SYSTEM AND METHOD FOR SECURELY STORING AND SHARING INFORMATION
20210385069 · 2021-12-09
Inventors
Cpc classification
H04L9/3239
ELECTRICITY
G06F21/6218
PHYSICS
H04L63/0861
ELECTRICITY
H04L9/083
ELECTRICITY
H04L2209/56
ELECTRICITY
G06F21/32
PHYSICS
H04L9/3073
ELECTRICITY
International classification
H04L9/08
ELECTRICITY
G06F21/62
PHYSICS
H04L9/32
ELECTRICITY
Abstract
The present application generally relates to systems, devices, and methods to conduct the secure exchange of encrypted data using a three-element-core mechanism consisting of the key masters, the registries and the cloud lockboxes with application programming interfaces providing interaction with a wide variety of user-facing software applications. Together the mechanism provides full lifecycle encryption enabling cross-platform sharing of encrypted data within and between organizations, individuals, applications and devices. Further the mechanism generates chains of encrypted blocks to provide a distributed indelible ledger and support external validation. Triangulation among users, applications and the mechanism deliver both enterprise and business ecosystem cyber security features. Crowdsourcing of anomaly detection extends to users and to subjects of the data. Robust identity masking offers the benefits of anonymization while retaining accountability and enabling two-way communications. The mechanism may also provide high availability through multi-level fail over or operations to multiple instances of the core mechanism.
Claims
1. A system for use by a plurality of participants within a community of interest, the system comprising: a tightly-coupled, distributed three-element-core mechanism consisting of: a registry, a key master, and a cloud lockbox configured to store data; wherein the three-element-core mechanism is configured to interface with a software application to provide triangulation for enabling the plurality of participants to securely share the data via the software application, the triangulation comprising: a 1.sup.st factor authentication to the software application, a 2.sup.nd factor authentication directly to the registry, bypassing the software application, and an authenticated application programming interface call from the application to the key master, thereby preventing unauthorized access to the data protected by the three-element-core mechanism.
2. The system of claim 1, wherein the 2.sup.nd factor user authentication employs at least one of a: one-time, periodic or continuous biometric input, password, and texted session code; to identity a participant of the plurality of participants.
3. The system of claim 1, wherein software application cross-verifies the 1.sup.st factor authentication by querying the registry regarding the status of 2.sup.nd factor authentication to the registry to prevent unauthorized access to the software application.
4. The system of claim 1, further comprising an identity management software configured to control the 1.sup.st factor user authentication for access to the software application, wherein the identify management software utilizes the 2.sup.nd factor authentication directly to the registry to prevent unauthorized access to the data protected by the three-element-core mechanism.
5. The system of claim 1, wherein biometric factors are utilized for the 2.sup.nd factor authentication with biometric profiles stored in one of the registry and the cloud lockbox to enable cross-device biometric authentication.
6. The system of claim 1, further comprising a proximity between a second device used for the 2.sup.nd factor authentication and a first device used for the 1.sup.st factor user authentication, thereby providing for an additional level of operational security.
7. The system of claim 1, further comprising a proximity between a second device used for the 2.sup.nd factor authentication and a first device used for the 1.sup.st factor authentication, wherein the proximity is in itself sufficient for the 2.sup.nd factor authentication in order to simplify user operations.
8. The system of claim 1, wherein unauthorized use of the application programming interface is detected and blocked due to the triangulation.
9. The system of claim 4, wherein the identity management software synchronizes with the registry user names for a participant of the plurality of participants in the software application it serves, thus that software application served by the identity management software cross-verifies the 2.sup.nd factor authentication with the registry to protect the software application from unauthorized access and to detect if the identity management software has been compromised.
10. The system of claim 1, wherein a systems administrator of the software application adheres to the 1.sup.st factor and 2.sup.nd factor authentication and whose access to the data protected in the mechanism is limited to privileges controlled by the authenticated application programming interface call from the software application to the key master.
11. The system of claim 1, wherein the registry and the key master are provisioned on a single computing instance.
12. The system of claim 1, wherein different organizations, or different departments within a single organization, separately manage the registry and the key master in order to improve operational security by minimizing access by a participant, department or organization to the core mechanism.
13. A system for use by a plurality of participants within a community of interest, the system comprising a tightly-coupled, distributed three-element-core mechanism consisting of: a registry, a key master, and a cloud lockbox configured to store data; wherein the three-element-core mechanism is configured to interface with a software application to generate a chain of encrypted blocks to serve as a distributed indelible ledger of transactions for a verification process in which the indelible ledgers are verifiable by a party or parties provided access to the chain of encrypted blocks.
14. The system of claim 13, wherein contents of the encrypted blocks in the chain are flexible for adapting to a specific use case.
15. The system of claim 13, wherein identity tokens and corresponding identity key pairs enable identity assertion within the chain of encrypted blocks.
16. The system of claim 13, wherein identity masking tokens and corresponding identity masking key pairs enable anonymity within the chain of encrypted blocks.
17. The system of claim 13, wherein the chain of encrypted blocks is configured to be transformed into additional and related chains of encrypted blocks to support a complex, multi-step use case.
18. The system of claim 13, wherein the verification process traverses all related chains of encrypted blocks.
19. The system of claim 16, wherein a participant may trace their own anonymized activity through a series of transactions and through all related chains of encrypted blocks.
20. The system of claim 13, wherein contents of a block include data encrypted with two or more cryptographic keys.
21. The system of claim 13, wherein the chain of encrypted blocks is configured to enable full public access to the chain of encrypted blocks for verification purposes.
22. The system of claim 21, wherein enabling full public access to the chain of encrypted blocks maintains anonymity of individual identities.
23. The system of claim 13, wherein the software application may process the chain of encrypted blocks without interaction with the three-element-core mechanism.
24. The system of claim 13, wherein the chain of encrypted blocks is replicated to multiple storage locations as blocks are generated.
25. The system of claim 13, wherein the system comprises a voting system, wherein the chain of encrypted blocks, identity tokens and corresponding identity key pairs, and masking tokens and corresponding making key pairs provide for a voting application that meets requirements of voter identification, anonymity of the ballot, and robust verification.
26. The system of claim 13, wherein the system comprises a smart contract system, wherein the chain of encrypted blocks, identity tokens and corresponding identity key pairs, and project tokens and corresponding project key pairs provide for a smart contract application.
27. The system of claim 13, wherein the system comprises a crypto currency system, wherein the chain of encrypted blocks, identity tokens and corresponding identity key pairs, masking tokens and corresponding masking key pairs, coin tokens and related data provide for a crypto currency application including commissioning a new coin offering.
28. The system of claim 27, wherein the crypto currency system adapts to trade any commodity.
29. The system of claim 13, further comprising hash values and digital signatures generated by multiple parties for the same data and configured to be used in the verification process.
30. The system of claim 13, wherein a single block may include segments encrypted with different key lengths or different encryption algorithms.
31. A system for use by a plurality of participants within a community of interest, the system comprising a tightly-coupled, distributed three-element-core mechanism consisting of: a registry, a key master, and a cloud lockbox configured to store data; wherein the three-element-core mechanism is configured to interface with a software application to enable de-identification of identities in a dataset or a transaction by generating and managing a masking token and a related masking key pair.
32. The system of claim 31, wherein a two-way communication between the recipient of the de-identified data and a subject of the data occurs while maintaining anonymity of a subject.
33. The system of claim 31, wherein data regarding the subject is added longitudinally to de-identified data while maintaining anonymity of a subject.
34. The system of claim 31, wherein the data provided to the recipient of the de-identified data is tokenized to prevent re-identification and to eliminate value of the data to a third party.
35. A system for use by a plurality of participants within a community of interest the system comprising a tightly-coupled, distributed three-element-core mechanism consisting of: a registry, a key master, and a cloud lockbox; wherein the three-element-core mechanism is configured to enlist the plurality of participants, wherein the participants are users of integrated software applications and subjects of protected data represented in the integrated software applications, to participate in a watchdog function to detect unauthorized activity regarding the protected data.
36. The system of claim 35, wherein the watchdog function queries the users and the subjects to determine appropriate and inappropriate types of activities related to the protected data.
37. The system of claim 35, wherein the watchdog function alerts the users and the subjects to activity deemed inappropriate related to the protected data.
38. The system of claim 35, wherein the users or subjects respond to the watchdog alert by one of blocking or allowing activity related to the protected data.
39. A system for use by a plurality of participants within a community of interest, the system comprising a tightly-coupled, distributed three-element-core mechanism consisting of: a registry, a key master, and a cloud lockbox configured to store data; wherein the three-element-core mechanism is configured to interface with a software application, for generating a vault that spans the three-element-core mechanism for securing the data, wherein elements of control are split across the registry, the key master, and the cloud lockbox, the elements of control including identity assertion, cryptography key pairs, unique file identifiers, and encrypted files.
40. The system of claim 39, wherein multiple vaults are generated for different sub-categories of data about one of a person, a project, a case or a mission to provide additional granularity for sharing access to the data and to micro segment the data by using numerous encryption key pairs.
41. The system of claim 39, wherein a file of the data to be protected is broken into small pieces and stored under separate, unrelated file identification numbers and wherein the pieces of the file are stored in different physical locations.
42. The system of claim 40, wherein a plurality of vaults are generated to represent a given person and are mapped to generate a unified view relative to a role of an individual for accessing the data associated with the person.
43. The system of claim 40, wherein a plurality of vaults are generated to represent a given project and are mapped to generate a unified view relative to a role an individual for accessing the data associated with the project.
44. The system of claim 39, wherein access to a vault is restricted by individual files or file groupings of the data or to one of deposit-only, read-only or metadata-only privileges.
45. The system of claim 39, wherein the interfaced software application is configured to retrieve the data and deliver the data directly to a workstation using the software application.
46. The system of claim 39, further comprising hash values for encrypted files stored in the registry, wherein the hash values enable verification that file contents are unaltered.
47. The system of claim 39, wherein the data stored in the cloud lockbox is replicated based on settings in the registry to another location.
48. The system of claim 40, wherein the system enables an enterprise to retain control and visibility of the data while the enterprise shares access to the data, thereby eliminating the need for duplication.
49. The system of claim 39, wherein the system enables an enterprise to utilize a uniform encryption solution across a plurality of applications, devices and organizations to eliminate data silos caused by incompatible encryption solutions.
50. The system of claim 39, wherein the system is configured to provision the vault on at least one of a public cloud, a private cloud, an on-premise operating environment, and a mobile operating environment.
51. The system of claim 39, wherein the key master is configured to encrypt a file of the data by generating a unique file identifier, wherein the unique file identifier refrains from providing an indication of a key required for decryption.
52. The system of claim 39, wherein the system is configured to use symmetric encryption either in place of or in combination with asymmetric encryption.
53. A system for use by a plurality of participants within a community of interest, the system comprising a tightly-coupled, distributed three-element-core mechanism consisting of: one or more registries, one or more key masters, and one or more cloud lockboxes; wherein the three-element-core mechanism is configured to interface with a software application to generate an identity assertion that spans a plurality of applications and organizations.
54. The system of claim 53, wherein the system is configured to represent an asserted identity with a plurality of masked identities.
55. The system of claim 53, wherein the system is configured to use a plurality of levels of identity verification to rank a quality of the identity assertion to enable the participants of the community of interest to make trusted decisions based on the quality of identity assertion.
56. A system for use by a plurality of participants within a community of interest, the system comprising a tightly-coupled, distributed three-element-core mechanisms consisting of: a registry, a key master, and a cloud lockbox configured to store data; wherein the three-element-core mechanism is configured to interface with a software application to form a multi-level hierarchy for caching and sharing the data to improve local response time and survivability of operations in the event of communications disruption or destruction of related equipment.
57. The system of claim 56, wherein the data comprises mission data, and wherein the system is configured to distribute and synchronize the mission data across the hierarchy prior to launch of a mission, during mission operations, and for post-mission assessments.
58. The system of claim 56, wherein during mission execution, the registry, the key master, and the cloud lockbox are configured to function independently with fail-over capability between the registry, the key master, and the cloud lockbox at any of the multiple levels of the hierarchy in the event of communications disruption or destruction of equipment.
59. A system for use by a plurality of participants within a community of interest, the system comprising a tightly-coupled, distributed three-element-core mechanisms consisting of: one or more registries, one or more key masters, and one or more cloud lockboxes configured to store data; wherein the three-element-core mechanism is configured to interface with one or more software applications, wherein the three-element-core mechanism is configured to internally manage and securely exchange keys.
Description
BRIEF DESCRIPTION OF THE FIGURES
[0036] The accompanying figures, which are incorporated in and constitute as part of the specification, illustrate various example systems, devices methods, and so on, and are used merely to illustrate various example embodiments. It should be noted that various components illustrated in the figures may not be drawn to scale, and that the various assemblies and designs illustrated in the figures are presented for purposes of illustration only, and should not be considered in any way as limiting.
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
FIGURE REFERENCE NUMERALS
[0059] The following reference characters identify the associated elements depicted in the figures describing the present invention. [0060] 112 Key Master [0061] 130 Cloud Lockbox [0062] 132 Non-SEED-Integrated Software [0063] 135 SEED-Integrated Software [0064] 137 Identity Management Software [0065] 138 Identity and Privilege Federation [0066] 139 List of Associated Usernames [0067] 160 Other Health-Related Entities [0068] 320 Executive Identity F [0069] 321 Identity Assertion F [0070] 322 Team Leader Identity G [0071] 323 Field Data Identity H [0072] 324 Researcher Identity J [0073] 325 Testing Identity K [0074] 326 Accounting Identity L [0075] 330 Project 5 [0076] 331 Vault F.5.a [0077] 332 Vault Token 20 [0078] 333 Key Pair 20 [0079] 334 Encryted Files 1 . . . n for Vault Token 20 [0080] 335 Project 6 [0081] 336 Vault F.6.a [0082] 337 Vault F.6.b [0083] 338 Vaults F.6.c . . . F.6.zz [0084] 339 File IDs for Vault Token 20 [0085] 340 Project 7 . . . n [0086] 341 Vaults F.7 . . . n.a . . . zz [0087] 342 Project 10 [0088] 343 Vault P.10.a [0089] 344 Block Vault P.10.b [0090] 345 Project 20 [0091] 346 Vault T.20.a [0092] 347 Block Vault T.20.b [0093] 350 Board of Elections Software [0094] 351 Voter ID Computer [0095] 352 Ballot Authorization Printer [0096] 353 Ballot Authorization Scanner [0097] 354 Voting Computer [0098] 355 Verifier's Software [0099] 356 Poll Worker 1 [0100] 357 Voter 1 [0101] 358 Voter 1 Identity [0102] 360 Voter 1 Identity Assertion [0103] 361 Voter 1 Identity Token [0104] 362 Voter 1 Identity Key Pair [0105] 363 Voter 1 Masking Token [0106] 364 Voter 1 Masking Key Pair [0107] 365 Voters 2 . . . n Identities [0108] 366 Voters 2 . . . n Identity Assertions [0109] 368 Poll Worker 2 [0110] 370 Election A [0111] 371 Data Loads for Voter ID and Voting Computers Vault [0112] 372 Completed Ballots Block Vault 1 [0113] 373 Completed Ballots Block Vault 2 . . . n [0114] 375 Verifier 1 Identity [0115] 376 Verifier 1 Identity Assertion [0116] 377 Race/Issue A Block Vault 1 [0117] 378 Race/Issue B . . . ZZ Block Vaults 1 [0118] 380 Verifier 2 . . . n Identity [0119] 381 Verifier 2 . . . n Identity Assertions [0120] 382 Race/Issue A . . . ZZ Block Vaults 2 . . . n [0121] 385 Election Results Block Vault 1 [0122] 386 Election Results Block Vault 2 . . . n [0123] 390 Elections B . . . ZZ [0124] 397 Voter ID Software [0125] 398 Voting Software [0126] 399 Workstation Ballot Application [0127] 400 Key Master Alpha [0128] 405 Trader 1 [0129] 406 SEED-Coin Application 1 [0130] 407 Key Master B [0131] 410 Trader 2 [0132] 411 SEED-Coin Application 2 [0133] 412 Key Master C [0134] 415 Verifier 1 [0135] 416 SEED-Coin Application 3 [0136] 417 Key Master D [0137] 425 Brokering Software [0138] 430 External Payment Gateway and Escrow [0139] 435 Payment Processors [0140] 450 Transactions Block Vault [0141] 451 Transactions Block Vault Duplicates 2 . . . n [0142] 460 Trader Identity 1 [0143] 461 Trader 1 Identity Assertion [0144] 462 Trader 1 Identity Token [0145] 463 Trader 1 Identity Key Pair [0146] 464 Trader 1 Masking Token [0147] 465 Trader 1 Masking Key Pair [0148] 466 Trader 1's Coin Vault [0149] 467 Trader 1's Transaction Vault 1 [0150] 468 Trader 1's Transaction Vaults 2 . . . n [0151] 470 Trader 2 Identity [0152] 471 Trader 2 Identity Assertion [0153] 472 Trader 2 Identity Token [0154] 473 Trader 2 Identity Key Pair [0155] 474 Trader 2 Masking Token [0156] 475 Trader 2 Masking Key Pair [0157] 476 Trader 2's Coin Vault [0158] 480 Verifier 1 Identity [0159] 481 Verifier 1's Identity Assertion [0160] 490 Traders 3 . . . n Identities [0161] 495 Verifiers 2 . . . n Identies [0162] 500 SEED Protocol [0163] 501 Core Components [0164] 505 Elements of Control [0165] 506 Identities & Permissions [0166] 507 Encrypted Files [0167] 508 Key Pair [0168] 510 Key Master Admin API [0169] 511 Key Master Admin [0170] 520 Key Vault [0171] 551 User A [0172] 553 New User [0173] 554 New User Application [0174] 557 Mobile Device [0175] 570 Consumer 1 Identity A [0176] 571 Identity Assertion A [0177] 572 Identity Token A.1 [0178] 573 Identity Key Pair A.1 [0179] 575 Category 1 [0180] 576 Category 2 [0181] 577 Categories 3 . . . n [0182] 578 Primary Care Physician Identity Assertion [0183] 580 Vault A.1.a [0184] 581 Vault Token 1 [0185] 582 Key Pair 1 [0186] 583 Encrypted Files 1 . . . n for Vault Token 1 [0187] 584 File IDs 1 . . . n for Vault Token 1 [0188] 585 Vault B.1.a [0189] 586 Vault Token 2 [0190] 587 Key Pair 2 [0191] 588 Encrypted Files 1 . . . n for Vault Token 2 [0192] 589 File IDs 1 . . . n for Vault Token 2 [0193] 590 Vault B.2.a [0194] 591 Vault Token 3 [0195] 592 Key Pair 3 [0196] 593 Encrypted Files 1 . . . n for Vault Token 3 [0197] 594 File IDs 1 . . . n for Vault Token 3 [0198] 595 Vault B.2.b [0199] 605 Vaults B.2.c . . . B.2.zz [0200] 606 Vaults B.3 . . . n.a . . . zz.3 . . . n [0201] 620 Registry [0202] 625 Watchdog [0203] 646 Consumer 1 [0204] 647 Primary Care Physician [0205] 648 Workstation Running SEED-Direct App [0206] 649 Workstation [0207] 651 Research Software [0208] 652 Non-Integrated Research Software [0209] 655 Masking Token A.1 [0210] 656 Masking Key Pair A.1 [0211] 661 Masking Token B.1 . . . n [0212] 662 Masking Key Pairs B.1 . . . n [0213] 670 Consumer 1 Identity B [0214] 671 Identity Assertion B [0215] 672 Identity Token B.1 [0216] 673 Identity Key Pair B.1 [0217] 674 Consumer 1 Identity C [0218] 675 Consumer 1 Identities C . . . ZZ [0219] 676 Identity Assertions C . . . ZZ [0220] 677 Vaults C.1.a . . . ZZ.1.a [0221] 678 Vault C.1.a [0222] 712 Old Key Master [0223] 714 New Key Master [0224] 725 Cyber Thieves [0225] 726 Rogue Insiders [0226] 727 Malware [0227] 728 Phishing [0228] 740 External Cryptography Service [0229] 741 Cloud Access Security Broker [0230] 742 Public or Private Cloud [0231] 750 Dissociative Masking [0232] 751 Analyst [0233] 754 Researcher [0234] 760 Healthcare Ecosystem [0235] 761 Specialist [0236] 762 Radiologist [0237] 763 Tracker [0238] 764 Lab [0239] 765 Payers [0240] 770 Project Ecosystem [0241] 771 Executive [0242] 772 Team Leader [0243] 773 Researcher [0244] 774 Field Data [0245] 775 Testing [0246] 777 Accounting [0247] 789 Squad Leader [0248] 790 Mission Planner [0249] 791 Soldier [0250] 792 Field Command [0251] 793 Squad or Platoon [0252] 794 User Interface and SEED APIs [0253] 795 Cloud Lockbox Isolated Mode [0254] 796 Key Master Isolated Mode [0255] 797 Registry Isolated Mode [0256] 798 Soldier's Handheld Device [0257] 799 Biometric Device [0258] 800 Registry A [0259] 801 Registry B [0260] 802 Registry C
DETAILED DESCRIPTION
Danger of Co-Mingled Functions
[0261] As we hear in the news every day, organizations and governments around the world struggle with the triple challenges of: securing sensitive data, sharing access for collaboration across a business ecosystem, and ensuring consumer privacy.
