Bitcoin wallet 104. In the embodiment of FIG. 1, the access control computer 100 may decrypt the Bitcoin wallet 104 or a private key therein based on the reconstructed security key matching the original security key. Alternatively or additionally, when the security key is a password for a user account, the access control computer 100 may grant user access to the user account via a user interface program based on the reconstructed security key matching the password for the user account.
  • FIG. 2 is a flowchart of operations that may be performed by these and/or other components of the access control computer 100. A security key associated with data is obtained (block 200). The security key is divided (block 202) into key fragments. Different ones of the key fragments are distributed (block 204) to different proxy storage devices. The key fragments are separately received (block 206) from the proxy storage devices. The reconstructed security key is generated (block 208) based on the key fragments received from the proxy storage devices. Programmatic access to the data (e.g., the Bitcoin digital wallet 104) is controlled (block 210) based on the reconstructed security key.
  • Multiple key fragments may be distributed to a same proxy storage device which is determined to provide at least a threshold level of security. For example, the levels of security provided by the proxy storage devices for storage of key fragments can be determined. A subset of the proxy storage devices can be selected for storage of the key fragments based on the levels of security, and the key fragments can be distributed to the subset of the proxy storage devices for storage. In this manner, some proxy storage devices that are determined to have less than the threshold level of security, based on user defined parameters and/or defined rules, may not be selected for storage of key fragments or may be selected for storage of only a single key fragment each. In contrast, some other proxy storage devices that have at least the threshold level of security may be selected for storage of one or more key fragments.
  • These and other operations of the access control computer 100 and other components of the system of FIG. 1 are explained in more detail below.
  • The proxy storage devices may include local applications and storage devices 150 which can include application programs processed by a same computer component as the access control computer 100 and/or removable memory devices (e.g., USB storage devices). The proxy storage devices may alternatively or additionally include network proxy storage devices 170 which are communicatively connected to the access control computer 100 via a data network 160 (e.g., a public network such as the Internet, and/or a private network). The network proxy storage devices 170 can include, but are not limited to, social media servers 180, email servers 190, web page servers 192, and/or mobile terminals 194.
  • The social media servers 180 may include a social network server 182 (e.g., Facebook™), a blog network server 186 (e.g., Tumblr™, server providing Web2.0 Properties/Networks, etc.), a micro blog network server 184 (e.g., Twitter™), and/or another type of social media server. A social media server 180 receives a message containing a key fragment and a message string from the key fragment distributor 120, and publishes the message for receipt by one or more computers 188 that have registered with the social media server 180 to track publishing of messages on the social media server 180 containing a defined message string. The message string may correspond to a username used for the Bitcoin wallet 104, an identifier associated with the access control computer 100, and/or a string of characters that is defined by a user and which is defined as being tracked by an intended recipient computer 188.
  • In the embodiment of FIG. 1, a key splitter 110 divides a security key into any plural number of key fragments. The key splitter 110 may utilize a “n-of-m” secret sharing algorithm to split the security key into m different key fragments, which enables a security key regenerator to reconstruct the security key from a fewer number n (e.g., n=m−1) of the key fragments received from the proxy storage devices. For example, using a 4-of-5 secret sharing algorithm, a security key is divided into 5 different key fragments that are distributed to 5 different proxy storage devices for storage. The security key regenerator 140 can regenerate the original security key so long as at least 4 of the key fragments are received back from those proxy storage devices.
  • The key splitter 110 may be configured to form different groups of the proxy storage devices 170 associated with different ones of a plurality of security keys. The key splitter 110 may select one of the groups of proxy storage devices 170 based on the security key obtained matching a security key associated with the selected one of the groups of proxy storage devices. A number of the proxy storage devices 170 in the selected one of the groups can be determined and used by the key splitter 110 to control a number of the key fragments generated from a security key based on the number of the proxy storage devices 170 in the selected one of the groups of proxy storage devices 170. Which of the proxy storage devices 170 are members of which of the groups may be defined by a user and/or defined by one or more defined rules based on characteristics of the proxy storage devices 170 which, for example, seek to store the key fragments using a threshold number of different types of access security mechanisms provided by the various proxy storage devices 170.
  • The key fragment distributor 120 distributes different ones of the key fragments to selected ones of the proxy storage devices 170. FIG. 3 is a flowchart of operations that may be performed by the key fragment distributor 120 and the key fragment receiver 130 according to some embodiments.
  • The key fragment distributor 120 receives the key fragments from the key splitter 110, and distributes the key fragments to a plurality of the proxy storage devices. The distributor 120 determines an email address for an email account hosted by one of the email servers 190, and communicates (block 300) an email message containing one of the key fragments (“first key fragment”) with the email address. The distributor 120 determines a mobile terminal identifier for one of the mobile terminals 194, and communicates (block 302) a text message containing another one of the key fragments (“second key fragment”) with the mobile terminal identifier. The distributor 120 determines a device address of one of the local application and/or storage devices 150 having a direct non-network connection to the security computer (e.g., the access control computer 100), and generates (block 304) a command to write another one of the key fragments (“third key fragment”) to the device address. The distributor 120 selects an application programming interface (API) from among a plurality of APIs based on information identifying one of the proxy storage devices 170 and/or 150, and communicates (block 306) another one of the key fragments (“fourth key fragment”) through the API that was selected. The distributor 120 determines a web address for one of the web servers 192, and communicates (block 308) another one of the key fragments (“fifth key fragment”) as a web feed with the web address.
  • The key fragment receiver 130 receives key fragments from the different proxy storage devices. A security key regenerator 140 reconstructs the security key using the key fragments from the key fragment receiver 130. The security key regenerator 140 may be configured to reconstruct the security key from less than all of the key fragments that were generated by the key splitter 110 from the security key. When the security key regenerator 140 receives a threshold number of the key fragments, which can be less than all of the key fragments generated by the key splitter 110, the security key regenerator 140 can regenerate the original security key. The security key regenerator 140 may attempt to regenerate and verify the regenerated security key for correctness upon receipt of each key fragment from various ones of the proxy storage devices, and upon successful verification output the regenerated security key for use in controlling access to the data.
  • Continuing with the example of FIG. 3, the key fragment receiver 130 receives (block 310) an email message from the email address for the user account hosted by the email server 190, and obtains the first key fragment from the email message. The key fragment receiver 130 receives (block 312) a text message containing the second key fragment. The key fragment receiver 130 generates (block 314) a command to read the third key fragment from the device address for the local application and/or the storage device 150 having a direct non-network connection to the security computer (e.g., the access control computer 100). The key fragment receiver 130 receives (block 316) the fourth key fragment through an API and selectively uses the fourth key fragment based on whether the API through which it was received corresponds to the API that was selected (block 306) for indication of the fourth key fragment. The key fragment receiver 130 receives (block 318) the fifth key fragment in a web feed from the web address for the web server 192 to which the fifth key fragment was communicated (block 308). The security key regenerator 140 reconstructs (block 320) the security key based on the first, second, third, fourth, and fifth key fragments.
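The 4-of-5 split and the regenerate-and-verify-on-each-receipt behaviour described above can be sketched as follows. This is an added example, not code from the patent: it uses the Shamir scheme the disclosure cites, and the class and function names, the channel labels, and the SHA-256 check value used for verification are assumptions (the text does not say how correctness is verified).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from itertools import combinations

PRIME = 2**521 - 1  # Mersenne prime; the field holds keys up to 65 bytes


def split_key(key: bytes, n: int, m: int) -> list[tuple[int, int]]:
    """Key splitter: produce m fragments, any n of which rebuild the key."""
    if not 1 < n <= m:
        raise ValueError("need 1 < n <= m")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too long for this field")
    # Random polynomial of degree n-1 with the key as its constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    fragments = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation at x
            y = (y * x + c) % PRIME
        fragments.append((x, y))
    return fragments


def combine(fragments: list[tuple[int, int]], key_len: int) -> bytes | None:
    """Lagrange-interpolate the polynomial at x = 0 to recover the key."""
    secret = 0
    for xi, yi in fragments:
        num = den = 1
        for xj, _ in fragments:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    try:
        return secret.to_bytes(key_len, "big")
    except OverflowError:
        return None  # value cannot be a key of this length: bad fragment set


class KeyRegenerator:
    """Collects fragments and retries reconstruction on every arrival."""

    def __init__(self, n: int, key_len: int, check: bytes):
        self.n, self.key_len, self.check = n, key_len, check
        self.received: dict[int, int] = {}

    def receive(self, fragment: tuple[int, int]) -> bytes | None:
        x, y = fragment
        if x in self.received:
            return None  # duplicate fragment index: ignore
        earlier = list(self.received.items())
        self.received[x] = y
        # Try every n-subset that contains the new fragment, so a single
        # damaged fragment cannot block recovery once n good ones are in.
        for subset in combinations(earlier, self.n - 1):
            candidate = combine([*subset, (x, y)], self.key_len)
            if candidate is not None and hmac.compare_digest(
                hashlib.sha256(candidate).digest(), self.check
            ):
                return candidate
        return None


def demo() -> list[bool]:
    key = secrets.token_bytes(32)          # constructed random key
    check = hashlib.sha256(key).digest()   # assumed verification value
    # Constructed labels for the five FIG. 3 channels.
    proxies = ["email", "sms", "usb", "api", "web-feed"]
    stored = dict(zip(proxies, split_key(key, n=4, m=5)))
    x, y = stored["sms"]
    stored["sms"] = (x, (y + 1) % PRIME)   # constructed: fragment damaged in storage
    regen = KeyRegenerator(4, len(key), check)
    # True marks the arrival on which the verified key is first output.
    return [regen.receive(stored[p]) == key for p in proxies]


if __name__ == "__main__":
    print(demo())
```

A plain digest is only a suitable check value for a high-entropy random key; when the security key is a password, verifying by attempting the wallet decryption avoids storing anything that supports offline guessing.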
  • When a key fragment is stored in a user account on an email server 190, access to the key fragment can be controlled based on a secure user ID and password received from the user and/or from the key fragment receiver 130. When a key fragment is stored on a web server 192 at a defined URI, access to the key fragment can be controlled based on a secure user ID and password received from the user and/or from the key fragment receiver 130. When a key fragment is sent via text messaging (e.g., SMS), the receiving mobile terminal 194 can control access to the stored key fragment via a security program layer processed by the mobile terminal 194 (e.g., screen-lock functionality). Accordingly, increased protection of the security key can be obtained by splitting the security key into fragments that are dispersed across a plurality of different locations and types of proxy storage devices each having local security processes that control access to the respective locally stored key fragments.
  • Key fragments may additionally or alternatively be stored on one or more of the social media servers 180. When communicated to a social media server 180, the key fragment can be stored in a private area having secured user ID and password controlled access. Referring to the flowchart of example operations shown in FIG. 4, the key fragment distributor 120 determines (block 400) a first message string tracked by a first computer 188 on one of the social media servers 180 (e.g., a social network server 182), and posts (block 402) a message containing one of the key fragments (“first key fragment”) and the message string to the social media server 180 for publishing through the social media server 180 to the first computer 188. Similarly, the key fragment distributor 120 determines (block 404) a second message string tracked by a second computer 188 on the same or another one of the social media servers 180 (e.g., a micro blog network server 184), and posts (block 406) a message containing another one of the key fragments (“second key fragment”) and the message string to the social media server 180 for publishing through the social media server 180 to the second computer 188.
  • When determining the first and second message strings (block 400 and 404), the key fragment distributor 120 may select the message strings from among a plurality of defined message strings that identify different groupings of messages published by the social media servers 180 that can be separately tracked by the computers 188. Thus, for example, the first message string can be selected based on it being defined as tracked by the first computer, so that the first computer will receive and locally store the first key fragment. Similarly, the second message string can be selected based on it being defined as tracked by the second computer, so that the second computer will receive and locally store the second key fragment. The first and/or second computers may fetch the respective first and second key fragments from respective user accounts on the social media servers 180 and/or may receive the key fragments in one or more communications pushed to the respective computers from the social media servers 180.
  • The key fragment receiver 130 may receive the first key fragment by tracking (block 408) informational postings by the first computer 188 to one of the social media servers 180 (e.g., the social network server 182), and identifying (block 410) one of the informational postings by the first computer 188 as containing the first key fragment. Similarly, the key fragment receiver may receive the second key fragment by tracking (block 412) informational postings by the second computer 188 to one of the social media servers 180 (e.g., the micro blog network server 184), and identifying (block 414) one of the informational postings by the second computer 188 as containing the second key fragment.
  • In this manner, increased security and/or flexibility for storing and/or sharing security keys can be obtained.
    Example Access Control Computer
  • FIG. 5 is a block diagram of an access control computer 100 according to some embodiments of the present disclosure. Referring to FIG. 5, the access control computer 100 includes a processor 500, a memory 510, and a network interface which may include a radio access network transceiver 526 and/or a wired network interface 524 (e.g., Ethernet interface). The radio access network transceiver 526 can include, but is not limited to, a LTE or other cellular transceiver, WLAN transceiver (IEEE 802.11), WiMax transceiver, or other radio communication transceiver configured to communicate with the network proxy storage devices 170 via a radio access network which may form part of the network 160.
  • The processor 500 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor) that may be collocated or distributed across one or more networks. The processor 500 is configured to execute computer program code 512 in the memory 510, described below as a non-transitory computer readable medium, to perform at least some of the operations described herein as being performed by an access control computer. The computer program code 512 when executed by the processor 500 causes the processor 500 to perform operations in accordance with one or more embodiments disclosed herein for the access control computer 100. The access control computer 100 may further include a user input interface 520 (e.g., touch screen, keyboard, keypad, etc.) and a display device 522.
    Further Definitions and Embodiments
  • In the above-description of various embodiments of the present disclosure, aspects of the present disclosure may be illustrated and described herein in any of a number of patentable classes or contexts including any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof. Accordingly, aspects of the present disclosure may be implemented in entirely hardware, entirely software (including firmware, resident software, micro-code, etc.) or combining software and hardware implementation that may all generally be referred to herein as a “circuit,” “module,” “component,” or “system.” Furthermore, aspects of the present disclosure may take the form of a computer program product comprising one or more computer readable media having computer readable program code embodied thereon.
  • Any combination of one or more computer readable media may be used. The computer readable media may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an appropriate optical fiber with a repeater, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable signal medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python or the like, conventional procedural programming languages, such as the “C” programming language, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, dynamic programming languages such as Python, Ruby and Groovy, or other programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider) or in a cloud computing environment or offered as a service such as a Software as a Service (SaaS).
  • Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable instruction execution apparatus, create a mechanism for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • These computer program instructions may also be stored in a computer readable medium that when executed can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions when stored in the computer readable medium produce an article of manufacture including instructions which when executed, cause a computer to implement the function/act specified in the flowchart and/or block diagram block or blocks. The computer program instructions may also be loaded onto a computer, other programmable instruction execution apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatuses or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
  • The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various aspects of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • The terminology used herein is for the purpose of describing particular aspects only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items. Like reference numbers signify like elements throughout the description of the figures.
  • The corresponding structures, materials, acts, and equivalents of any means or step plus function elements in the claims below are intended to include any disclosed structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present disclosure has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the disclosure. The aspects of the disclosure herein were chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure with various modifications as are suited to the particular use contemplated.

Claims (23)

1. A method comprising:
performing operations as follows on a processor of a computer:
obtaining a security key associated with data;
dividing the security key into key fragments;
distributing different ones of the key fragments to different proxy storage devices;
receiving the key fragments from the proxy storage devices;
generating a reconstructed security key based on the key fragments received from the proxy storage devices; and
controlling programmatic access to the data based on the reconstructed security key.
2. The method of claim 1, further comprising:
forming different groups of proxy storage devices associated with different security keys;
selecting one of the groups of proxy storage devices based on the security key obtained matching a security key associated with the selected one of the groups of proxy storage devices; and
determining a number of the proxy storage devices in the selected one of the groups,
wherein the dividing the security key into key fragments, comprises controlling a number of the key fragments generated by the dividing based on the number of the proxy storage devices in the selected one of the groups of proxy storage devices.
3. The method of claim 1, further comprising:
determining levels of security provided by the proxy storage devices for storage of key fragments; and
selecting a subset of the proxy storage devices for storage of the key fragments based on the levels of security,
wherein the key fragments are distributed to the subset of the proxy storage devices for storage.
4. The method of claim 1, wherein:
the distributing different ones of the key fragments to different proxy storage devices, comprises:
determining an email address for one of the proxy storage devices; and
communicating an email message containing one of the key fragments with the email address for the one of the proxy storage devices; and
the receiving the key fragments from the proxy storage devices, comprises:
receiving an email message from the email address for the one of the proxy storage devices; and
obtaining the one of the key fragments from the email message.
5. The method of claim 1, wherein:
the distributing different ones of the key fragments to different proxy storage devices, comprises:
determining a mobile terminal identifier for one of the proxy storage devices; and
communicating a text message containing one of the key fragments with the mobile terminal identifier for the one of the proxy storage devices; and
the receiving the key fragments from the proxy storage devices, comprises:
receiving a text message from the mobile terminal identifier for the one of the proxy storage devices; and
obtaining the one of the key fragments from the text message.
6. The method of claim 1, wherein:
the distributing different ones of the key fragments to different proxy storage devices, comprises:
determining a device address of one of the proxy storage devices having a direct non-network connection to the security computer; and
generating a command to write one of the key fragments to the device address for the one of the proxy storage devices; and
the receiving the key fragments from the proxy storage devices, comprises:
generating a command to read the one of the key fragments from the device address for the one of the proxy storage devices.
7. The method of claim 1, wherein the distributing different ones of the key fragments to different proxy storage devices, comprises:
selecting an application programming interface (API) from among a plurality of APIs based on information identifying one of the proxy storage devices; and
communicating one of the key fragments through the API that was selected.
8. The method of claim 7, wherein the receiving the key fragments from the proxy storage devices, comprises:
receiving the one of the key fragments through one of the APIs; and
selectively using the one of the key fragments received through one of the APIs based on whether the one of the APIs corresponds to the API that was selected.
9. The method of claim 1, wherein the distributing different ones of the key fragments to different proxy storage devices, comprises:
determining a message string tracked by one of the proxy storage devices; and
posting a message containing one of the key fragments and the message string to a social media server for publishing through the social media server to the one of the proxy storage devices.
10. The method of claim 9, wherein the distributing different ones of the key fragments to different proxy storage devices, further comprises:
determining another message string tracked by another one of the proxy storage devices; and
posting a message containing another one of the key fragments and the another message string to the social media server for publishing through the social media server to the another one of the proxy storage devices.
11. The method of claim 10, wherein the determining a message string tracked by one of the proxy storage devices and the determining another message string tracked by another one of the proxy storage devices, comprises:
selecting the message string and the another message string from among a plurality of defined message strings that identify different groupings of messages published by the social media server that can be separately tracked by the proxy storage devices.
12. The method of claim 10, wherein the receiving the key fragments from the proxy storage devices, comprises:
tracking informational postings by the one of the proxy storage devices to the social media server;
identifying one of the informational postings by the one of the proxy storage devices as containing the one of the key fragments;
tracking informational postings by the another one of the proxy storage devices to the social media server; and
identifying one of the informational postings by the another one of the proxy storage devices as containing the another one of the key fragments.
13. The method of claim 1, wherein:
the distributing different ones of the key fragments to different proxy storage devices, comprises:
determining a web address for one of the proxy storage devices; and
communicating one of the key fragments as a web feed with the web address for the one of the proxy storage devices; and
the receiving the key fragments from the proxy storage devices, comprises:
receiving the one of the key fragments in a web feed from the web address for the one of the proxy storage devices.
14. The method of claim 1, wherein:
the obtaining a security key associated with data, comprises:
obtaining a password for a user account; and
the controlling programmatic access to the data based on the reconstructed security key, comprises:
granting user access to the user account via a user interface program based on the reconstructed security key matching the password for the user account.
15. The method of claim 1, wherein the controlling programmatic access to the data based on the reconstructed security key, comprises:
decrypting data using the reconstructed security key.
16. The method of claim 1, wherein the security key comprises a private key associated with an address to a network addressable Bitcoin transaction ledger.
17. The method of claim 1,
wherein the obtaining a security key associated with data, comprises obtaining a plurality of security keys managed by a key management program;
further comprising repeating for each of the plurality of security keys, the dividing the security key into key fragments and the distributing different ones of the key fragments to different proxy storage devices, wherein the key fragments from one of the plurality of security keys are distributed to a group of the proxy storage devices selected based on the group containing at least one proxy storage device that is not within another group of the proxy storage devices that receives distribution of key fragments from another one of the plurality of security keys.
18. The method of claim 17, wherein the obtaining a security key associated with data, the dividing the security key into key fragments, and the distributing different ones of the key fragments to different proxy storage devices are performed by program code that encapsulates application programming interfaces of the key management program.
19. A computer program product, comprising:
a non-transitory computer readable storage medium storing computer readable program code which when executed by a processor of a computer causes the processor to perform operations comprising:
obtaining a security key associated with data;
dividing the security key into key fragments;
distributing different ones of the key fragments to different proxy storage devices;
receiving the key fragments from the proxy storage devices;
generating a reconstructed security key based on the key fragments received from the proxy storage devices; and
controlling programmatic access to the data based on the reconstructed security key.
20. The computer program product of claim 19, wherein:
the distributing different ones of the key fragments to different proxy storage devices, comprises:
determining an email address for one of the proxy storage devices;
communicating an email message containing one of the key fragments with the email address for the one of the proxy storage devices;
determining a mobile terminal identifier for another one of the proxy storage devices; and
communicating a text message containing another one of the key fragments with the mobile terminal identifier for the another one of the proxy storage devices; and
wherein the receiving the key fragments from the proxy storage devices, comprises:
receiving an email message from the email address for the one of the proxy storage devices;
obtaining the one of the key fragments from the email message;
receiving a text message from the mobile terminal identifier for the another one of the proxy storage devices; and
obtaining the another one of the key fragments from the text message.
21. The computer program product of claim 19, wherein:
the distributing different ones of the key fragments to different proxy storage devices, further comprises:
determining a message string tracked by one of the proxy storage devices;
posting a message containing one of the key fragments and the message string to a social media server for publishing through the social media server to the one of the proxy storage devices;
determining another message string tracked by another one of the proxy storage devices; and
posting a message containing another one of the key fragments and the another message string to the social media server for publishing through the social media server to the another one of the proxy storage devices; and
the receiving the key fragments from the proxy storage devices, comprises:
tracking informational postings by the one of the proxy storage devices to the social media server;
identifying one of the informational postings by the one of the proxy storage devices as containing the one of the key fragments;
tracking informational postings by the another of the proxy storage devices to the social media server; and
identifying one of the informational postings by the another of the proxy storage devices as containing the another one of the key fragments.
22. The computer program product of claim 19, wherein the controlling programmatic access to the data based on the reconstructed security key, comprises:
decrypting data using the reconstructed security key.
23. The computer program product of claim 19, wherein the security key comprises a private key associated with an address to a network addressable Bitcoin transaction ledger.
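
The flow of claims 1, 2, 7 and 8, as an added example that is not code from the patent. It assumes an n-of-n XOR split (the claims do not name a splitting scheme), in-memory stand-ins for the proxy storage devices, and a SHA-256 digest of the key kept as a verifier; the class, channel and proxy names are hypothetical.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, n):
    """n-of-n XOR split (assumed scheme): every fragment is needed to rebuild."""
    if n < 2:
        raise ValueError("need at least two proxy storage devices")
    pads = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    # Last fragment is key XOR all pads, so XOR of all fragments gives the key.
    return pads + [reduce(xor_bytes, pads, key)]


class FragmentManager:
    """Hypothetical security-computer side of the fragment exchange."""

    def __init__(self, group):
        # group maps proxy id -> channel (API) selected for that proxy (claim 7).
        self.group = dict(group)
        self.key_len = 0
        self.verifier = None
        self.received = {}

    def distribute(self, key, send):
        # Fragment count follows the size of the selected group (claim 2).
        fragments = split_key(key, len(self.group))
        self.key_len = len(key)
        # Assumption: the key is high-entropy, so keeping a plain digest of it
        # does not enable guessing. A password would need a slow, salted KDF.
        self.verifier = hashlib.sha256(key).digest()
        for (proxy, channel), fragment in zip(self.group.items(), fragments):
            send(proxy, channel, fragment)

    def receive(self, proxy, channel, fragment):
        # Use a fragment only if it arrives over the channel that was selected
        # for that proxy (claim 8); drop unknown senders, repeats, bad lengths.
        if self.group.get(proxy) != channel:
            return False
        if proxy in self.received or len(fragment) != self.key_len:
            return False
        self.received[proxy] = fragment
        return True

    def reconstruct(self):
        # Returns the key only when every fragment is back and the result
        # matches the verifier; otherwise None, and access stays denied.
        if set(self.received) != set(self.group):
            return None
        key = reduce(xor_bytes, self.received.values())
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier):
            return None
        return key


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    group = {"alice-mail": "email", "bob-phone": "sms", "carol-feed": "webfeed"}
    stored = {}  # stands in for the proxy storage devices
    mgr = FragmentManager(group)
    mgr.distribute(key, lambda p, c, f: stored.__setitem__(p, (c, f)))
    # Fragment replayed over the wrong channel is ignored.
    wrong_channel = mgr.receive("bob-phone", "email", stored["bob-phone"][1])
    for proxy in ("alice-mail", "bob-phone"):
        mgr.receive(proxy, *stored[proxy])
    partial = mgr.reconstruct()  # one fragment still missing
    mgr.receive("carol-feed", *stored["carol-feed"])
    return key, wrong_channel, partial, mgr.reconstruct()


if __name__ == "__main__":
    key, wrong_channel, partial, full = demo()
    print("wrong channel accepted:", wrong_channel)
    print("partial reconstruction:", partial)
    print("full reconstruction matches:", full == key)
```

With an n-of-n split the loss of any one proxy makes the key unrecoverable, so availability depends on every device in the group.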
US14/600,497 2015-01-20 2015-01-20 Managing distribution and retrieval of security key fragments among proxy storage devices Active 2035-02-22 US9413735B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/600,497 US9413735B1 (en) 2015-01-20 2015-01-20 Managing distribution and retrieval of security key fragments among proxy storage devices

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/600,497 US9413735B1 (en) 2015-01-20 2015-01-20 Managing distribution and retrieval of security key fragments among proxy storage devices

Publications (2)

Publication Number Publication Date
US20160212109A1 US20160212109A1 (en) 2016-07-21
US9413735B1 US9413735B1 (en) 2016-08-09

Family

ID=56408669

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/600,497 Active 2035-02-22 US9413735B1 (en) 2015-01-20 2015-01-20 Managing distribution and retrieval of security key fragments among proxy storage devices

Country Status (1)

Country Link
US (1) US9413735B1 (en)

Cited By (71)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170250801A1 (en) * 2014-09-24 2017-08-31 Hewlett Packard Enterprise Development Lp Utilizing error correction (ecc) for secure secret sharing
US10721062B2 (en) * 2014-09-24 2020-07-21 Hewlett Packard Enterprise Development Lp Utilizing error correction for secure secret sharing
US10541811B2 (en) * 2015-03-02 2020-01-21 Salesforce.Com, Inc. Systems and methods for securing data
US9881176B2 (en) 2015-06-02 2018-01-30 ALTR Solutions, Inc. Fragmenting data for the purposes of persistent storage across multiple immutable data structures
US10366247B2 (en) 2015-06-02 2019-07-30 ALTR Solutions, Inc. Replacing distinct data in a relational database with a distinct reference to that data and distinct de-referencing of database data
US10742681B2 (en) * 2015-08-21 2020-08-11 PushPull Technology Limited Data collaboration
US11038687B2 (en) 2015-08-21 2021-06-15 PushPull Technology Limited Data collaboration
US20170054756A1 (en) * 2015-08-21 2017-02-23 PushPull Technology Limited Data collaboration
US10404697B1 (en) 2015-12-28 2019-09-03 Symantec Corporation Systems and methods for using vehicles as information sources for knowledge-based authentication
US10326733B2 (en) 2015-12-30 2019-06-18 Symantec Corporation Systems and methods for facilitating single sign-on for multiple devices
US11502833B2 (en) * 2016-01-29 2022-11-15 Mx Technologies, Inc. Secure data handling and storage
US10356066B2 (en) 2016-05-23 2019-07-16 Accenture Global Solutions Limited Wrapped-up blockchain
US9959065B2 (en) 2016-05-23 2018-05-01 Accenture Global Solutions Limited Hybrid blockchain
US10305875B1 (en) 2016-05-23 2019-05-28 Accenture Global Solutions Limited Hybrid blockchain
US20170374049A1 (en) * 2016-05-23 2017-12-28 Accenture Global Solutions Distributed key secret for rewritable blockchain
US10348707B2 (en) 2016-05-23 2019-07-09 Accenture Global Solutions Limited Rewritable blockchain
US10110576B2 (en) * 2016-05-23 2018-10-23 Accenture Global Solutions Limited Distributed key secret for rewritable blockchain
US9967088B2 (en) 2016-05-23 2018-05-08 Accenture Global Solutions Limited Rewritable blockchain
US9967096B2 (en) 2016-05-23 2018-05-08 Accenture Global Solutions Limited Rewritable blockchain
US10623387B2 (en) * 2016-05-23 2020-04-14 Accenture Global Solutions Limited Distributed key secret for rewritable blockchain
US11552935B2 (en) 2016-05-23 2023-01-10 Accenture Global Solutions Limited Distributed key secret for rewritable blockchain
US10375114B1 (en) 2016-06-27 2019-08-06 Symantec Corporation Systems and methods for enforcing access-control policies
US10462184B1 (en) 2016-06-28 2019-10-29 Symantec Corporation Systems and methods for enforcing access-control policies in an arbitrary physical space
WO2018044951A1 (en) 2016-08-30 2018-03-08 Paypal, Inc. Expedited virtual currency transaction system
EP3507753A4 (en) * 2016-08-30 2020-04-29 PayPal, Inc. Expedited virtual currency transaction system
US11551207B2 (en) 2016-08-30 2023-01-10 Paypal, Inc. Expedited virtual currency transaction system
US10469457B1 (en) * 2016-09-26 2019-11-05 Symantec Corporation Systems and methods for securely sharing cloud-service credentials within a network of computing devices
US10547598B2 (en) * 2017-02-13 2020-01-28 Thales Esecurity, Inc. Abstracted cryptographic material management across multiple service providers
US10484379B2 (en) * 2017-03-16 2019-11-19 Motorola Solutions, Inc. System and method for providing least privilege access in a microservices architecture
US10812981B1 (en) 2017-03-22 2020-10-20 NortonLifeLock, Inc. Systems and methods for certifying geolocation coordinates of computing devices
US20210142319A1 (en) * 2017-04-27 2021-05-13 Refinitiv Us Organization Llc Systems and methods for distributed data mapping
US10462213B2 (en) * 2017-05-18 2019-10-29 Bank Of America Corporation Block chain encoding with fair delay for distributed network devices
US11082482B2 (en) * 2017-05-18 2021-08-03 Bank Of America Corporation Block chain encoding with fair delay for distributed network devices
US20180337781A1 (en) * 2017-05-18 2018-11-22 Bank Of America Corporation Block Chain Encoding With Fair Delay For Distributed Network Devices
JP2020526050A (en) * 2017-08-28 2020-08-27 アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited Key data processing method and apparatus, and server
TWI686073B (en) * 2017-08-28 2020-02-21 香港商阿里巴巴集團服務有限公司 Key data processing method, device and server
US10797865B2 (en) * 2017-08-28 2020-10-06 Alibaba Group Holding Limited Key data processing method and apparatus, and server
US20200127817A1 (en) * 2017-08-28 2020-04-23 Alibaba Group Holding Limited Key data processing method and apparatus, and server
AU2018323458B2 (en) * 2017-08-28 2020-10-29 Advanced New Technologies Co., Ltd. Key data processing method and apparatus, and server
US10873449B2 (en) * 2017-08-28 2020-12-22 Advanced New Technologies Co., Ltd. Key data processing method and apparatus, and server
AU2018323458C1 (en) * 2017-08-28 2021-05-06 Advanced New Technologies Co., Ltd. Key data processing method and apparatus, and server
CN107465505A (en) * 2017-08-28 2017-12-12 阿里巴巴集团控股有限公司 A kind of key data processing method, device and server
WO2019046317A1 (en) * 2017-08-28 2019-03-07 (N)Alibaba Group Holding Limited Key data processing method and apparatus, and server
JP7118088B2 (en) 2017-08-28 2022-08-15 アドバンスド ニュー テクノロジーズ カンパニー リミテッド Key data processing method and device, and server
US11356250B2 (en) 2017-08-28 2022-06-07 Advanced New Technologies Co., Ltd. Key data processing
CN113765657A (en) * 2017-08-28 2021-12-07 创新先进技术有限公司 Key data processing method and device and server
US11095437B2 (en) 2017-08-28 2021-08-17 Advanced New Technologies Co., Ltd. Key data processing method and apparatus, and server
EP3879751A1 (en) * 2017-08-28 2021-09-15 Advanced New Technologies Co., Ltd. Key data processing method and apparatus, and server
US10404455B2 (en) 2017-09-01 2019-09-03 Accenture Global Solutions Limited Multiple-phase rewritable blockchain
US10296248B2 (en) 2017-09-01 2019-05-21 Accenture Global Solutions Limited Turn-control rewritable blockchain
CN111585760A (en) * 2017-10-27 2020-08-25 财付通支付科技有限公司 Key retrieving method, device, terminal and readable medium
US11451391B1 (en) * 2017-11-01 2022-09-20 Pure Storage, Inc. Encryption key management in a storage system
US11461245B2 (en) 2017-11-16 2022-10-04 Accenture Global Solutions Limited Blockchain operation stack for rewritable blockchain
US11791992B2 (en) 2018-03-02 2023-10-17 Nchain Licensing Ag Computer implemented method and system for transferring control of a digital asset
US11431494B2 (en) * 2018-03-15 2022-08-30 Atakama LLC Passwordless security system for data-at-rest
US20230231727A1 (en) * 2018-04-05 2023-07-20 Nchain Licensing Ag Computer implemented method and system for transferring access to a digital asset
US20210152371A1 (en) * 2018-04-05 2021-05-20 nChain Holdings Limited Computer implemented method and system for transferring access to a digital asset
US11641283B2 (en) * 2018-04-05 2023-05-02 Nchain Licensing Ag Computer implemented method and system for transferring access to a digital asset
US11941610B2 (en) 2018-07-13 2024-03-26 Circle Internet Financial, Ltd Cryptocurrency securing system and method
US11386429B2 (en) * 2018-10-12 2022-07-12 Cybavo Pte. Ltd. Cryptocurrency securing method and device thereof
US11184169B1 (en) * 2018-12-24 2021-11-23 NortonLifeLock Inc. Systems and methods for crowd-storing encryption keys
US11924333B2 (en) * 2019-05-10 2024-03-05 Conduent Business Services, Llc Secure and robust decentralized ledger based data management
US11509459B2 (en) * 2019-05-10 2022-11-22 Conduent Business Services, Llc Secure and robust decentralized ledger based data management
US20230040235A1 (en) * 2019-05-10 2023-02-09 Conduent Business Services, Llc Secure and robust decentralized ledger based data management
US11201746B2 (en) 2019-08-01 2021-12-14 Accenture Global Solutions Limited Blockchain access control system
CN110830242A (en) * 2019-10-16 2020-02-21 聚好看科技股份有限公司 Key generation and management method and server
WO2021142541A1 (en) * 2020-01-13 2021-07-22 Brane Capital Systems and methods for digital asset security
US11522686B2 (en) 2020-07-16 2022-12-06 Salesforce, Inc. Securing data using key agreement
US11368292B2 (en) 2020-07-16 2022-06-21 Salesforce.Com, Inc. Securing data with symmetric keys generated using inaccessible private keys
US20220166616A1 (en) * 2020-11-24 2022-05-26 International Business Machines Corporation Key reclamation in blockchain network via oprf
CN117395000A (en) * 2023-12-06 2024-01-12 鼎铉商用密码测评技术(深圳)有限公司 Multiparty authorization method, multiparty authorization device and readable storage medium

Also Published As

Publication number Publication date
US9413735B1 (en) 2016-08-09

Similar Documents

Publication Publication Date Title
US9413735B1 (en) Managing distribution and retrieval of security key fragments among proxy storage devices
US11818272B2 (en) Methods and systems for device authentication
US10904234B2 (en) Systems and methods of device based customer authentication and authorization
US20210344678A1 (en) System for accessing data from multiple devices
US10348715B2 (en) Computer-implemented systems and methods of device based, internet-centric, authentication
US11128471B2 (en) Accessibility controls in distributed data systems
US9373001B2 (en) Distributed encryption and access control scheme in a cloud environment
JP5361894B2 (en) Multi-factor content protection
US20170063811A1 (en) Secure Transfer and Use of Secret Material in a Shared Environment
US10225084B1 (en) Method, apparatus and computer program product for securely sharing a content item
US10462112B1 (en) Secure distributed authentication data
US20220014367A1 (en) Decentralized computing systems and methods for performing actions using stored private data
CN110708291B (en) Data authorization access method, device, medium and electronic equipment in distributed network
US11095620B1 (en) Secure method, system, and computer program product for exchange of data
US8732481B2 (en) Object with identity based encryption
US10740478B2 (en) Performing an operation on a data storage
EP3455763B1 (en) Digital rights management for anonymous digital content sharing
US10341110B2 (en) Securing user credentials
US11244069B2 (en) Controlling combination of information submitted to computing systems
EP3886355B1 (en) Decentralized management of data access and verification using data management hub
US10382430B2 (en) User information management system; user information management method; program, and recording medium on which it is recorded, for management server; program, and recording medium on which it is recorded, for user terminal; and program, and recording medium on which it is recorded, for service server
US11012245B1 (en) Decentralized management of data access and verification using data management hub
US10931454B1 (en) Decentralized management of data access and verification using data management hub
US9607159B2 (en) Intelligent key selection and generation
Björklund KeySafe The platform-independent password safe with external security

Legal Events

Date Code Title Description
AS Assignment
Owner name: CA, INC., NEW YORK
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HIRD, GEOFFREY R.;REEL/FRAME:034758/0349
Effective date: 20150115

STCF Information on status: patent grant
Free format text: PATENTED CASE

MAFP Maintenance fee payment
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
Year of fee payment: 4

MAFP Maintenance fee payment
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
Year of fee payment: 8