Homomorphic key derivation
    Granted patent

    Publication number: US11546149B2

    Publication date: 2023-01-03

    Application number: US17202280

    Filing date: 2021-03-15

    Applicant: INTUIT INC.

    Abstract: A processor of a remote crypto cluster (RCC) may receive a public key from a client device through at least one network. The processor of the RCC may obtain an encrypted specific key and a blinded project key from at least one data source through the at least one network. The processor of the RCC may derive a derived key in blind based on the encrypted specific key and the blinded project key. The processor of the RCC may send the derived key in blind to the client device.

    Satellite service for machine authentication in hybrid environments

    Publication number: US11647020B2

    Publication date: 2023-05-09

    Application number: US16825437

    Filing date: 2020-03-20

    Applicant: INTUIT INC.

    Inventor: Gleb Keselman

    CPC classification number: H04L63/0853 H04L9/3247 H04L63/083 H04L63/10

    Abstract: Certain aspects of the present disclosure provide techniques for access control. Embodiments include receiving, by a satellite component of an access control system, a request from a computing device to verify an identity of the computing device, wherein the request comprises one or more characteristics of the computing device. Embodiments include verifying, by the satellite component, that the one or more characteristics of the computing device are valid, the verifying comprising one or more interactions with a management entity related to the computing device. Embodiments include generating, by the satellite component, a signed document that is trusted by a control component of the access control system. Embodiments include providing, by the satellite component, the signed document to the computing device for use in requesting credentials from the control component to access a secure resource.

    Encrypted data management system
    Granted patent

    Publication number: US11522704B1

    Publication date: 2022-12-06

    Application number: US17815715

    Filing date: 2022-07-28

    Applicant: INTUIT INC.

    Abstract: Aspects of the present disclosure provide techniques for encrypted data management. Embodiments include determining an encrypted data item in a data store that is related to a request from a data consuming user. Embodiments include determining a data owning user and an encryption key that correspond to the encrypted data item based on a key identifier associated with the encrypted data item. Embodiments include determining one or more additional encrypted data items and one or more additional encryption keys that correspond to the data owning user based on key identifiers associated with the one or more additional encrypted data items. Embodiments include generating a single data access ticket comprising information about the data consuming user, the data owning user, the encryption key, and the one or more additional encryption keys.

    Centralized authentication and authorization with certificate management

    Publication number: US11431511B2

    Publication date: 2022-08-30

    Application number: US16429631

    Filing date: 2019-06-03

    Applicant: Intuit Inc.

    Abstract: At least one processor of a central authority separate from a computing process may establish a first trust relationship between the computing process and a central authority separate from the computing process. The establishing may include authenticating the computing process, which may include providing a signed token to the computing process, receiving a request for the certificate from the computing process including the signed token and policy ID data, determining that the computing process is eligible for the certificate according to a policy that associates the certificate with the policy ID data, and validating the signed token. In response to the establishing, the at least one processor may obtain the certificate. The certificate may be signed by a third-party certificate authority with which the central authority has a second trust relationship separate from the first trust relationship. The at least one processor may provide the certificate to the computing process.

    Authorization to access a server in the cloud without obtaining an initial secret

    Publication number: US10366240B1

    Publication date: 2019-07-30

    Application number: US15415487

    Filing date: 2017-01-25

    Applicant: Intuit Inc.

    Abstract: A method and system provide access control for sensitive data. An access control system defines a plurality of access policies for gaining access to the sensitive data. Each access policy includes a plurality of rules that indicate whether or not a client machine can gain access to an initial access secret under the policy. If a client machine requests access to the sensitive data, the access control system checks to see if the client machine satisfies the rules of the access policy. If the characteristics of the client machine satisfy the rules of the access policy, then the access control system provides a ticket to the client machine and instructs the client machine to write the ticket to a client machine information database. If the client machine writes the ticket to the client machine information database, then the access control system provides an initial access secret to the client machine.

    CRYPTOGRAPHIC KEY GENERATION FOR LOGICALLY SHARDED DATA STORES

    Publication number: US20190149320A1

    Publication date: 2019-05-16

    Application number: US15815189

    Filing date: 2017-11-16

    Applicant: Intuit Inc.

    Abstract: The present disclosure relates to deriving cryptographic keys for use in encrypting data based on a plaintext to be encrypted. An example method generally includes receiving, from a querying device, a request for a cryptographic key. The request generally includes data derived from a plaintext value to be encrypted and an indication of a type of the plaintext value to be encrypted. A cryptographic key is generated based, at least in part, on the derived data and the type of the plaintext value to be encrypted. The key deriver transmits the generated cryptographic key to the querying device.

    AUTHORIZATION TO ACCESS A SERVER IN THE CLOUD WITHOUT OBTAINING AN INITIAL SECRET

    Publication number: US20180115550A1

    Publication date: 2018-04-26

    Application number: US15334440

    Filing date: 2016-10-26

    Applicant: Intuit Inc.

    Abstract: A method and system provide access control for sensitive data. An access control system defines a plurality of access policies for gaining access to the sensitive data. Each access policy includes a plurality of rules that indicate whether or not the client machine can gain access to an initial access secret under the policy. When the access control system receives access request data from a client machine requesting access to the access control system under one of the policies, the access control system compares characteristics of the client machine to the rules of the access policy. If the characteristics of the client machine satisfy the rules of the access policy, the access control system provides an initial access secret, such as an application key, to the client machine.