[0262] Non-SEED-Integrated Software 132 remains vulnerable due to co-mingling of functions as illustrated in
[0263] High privilege users, the most powerful being information technology professionals such as systems administrators, pose a particularly pernicious threat when they become Rogue Insiders 726 as depicted in reference numeral 6 or are themselves compromised by Cyber Thieves 725 as depicted in reference numeral 8. Rogue Insiders 726 thus pose an existential threat to the security of the data within the Non-SEED-Integrated Software 132 being responsible for some of the largest breaches as depicted in reference numeral 6.
[0264] 2nd factor authentication as depicted in reference numeral 2 helps reduce the threat; however, most 2nd factor solutions connect to the same Non-SEED-Integrated Software 132 thus reduces the ability to detect and stop unauthorized access. Once Cyber Thieves 725 or Malware 727 have established sufficient authority within the Non-SEED-Integrated Software 132, these intruders may bypass or spoof the 2nd factor authentication as depicted in reference numerals 4 and 5, respectively.
[0265] As an example, User A 551 may be tricked by Phishing 728 as depicted in reference numeral 7 to open an infected attachment that launches a Malware 727 that begins to take control of her Workstation 649. Once User A 551 completes 1.sup.st factor authentication using her Workstation 649 as depicted in reference numeral 1 and 2nd factor authentication from her Mobile Device 557 as depicted in reference numeral 2, then the Cyber Thieves 725 or Malware 727 have a trusted platform from which to launch additional phases of the criminal intrusion into Non-SEED-Integrated Software 132 numerals 4 and 5, respectively.
[0266] Enterprises deploy many cyber security tools to overcome these fundamental flaws with limited success. Product categories range from encryption, 2.sup.nd factor authentication, intrusion detection, and more. Within each of these categories, an enterprise deploys multiple, incompatible products. For instance, in encryption separate products generally address premise-based server encryption, cloud access security broker encryption, end-point encryption, and more.
[0267] Competing encryption solutions generally utilize symmetric encryption for data at rest with a single key protecting large quantities of data. External Cryptography Services 740 are sometimes deployed to provide encryption, decryption, and key management services for the Non-SEED-Integrated Software 132 as depicted in reference numeral 3. The External Cryptography Solution 740, though, responds to instructions from the Non-SEED-Integrated Software 132 as depicted in reference numeral 3. Thus, when the Non-SEED-Integrated Software 132 has been compromised by Cyber Thieves 725, Malware 727, or Rogue Insiders 726, the External Cryptography Service 740 continues to respond to the Non-SEED-Integrated Software 132 as depicted in reference numeral 3 without detecting the malicious activity.
[0268] Solutions for sharing data with business partners and consumers rely on duplicating data rather than sharing access to a single source of the information. Once shared, the originator has no control or knowledge of how the receiver protects or shares the data with others, further increasing the risks.
[0269] SEED Protocol Fundamentals
[0270] The systems, methods and devices described herein enables the secure exchange and sharing of encrypted data and shall be collectively referred to as the SEED Protocol 500 as illustrated in
[0271] The Elements of Control 505 utilized to control access to protected data include Identities and Permissions 506 governing access to the data, the Encrypted Files 507 which contain the protected data, and the Key Pairs 508 required to encrypt and decrypt the associated Encrypted Files 507. The Encrypted Files 507 may contain unstructured data or elements from a structured database stored, for instance, as JSON or XML files. The SEED Protocol delivers quantum-computer-resistant encryption using individualized or project centric asymmetric encryption, resulting in micro-segmentation encryption of the protected data that is computationally unbreakable.
[0272] The SEED Protocol 500 distributes the Elements of Control 505 across the Core Components 501 with Identities and Permissions 506 managed by the Registry 620, the Encrypted Files 507 managed by the Cloud Lockbox 130, and the Key Pairs 508 generated and managed by the Key Master 112. This separation of functions significantly improves security resilience by creating triangulation that requires approval by all three of the Core Components 501 for all deposits and retrievals of protected data. This results in the SEED Protocol 500 providing a no single point of failure cyber security solution.
Key Masters
[0273] Key Masters 112 create and manage asymmetric key pairs for themselves, individuals, organizations and devices. Key Masters 112 also provide encryption and decryption services for related applications such as SEED-Integrated Application 135.
[0274] A Key Master 112 generates its own asymmetric key pair and may share the public portion of the device-specific asymmetric key pair with the Registry 620 with which it associates. A Key Master 112 never shares its own private key.
[0275] Key Masters 112 may be provisioned as hardware appliances, dedicated servers, dedicated virtual servers, shared virtual servers, or any combination thereof. Hardware Key Masters 112 may scale horizontally, each serving a workgroup for instance, or scale vertically with multiple units serving the same large group of users. Virtual server Key Masters 112 may operate in on-premise or cloud environments. Virtual server Key Masters 112 may utilize auto-scaling to respond to changes in demand.
Registries
[0276] Registries 620 establish unique identities, verify authenticity, and create directories of individuals, members, organizations, Key Masters 112, Cloud Lockboxes 130 and other Registries 620. These directories may include public keys of all associated identities, components and devices.
[0277] The Registries 620 catalog all protected data files and the respective storage locations. The Registries 620 also manage permissions lists for access to encrypted files. In addition, the Registries 620 provide SEED-Direct 2.sup.nd factor authentication as describe herein.
Cloud Lockboxes
[0278] Cloud Lockboxes 130 manage encrypted files at rest, utilizing access controls of both the SEED Protocol 500 as well as the underlying file system. A Cloud Lockbox 130 may be implemented on public cloud, private cloud or premise-based storage, including on end-user devices. A given repository of files may occupy a single physical storage location or can be split across multiple physical locations.
[0279] Cloud Lockboxes 130 may be implemented on any file system with the inherent capabilities of that file system determining the level of related code required to support the SEED Protocol functions including but not limited to: [0280] On-premise storage area network, network addressable storage and other forms of storage; [0281] Cloud-based storage including both public and private infrastructure; [0282] Local storage such as a users' laptop computer.
[0283] Any storage that does not satisfy the SEED Protocol 500 requirements for a Cloud Lockbox 130 may be provided with a front-end software element to provide the needed functionality.
Watchdog
[0284] The Watchdog 625 adds an additional layer of triangulation by using machine learning to oversee activities of the Core Components 501 to detect unusual patterns of activity: in aggregate, based on activities by given users of the SEED-Integrated Software 135 applications, and across any subset of the protected data. The source of the data processed by the Watchdog 625 are the Core Components 501, and the application programming interfaces from SEED-Integrated Software 135 in the form of activity records produced by each step of a transaction.
[0285] The Watchdog 625 may further process external sources of data such as network activity “netflows” to further enhance the machine learning knowledge base, thus improving detection. Based on alerts from the machine learning, the Watchdog 625 may also be configured to halt access to protected data of any given user, of an entire SEED-Integrated Software 135 application, or to any subset of the protected data.
[0286] Similar to any other behavioral-based anomaly detection solution, the Watchdog 625 models normal behavior and alerts when activity exceeds behavioral norms. However, the Watchdog 625 benefits from: [0287] The closed network of the SEED Protocol 500 in which Core Components 501 should, under normal circumstances, communicate with a very narrow range of computers; [0288] The isolation of an organization's most valuable data within the Core Components 501 significantly narrows the detection focus; and [0289] The ability to “crowdsource” the creation of detection thresholds and anomaly response, as described herein, rather than just counting on detection from beleaguered information technology staff.
Communities of Interest
[0290] Any community of interest can establish its own operating parameters including: [0291] Selecting one or more asymmetric and/or symmetric encryption algorithms; [0292] Selecting a registry or registries; [0293] Establishing related membership requirements and identity verification thresholds; [0294] Selecting a cloud storage provider or providers at which to establish Cloud Lockboxes; [0295] Selecting from among the optional security measures; [0296] Determining hosting environments in which multiple hosting environments may be supported simultaneously; and [0297] Determining the minimum application integration levels.
Levels of Security
[0298] The SEED Protocol 500 can be deployed in various ways to achieve the security level desired by the community of interest ranging from: [0299] The stringent Federal Information Processing Standards 140-2 Level 4; [0300] Rigorous civilian standards for protecting confidentiality such as Health Information Portability and Accountability Act and the European Union General Data Protection Regulation; [0301] The relatively low-level security required for non-sensitive information; and [0302] And many levels in between.
[0303] The design traverses these various security levels based on: [0304] Deploying the key master as an appliance, thus keeping critical processes such as key management, encryption, and decryption within a hardened environment rather than running this software on a general purpose computer; [0305] Depth of integration with the applications; [0306] Depth of identity verification applied; [0307] Use of SEED-Direct 2.sup.nd factor authentication as described herein including use of a second device, a second network and a variety of biometric options; [0308] Organizational separation of control of the Core Components 501 as described herein; and [0309] Optional registered IP address restrictions.
Organizational Separation
[0310] Optimal security of the SEED Protocol 500 requires organizational separation of control over the individual elements that make up the Core Components 501. As an example, if a single person has high level access to both the Registry 620 and the Key Master 112, then an organization has vested too much control in a single person risking the integrity of the SEED Protocol 500 to a Rogue Insider 726 as depicted in
[0311] As with good accounting standards in which accounts payable is separate from accounts receivable, functional separation of the Core Components 501 improves security.
[0312] Control may be split within a single organization. For instance, the information technology department might manage a Registry 620 and Cloud Lockboxes 130 but not the associated Key Masters 112. The Key Master 112 could be managed by a different department such as human resources. Key Masters 112 operate semi-autonomously thus the administrative duties of a department such as human resources fits well with the required Key Master 112 management.
[0313] Control may also be split across organizations. For instance, an outside service provider might control the Registry 620, while the internal information technology staff controls the Key Masters 112, and a cloud hosting company controls the Cloud Lockbox 130.
[0314] One skilled in the art will recognize that multiple options existing for creating the desired organization separation of control over the Core Components 501.
Identity Assertion and Identity Masking
[0315] Upon establishing an identity for a person within the SEED Protocol 500, a Key Master 112 will create an identity assertion. This process will generate an identity token, an identity asymmetric key pair, and may generate one or more masking tokens and masking key asymmetric key pairs.
[0316] Using the healthcare industry as example as illustrated in
[0317] The SEED-Integrated Software 135 may use application programming interface (API) commands to establish a new SEED Protocol 500 identity for Consumer 1 646 as depicted in reference numeral 2.
[0318] In response, the SEED Protocol 500 establishes Consumer 1 Identity A 570 for Consumer 1 646. A Key Master 112 may then generate Identity Assertion A 571 which includes Identity Token A.1 572, and Identity Key Pair A.1 573 as depicted in reference numeral 7. Identity tokens, such as Identity Token A.1 571, may be shared with the Registry 620 and with SEED-Protected Software 135 as depicted in reference numerals 2 and 8 respectively.
[0319] To support anonymization, the Key Master 112 may also generate an Masking Key Pair A.1 656 and the related Masking Token A.1 655 for Identity Assertion A 571 as illustrated in
[0320] As illustrated in
[0321] While many aspects of the SEED Protocol 500 may operate without identity tokens and identity key pairs, the benefits of these aspects are vast and will be described herein.
Levels of Identity Assertion
[0322] One may create a ranking within the Registry 620 regarding the method of identity assertion to reveal to all parties the level of identity verification conducted when establishing any given identity in SEED Protocol 500. For instance, identity verification might be differentiated as follows: [0323] In-person with government issued identification document, [0324] In-person based on familiarity, [0325] Endorsed by other identity, [0326] On-line registration demographics question and answer, [0327] Invited by e-mail, and [0328] Self-registered with no proof of identity.
[0329] Individuals and applications could then utilize the identity assertion ranking to determine whether to trust any given identity assertion.
The Abstraction of Vaults
[0330] SEED Protocol 500 may be deployed to support many uses for any given person described herein as categories and vaults. The vault exists as an abstraction supported by all three components of the SEED Protocol 500.
[0331] As illustrated in
[0332] A Key Master 112 generates Vault Token 1 581 and corresponding Key Pair 1 582. The Key Master 112 shares the Vault Token 1 581 with the Registry 620, as depicted in reference numeral 8, and may share the Vault Token 1 581 with a SEED-Integrated Application 135 as depicted in reference numeral 2. The Key Master 112 retains the Vault Token 1 581 and Key Pair 1 582, but does not retain information regarding the Category 1 575 nor the Consumer 1 Identity A 570.
[0333] The Registry 620 retains the mapping of identity tokens to identities and vault tokens to vault categories.
Depositing a File
[0334] In the API call to deposit a file, a SEED-Integrated Application 135 transmits a file to a Key Master 112 for encryption as illustrated in
[0335] A Key Master 112 will encrypt the file received from SEED-Integrated Software 135 with the public key portion of Key Pair 1 582. A Key Master 112 also generates a file identification number (File ID) that uniquely identifies the file across the entire SEED Protocol 500 community of interest.
[0336] The Key Master 112 transmits to the Registry 620 the newly generated File ID, the Vault Token 1 581, and the identity of Primary Care Physician 647 as depicted in reference numeral 8. The Primary Care Physician 647 will be identified using an identity token established for the identity assertion of Primary Care Physician 647, or represented as a user name if an identity token has not been created.
[0337] The Registry 620 catalogs the new File ID among the File IDs 1 . . . n for Vault Token 1 584 and maps these to Consumer 1 Identity A 570 and Category 1 575. In addition, The Registry 620 catalogs and maps the permissions of other SEED Protocol 500 identities to access Vault A.1.a. 580. Access permissions may be granular down to the file level, groupings of files, or the entire contents of a vault.
[0338] The specific application of the SEED Protocol 500 may also include unencrypted metadata associated with the file to be deposited. In such cases, the Registry 620 may also receive such unencrypted metadata and append it to the catalog entry for a given file.
