Methods for Threshold Password-Hardened Encryption and Decryption
Simple Summary
Content extracted from patent full text and abstract with AI.
This patent describes a method for securing encrypted data using a system called threshold password-hardened encryption (PHE) with rate-limiters. Unlike traditional password-based encryption that depends on a single server or rate-limiter, this approach uses multiple rate-limiters (processing units) where a minimum subset (threshold) is required to encrypt and decrypt user data. This makes it much harder for attackers to steal data, as they would need to compromise several independent components. The method also supports key rotation and allows dynamic management of the rate-limiters, supporting both high availability and strong security.
Use Cases
- Online services and cloud providers storing sensitive user data and requiring strong protection against insider threats and server compromise.
- Financial services, healthcare, or government databases where compliance standards (like PCI DSS) require regular key rotation and strong encryption.
- Cold storage solutions for sensitive backups, where secure data recovery is essential even if some rate-limiters are offline or compromised.
- Password management services that want to prevent both online and offline brute-force attacks against user credentials.
- Enterprise applications where distributed control over encrypted assets and emergency data recovery are needed.
Benefits
- Improves security by requiring a threshold of independent parties (rate-limiters) to recover encrypted data, reducing single points of failure.
- Strong protection against both online and offline attacks, notably defending against server compromise and brute-force attempts.
- Enhanced availability: encrypted data can still be recovered if a subset of rate-limiters is available, even if others are offline or compromised.
- Enables seamless cryptographic key rotation without requiring access to original data or users, aiding compliance and management.
- Supports flexible access structures and dynamic reconfiguration of rate-limiters, adapting to organizational and security needs.
- Implements rate-limiting to slow down attack attempts and mitigate automated brute-force attacks.
Technical Classifications (CPCs)
Main Classifications
Electrical & Electronic Tech
Sub Classifications
Electric Communication Technique
CPC Codes
Inventors & Applicants
Applicants
Univ Friedrich Alexander Er
Patent Abstract
Computer-implemented method for encrypting data by a server in cooperation with a predetermined number of rate limiters, the method comprising:
- receiving, by the server, from the user, a user identification (un), and a password to be encrypted,
- creating, by the server, a secret message, the secret message being a key suitable for use with a symmetric key encryption/decryption scheme,
- generating, by the server in cooperation with a subset of a size which is equal to or greater than a threshold, on the basis of a predetermined interactive cryptographic encryption protocol, a ciphertext which encrypts the user password, and the secret message using the respective secret keys of the rate limiters of the subset, the threshold being smaller than or equal to the number of rate limiters, and the interactive cryptographic protocol being adapted such that the server needs only to interact with a subset of the predetermined size of the number of rate limiters for decryption of the ciphertext to recover the secret message,
- storing, by the server, the ciphertext, in association with the user identification; and
- deleting the secret message and the password.
Key Information
Publication No.
EP3890235A1
Family ID
70110241
Publication Date
2021-10-06
Application No.
EP20167386A
Application Date
2020-03-31
Priority Date
2020-03-31
Granted
Yes (1/3)
Possible Cooperation
For further information please contact the transfer office.