[0339] The Key Master 112 also shares the new file identification number with the SEED-Integrated Application 135 as depicted in reference numeral 2 for use in retrieving the file. The Key Master 112 does not retain the file identification numbers it creates. Multiple Key Masters 112 may contribute file identification numbers to File IDs 1 . . . n for Vault Token 1 584.
[0340] The Key Master 112 also transmits the encrypted file, identified with the new File ID, to the Cloud Lockbox 130, as depicted in reference numeral 10, to be added to the Encrypted Files 1 . . . n for Vault Token 1 583, a process that may involve a secure relay as described herein. Encrypted Files 1 . . . n for Vault Token 1 583 are the files associated with Vault A.1.a. 580, but the Cloud Lockbox 130 does not receive the vault token information, such as Vault Token 1 581. As a result, the Cloud Lockbox 130 only identifies the file by the unique file identification number such as File IDs 1 . . . n for Vault Token 1 584.
[0341] The deposit of the file to the Cloud Lockbox 130 from the Key Master 112 may utilize a secure relay as described herein or may be a direct transmission.
Retrieval of Protected Data
[0342] Retrieval of a file from Vault A.1.a 580 begins with an API call by the SEED-Integrated Software 135 to the Key Master 112 as illustrated in
[0343] If the Key Master 112 approves the API call, the Key Master 112 transmits the identity of the Primary Care Physician 647, Vault Token 1 581, and the requested File ID from the set of File IDs 1 . . . n for Vault Token 1 584 to the Registry 620 as depicted in reference numeral 8. The Registry 620 verifies whether Primary Care Physician 647 has permission to retrieve the specified file from Vault A.1.a 580 containing files related to Consumer 1 646.
[0344] If the Registry 620 denies the request, the denial is transmitted to the Key Master 112 as depicted in reference numeral 8 and the Key Master 112 returns an error code to the SEED-Integrated Software 135 as depicted in reference numeral 2.
[0345] If the Registry 620 approves the requested retrieval, then Registry 620 transmits a file retrieval request for the specific File ID to the Cloud Lockbox 130 as depicted in reference numeral 9. The Cloud Lockbox 130 generates a download token for the requested File ID which is returned to the Registry 620 as depicted in reference numeral 9. The download token may operate on a one-time basis and may further be time-sensitive in validity.
[0346] The Registry 620 transmits the download token to the Key Master 112 as depicted in reference numeral 8. Next, the Key Master 112 transmits the download token to the Cloud Lockbox 130 as depicted in reference numeral 10. The Cloud Lockbox 130 then transmits the encrypted file that corresponds to the requested File ID to the Key Master 112 as depicted in reference numeral 10.
[0347] The Key Master 112 then decrypts the file and transmits the contents to SEED-Integrated Software 135 as depicted in reference numeral 2, a transmission that may be encrypted with session encryption such as SSL/TLS.
Secure Relay Communications Option
[0348] One of ordinary skill in the art will recognize that the network environments hosting Key Masters 112 may restrict inbound communications to the Key Masters 112 and/or do not readily support direct Key Master 112-to-Key Master 112 communications or Key Master 112-to-Cloud Lockbox 130 communications.
[0349] An alternative solution illustrates the flexibility of the SEED Protocol 500 while maintaining the same level of security. The transmission of the file to the Cloud Lockbox 130 by the Key Master 112 may pass through the Registry 620 as an alternative method of communications. Key Masters 112 may maintain routine contact with Registry 620 in a type of polling process that lets Registry 620 both detect the status of Key Masters 112 as well as provide opportunities to transmit waiting files, keys, etc. to Key Masters 112 using the Registry 620 as a secure relay as depicted in reference numerals 8 and 9 as illustrated in
[0350] In such a secure relay configuration, the Registry 620 does not have the keys required to decrypt the file being relayed thus the security model is not affected. Furthermore, the secure relay for depositing files retains the authority of the Registry 620 over deposits to the Cloud Lockbox 130.
[0351] Furthermore, keeping the Registry 620 with authority over deposits enables additional features such as replicating files to multiple locations and rotating the storage locations of files.
[0352] One of ordinary skill in the art will recognize that the secure relay function could be similarly facilitated by the Registry 620 even if the secure relay utilizes some temporary caching storage location other than the Registry 620.
Heartbeat Monitoring
[0353] The Key Masters 112 routine contact with the Registry 620 also enables optional security features, using the contact as a form of “heartbeat” for the Key Master 112. For instance, a Key Master 112 that goes offline for a period of time may trigger the Registry 620 to disable that Key Master's 112 functions such as retrieving and decrypting files.
[0354] Similarly, a Key Master 112 that goes offline may, after reappearing online again, report its IP address information and, if equipped with a GPS chip, report its physical location. These data points would provide additional information for the Registry 620 to act upon.
[0355] One of ordinary skill in the art will recognize numerous ways in which these “heartbeats,” IP and location information about a Key Master 620 could be used to further improve the security of the mechanism.
Separation of Functions
[0356] The vault abstraction highlights the separation of functions and the isolation of data elements operating with the SEED Protocol 500 to improve security as illustrated in
[0357] The Registry 620 retains the information related to Consumer 1 Identity A 570, Category 1 575, the Vault Token 1 581, and the File IDs 1 . . . n for Vault Token 1 584. The Registry 620 does not, however, have the Encrypted Files 1 . . . n for Vault Token 1 583. The Registry 620 may receive the public key portion of Key Pair 1 582 from the Key Master 112 but will never receive access to the private key portion of Key Pair 1 582.
[0358] The Cloud Lockbox 130 retains the Encrypted Files 1 . . . n for Vault Token 1 583, but does not retain information regarding the Vault A.1.a. 580, the associated Vault Token 1 581, the Key Pair 1 582, the Category 1 575, or the Consumer 1 Identity A 570.
[0359] Thus, as illustrated in
Delivery Direct to Workstation in Client-Server Application
[0360] Data retrieved from the Core Components 501 would generally temporarily exist in an unencrypted state in the memory of the server hosting the SEED-Protected Software 135. Thus if a Cyber Thief 725 or Rogue Insider 726 had become deeply embedded in SEED-Protected Software 135, then he may be able to opportunistically siphon unencrypted data from the server memory as illustrated in
[0361] To combat such scenarios, a software designer may elect to deliver the decrypted file from the Key Master 112 directly to the Workstation 649 as illustrated in
[0362] Deposits of sensitive data may follow the reverse path with the Workstation 649 using an API call to a Key Master 112, as depicted in reference numeral 4, to submit data for encryption, cataloging, and storage. The subsequent File ID may be returned to the SEED-Integrated Software 135 as depicted in reference numeral 2 and, based on the design of the software, may be returned to the Workstation 649 as depicted in reference numeral 4.
[0363] Similarly, Workstation 649 could itself be equipped with encryption/decryption capabilities as well as generating and managing its own key pairs in accordance with the requirements of the community of interest as described herein. In such a configuration, Workstation 649 may generate and deposit as well as retrieve and decrypt files to/from the Core Components 501.
[0364] Alternatively, a Key Master 112 may serve as a go-between from the Workstation 649 encryption and decryption functionality and the Cloud Lockbox 130. For instance, in retrieving a file, a Key Master 112 could first decrypt the retrieved data and then re-encrypt the retrieved data file with the public key of Workstation 649. A Key Master 112 could then transmit the file to Workstation 649 for local decryption. A reversal of this process would provide the same go-between function for deposits of data to the Core Elements 501.
Activity Tracking-Only Vault Access
[0365] One may provide a very low level of access to a vault, allowing a party access to only the metadata retained by a Registry 620, enabling the ability to track activity that has occurred but not access any of the protected data.
Computing File Hash Values
[0366] To further assert the integrity of the data retrieved from the SEED Protocol 500, whenever the Key Master 112 encrypts a file, it may also generate a cryptographic hash value for the file using an algorithm such as MD5. The cryptographic hash value for the file is transmitted to the Registry 620 along with the corresponding File ID as illustrated in
[0367] In some instances, the Registry may apply a “hash-lock” based on metadata received from SEED-Integrated Software 135 or determined on another basis. The hash-lock would focus on information that should remain indelible, such as lab results from a blood test. The hash-lock would mean that the original hash generated for the file must remain the sole hash for that file.
[0368] In contrast, data subject to revision would result in different hash values for each generation of the file. For example, a file containing a draft patent application may be deposited by one co-inventor and later accessed by a second co-inventor. The original hash related to the file would assure the second co-inventor that the file has not been altered. After the second co-inventor re-deposits the file with his edits, a different hash value will be calculated for the revised draft patent application.
End-Point Encryption
[0369] Cloud Lockbox 130 capability may be extended to end point devices such as laptop computers. In such a scenario, the laptop-located-files may be: [0370] An extension of one or more existing vaults, receiving copies of files. [0371] One or more separate vaults each with unique key pairs.
[0372] A Key Master 112 functionality may be provided to the laptop user using a mobile computer fob, such as a computer in a USB format, to provide local processing and/or offline access to the encrypted files. Such offline access would require pre-authorization by a Registry 620 function or be supported by a mobile Registry 620 function, which may be provided using a mobile computer fob such as a computer in a USB format or other similarly capable device.
Support for Multiple Encryption Algorithms and Key Lengths
[0373] The SEED Protocol 500 may be configured to support a variety of asymmetric encryption algorithms and key lengths on a vault-by-vault basis. For instance, our initial configuration utilizes RSA encryption with 2,048 bit keys. A single Key Master 112 with sufficient processing capacity and memory may simultaneously support keys of various lengths and other encryption algorithms such as elliptical curve.
Support for Symmetric Encryption
[0374] While many benefits arise from the use of asymmetric encryption with the SEED Protocol 500 as described herein, the SEED Protocol 500 may also support symmetric encryption.
IP Address Restrictions
[0375] In addition to the methods of controlling access described herein, the SEED Protocol 500 may also be configured to restrict access to specific IP addresses of devices as asserted in either/both the Key Masters 112 and Registries 620.
Individual Initiation and Use of SEED Protocol Vaults
[0376] As illustrated in
[0377] For any given category such as Category 2 576, any number of vaults may be created and depicted as Vault B.2.a 590, Vault B.2.b 595, and Vaults B.2.c . . . B.2.zz 605. One purpose for creating multiple vaults in one category is to create another mechanism for differential sharing of data with various parties. For instance, Consumer 1 646 may elect to share Vault B.2.a 590 with her parents but share Vault B.2.b 595 only with her business partner.
SEED Ecosystem
Joining Multiple SEED Identities Created for the Same Person
[0378] As illustrated in
[0379] Rather than creating copies of data and/or merging the two identities for Consumer 1 646 into a single SEED identity, the Registry 620 may employ mapping of the two identities as depicted in reference numeral 4. After the mapping by the Registry 620, Primary Care Physician 647 will remain in control of Vault A.1.a. 580 and Consumer 1 646 will remain in control of Vault B.1.a 585. Primary Care Physician 647 will gain access to all, or any portion of, the contents of Vault B.1.a 585 as determined by Consumer 1 646. Consumer 1 646 will gain access to all, or any portion of, the contents of Vault A.1.a 580 as determined by Primary Care Physician 647. Thus, both parties will have real-time access to the up-to-date contents of both vaults as per the permissions established. Either Consumer 1 646 or Primary Care Physician 647 may delegate any level of control over their respective vaults, but the “ownership” of the vault remains with the originating party.
[0380] Naturally, this model may be extended to any number of vaults created by Other Health-Related Entities 160 to protect healthcare related data of Consumer 1 646. For instance, healthcare providers, insurance companies, testing laboratories, and other parties may create Consumer 1 Identities C . . . ZZ 675 and related Vaults C.1.a . . . ZZ.1.a 677 for storing the data created in relation to Consumer 1 646.
[0381] Similarly, the originators of Consumer 1 Identities C . . . ZZ 675, Primary Care Physician 647, or Consumer 1 646 may trigger similar mapping of Vaults C.1.a . . . ZZ.1.a 677 to expand the unified view of the data related to Consumer 1 646 as illustrated in
[0382] Also, one may imagine situations in which vaults from other Categories may be mapped to create a unified view of data associated with Consumer 1 646.
Avoiding Encryption Silos
[0383] This ability to map multiple vaults to create a shared set of data as illustrated in
[0385] Each of these encryption solutions utilize different encryption algorithms and varied methods of control. Sharing data among the various solutions requires both decryption and re-encryption. Interfaces built to create a unified corporate information system from the varied encryption solutions create attack surfaces for exploitation by Cyber Thieves 725, Malware 727, and Rogue Insiders 726, numerals 4, 5, and 6 respectively as illustrated in
[0386] In the normal course of business, a company's confidential data needs to be shared with one or more other companies. Such sensitive data may move repeatedly in whole or in part among parties as updated or based on process progression. As with internal exchange of data, these inter-company movements of data require that sensitive information be decrypted before sharing outside the company. The originator of the sensitive data has no idea how the receiving company protects the data, nor with what other parties the receiving company shares the sensitive data. When such sensitive information has been updated by one party, the other parties have no clear methodology for synchronizing the unknown number of copies.
Healthcare Ecosystem Organized Around the Patient
[0387] The SEED Protocol 500 offers a comprehensive solution to these issues by facilitating the sharing of a single set of data among multiple parties.
[0388] For instance, consider the example of integrating health care data from multiple providers, each using different electronic health care record solutions. As illustrated in
[0392] One of normal skill in the art will realize that the Healthcare Ecosystem 760 as illustrated in
[0393] The three SEED Identities for Consumer 1 646 have been joined as described herein as depicted in reference numerals 1 and 2 respectively. Despite the data regarding Consumer 1 646 being stored in three separate vaults, all three parties have real time access to the latest version of the data. One of normal skill in the art will realize that other parties, such as the Radiologist 762, may also be added to the Healthcare Ecosystem 760 for Consumer 1 646.
[0394] As illustrated in
[0395] Payers 765 may be added by Primary Care Physician 647 as depicted in reference numeral 3 to access the contents of Vault A.1.a. 580 as depicted in reference numeral 5. Such permission grants Payers 765 limited access to claims forms for Consumer 1 646 but not the additional healthcare data in Vault A.1.a 580. Similarly, Specialist 761 may grant Payers 765 as depicted in reference numeral 8 access to Vault Cia 678 as depicted in reference numeral 7. One of normal skill in the art will realize that access for Payers 765 to claim forms may be configured in numerous ways.
Internal Integration
[0396] The example provided in
Micro Segmentation Encryption
[0397] For any given individual, numerous asymmetric key pairs may be generated related to her identity, to vaults protecting information about her, and to vaults protecting information regarding projects in which she is involved. For instance, Consumer 1 646, as illustrated in
[0403] Other parties also generate asymmetric key pairs regarding Consumer 1 646 as illustrated in
[0406] This multitude of key pairs related to a single person such as Consumer 1 646 results in the micro segmentation encryption of sensitive data protected by the SEED Protocol 500. Rather than a single key protecting the records of many people as is common in symmetric encryption, in the SEED Protocol 500 a single asymmetric key pair may protect only a small portion of the data regarding a single person such as Consumer 1 646. This micro segmentation encryption creates insurmountable computational cracking hurdles due to the quantity of key pairs employed, impractical to crack even if one employed a quantum computer. While a quantum computer may decrypt the data protected by a single key pair, the computational effort to crack the contents of a large data set representing millions of people would remain infeasible.
[0407] Further, if one had both a set of keys and access to a Cloud Lockbox 130 containing the records of many patients, the File IDs of the encrypted files provide neither an indication of what keys are required to decrypt the file nor any link back to the identity of the patient whose data is in the file. Thus one would have to attempt decryption on every file in order to find out what files a stolen key might decrypt, if any, as the pertinent encrypted data may be stored in a different location.
Key Management
[0408] Unlike most implementation of asymmetric encryption, the key pairs in the SEED Protocol 500 are managed by the Core Components 501, primarily by the Key Masters 112. In some cases, such as SEED-Coin Application 1 406 as illustrated in
[0409] The SEED Protocol 500 encompasses multiple types of asymmetric encryption key pairs: [0410] Key Masters 112 generate: [0411] Their own public and private key pair, [0412] Identity key pairs and masking key pairs, and [0413] Vault key pairs. [0414] Individual workstations, in some use cases described herein, may generate their own key pairs.
Sharing Access to a Vault
[0415] In one of the more unorthodox aspects of the SEED Protocol 500, the respective Key Masters 112 may exchange private keys of specific vaults to share a common set of files. For instance, a Key Master 112 serving an individual, such as Consumer 1 646, as illustrated in
[0416] Similarly, Primary Care Physician 647 may authorize Specialist 761 to have access to some portion of Primary Care Physician's 647 files regarding Consumer 1 646 to which Specialist's 761 Key Master 112 does not currently have the private key required for decryption.
[0417] Primary Care Physician 647 updates permissions at Registry 620 for Specialist 761 to access all, or a designated portion of, Primary Care Physician's 647 files regarding Consumer 1 646 as illustrated in
Vault Private Key Exchange Process
[0418] The Specialist's 761 now has the permission in the Registry 620 to access files for Consumer 1 646 created by Primary Care Physician 647 and protected in Vault A.1.a 580. However, the Key Master 112 serving the Specialist 761 does not have the private key required to decrypt the files. related to Consumer 1 646 shared by Primary Care Physician 647.
[0419] In order to share a copy of the relevant private vault key, a Registry 620 transmits the public key of Specialist's 761 Key Master 112 to Primary Care Physician's 647 Key Master 112 as depicted in reference numeral 3 as illustrated in
[0420] To create the key exchange file, the Primary Care Physician's 647 Key Master 112 may assemble: [0421] Consumer 1 Identity A 570 identity token; [0422] Vault A.1.a 580 vault token; and [0423] Private key portion of Vault A.1.a 580 key pair.
The Key Master 112 serving the Primary Care Physician 647 then performs two levels of encryption on the key exchange file as follows: [0424] Level 1: Using the public key of Specialist's 761 Key Master 112; and [0425] Level 2: Using the private key Consumer 1 Identity A 570 created at the request of Primary Care Physician 647 for Consumer 1 646, serving as a digital signature by proxy.
[0426] Primary Care Physician's 647 Key Master 112 then transmits the encrypted key exchange file to Specialist's 761 Key Master 112 as depicted in reference numeral 7, a process that may utilize secure relay as described herein.
[0427] Upon receipt of the key exchange, Specialist's 761 Key Master 112: [0428] Decrypts the level 1 encryption using the private key of the Key Master 112 serving the Specialist 761; and [0429] Decrypts the level 2 encryption using the public key of Consumer 1 Identity A 570 retrieved from the Registry 620 as depicted in reference numeral 8.
[0430] This process can also be reversed to provide a mechanism for Primary Care Physician's 647 Key Master 112 to request deletion of a previously shared private key of Vault A.1.a 580 if Primary Care Physician 647 revokes access.
[0431] This approach also retains the benefit of the Registry 620 never knowing the decryption keys because the Registry 620 will not have the respective Key Masters' 112 private keys required to decrypt the exchanged keys.
[0432] Alternatively, rather than sharing the private keys of vaults, a Key Master 112 to Key Master 112 relay may achieve the same goals for sharing access to a single set of files. In this scenario, rather than passing the private key for the vault from Key Master 112 to Key Master 112, the exchange will instead progress as follows as illustrated in
Identity Private Keys
[0437] One of skill in the art will realize that tradition dictates that the private key portions of asymmetric key pairs related to identities are never shared due to concerns regarding non-repudiation and information security. To aid consumer mobility, the Core Components 501 do support the Key Master 112-to-Key Master 112 exchange of the private key of identity key pairs, such as Identity Key Pair B.1 673 as illustrated in
[0438] Securely sharing the private key of Consumer 1 Identity B 670 enables a secondary Key Master 112 to provide service to Consumer 1 646. For instance, Consumer 1 646 may utilize an at-home Key Master 112 appliance for day-to-day activities but when travelling does not have access to her at-home Key Master 112 due to a condition such as firewall settings in her home network. Thus, sharing the private portion of the asymmetric key pair for Consumer 1 Identity B 670 from her at-home Key Master 112 to a cloud-based Key Master 112 would enable full access to the SEED Protocol 500 while traveling.
[0439] When identity private keys are exchanged, the process is the same as used for the exchange of vault private keys as described herein: [0440] Level 1: Using the public key of the receiving Key Master 112, and [0441] Level 2: Using the private key of the identity to serve as a digital signature.
[0442] In terms of security of the protected information, possession of a private key for a vault or an identity is not in itself sufficient to compromise any protected data nor impersonate an individual, instead requiring successful triangulation as described herein.
[0443] The Key Masters 112 never share their own private keys. Thus, Key Masters 112 may assert their own identity using digital signatures. Key Masters 112 may also exchange data with other Key Masters 112 without any other device or software element in possession of either of the Key Masters' 112 private keys required to decrypt the Key Master 112-to-Key Master 112 communications.
[0444] One of ordinary skill in the art will recognize that the secure relay alternative method of communications as described herein may be used to facilitate key exchange for situations in which the networks to which Key Masters 112 are connected do not readily support direct Key Master 112-to-Key Master 112 communications.
Key Exchange and Non-Repudiation
[0445] In terms of the impact on non-repudiation, the SEED Protocol 500 does not rely on the identity key pair alone to deliver non-repudiation. Instead, the SEED Protocol 500 employs triangulation among SEED-Direct 2.sup.nd factor authentication, 1.sup.st factor authentication to the application accessing the Core Components 501, and authenticated API calls to the Key Master 112 as described herein.
Identity Masking and Dissociative Tokenization
[0446] Businesses of all kinds conduct analysis of company data to better understand trends and gain insights. The company data under analysis often contains valuable and sensitive data about customers, products, and market trends. Such aggregations of valuable and sensitive data create a risk of theft by Rogue Insiders 726 or external Cyber Thieves 725. Furthermore, companies often engage third parties to conduct data analysis, expanding the number of participants who have access to the valuable and sensitive data, resulting in the expansion of associated risks.
[0447] Masking identities has long been a practice to diminish the risks associated with data analysis yet re-identification has proven simpler than anticipated. With the addition of machine learning combined with an increase in the availability of large databases housing personal data, re-identification risks have risen drastically. Adding to the complexity, longitudinal research requires timely updates of the data set about any given individual, product, project, or other object of the analysis.
[0448] In addition, the individuals conducting the analysis may want to request further details about the object of analysis, e.g. ask a set of individuals represented in the data a question. Finally, particularly in relation to healthcare research, an individual who agrees to have his/her data included in a research program may want to check on the specifics of the analysis in their particular case. Traditional de-identification methods do not allow such two-way communications.
[0449] Finally, just because data has been de-identified does not mean that it loses all value in the wrong hands. For example, the consumer behaviors captured through web activity tracking offers valuable marketing insights to one's competitors even though the consumer identities have been masked.
[0450] The SEED Protocol's 500 dissociative masking may be used to: [0451] De-identify a data set, [0452] Dissociate the meaning of the data by tokenizing sensitive fields, [0453] Re-identify and re-associate as needed, [0454] Add to a de-identified data set longitudinally, and [0455] Enable two-way communications between individuals and researchers without compromising anonymity.
[0456] Given the tremendous impact of dissociative masking in supporting healthcare research, we use a healthcare example to illustrate the mechanism below.
[0457] Consumer 1 646, or Consumer 1's 646 designee such as her Primary Care Physician 647, authorizes contribution of Consumer 1's 646 data for medical research as illustrated in
[0458] Registry 620 flags Consumer 1 646 as a research participant and sends notification to a Key Master 112 as depicted in reference numeral 5. Key Master 112 sends Dissociative Masking 750 and Research Software 651 the selected masking token for Consumer 1 646, as illustrated in
[0459] Dissociate Masking 750 maintains tables of masking tokens for various patients, such as Consumer 1 646 mapped to various research programs.
[0460] Registry 620 sends a catalog digest to Key Master 112 including the file identification numbers of all files eligible for inclusion in research efforts from the patient such as Consumer1 646 identified with Consumer 1's 646 identity token as depicted in reference numeral 5.
[0461] Key Master 112 replaces identity token with corresponding masking token and forwards the digest to Dissociative Masking 750 as depicted in reference numeral 3. The same process may be repeated each time data eligible for inclusion in the research efforts is updated for Consumer 1 646.
[0462] An analyst, such as Analyst 751, who has already completed 1.sup.st factor and SEED-Direct 2.sup.nd factor authentication as described herein, uses Dissociative Masking 750 to create and transmit file retrieval requests to a Key Master 112 by using the file identification numbers provided in the digest of files eligible for inclusion in research efforts and the masking token of the related patient as illustrated in
[0463] To avoid abuse in the case that the Dissociative Masking 750 is hijacked by Cyber Thieves 725, retrieval processes from Dissociative Masking 750 may only trigger for a given patient such as Consumer 1 646 when: [0464] Consumer 1 646 initially consents to contributing data to research program, or [0465] New data has been added for Consumer 1 646 in the associated vaults, making detection of abnormal activity easily spotted by the Watchdog 625 function as described herein.
[0466] As with other retrieval processes by applications, the cross-verification among the Key Master 112, Registry 620, and Cloud Lockbox 130 will apply to retrievals by Dissociative Masking 750 as described herein.
[0467] Upon receipt of a new file for Consumer 1 646, Dissociative Masking 750 searches for and deletes personal identifiers, e.g. Consumer 1's 646 name in a continuity of care document. Dissociative Masking 750 performs any additional de-identification, such as removal of address as prescribed by agreement with patients, healthcare providers, and participating research programs.
[0468] Next, Dissociative Masking 750 performs tokenization as prescribed by agreement among patients, healthcare providers, and participating research programs. For instance, a translation table in Dissociative Masking 750 may convert medical diagnoses into tokens with the translation tables retained in Dissociative Masking 750. In this way, the data can be dissociated from personal medical information allowing for wide distribution of resulting data sets to data scientists searching for and analyzing patterns in the data but whose research does not require explicit revelation of the various medical conditions.
[0469] To be effective, Dissociative Masking 750 will have to be trained to understand the various types of documents and data sources being processed by people such as Analyst 751. Dissociative Masking 750 may elect not to process data files that do not adhere to a known field mapping, providing a process error message for further human intervention. Once the files have been processed, Dissociative Masking 750 may delete the original files to avoid retention of data meant to be de-identified or dissociated.
[0470] Consumer 1's 646 data has now been both de-identified and dissociated as agreed to among patients, healthcare providers, and participating research programs. The data of Consumer 1 646 is now ready for delivery to researchers such as Researcher 754 in accordance with the specific subset of data required by the research program being conducted with Research Software 651.
[0471] Dissociative Masking 750 may conduct either push or pull notifications to Research Software 651 regarding availability of new data as illustrated in
[0472] Given that the same masking token for Consumer 1 646 will be mapped to all eligible data sources, the Research Software 651 may construct a longitudinal record for Consumer 1 646.
[0473] Research programs may request additional information from Consumer 1 646 or her proxy using her masking token. A message is created by the Researcher 754 using the Research Software 651 as illustrated in
[0474] As an example to illustrate the use for such two-way communications, consider that the postal code and street address may have been removed from the de-identified data as part of the research agreement to avoid re-identification. Researcher 754 may, however, request additional location information if etiology of a medical condition is suspected to include a geographic clustering effect. Depending on the conditions of the research agreement, obtaining this additional information may require explicit consent from the patients such as Consumer 1 646.
[0475] Resulting amendments to the research agreements will be reflected in the data masking plan in Dissociative Masking 750. Rather than Consumer 1 646 directly providing additional information, the flow may proceed as with the original flow of data with Dissociative Masking 750 ensuring that personal identifiers remain absent from the data flows.
[0476] Consumer 1 646, or her designee, may also initiate communications with the researcher such as Researcher 754 to, as an example, retrieve any available results regarding her health uncovered in the study from Research Software 651. Naturally, for such a potentially sensitive data retrieval effort one would expect Consumer 1 646 or her designess had completed both 1.sup.st factor and SEED-Direct 2.sup.nd factor authentication as described herein.
[0477] As with all other types of transactions in the SEED Protocol 500, the movement of data for Dissociated Masking 750 and Research Software 651 would be logged and analyzed by the Watchdog 625 function, as well as made available for review by Consumer 1 646 and/or her designee.
[0478] Alternatively, one may envision a set of applications empowering Consumer 1 646 or her designee such as Primary Care Physician 647 to de-identity and dissociate Consumer 1's 646 healthcare records independent of any centralized application.
[0479] Alternatively, one may elect to allow Non-Integrated Research Software 652 to receive de-identified and dissociated data from Dissociative Masking 750 as illustrated in
Use of SEED Protocol for Projects, Missions, and Cases
[0480] One of normal skill in the art will understand that the SEED Protocol 500 mechanism may organize around a project, mission, or case instead of being person-centric. The operations of the mechanism remain the same as SEED Protocol 500 adapts to these varying use cases. Both project-centric and person-centric use cases may co-exist within the same SEED Protocol 500 instance.
[0481] As illustrated in
[0485] A Key Master 112 participating in the creation of a vault for a project, as with all vaults, creates a vault token and a corresponding key pair as described herein.
Project Ecosystem Organized Around a Project, Case, and/or Mission
[0486] One of normal skill in the art will realize that the Project Ecosystem 770, as illustrated in
[0487] Proceeding with project execution, consider the example Project Ecosystem 770 as illustrated in
[0488] Using Team Leader Identity G 322, Team Leader 772 creates Vault F.6.a 336 associated with Project 6 335 as depicted in reference numeral 2. Team Leader 772, using Team Leader Identity G 322, authorizes deposit and retrieve privileges for Vault F.6.a 336 to Field Data 774, Researcher 773 and, in the same manner, to other team members as depicted in reference numeral 2. Now, the Field Data Identity H 323 and Researcher Identity J 324 share real time access to Vault F.6.a 336. The access may be unrestricted or restricted to specific files or groupings of files as determined by Team Leader 772.
[0489] Similarly, Team Leader 772 using Team Leader Identity G 322 authorizes deposit and retrieve privileges to Vault F.6.a 336, as depicted in reference numeral 2, to Accounting 777 with restrictions to specific files or groups of files related to the accounting job function. Subsequently, Accounting Identity L 326 shares real time access to the specific files or groups of files in Vault F.6.a 336 as depicted in
[0490] Team Leader 772 may establish a second vault for Project 6 335 as depicted in reference numeral 4, which results in the generation of Vault F.6.b 337. Due to secrecy or other “need to know” purposes, Team Leader 772 may limit access to Vault F.6.b 337 to Testing 775 as depicted in reference numeral 6. Subsequently, the Testing Identity K 325, Team Leader Identity G 322, and Executive Identity F 320 share real time access to Vault F.6.b 337. Team Leader 772 may limit Testing 775 to deposit-only access wherein, as depicted in reference numeral 6, Testing 775 may deposit information but may not retrieve information.
[0491] One of normal skill in the art will recognize that any number of vaults may be created for any given project. Use of multiple vaults to segregate access, as illustrated in
Abstraction of the Cloud Lockbox and Option for Multiple Locations for Encrypted Files
[0494] Given that a Registry 620 catalogs storage location information on a file-by-file basis, the Registry 620 may designate any number of storage locations to serve the Cloud Lockbox 130 functions. As an example illustrated in
[0495] In logical extension, encrypted files could also be stored in local storage operated by Consumer 1 646 including, but not limited to, a laptop computer or mobile device such as a smartphone if such local storage operates within the functional requirements of a Cloud Lockbox 130 as illustrated in
[0496] While the initial implementation of SEED Protocol 500 utilizes a public cloud providing data replication, instances may occur in which it is helpful for the SEED Protocol 500 to replicate protected data. For example, as illustrated in
Levels of Integration
[0497] While the SEED Protocol 500 may be used to create a tightly coupled business ecosystem in which all parties share access to a single set of data, the solution offers logical stages of integration in which a single enterprise may commence with utilization of the SEED Protocol 500 and grow into wider use over time. For instance, an enterprise might pursue the following sequence in adoption of SEED Protocol 500: [0498] Level 1: Use for encrypted backup and archive. [0499] Level 2: Encrypt unstructured data files. [0500] Level 3: Engage SEED-Direct 2.sup.nd factor authentication. [0501] Level 4: Utilize for internal integration of applications surrounding a shared set of data. [0502] Level 5: Tokenize fields in relational databases. [0503] Level 6: Conduct selective exchange of data resulting in data duplication. [0504] Level 7: Conduct selective exchange of data using shared access to a common set of data. [0505] Level 8: Unify data across a business ecosystem.
One skilled in the art will recognize that any number of integration and adoption phases may be created to adapt to the particular needs and circumstances of the customer.
SEED-Direct 2.SUP.nd .Factor
[0506] To further bolster the security model, the SEED Protocol 500 supports triangulation as illustrated in
[0510] A higher level of security is obtained when the SEED-Direct 2.sup.nd factor authentication utilizes both a separate device and separate network from the original device and network used for 1.sup.st factor authentication to the SEED-Integrated Software 135. For instance, the 1.sup.st factor authentication may utilize a Workstation 649 and the internal local area network as depicted in reference numeral 1. SEED-Direct 2.sup.nd factor authentication, on the other hand, may use a Mobile Device 557 and a mobile carrier network, as depicted in reference numeral 3.
[0511] SEED-Direct 2.sup.nd factor authentication may employ a variety of biometric, password, and/or SMS texted session codes to identify User A 551 allowing for multi-factor authentication directly with the Registry 620 as depicted in reference numeral 3. The Registry 620 may verify the authentication event by comparing previously stored data related to User A 551, including previously stored biometric data. The Registry 620 may also generate one-time, time-sensitive passcodes to be transmitted to User A 551.
Continuous SEED-Direct 2.SUP.nd .Factor Authentication
[0512] For a higher level of security, continuous SEED-Direct 2.sup.nd factor authentication, as illustrated in
SEED-Direct 2.SUP.nd .Factor and Proximity
[0513] In the cases where a Mobile Device 557 is utilized for SEED-Direct 2.sup.nd factor authentication, the SEED-Direct 2.sup.nd factor process may support location-based information from the Mobile Device 557 to determine authorization for User A 551 to access data protected within the Core Operational Components 501 of SEED-Integrated Software 135 as illustrated in
[0514] As another option, in the cases in which a Mobile Device 557 is utilized for SEED-Direct 2.sup.nd factor authentication, SEED-Direct 2.sup.nd factor authentication may support proximity as an aspect of the authentication event. For instance, a Bluetooth connection between the Mobile Device 557 and the Workstation 649, as depicted in reference numeral 9, could be required to maintain authorization to access the SEED-Integrated Software 135 and the related data protected within the Core Operational Components 501.
SEED-Direct 2.sup.nd Factor with Single Envelope Implementation of Core Components 501
[0515] Although the Core Components 501 offer the most robust security when operated on three separate computing envelopes, one could operate a Key Master 112 and a Registry 620 of the Core Components 501 on a single computing instance using memory isolated application containers. Such a collapsed instance of the Core Components 501 retains the triangulation benefits illustrated in
SEED-Direct 2.sup.nd Factor Cross-Verifying 1.sup.st Factor Authentication
[0516] SEED-Direct 2.sup.nd factor authentication may also be used to verify 1.sup.st factor authentication to the SEED-Integrated Software 135 as illustrated in
[0517] Such verification would require that the SEED-Integrated Software 135 query the Registry 620, as depicted in reference numeral 4, prior to authorizing User A 551 access to the SEED-Integrated Software 135. Upon completion of User A's 551 first factor authentication as depicted in reference numeral 1, the SEED-Integrated Software 135 would issue an API call to the Registry 620, as depicted in reference numeral 4, to query whether User A 551 had completed SEED-Direct 2.sup.nd factor authentication.
[0518] Until Registry 620 affirmatively responds to the inquiry from SEED-Integrated Software 135, User A 551 will not have access to the SEED-Integrated Software 135. Error messages from the SEED-Integrated Software 135 may be used to alert User A 551 of the reason for failed authentication. The Registry 620 may also share data with the Watchdog 625 regarding failed authentication attempts. The Watchdog 625 may be configured to alert any number of concerned parties including User A 551, IT staff, compliance staff, etc.
[0519] This verification of 1.sup.st factor authentication may operate with or without the use of other features of the SEED Protocol 500 providing, for example, the benefits of the authentication triangulation without moving any data from the SEED-Integrated Software 135 into the Core Operational Components 501.
[0520] The addition of SEED-Direct 2.sup.nd factor to the 1.sup.st factor authentication to SEED-Integrated Software 135 enables the SEED Protocol 500 to detect a variety of breach scenarios. For instance: [0521] Hijacking of User A's 551 workstation through Phishing 728 as depicted in reference numeral 8; [0522] Compromise of User A 551's user account used by Cyber Thieves 725 as depicted in reference numeral 5 or Malware 727 as depicted in reference numeral 6; [0523] Unauthorized access by a Rogue Insider 726 as depicted in reference numeral 7.
Integration with Identity Management Software 137
[0524] Many organizations have implemented identity management strategies, using Identity Management Software 137 that, as illustrated in
[0528] The Identity Management Software 137 solutions may seamlessly integrate with the SEED Protocol 500. In this scenario, User A 551 uses Workstation 649 to complete 1.sup.st factor authentication with Identity Management Software 137 as depicted in reference numeral 1. User A 551 also completes SEED-Direct 2.sup.nd factor authentication with the Registry 620 using Mobile Device 557 as depicted in reference numeral 3. Then, Identity Management Software 137 may verify completion of User A 551 SEED-Direct 2.sup.nd factor authentication with a query to the Registry 620 as depicted in reference numeral 4 prior to authorizing User A 551 access to SEED-Integrated Software 135, Non-SEED-Integrated Software 132, and any other software associated with Identity Management Software 137.
[0529] While in many organizations User A 551 would have a single username and password for Identity Management Software 137, User A 551 may have multiple different usernames and passwords for software associated with Identity Management Software 137 such as SEED-Integrated Software 135, Non-SEED-Integrated Software 132, etc. The Identity Management Software 137 maintains a List of Associated Usernames 139 for User A 551. This list allows Identity Management Software 137 to, upon successful authentication to Identity Management Software 137 by User A 551, provide access to software associated with Identity Management Software 137, such as SEED-Integrated Software 135 and Non-SEED-Integrated Software 132.
[0530] Organizations adopting the SEED Protocol 500 may synchronize Identity Management Software 137 with the Registry 620 so that the Registry 620 has additional access to the List of Associated Usernames 139 for User A's 551. Such synchronization enables SEED-Integrated Software 135 and Non-SEED-Integrated Software 132 to query Registry 620 for verification of completion of User A 551 SEED-Direct 2.sup.nd factor authentication as depicted in reference numerals 5 and 6 respectively, providing triangulation to detect whether Identity Management Software 137 has been compromised by cyber thieves.
Watchdog 625 Crowdsourcing
[0531] Traditional anomaly detection solutions depend on the work of information technology professionals who are frequently over-tasked. Further exacerbating the situation, the many alerts generated by anomaly detection systems frequently result in alert fatigue. Thus many breaches go undetected for months.
[0532] The SEED Protocol 500 offers the opportunity to crowdsource anomaly detection, engaging users of the applications such as Primary Care Physician 647 and subjects of the data such as Consumer 1 646 as illustrated in
[0533] With users such as User A 551 and consumers such as Consumer 1 646 independently training the Watchdog 625 regarding levels of sensitivity for triggering alerts, a multitude of alert thresholds make it very difficult for Cyber Thieves 725 and Rogue Insiders 726 to determine an activity level that will evade detection. For instance, one consumer may elect to receive notification every time one of her medical records is accessed, while a second consumer may elect to receive notification only if his records are accessed outside of normal business hours, while yet a third consumer may elect to receive notification only if his records are accessed en masse.
[0534] Watchdog 625 training methods vary widely ranging from: text messaging queries and answers, to responses by users and consumers, to prompts in a SEED-Direct application, to a gamified web interface. The Watchdog 625 training may serve to both educate and determine alarm thresholds.
[0535] Responses to training prompts and activity alerts from users and consumers create a ledger to establish accountability.
Dynamic Distribution of Mission Data for Resilience
[0536] The flexibility of storage locations for the contents of a Cloud Lockbox 130 and related vaults, as described herein, enables the SEED Protocol 500 to be utilized for dynamic distribution of mission data to provide resilience in the event of communications disruptions and/or component destruction. For instance, the SEED Protocol 500 may be used to meet the information resiliency and secrecy needs for military activities across a battlespace including coordination with one or more allies. Full lifecycle encryption from the point of data creation protects data at-rest, in-motion, and as it traverses devices, applications and coalitions. This obviates the need for any additional network security such as VPNs. Since the SEED Protocol 500 is network-agnostic, the solution will function on any IP-capable network, adapting to varying speeds and quality.
[0537] As illustrated in
[0538] With the ability to establish multiple vaults for a single project or mission as described herein, the Mission Planner 790 may create separate vaults for various levels of secrecy. Similarly, if the mission is being coordinated with a coalition of forces from other countries, the Mission Planner 790 may create a separate vault for data to be shared with coalition partners. As with the example herein of using SEED Protocol 500 for managing projects, rather than duplicating data among the various vaults, a single participant's view of a mission will be crafted based on their role and the unification of the contents of various vaults will be crafted based on their level of privilege.
[0539] At the discretion of the Mission Planner 790 or based on pre-determined time intervals, the encrypted mission data will be distributed to one or more Squad or Platoon 793 instances of the Core Components 501 as depicted in reference numeral 2, populating the Cloud Lockbox 130 and the Registry 620 with the mission data.
[0540] Encrypted mission data is automatically cached and routinely synchronized prior to mission launch and distributed to the encapsulated Core Component 501 instances at various command levels, including to individual Soldier's Handheld Device 798 as depicted in reference numeral 3. Each Soldier's Handheld Device 798 may be pre-loaded with authentication data to support multiple soldiers, such as Soldier 791. Furthermore, the Soldier's Handheld Device 798 may be pre-loaded with data for multiple missions while preventing access to missions other than the current mission.
[0541] At the Squad or Platoon 793 level, the Core Components 501 may be provisioned on ruggedized hardware operating across the data communications network utilized by the Squad or Platoon 793.
[0542] Mission data, although distributed, may not be accessed until Mission Planner 790 releases the necessary vault-specific private keys required for decryption and authorizes Registry 620 to permit retrievals. As an example, until the Squad Leader 789 needs access to the data, the required private keys will not be sent from the Field Command 792 Key Master 112 to the Squad or Platoon 793 Key Master 112. Until the Mission Planner 790 releases the vault-specific private keys, no soldier in the Squad or Platoon 793 may access the mission data, even though the data will be accumulating in the Squad or Platoon 793 Core Components 501. When the mission data is released to the Squad or Platoon 793, Mission Planner 790 may elect to authorize only the Squad Leader 789 to access the mission data.
[0543] Once the mission is activated, updates and new information will flow up and down the chain of command including to/from individual soldiers such as Soldier 791. Soldier's 791 authentication to the Squad or Platoon 793 Core Components 501 utilizes Soldier's Handheld Device 798 and may include biometric methods, including possible continuous authentication using a Biometric Device 799 as depicted in reference numeral 6.
[0544] In normal operations, Soldier's Handheld Device 798 will primarily function as a user interface and authentication tool. If Soldier's Handheld Device 798 loses contact with the Squad or Platoon 793 Core Components 501, the Soldier's Handheld Device 798 may launch lightweight versions of the Core Components 501 so that Soldier 791 may still have access to the mission data. Such isolated function may require continued biometric authentication using a Biometric Device 799.
[0545] Soldier's Handheld Device 798 may use any communications channel to which it can connect, e.g. low signal strength LTE sufficient for text messages. Soldier's Handheld Device 798 resumes normal operations when sufficient network capacity is available for the device to reconnect to any Core Components 501 instance within the command hierarchy.
[0546] If the Soldier 791 is captured, he may trigger “capture mode” operations of the Soldier's Handheld Device 798. In this mode, as long as Soldier 791 remains in continuous biometric contact, the Soldier's Handheld Device 798 will continue to operate but degrade performance of information retrievals, retrieving only low-level intel and/or offer false intel (pre-loaded as part of mission planning data caching).
[0547] If in contact with any usable network, Soldier's Handheld Device 798 will return duress code and GPS location inside the encrypted heartbeat signal routinely sent from Soldier's Handheld Device's 798.
[0548] One skilled in the art will recognize that this dynamic distribution of mission data may also be applied to a variety of other use cases such as intelligence field operations and disaster response operations.
SEED-Chain of Encrypted Blocks
[0549] Many companies pursue blockchain implementations primarily due to the distributed indelible ledger and distributed validation features of the technology; however, blockchain's tremendous computational effort in reversing cryptographic functions through brute force cracking results in low transaction volume and high costs in compute power and the related electricity consumption.
[0550] These overhead factors diminish the peer-to-peer promise of blockchain as the complexity and cost of running a node relegates most participants to working through “exchanges,” i.e. the very middlemen blockchain is purported to eliminate. The exchanges have turned out to be the weak link in blockchain security with many large breaches affecting crypto currencies and smart contracts.
[0551] The cryptographic tools built into SEED Protocol 500 provide the option to construct next generation chains of encrypted blocks\that deliver distributed indelible ledgers and distributed validation, while maintaining very high transaction volume and consuming nominal amounts of electricity, which we call SEED-Chain herein. Combined with its cyber security features, the SEED Protocol 500 powers end-to-end protection for the next-generation blockchain applications using SEED-Chain.
[0552] The use cases described herein provide examples of how the SEED Protocol 500 may be used to generate chains of encrypted blocks for creation of distributed indelible ledgers suitable for distributed validation. These examples are themselves not exhaustive in detail regarding the relevant use cases nor are the examples intended to be limiting in the ways in which SEED-Chains of encrypted blocks may be created and used. Rather, the examples explain the general mechanisms and approaches.
Block Vaults
[0553] Vaults created for storing blocks in chains, thus named “block vaults,” have both similarities and differences from the SEED Protocol 500 vaults discussed up to this point, offering tremendous flexibility to accommodate a variety of use cases. All vaults, including block vaults, have related tokens, key pairs, file identification numbers, and encrypted files as described herein. Blocks are specialized encrypted files utilized to implement specific business processes. Blocks and block vaults utilize additional features such as differential encryption for varied portions of a block as well as use case dependent modifications to the protocol among the core components and the integrated applications. A given chain of encrypted blocks may be entirely contained within a single block vault or distributed across multiple block vaults.
[0554] When a block vault is established, conditions specific to block vaults are also automatically established: [0555] Blocks may be deposited by any authorized party but may not be deleted. [0556] Blocks may be retrieved by any authorized party but may not be deleted. [0557] Blocks may not be altered and re-deposited, a condition which may be verified in multiple ways as describe herein. [0558] Blocks may be automatically and simultaneously replicated to any number of block vaults.
[0559] Optionally, one may require that all processing of blocks occurs within an application fully integrated into the SEED Protocol 500.
Flexible Block Contents
[0560] For the examples in this application, a block in a SEED-Chain may include any of the following elements: [0561] Entire block encrypted with, depending on the use case, either the public key or private key portion of the block vault key pair: [0562] Unique File ID generated by a Key Master 112, which also serves as the filename for the block. File IDs are unique across the entirety of a SEED Protocol 500 community of interest as described herein. [0563] Block sequence number that is unique to the related chain of encrypted blocks and is generated by a Registry 620 for the associated File ID generated by a Key Master 112. [0564] Date/Time/KM Token generated by a Key Master 112 that serves as a unique identifier of the block creation event, unique across the entirety of a SEED Protocol 500 community of interest as described herein. [0565] Identity token or identity masking token as described herein of the subject of the data in or of the originator of the block. [0566] Additional metadata pertinent to the specific use case. [0567] Hash value of the 2.sup.nd portion of the block, if applicable. [0568] 2.sup.nd portion of the block encrypted with, depending on the use case, the private key or public key portion of key pair related to identity token or masking token contained in the first portion of the block: [0569] Date/Time/KM Token as in first portion of the block. [0570] Data elements specific to the use case.
[0571] One of ordinary skill in the art will recognize that many possible configurations exist for SEED-Chain, which are intended to be covered by the present application.
Voting Example Using Masking Tokens and SEED-Chains of Encrypted Blocks
[0572] The use of SEED Protocol 500, including the SEED-Chain and masking token capabilities, offers a uniquely powerful solution to the voting process. Voting represents a difficult use case due to the conflicting requirements to: [0573] Verify voter identity prior to voting; [0574] Maintain voter anonymity in relation to the votes he casts; [0575] Enable third party audit of the votes and vote counting to verify the accuracy, validity, and absence of tampering; and [0576] Enable voter verification of ballot contents and vote counting of his individual ballot selections.
[0577] The SEED Protocol 500 uniquely addresses all four requirements. The following paper proof of an election management solution offers one of many possible configurations of the SEED Protocol 500 to satisfy the requirements.
[0578] A Board of Elections interfaces Board of Elections Software 350 into the SEED Protocol 500 as illustrated in
[0579] Board of Elections Software 350 establishes voter identities using Application Programming Interface (API) calls to the Key Master 112 as illustrated in
[0580] As illustrated in
[0585] The Core Components 501 may return to the Board of Elections Software 350 voters' identity tokens, such as Voter 1 Identity Token 361, and may return the public portion of Voter 1 Identity Key Pair 362. The masking tokens and masking key pairs, such as Voter 1 Masking Token 363 and the Voter 1 Masking Key Pair 364, remain in the Key Master 112 rather than being shared with the Registry 620 or with the Board of Elections Software 350.
[0586] Alternately, the Core Components 501 may translate voter identification numbers utilized within the Board of Elections Software 350 to voter identity tokens such as Voter 1 Identity Token 361.
[0587] A Key Master 112 may also create a file containing Voter 1 Masking Token 363 and encrypt it with the public key portion of Voter 1 Identity Key Pair 362. The Key Master 112 may use Voter 1's Identity Token 361 to deposit the resulting file containing the Voter 1 Masking Token 363 into Voter 1's Cloud Lockbox 130, as described herein as depicted in reference numeral 7 as illustrated in
[0590] At any given time before the election, the Board of Elections Software 350 generates data sets for both the voter identification stations, such as Voter ID Computer 351, and the voting computers, such as Voting Computer 354 illustrated in
[0591] As illustrated in
[0592] Data sets for the voter identification computers, such as Voter ID Computer 351, will include necessary demographic information about each voter, each voter's identity token such as Voter 1 Identity Token 361, and ballot variation information, e.g. related to specific precincts, party affiliations, etc. These voter identification data sets may be encrypted and stored in a vault, such as Data Loads for Voter ID and Voting Computers Vault 371 as depicted in reference numeral 13 as illustrated in
[0593] Data sets for the voting computers, such as Voting Computer 354, will include the vault token for the designated completed ballots block vault such as Completed Ballots Block Vault 1 372, and the ballot variations, e.g. based on differences by precinct, party affiliation, etc. These voting computer data sets may be encrypted and stored in a vault such as Data Loads for Voter ID and Voting Computers Vault 371 as illustrated in
[0594] As illustrated in
[0595] Similarly, a poll worker, such as Poll Worker 2 368 logs into the Board of Elections Software 350 using Voting Computer 354 by using both 1.sup.st factor authentication as depicted in reference numerals 8, and SEED-Direct 2.sup.nd factor authentication using a Mobile Device 557 as described herein. Once authenticated, Poll Worker 2 368 may activate the download from the Core Components 501 of the data load specified for the Voting Computer 354 as depicted in reference numeral 3 as illustrated in
[0596] Each voter ID computer, such as Voter ID Computer 351, and voting computer, such as Voting Computer 354, may have unique identification numbers generated by the Board of Elections Software 350 or by a Key Master 112 used to better control access to API calls and which may be included in resulting blocks. Each voter ID computer such as Voter ID Computer 351 and voting computer such as Voting Computer 354 may also utilize unique application programming interface authorization keys assigned by the Core Components 501 that are utilized to further tighten access to API calls.
[0597] As voting commences, voters such as Voter 1 357, first confirm their identities at the voter identification station manned by a poll worker such as Poll Worker 1 356 using Voter ID Computer 351. At the completion of the voter identification process, the Poll Worker 1 356 will have determined within the Voter ID Computer 351 the appropriate ballot variation for Voter 1 357. The Voter ID Computer 351 will generate a ballot number for the voter such as Voter 1 357. API calls from the Voter ID Computer 351 to the Core Components 501 may contain the identity token for the poll worker such as Poll Worker 1 356.
[0598] The Voter ID Computer 351 will then conduct an API call to the Registry 620, providing the voter identity token, such as Voter 1 Identity Token 361, the ballot variation identifier and the unique identification number for Voter ID Computer 351 as depicted in reference numeral 2 as illustrated in
[0599] The Key Master 112 creates a ballot authorization containing the voter's masking token such as Voter 1 Masking Token 363, the ballot variation identifier, and the unique identification number for Voter ID Computer 351. Then, the Key Master 112 transmits the ballot authorization to a printer such as Ballot Authorization Printer 352 as depicted in reference numeral 4 as illustrated in
[0600] After successful printing of the ballot authorization by the Ballot Authorization Printer 352, the Key Master 112 returns a completion code to the Registry 620 as depicted in reference numeral 6 as illustrated in
[0601] Voter 1 357 takes printed ballot authorization and scans at the voting station using the Ballot Authorization Scanner 353. The Voting Computer 354 presents the designated ballot variation. Voter makes selections, reviews selections, and finalizes the ballot. Naturally, the Voting Computer 354 may be equipped with accommodations for the visually impaired.
[0602] Voting Computer 354 transmits to a Key Master 112 as depicted in reference numeral 3 as illustrated in
[0609] This transmission may include the identity token of the poll worker such as Poll Worker 2 368.
[0610] A Key Master 112 generates the File ID for the received ballot, which is unique across the entirety of the SEED Protocol 500 community of interest. The Key Master 112 sends the File ID and the token for the completed ballots block vault, such as Completed Ballots Block Vault 1 372, to a Registry 620 as depicted in
[0611] The Key Master 112 then generates a Date/Time/Key Master token that is unique across the entirety of the SEED Protocol 500 community of interest.
[0612] Next, The Key Master 112 generates a completed ballot block reflecting Voter 1's 357 selections that contains the following elements: [0613] Encryption with public key portion of block vault pair for block vault such as Completed Ballots Vault 1 372: [0614] Block sequence number, [0615] File ID of the completed ballot block, [0616] Date/Time/KM Ballot Token, [0617] Voter 1 Masking Token 363, [0618] Ballot variation number, [0619] Voting computer ID, [0620] Hash value for 2.sup.nd portion of block; [0621] 2.sup.nd portion of block contained within the first portion, with secondary encryption using the private key portion of Voter 1 Masking Key Pair 364 serving as a digital signature by proxy: [0622] Races A . . . ZZ=Candidates 1 . . . n, [0623] Issues 1 . . . n=For or against selections for each respective issue, [0624] Date/Time/KM Ballot Token.
Depositing the Completed Ballot
[0625] As illustrated in
[0626] After successfully forming and depositing the completed ballot block, a Key Master 112 confirms completion by returning to the Voting Computer 354 the Date/Time/KM Ballot Token and the Transaction Number as depicted in reference numeral 3 as illustrated in
[0627] As configured by the Board of Elections, a Registry 620 may replicate the completed ballot blocks to any number of pre-determined block vaults and storage locations as long as such storage locations adhere to the attributes of a Cloud Lockbox 130 and the associated block vaults.
[0628] The Key Master 112 may separately encrypt specific voter election data consisting of either: [0629] the File ID, and the Date/Time/Key Master Token, or [0630] the entirety of the completed ballot,
with the public key portion of Voter 1 Identity Key Pair 362. The Key Master 112 may then use Voter Identity Token 361 to deposit the encrypted voter election data into Voter 1's Cloud Lockbox 130 as depicted in reference numeral 7 as illustrated in
[0631] While a Registry 620 will catalog the File IDs associated with completed ballots and may know that the referenced file contains a completed ballot, a Registry 620 can neither decrypt the voter's voting data nor learn the mapping of the masking tokens to identity tokens, such as Voter 1 Masking Token 363 to the Voter 1 Identity Token 361.
Authorized Verifiers and Board of Elections
[0632] Authorized verifiers, including the Board of Elections, may operate Verifier's Software 355, any variation of which may be acceptable if the software complies with the SEED Protocol 500. Each verifier shall establish their identity in the SEED Protocol 500, such as Verifier 1 Identity 375 as depicted in reference numeral 5 as illustrated in
[0633] The verifier's software such as Verifier's Software 355, may be integrated with the SEED Protocol 500, including complying with configuration requirements of the application programming interfaces. Prior to gaining access to any data, verifiers such as Verifier 1 Identity 376 may complete 1.sup.st factor authentication with the Verifier's Software 355 and SEED-Direct 2.sup.nd factor authentication as described herein.
[0634] Verifier's Software 355 is authorized through the SEED Protocol 500 with the following privileges as illustrated in
[0641] A Verifier's Software 355 may decrypt or request that a Key Master 112 decrypt one ballot at a time. Once a completed ballot has been decrypted, a Verifier's Software 355: [0642] Verifies that the File ID and Block Sequence Number in a Registry 620 matches the File ID and Block Sequence Number in ballot block, [0643] Verifies the hash value of the 2.sup.nd portion of the block, and [0644] Verifies that the Date/Time/KM Ballot Token in the 1.sup.st section of the block matches the Date/Time/KM Ballot Token in the 2.sup.nd portion of the block, and
[0645] Depending on the agreed upon contents of the completed ballot blocks, verifiers may also cross check data points such as the voting computer identification, validity of ballot variations, etc.
[0646] Next, The Verifier's Software 355 creates or utilizes pre-created block vaults for each race/issue such as Race/Issue A Block Vault 1 377 and for additional race/issues using vaults such as Race/Issue B . . . ZZ Block Vault 1 378 numerals 7 and 8 respectively as illustrated in
[0647] For any given race/issue, such as Race/Issue A, the Verifier's Software 355 creates one block for each vote for deposit in the race/issue vault such as Race/Issue A Block Vault 1 377 as depicted in reference numeral 7 as illustrated in
[0648] The race/issue vote block may contain the following data elements: [0649] Encrypted with the public key of the associated race/issue block vault. [0650] Block sequence number assigned by a Registry 620 for this block in this race/issue block vault as described herein for block sequence numbers assigned for completed ballot blocks. [0651] File ID created by a Key Master 112 for this block in this race/issue block vault. [0652] Block sequence number from associated completed ballot block. [0653] File ID from the associated completed ballot block. [0654] Date/time/key master token from completed ballot block. [0655] Race/Issue identifier. [0656] Race/Issue vote value. [0657] Verifier identity token. [0658] Attestation by verifier encrypted with private portion of verifier's identity key pair serving as a digital signature.
[0659] For deposits to race and issue vaults, the Verifier's Software 355 may conduct the required encryption and decryption or may issue application programming interface calls to a Key Master 112 to conduct the encryption. The Verifier's Software 355 may proceed to populate additional race/issue block vaults such as Race/Issue B . . . ZZ Block Vault 1 378 as depicted in reference numeral 8 as illustrated in
[0660] Verifier 2 . . . n Identity 380 may commence simultaneously with vote counting, the processed contents of the Completed Ballots Block Vault 1 372, or other Completed Ballot Block Vaults 2 . . . n 373 as illustrated in
[0661] A Verifier's Software 355 may post a vote tally for any given race/issue in an election's results block vault such as Election Results Block Vault 385 as depicted in reference numeral 12 as illustrated in
[0669] The Board of Election Software 350 may query the Election Results Block Vault 385 and Election Results Block Vaults 2 . . . n 386 to establish official vote tallies based on confirmation of counts from multiple verifiers.
[0670] A Board of Elections may also open the vote counting process to the general public. As one skilled in the art will realize, many suitable methods could be developed to count the votes. If a self-deputized verifier found discrepancies, the Board of Election may enlist the help of one or more recognized and integrated verifiers to analyze the results from the self-deputized verifier.
[0671] To perform the tracking of an individual's vote, the voter such as Voter 1 357 may grant the application verifying the vote access to his Voter 1 Masking Token. The vote verification application may retrieve the Date/Time/KM Ballot Token of Voter 1's 357 completed ballot from a completed ballots vault, such as Completed Ballots Block Vault 1 372 as depicted in reference numeral 4 as illustrated in
[0672] Verifiers, including a Board of Elections, or other third parties, may streamline the ability of individual voters to verify that their own vote was properly counted by creating a separate log of the: [0673] Date/Time/Key Master Token [0674] Token for Race/Issue A Block Vault 1 372 and File ID. [0675] Tokens for Race/Issue B . . . ZZ Block Vault 1 378 and File IDs.
[0676] Such access may be automated using a simple desktop or mobile application with which the voter, after authenticating to the SEED Protocol 500, may trace their own ballot based on the unique Date/Time/KM Token created by the Key Master 112 serving the Voting Computer 354.
[0677] The SEED-Vote design uniquely tackles the combined challenge of maintaining the anonymity of the ballot and enabling robust integrity and multi-party verification of the vote.
Data Elements, Origins, Sources and Retention
[0678] As illustrated in
[0687] As illustrated in
[0690] Also, as illustrated in
[0694] Investigations of election irregularities would benefit from the unprecedented ability to trace a detailed replay of the voting activities through poll workers, voters, specific voting machines, voter identification computers, the distributed indelible ledgers of the completed ballots blocks, and the stages of the vote counting process.
TABLE-US-00001 TABLE 2 SEED-Chain Vote Counting Data Elements Voting Computer 354 [Vote] Origin Source Retn Voter Masking Token KM Auth Vrfd Ballot Variation # VID Auth Vrfd Voter ID Computer # KM Auth Vrfd Voting Computer ID KM Vote Vrfd Completed Ballots KM Vote Vrfd Block Vaults Token Completed Ballot Vote Vote Vrfd Date/Time/KM KM KM Vrfd Ballot Token Transaction # Vote Vote Vrfd Race/lssue Block Vault [RIV] Origin Source Retn Encrypted with public key of Block Vault Block Sequence # R KM Pers File ID KM KM Pers Ballot Block R Vote Pers Sequence # Ballot File ID KM Vote Pers Date/Time/KM KM V Pers Ballot Token Race/Issue BoE V Pers Identifier Race/Issue Vote Vote V Pers Value Verifier's KM V Pers Identity Token Encrypted with private portion of Verifier's identity key pair to serve as digital signature Attestation V V Pers Ballot Block Vaults [BV] Origin Source Retn Encrypted with public key of Block Vault Block Sequence # R KM Pers File ID KM KM Pers Date/Time/KM KM KM Pers Ballot Token Voter Masking Token KM Vote Pers Ballot Variation # VID Vote Pers Voting Computer ID KM Vote Pers Hash Value of 2.sup.nd KM KM Pers Block Portion Encrypted with private key of Voter Identity Masking Pair to serve as digital signature by proxy Race A . . . ZZ = Vote KM Pers Candidate 1 . . . n Issue 1 . . . n = Vote KM Pers Selection A or B Date/Time/KM KM KM Pers Ballot Token Verifiers Software 355 [V] Origin Source Retn Sequence # of R BV Temp Ballot Block File ID of Ballot KM BV Temp Block Voter Masking Token KM BV Temp Public portion of KM KM Temp Voter Masking Key Pair Date/Time/KM KM BV Temp Ballot Token Ballot Variation # VID Vote Temp Hash of 2.sup.nd Portion KM Vote Temp of Ballot Block Completed Ballot Vote BV Temp
[0695] The SEED Protocol 500 may support any number of elections such as Elections B . . . ZZ 390 as illustrated in
[0696] One of normal skill in the art will see that numerous variations of the SEED Protocol 500 mechanism may be employed to support voting and other activities requiring both positive identification and anonymity.
Enabling Remote Voting and Other Interactions with Voters
[0697] The face-to-face voter identification process creates the opportunity to establish strong online identity assertion within the SEED Protocol 500 that may be used to support remote voting and other types of electronic interactions among voters and their local, county, state, and federal governments. Commercial entities may also elect to trust identity assertion backed by the various boards of election that adopt SEED Protocol 500. Likewise, a board of elections may elect to accept identification processes from others, such as driver license bureaus.
[0698] At any time during the in-person voter identification and voting process, the voter such as Voter 1 357 may voluntarily establish a password for future 1.sup.st factor authentication to Voter ID Software 397 as illustrated in
[0699] Establishing credentials for both 1.sup.st factor and SEED-Direct 2.sup.nd factor authentication enables votes, such as Voter 1 357, to remotely access his own voting data that may have been deposited in the Cloud Lockboxes 130 established by a Board of Elections as described herein, but also to participate in remote voting.
[0700] At the same time, the Board of Elections may offer Voter 1 357 the opportunity to join in crowdsourced anomaly detection as described herein, further strengthening the integrity of the election process.
[0701] Subsequently, voting may be conducted from anywhere on the planet. A voter such as Voter 1 357 may complete 1.sup.st factor authentication to the Voter ID Software 397 using a Workstation 649 running Workstation Ballot Application 399 as depicted in reference numeral 1 as illustrated in
[0702] Once fully authenticated, Voter ID Software 397 may query the version of the Workstation Ballot Application 399 running on voter's Workstation 649 and update it accordingly as depicted in reference numeral 1 as illustrated in
[0703] As with the in-person voting process, the Voter ID Software 397 will send Voter 1 Identity Token 361, ballot variation number, and Voter ID Software's 397 unique identifier to the Registry 620, which will in turn transmit this data to a Key Master 112 as depicted in reference numerals 3 and 5 respectively as illustrated in
[0704] The Key Master 112 will send the Voter 1 Masking Token 363 and the ballot variation number to Voting Software 398 as depicted in reference numeral 6 as illustrated in
[0705] One of normal skill in the art will recognize that the remainder of the remote voting process, as illustrated in
Alternative Configurations
[0706] One skilled in the art will recognize any number of modifications of the elections mechanism described herein.
[0707] As an example of the flexibility of the SEED Protocol 500, when the Board of Elections Software 350 prompts the generation of voter identities, the resulting identity and masking tokens could be encrypted and stored in a Cloud Lockbox 130 and then be purged from the Key Master 112. Later as the election draws near, the identity tokens and masking tokens may be loaded into the Key Master 112.
[0708] Further, each polling place could be equipped with dual, load balancing Key Masters 112. The download of voter identification information could then also prompt the decryption and download of voter identity and masking tokens to the Key Masters 112 at the specific polling place. This approach would further disperse the mapping of identity tokens to the related masking tokens, segmenting the mapping to individual polling places.
[0709] As another example of the flexibility of the SEED Protocol 500, rather than using the voter masking token such as Voter 1 Masking Token 363 in the ballot block vault, a key master may instead generate a unique token used only one time that may not in any way be mapped back to the individual voter. While this ensures privacy of the ballot, one loses the ability for an individual to trace their own vote through the process and, generally, erodes some of the methods that could be used to verify the integrity of the election. However this may be an acceptable trade-off in situations in which even the minutest risk of identifying the voter to his ballot must be avoided.
Validation Without SEED Protocol 500 Integration
[0710] In creation of blocks and block vaults, many variations may be employed to support different use cases. For instance, in the election example described herein, the ballot block vaults are encrypted with the public key of the key pair for the block vault. This implies a need for one who wishes to access the block vault to have permission to do so. An alternative approach that is the most open configuration would be to: [0711] Use the private key of the block vault key pair to encrypt the block, [0712] Provide public read-only access to the block vault, [0713] Publish the public key of the block vault, and [0714] Publish the public keys for the voter identity masking key pairs.
[0715] Under these conditions, anyone would be able to access and validate the contents of a chain of encrypted blocks without using any other portions of or being integrated with the SEED Protocol 500.
Smart Contract Example of SEED-Chains of Encrypted Blocks
[0716] As another example of the power and flexibility of SEED-Chain, consider the application for “smart” contracts often discussed in relation to blockchain use cases. In this example of the smart contract use case, it is assumed that the identities of the parties do not require masking. One of normal skill in the art will recognize that by using identity masking tokens as in the voting example described herein, one may construct instead an anonymous smart contract solution.
[0717] Consider a project involving three; Party A, Party B and Party C in which identities do not need to be masked as illustrated in
[0724] The three parties may share a single vault for the project or, more likely, establish their own vaults for the project as illustrated in
[0728] As described herein, any party may elect to establish any number of vaults associated with a given project. Also, as described herein, the parties may elect to share the entirety of any vault's contents with other parties or may select specific files or file groups to share with other parties.
[0729] Given that the parties agreed to utilize SEED Protocol 500 SEED-Chains, they will need to establish at least one vault as the destination for the block deposits from the various parties. As illustrated in
[0733] The Registry 620 will duplicate the chain blocks to all three associated vaults created for this purpose. Any of the parties may also allow access to external verifiers if so desired, most likely requiring consent from the other parties.
Smart Contract Block Contents
[0734] One of the many options for content and structure of the blocks follow.
[0735] Encrypted with public key portion of block vault key pair: [0736] Unique File ID generated by a Key Master 112 that also serves as the filename for the block. File IDs are unique across the entirety of a SEED Protocol 500 community of interest as described herein. [0737] Block sequence number that is unique to the related SEED-Chain and is generated by a Registry 620 for the associated File ID generated by a Key Master 112. [0738] Date/Time/KM Token generated by a Key Master 112 that serves as a unique identifier of the block creation event across the entirety of a SEED Protocol 500 community of interest as described herein. [0739] Party Taking Action. [0740] Type of Action. [0741] Identity token of user authorizing action. [0742] Hash value of 2.sup.nd portion of block. [0743] 2.sup.nd Portion encrypted with private key portion of authorizing User's actions identity key pair serving as a digital signature: [0744] Associated File ID, e.g. of a related contract. [0745] Hash of Associated File ID contents. [0746] Date/Time/KM Token.
[0747] In the same way that one may map overlapping healthcare identities as described herein, the sharing configured in the Registry 620 provides a view of the project from the perspective of the different parties. For instance, Executive F will see Project 6 335 with: [0748] Vault F.6.a 336 that she owns, controls, and shares with others as needed. [0749] Vault P.10.a 343 as content, shared by Party B. [0750] Vault T.20.a 346 as content, shared by Party C. [0751] Block Vault F.6.b 337 as the location for blocks from all parties.
[0752] As one skilled in the art will realize, many options exist for variation on the project-related SEED-Chains: [0753] The block may include an entire file rather than simply a reference to the associated file in the form of the associated File ID. [0754] Blocks may be generated for internal actions as well as party-to-party actions to provide visibility into progress within one party for another party, e.g. verify whether invoice been approved for payment and passed to accounts payable. [0755] Metadata retained by a Registry 620 may be particularly useful in helping the parties determine which blocks they may want to inspect.
[0756] All parties may inspect all blocks but access to related File IDs may be restricted to specific parties as described herein. For instance, as illustrated in
[0757] Parties may validate a block as the following process: [0758] Stage 1 validation: [0759] Decrypt 1.sup.st portion of block with private key of block vault to verify that the block sequence number and File ID match between the Registry 620 and the block contents. [0760] Inspect data elements in 1.sup.st portion of block. [0761] Stage 2 validation: [0762] Decrypt 2.sup.nd portion of block with public key for the identity token of person authorizing action to verify digital signature. [0763] Verify Date/Time/KM is the same in 1.sup.st portion and 2.sup.nd portion. [0764] Verify hash value of 2.sup.nd portion of block. [0765] Verify hash of contents of associated File ID (if access to associated file allowed).
[0766] Parties may agree to invite external validators to conduct stage 1 only, or stage 1 and stage 2 validation, by providing access to the vault(s) containing the blocks, the private key of the block vault, and the public keys of related identity tokens. The security of the SEED Protocol 500 will not be compromised in the verification process because verifiers: [0767] Gain access to identity tokens of users authorizing actions and the associated public keys, but do not learn the users' identities. [0768] Gain access to File IDs, but not to the vault tokens where the associate files reside. [0769] Gain access to block vault tokens and the related private keys, but not to project vault tokens nor related keys.
[0770] If identity masking is needed, one may use masking tokens and corresponding masking key pairs of users authorizing actions for creating the blocks.
Support for Crypto Currencies
[0771] One of normal skill in the art may see how SEED Protocol 500 vaults, controlled by individuals as described herein, may be used as a “wallet” for storing tokens and cryptographic keys used in the exchange of any type of crypto currency. One may wed such a mechanism to the smart contract use case, as described herein, to create a payment mechanism. Beyond wallet functionality, the SEED Protocol 500 may be used to support distributing and trading any crypto currency by providing an end-to-end crypto currency solution using SEED-Chain coupled with the cyber security features described herein.
[0772] The SEED Protocol 500 may also generate unique crypto currencies, which we will refer to as SEED-Coin herein. The SEED-Coin use case illustrates the full range of crypto currency features of the SEED Protocol 500. Given the ability for true peer-to-peer operations, the verification of transactions may be conducted by the parties to a transaction. In the example presented herein, we have included 3.sup.rd party verifiers.
[0773] As illustrated in our exemplary SEED-Coin configuration depicted in
[0776] As illustrated in
[0780] As with the SEED-Coin software application, the Brokering Software 425 and External Payment Gateway and Escrow 430 provide useful functions as described herein, but are not required for all possible configurations for the SEED-Coin mechanism.
Initialization of the SEED-Coin Application
[0781] The SEED-Coin application software generates its own asymmetric public/private key pair as per the encryption algorithm and key length requirements of the community of interest being joined. Upon registration with the SEED Protocol 500, the SEED-Coin application such as SEED Coin Application 1 406 will provide its own public key to the Registry 620 as illustrated in
[0782] The Core Components 501 will generate and return a unique workstation identifier and API key for the SEED-Coin application software instance to use in operations within the SEED Protocol 500 as depicted in reference numerals 2 and 1. The workstation identifier and API key may further be restricted to the specific hardware running the SEED-Coin application.
[0783] For all SEED-Coin operations, we assume in this example that traders and verifiers will complete both 1.sup.st factor authentication to their respective workstations running the SEED-Coin application and SEED-Direct 2.sup.nd factor authentication using a Mobile Device 557 as described herein.
[0784] One skilled in the art will recognize that the workstation running the SEED-Coin application may employ additional security features to restrict access to the SEED-Coin application software to a specific user of the workstation, and that such access may require entry of a username and password or other form of authentication.
[0785] A single workstation running the SEED-Coin application software may participate in multiple SEED Protocol 500 communities of interest. The SEED-Coin software application functions could also be implemented within other software solutions such as those operating smart contracts.
Coin Vaults
[0786] As illustrated in
[0790] This triple encryption creates a very high level of security. For example, if Trader 1 405 wants to retrieve and decrypt a file from her Trader 1 Coin Vault 466, the program requires: [0791] For first level action by the Core Components 501 as with any retrieval from a SEED Protocol 500 vault as describe herein, [0792] For the second level action by her own Key Master B 407, in which the private portion of the masking key pair is isolated; and [0793] For the third level, action by her own SEED-Coin App 1 406 in which the private portion of the SEED-Coin App 1 406 private key is isolated.
[0794] As with all vaults in the SEED Protocol 500, a coin vault such as Trader 1's Coin Vault 466 may utilize any storage media including, but not limited to, the workstation being used by the trader to run the SEED-Coin application, removable media such as USB drives, alternative cloud storage, and on-premise network addressable storage, etc. For storage media that does not adhere to the requirements of a Cloud Lockbox 130, the SEED-Coin application may fulfill the unmet Cloud Lockbox 130 functions for the storage media of choice.
Selling a Crypto Currency Coin
[0795] While crypto currencies may be used to purchase goods or services, the example herein will focus on the sale of a coin owned by Trader 1 405 to Trader 2 410. The transaction process may be modified to support the use of any crypto currency. For the remainder of this example, we will assume the sale of a SEED-Coin.
[0796] Coin sellers and buyers may find one another using match making software such as Brokering Software 425 as illustrated in
Traders Agree
[0797] Trader 1 405 and Trader 2 410 will negotiate details of the transaction, which may include trader-to-trader encrypted messaging provided by the SEED-Coin application running on their workstations as illustrated in
[0798] Trader 1 405 will authorize Trader 2 410 to access to Trader 1's Pending Transaction Vault 467 as depicted in reference numerals 1 and 2 as illustrated in
[0799] Once agreement has been reached, Trader 1's 405 Key Master B 407 generates a pending transaction and deposits it in Trader 1 Transaction Vault 467, as depicted in reference numerals 2 and 4 as illustrated in
[0800] Trader 1 405 may operate multiple transaction vaults such as Trader 1's Transaction Vaults 2 . . . n 468. For simplicity of operations and security, Trader 1 405 may utilize a separate transaction vault for each pending transaction.
[0801] Next, Key Master B 407 provides the File ID of the pending transaction to the Registry 620, SEED-Coin Application 1 406, Key Master C 412, and SEED-Coin Application 2 411 with as depicted in reference numerals 2, 1, 3, and 5 respectively as illustrated in
[0802] The Registry 620 then posts the File ID of the pending transaction, along with the vault token for Trader 1 Transaction Vault 467, to its public record for the SEED-Coin sequence number being sold. This serves as public notification that the given SEED-Coin is the subject of a pending transaction. The Registry 620 allows only one pending transaction per SEED-Coin sequence number to prevent double spending.
[0803] Trader 2 410 uses SEED-Coin App 2 411 to confirm that Trader 1 405 recorded the pending transaction with the Registry 620 as illustrated in
[0806] Trader 1 405 then uses SEED-Coin App 1 406 to confirm that payment from Trader 2 410 has been received by External Payment Gateway and Escrow 430 as depicted in reference numerals 1, 2, and 9.
Transferring the Coin
[0807] Once receipt of payment has been confirmed in External Payment Gateway and Escrow 430, Trader 1 405 uses SEED-Coin App 1 406 to transfer the SEED-Coin being sold from Trader 1's Coin Vault 466 to Trader 2 410. The transfer includes: [0808] SEED-Coin Token, [0809] Sequence number of the SEED-Coin, [0810] Date/Time/KM Token of the SEED-Coin, [0811] Trader 1's Transactions Vault 467 Token, and [0812] File ID of Pending Transaction.
[0813] The SEED-Coin transfer file contents are triple encrypted as illustrated in Table 5 with: [0814] 1.sup.st level using public key of Trader 2's Key Master C 412, [0815] 2.sup.nd level using public key of Trader 2's Identity Key Pair 473, and [0816] 3.sup.rd level using public key of Trader 2's SEED-Coin Application 2 411 key pair.
[0817] These three layers of encryption provide tremendous security for the transfer of the coin such that: [0818] 1.sup.st level: Only Trader 2's Key Master C 412 may decrypt the outside of the SEED-Coin transfer file because Key Masters 112 never share their device-specific private key required for decryption, allowing for a wide variety of transmission methods without risk of exposure; [0819] 2.sup.nd level: Trader 2 410 will need to have completed 1.sup.st factor and SEED-Direct 2.sup.nd factor authentication to access the private portion of Trader 2 Identity Key Pair 473 required for decryption; and [0820] 3.sup.rd level: Trader 2 410 will require access to his workstation running the SEED-Coin Application 2 411 to access the private portion of the SEED-Coin Application 2's 411 key pair required for decryption.
[0821] Coin transfer could be accomplished without the use of the SEED-Coin Application 2 411 in which case level 3 of encryption would not apply. Even using only level 1 and level 2 encryption for the coin transfer as described herein, the coin transfer file could be publicly posted without risking compromise of the SEED-Coin due to the computationally unbreakable encryption.
[0822] Trader 2 410 may use the SEED-Coin Application 2 411 to verify the authenticity of the transferred SEED-Coin by comparing the contents of the coin transfer, the pending transaction, and the currently valid transaction block to verify, among other data points, the: [0823] Date/Time/KM Token of SEED-Coin in transfer to Date/Time/KM Token of SEED-Coin contained in the preceding transaction; [0824] Sequence number of SEED-Coin in the transfer to the sequence number contained in preceding transaction and to the sequence number recorded in the Registry 620; and [0825] File ID contained in preceding transaction comparing, the File ID recorded in the Registry 620 for the given SEED-Coin sequence number.
[0826] After confirming the SEED-Coin, Trader 2 410 uses SEED-Coin Application 2 411 to receive the coin and deposit it in his own Trader's 2 Coin Vault 476, which may include use of Trader 2 Masking Key Pair 475. Then, Trader 2 410 uses SEED-Coin Application 2 411 to send coin transfer acceptance acknowledgement to Trader 1's 405 Key Master B 407 and SEED-Coin Application 1 406 as illustrated in
Signing the Transaction
[0827] Once the SEED-Coin transfer has been acknowledged, Trader 1's 405 Key Master B 407 computes the hash value of the transaction, encrypts the hash value with private key of Trader 1 Identity Key Pair 463, and deposits the results in the Trader 1's Transaction Vault 1 467 as illustrated in
[0828] Next, Trader 2's Key Master C 412 computes the hash value of the transaction, encrypts the hash value with private key of Trader 2 Identity Key Pair 473, and deposits the results in Trader 1's Pending Transaction Vault 467 serving as Trader 2's 410 attestation and digital signature for acceptance of the transaction.
[0829] Trader 1 405 may use SEED-Coin App 1 406 to submit the pending transaction for verification, potentially using Brokering Software 425 as illustrated in
[0830] A verifier such as Verifier 1 415 may manually or automatically accept the incoming verification request. Verifier 1's SEED-Coin Application 3 416 and Key Master D 417 may, a month other steps: [0831] Retrieve the pending transaction file as illustrated in
[0836] If the transaction is verified, then Verifier 1's 415 Key Master D 417 computes the hash value of the pending transaction, encrypts the hash value with private key of his identity key pair, and deposits the results in Trader 1's Transaction Vault 1 467 serving as Verifier 1's 415 attestation and digital signature for validation of the transaction. A community of interest may define compensation rates for verifiers.
Posting a New Transaction Block
[0837] Once Trader 1 405, Trader 2 410, and Verifier 1 415 have all verified and signed the pending transaction, then one of the parties such as Verifier 1 415 may submit the pending transaction for posting to Key Master Alpha 400 as illustrated in
[0841] Registry 620 increments the transaction block sequence number and transmits the new block sequence number to Key Master Alpha 400 as depicted in reference numeral 13.
Then, the Key Master Alpha 400:
[0842] Generates Date/Time/KM token for the transaction; [0843] Computes the hash value of the pending transaction; [0844] Deposits the new transaction block as depicted in reference numeral 14 as illustrated in
[0846] Registry 620 updates the “most recent” fields associated with relevant SEED-Coin sequence number with the File ID and sequence number of the new transaction block. The Registry 620 then purges the pending transaction data for the associated SEED-Coin, enabling the SEED-Coin to be traded again.
[0847] The Registry 620 next confirms completion of the transaction with communications to the External Payment Gateway and Escrow 430 as depicted in reference numeral 9, Trader 1's 405 Key Master B 407 as depicted in reference numeral 2, Trader 2's 410 Key Master C 412 as depicted in reference numeral 6, and Verifier 1's 415 Key Master D 417 as depicted in reference numeral 11.
[0848] The Transaction Block Vault 450 may be automatically replicated to any number of locations, such as Transaction Block Vault Duplicates 2 . . . n 451, constrained only by operating parameters determined by the community of interest.
[0849] External Payment Gateway and Escrow 430 may validate the new transaction block and: [0850] Notify Trader 1 405 of release of payment as depicted in reference numerals 9, 2 and 1, and [0851] Release payment through external Payment Processors 435, if required, as depicted in reference numeral 8.
[0852] All traders and verifiers may be permitted access to the Transaction Block Vault 450 as illustrated in
[0853] Naturally, the SEED-Coin solution may support any number of traders and verifiers such as Traders 3 . . . n Identities 490 and Verifiers 2 . . . n Identities 495 as illustrated in
Data Elements, Origins, Sources, Retention and Cross-Checks
[0854] As illustrated in Table 3, Table 4 and Table 5, a detailed review of the data elements that each device manages includes: [0855] Registry 620 abbreviated as “R” in the columns labeled “Origin” and “Source”; [0856] Key Master Alpha 400 abbreviated as “KM-A” in the columns labeled “Origin” and “Source”; [0857] Trader 1 Key Master B 407 abbreviated as “KM-B” in the columns labeled “Origin” and “Source”; [0858] Trader 2 Key Master C 412 abbreviated as “KM-C” in the columns labeled “Origin” and “Source”; and [0859] Verifier 1 Key Master D 417 abbreviated as “KM-D” in the columns labeled “Origin” and “Source.” [0860] SEED-Coin App 1 406 abbreviated as “App 1” in the columns labeled “Origin” and “Source.” [0861] SEED-Coin App 2 411 abbreviated as “App 2” in the columns labeled “Origin” and “Source.” [0862] SEED-Coin App 3 416 abbreviated as “App 3” in the columns labeled “Origin” and “Source.” [0863] Trader 1's Coin Vault 466 abbreviated as “CV” in the columns labeled “Origin” and “Source.”
[0864] A detailed view of the levels of encryption and the data elements contained within a Coin Transfer from Trader 1 to Trader 2, abbreviated at “CT” in the columns labeled “Origin” and “Source”, is also illustrated in Table 5.
[0865] As illustrated in Table 3, Table 4 and Table 5, a detailed review of the contents of the various vaults utilized in the SEED-Coin example includes: [0866] Trader 1's Transaction Vault 1 467 abbreviated as “T1-TV” in the columns labeled “Origin” and “Source”; [0867] Transaction Block Vault 450 abbreviated as “TBV” in the columns labeled “Origin” and “Source”; and [0868] Trader 1's Coin Vault 466 abbreviated as “CV” in the columns labeled “Origin” and “Source.”
[0869] As illustrated in Table 3, Table 4 and Table 5: [0870] The “Origin” column indicates the device that created the data element; and [0871] The “Source” column indicates from where the data element was received. The “Source” may be a device, a vault or a block vault. An abbreviation of “Multi” indicates that multiple sources contribute to a given data element such as a transaction file.
[0872] Also, as illustrated in Table 3, Table 4 and Table 5, the “Retention” column abbreviated as “Retn” indicates how long a data element is retained with the possible following values: [0873] Temp=Data element retained on a temporary basis, only as along as required by current process. For example, Trader 1 Key Master B 407 loads the contents of the transaction into memory for the purpose of encrypting it, but once deposited, does not retain the contents of the transaction. [0874] Opt=Data element retained or not retained on an optional basis. For example, Trader 1 Key Master B 407 may retain Trader 2 Identity Token 472 after completion of the current transaction. [0875] Verf=Data element retained until transaction verified and recorded in the Transaction Block Vault 450. [0876] Pers=Data element retained on a persistent or permanent basis. [0877] Next=Until data element replaced with the next transaction for the given coin.
TABLE-US-00002 TABLE 3 SEED-Coin Transaction Formation Data Elements and Core Components Trader 1's Transaction Vault 467 [T1-TV] Origin Source Retn Transaction File Encrypted with private key of Trader 1's Transaction Vault 467 File ID of KM-B App 1 Verf Transaction Trader 1 Identity KM-B App 1 Verf Token 462 Trader 2 Identity KM-C App 1 Verf Token 472 Sequence # of Coin R App 1 Verf Date/Time/KM token KM-A App 1 Verf of Coin Type of Transaction, App 1 App 1 Verf e.g. Sell, Transfer for Goods/Services If Sell, Price App 1 App 1 Verf Sequence # of R R Verf Preceding Transaction Block File ID of KM-A R Verf Preceding Transaction Block Trader 1 Attestation File Entire file encrypted with private key of Trader 1's Transaction Vault 467 File ID of KM-B KM-B Verf Transaction Trader 1 Identity KM-B KM-B Verf Token 462 Encrypted with private key Trader 1 Identity Key Pair 463 Hash value of KM-B KM-B Verf Transaction Trader 2 Attestation File Entire file encrypted with private key of Trader 1's Transaction Vault 467 File ID of KM-B T1-TV Verf Transaction Trader 2 Identity KM-C KM-C Verf Token 472 Encrypted with private key of Trader 2 Identity Key Pair 473 Hash value of KM-C KM-C Verf Transaction Verifier 1 Attestation File Entire file encrypted with private key of Trader 1's Transaction Vault 467 File ID of KM-B T1-TV Verf Transaction Verifier 1 Identity KM-D KM-D Verf Token 462 Encrypted with private key of Verifier 1 Identity Key Pair 463 Hash value of KM-D KM-D Verf Transaction File Trader 1 Key Master B 407 [KM-B] Origin Source Retn Trader 1 Identity KM-B KM-B Pers Token 462 & Identity Key Pair 463 Trader 1 Masking KM-B KM-B Pers Token 464 & Masking Key Pair 465 Trader 1 Transaction KM-B KM-B Pers Vault 467 Token & Key Pair Trader 2 Identity KM-C KM-C Opt Token 472 Public key of Trader KM-C R Opt 2 Identity 470 Verifier 1 415 KM-D KM-D Opt Identity Token Public key of KM-D R Opt Verifier 1 415 Identity Contents of the Multi T1-TV Temp Transaction Trader 2 Key Master C 412 [KM-C] Origin Source Retn Trader 2 Identity KM-C KM-C Pers Token & Key Pair 472 & 473 Trader 1 Identity KM-B KM-B Opt Token 462 Public key of Trader KM-B R Opt 1 identity 460 Trader 1 Transactions KM-B KM-B VerfOpt Vault 467 Token Public key of Trader KM-B R Opt 1 Transaction Vault 467 Contents of Multi T1-TV Temp Transaction Verifier 1 Key Master D 417 [KM-D] Origin Source Retn Verifier 1 Identity KM-D KM-D Pers 480 Token & Key Pair Trader 1 Identity KM-B T1-TV Temp Token 462 Public key of Trader KM-B R Temp 1 Identity 460 Trader 2 Identity KM-C T1-TV Temp Token 472 Public key of Trader KM-C R Temp 2 Identity 470 Trader 1's KM-B R Temp Transactions Vault 467 Token Public key of Trader KM-B R Temp 1's Transaction Vault 467 Contents of Multi T1-TV Temp Transaction
TABLE-US-00003 TABLE 4 SEED-Coin Core Components and Block Vault Data Elements Registry 620 [R] Origin Source Retn Trader's & Self Self Pers Verifier's Identities 460, 470 & 480 Trader's & KM-B, KM-B, Pers Verifier's Identity C & D C & D Tokens & Public Keys Trader 1's KM-B KM-B Pers Transaction Vault 467 Token & Public Key Public Keys of SEED- App 1, App 1, Pers Coin Apps 2 & 3 2 & 3 406, 411 & 416 Unique IDs of SEED- R R Pers Coin Apps 406, 411 & 416 Transaction Block KM-A KM-A Pers Vault 450 Token & Public Key Coin Sequence #s Pers a. File ID of KM-A KM-A Next Current Block in Transaction Block Vault 450 b. Sequence #s of R R Next Current Transaction in Transaction Block Vault 450 c. Pending Transaction KM-B KM-B Temp File ID and Vault Token for Trader 1's Vault 467 Key Master Alpha 400 [KM-A] Origin Source Retn Trader 1's KM-B R Temp Transaction Vault 467 Token and File ID of Pending Transaction Trader 1 & 2 KM- T1-TV Temp Identity Tokens B & C 462 & 472 Public Keys Trader KM- R Temp 1 & 2 B & C Identities 460 & 470 Verifier 1 Identity KM-D T1-TV Temp 480 Token Public Key of KM-D R Temp Verifier 1 Identity 480 Public key of Trader 1 KM-B R Temp Transaction Vault 467 Contents of KM-B T1-TV Temp Transaction Attestations by KM-B, T1-TV Temp Trader 1 405, C & D Trader 2 410 and Verifier 1 415 Transaction Block KM-A KM-A Pers vault 450 Token & Key Pair File ID of KM-A KM-A Pers Transaction Block Sequence # of R R Pers Transaction Block Date/time/KM Token KM-A KM-A Temp of Transaction Block Transaction Block Vault 450 [TBV] Origin Source Retn Entire block encrypted with private key of Transaction Block Vault 450 Sequence # of R KM-A Pers Transaction Block File ID of KM-A KM-A Pers Transaction Block Date/Time/KM Token KM-A KM-A Pers of Transaction Block Sequence # of Coin R T1-TV Pers Date/Time/KM Token KM-A T1-TV Pers of Coin Verifier 1 415 T1-TV Pers Identity token Encrypted with private key of KM-A Hash value of KM-A KM-A Pers Transaction Encrypted with private key of Trader 1's Transaction Vault 467 File ID of KM-B T1-TV Pers Transaction Trader 1 Identity KM-B T1-TV Pers Token 462 Trader 2 Identity KM-C T1-TV Pers Token 472 Sequence # of Coin R T1-TV Pers Date/time/KM Token KM-A T1-TV Pers of Coin Type of Transaction, App 1 T1-TV Pers e.g. Sell, Transfer for Goods/Services If Sell, Price App 1 T1-TV Pers Sequence # of R T1-TV Pers Preceding Transaction File ID of Preceding KM-A T1-TV Pers Transaction Block Encrypted with private key of Trader 1 Identity Key Pair 463 Hash value of KM-B T1-TV Pers Transaction Encrypted with private key of Trader 2 Identity Key Pair 473 Hash value of KM-C T1-TV Pers Transaction Encrypted with private key of Verifier 1's Identity 4780 Key Pair Hash value of KM-D T1-TV Pers Transaction
TABLE-US-00004 TABLE 5 SEED-Coin Vault and Coin Transfer Data Elements Trader 1's Coin Vault 466 [CV] Origin Source Retn 1.sup.st level encrypted with public key of Trader 1's Coin Vault 466 2.sup.nd level encrypted with public key of Trader 1 Masking Key Pair 465 3.sup.rd level encrypted with public key of Trader 1's SEED-Coin App 1 406 SEED-Coin Token KM-A Previous Pers Date/Time/KM KM-A Owner Pers Token of Coin Sequence # of R Pers Coin Coin Transfer (CT) Origin Source Retn 1.sup.st level encrypted with public key of Key Master C 412 2.sup.nd level encrypted with public key of Trader 2 Identity Key pair 473 3.sup.rd level encrypted with public key of SEED-Coin App 2 411 SEED-Coin Token KM-A CV Temp Sequence # of Coin R CV Temp Date/Time/KM KM-A CV Temp Token of Coin Trader 1's KM-B KM-B Temp Transactions Vault 467 Token File ID of Pending KM-B KM-B Temp Transaction
[0878] As illustrated collectively by
[0884] One of normal skill in the art will recognize that the examples above represent a portion of the cross-checking and validation features of the crypto currency operations described herein.
Initial Coin Commissioning
[0885] Many options exist for commissioning a new coin to occupy a SEED-Coin chain of encrypted blocks. Generally, a community of interest will agree regarding the size of the initial coin offering and determine whether coins will be pre-sold or simply commence trading once the coins have been commissioned.
[0886] Initial coin generation will involve a commissioner, one whom operates the Key Master Alpha 400 and the Registry 620, to generate the pre-determined number of coins en masse and deposit the coins in the commissioner's coin vault, like Trader 1's Coin Vault 466. Key Master Alpha 400 will also create the Transaction Block Vault 450.
[0887] When coins are sold from the commissioner's coin vault, the transaction process will proceed with the sales process described herein. In the resulting transaction, the seller would be the community of interest and the buyer would be the respective buying trader.
[0888] The exemplary mechanism represents one of many ways in which the SEED Protocol 500 may be configured to support crypto currency operations. The present application is intended to be inclusive of all such variations.
[0889] The crypto currency configuration described herein may be utilized to trade any commodity.
Wide Applicability
[0890] With the three uses cases for SEED-Chain detailed herein—voting, smart contracts, and crypto currencies—one of normal skill in the art may extrapolate many other ways in which the SEED Protocol's 500 SEED-Chains, the related cryptographic attributes, and the triangulation capabilities may be utilized to serve a wide variety of use cases in which distributed indelible ledgers and distributed verification are required.
[0891] One may also utilize SEED-Chains, as described herein, independently of the SEED Protocol 500.
Key Master Admin Application and Adding a User to an Existing Key Master
[0892] Administration of Key Masters 112 can be aided by a Key Master Admin Application 510, improving convenience and security of the mechanism as depicted in
[0893] New User 553 using New User Application 554 establishes identity with Registry 620, which may include various forms of identity verification as depicted in reference numeral 1, and may include establishing SEED-Direct 2.sup.nd factor authentication using a Mobile Device 557 as described herein.
[0894] New User 553 using New User Application 554 requests services from an existing Key Master 112 including submission of credentials established with Registry 620 as depicted in reference numeral 2.
[0895] Key Master 112 and New User Application 554 identify one another using unique Key Master 112 serial number and/or other unique identifiers as depicted in reference numeral 2.
[0896] Key Master 112 communicates to Registry 620 the credentials of the New User 553 and New User Application 554 who is requesting services from existing Key Master 112, seeking authorization to provide services as depicted in reference numeral 3.
[0897] New User Application 554 transmits Key Master's 112 serial number and/or other unique identifiers to Registry 620, along with credentials of New User 553 as depicted in reference numeral 1.
[0898] Registry 620 confirms match of information coming from New User Application 554 and existing Key Master 112 regarding New User 553. The Registry 620 may also gather additional information such as IP address of New User's App 554 to aid in detection of anomalous behavior.
[0899] If Registry 620 detects a mismatch or anomaly, then Registry 620 notifies Key Master Admin 511 of denied request for new user creation, along with any other requested information regarding denied new user credentials and associated Key Master 112. Such notification may occur via a Key Master Admin Application 510 as depicted in reference numeral 4, via text message, e-mail, or other forms of communications.
[0900] If Registry 620 detects no mismatches or anomalies, then Registry 620 notifies Key Master Admin 511 of request for new user creation. Such notification may occur via a Key Master Admin Application 510 as depicted in reference numeral 4, via text message, e-mail, or other forms of communications.
[0901] Key Master Admin 511 notifies Registry 620 of approval or denial of request from New User 553 to be served by existing Key Master 112. Such approval or denial may occur via a Key Master Admin Application 510 as depicted in reference numeral 4.
[0902] Registry 620 notifies existing Key Master 112 of approval or denial decision by Key Master Admin 511 as depicted in reference numeral 3.
[0903] If Key Master 112 receives approval to provide services to New User 553 and to New User Application 554, then normal operations may proceed as described herein.
Key Master Admin Application and the Key Vault
[0904] To prevent loss of access to encrypted data due to loss of private keys, a Key Vault 520 may be created by the Key Master Admin Application 510 to which all private keys may be automatically and securely stored as illustrated in
[0905] The combination of low cost Key Masters 112 and the Key Vault 520 enables distribution of encryption functions down to individuals or small groups of users such as workgroups, small offices, families, etc.
[0906] The Key Master Admin Application 510 may integrate the Key Vault 520 within itself or elect to use any secure storage location.
[0907] In this variation of the process, the Key Master Admin Application 510 does not have encryption/decryption capabilities thus making the Key Master Admin Application 510 and associated Key Vault 520 very lightweight able, for instance, to be operated on a mobile smart phone.
[0908] Using the Key Master Admin Application 510, the Key Master Admin 511 will authenticate to the Registry 620 as depicted in reference numeral 4. Such authentication may include SEED-Direct 2.sup.nd factor authentication using a Mobile Device 557 as well as described herein.
[0909] Upon initialization of a Key Master 112, the Key Master 112 will send to Key Vault 520 a portion of its private key, for instance, two-of-three components, encrypted with the Registry's 120 public key, plus the remaining portion of its own private key, for instance the third of three components, which may remain unencrypted in the Key Vault 520. This initial deposit of the Key Master 112 private key becomes central to the key recovery process described below.
[0910] Each time the Key Master 112 generates a new key pair for an identity or a vault, the Key Master 112 encrypts the newly generated private key and related identity or vault token with the Key Master's 112 own public key. The Key Master 112 then transmits the encrypted private key and related token to the Key Vault 520 through the Key Master Admin Application 510 as depicted in reference numeral 5.
[0911] The Key Master Admin Application 510 and Key Vault 520 may employ a variety of security measures to prevent unauthorized access to the data stored in the Key Vault 520, but even if breached, no unencrypted data is at risk. Even if the contents of the Key Vault 520 could be decrypted by unauthorized parties, the unauthorized parties still lack access to the encrypted files or any information regarding the identities to which the keys relate.
Restoration of Keys from a Key Vault After Failure of Serving Key Master
[0912] If a Key Master 112 fails or is destroyed a Key Vault 520 may be used to restore the private keys of the failed Old Key Master 712 to the New Key Master 714 as illustrated in
[0913] Upon start-up of a New Key Master 714 to replace an Old Key Master 712, the New Key Master 714 will generate its own device key pair and identify itself to the Registry 620, including providing the Registry 620 with the New Key Master's 714 public key as depicted in reference numeral 1.
[0914] The Key Master Admin 511, using the Key Master Admin Application 510, will authenticate to the Registry 620 as depicted in reference numeral 3, a process which may also employ SEED-Direct 2.sup.nd factor authentication using a Mobile Device 557 as described herein.
[0915] Key Master Admin 511, using Key Master Admin Application 510, provides New Key Master 714 device ID to Registry 620 as depicted in reference numeral 3. Registry 620 acknowledges the pairing of the Key Master Admin Application 510 to the New Key Master 714 as depicted in reference numeral 3.
[0916] Key Master Admin Application 510, using Key Vault 520, transmits the two-of-three components of the Old Key Master's 712 private key previously encrypted by the Old Key Master 712 with the Registry's 620 public key, to the Registry 620 as depicted in reference numeral 3.
[0917] The Registry 620 decrypts the two-of-three components of the Old Key Master's 712 private key by using the Registry's 620 private key, encrypts with the New Key Master's 714 public key, and transmits to the New Key Master 714 as depicted in reference numeral 1.
[0918] The New Key Master 714 decrypts the two-of-three components of the Old Key Master's 712 private key using the private key of the New Key Master 714.
[0919] The Key Master Admin Application 510 transmits from the Key Vault 520 to the New Key Master 714 the third component of old Key Master's 112 private key as depicted in reference numeral 2.
[0920] The New Key Master 714 now has the Old Key Master's 712 private key.
[0921] Registry 620 transmits a list of identities and vaults served by Old Key Master 712 to the New Key Master 714 encrypted with the New Key Master's 714 public key as depicted in reference numeral 1.
[0922] The Key Master Admin Application 510 transmits from the Key Vault 520 the private keys and related tokens of the identities and vaults served, previously encrypted by the Old Key Master's 712 with its own public key, to the New Key Master 714 as depicted in reference numeral 2, a process that may require a served-identities and served-vaults verification process that may involve the Registry 620, and/or transmission of a served-user list from the New Key Master 714 to the Key Master Admin Application 510.
[0923] Using the Old Key Master's 712 private key, the New Key Master 714 can now decrypt the recovered served-identities and served-vaults private keys, restoring the private keys for normal operations by the New Key Master 714.
[0924] The Registry 620 updates any other Key Masters 112 with association to Old Key Master 712 of the New Key Master's 714 identification as depicted in reference numeral 4.
[0925] The Registry 620 updates any Cloud Lockboxes 130 with association to Old Key Master 712 of the New Key Master 714 identification as depicted in reference numeral 5.
[0926] As one of ordinary skill in the art will recognize, if other secure storage has been designated to serve as the Key Vault 520 then a similar process would ensue.
Multiple Registries
[0927] A community of interest may operate a single Registry 620 to serve all participants. However, situations may arise in which a community of interest elects to operate multiple Registries 620 such as Registry A 800, Registry B 801 and Registry C 802 as depicted in
[0928] In such an embodiment, the Registry A 800, Registry B 801 and Registry C 802 communicate with each other during: [0929] Identity creation processes to confirm uniqueness; [0930] Exchange of permissions changes for access; and [0931] Coordination of other functions as described herein.
Wide Applicability
[0932] One with ordinary skill in the art will recognize that the mechanisms described herein may be configured in a variety of ways while retaining the primary characteristics, capabilities, and benefits of the overall design all of which are intended to be addressed in this application. The present application provides in-depth explanation of some of the variations, but the presented variations are not meant to be exhaustive, but rather provide examples.