US-20260128891-A1 - SECURED STORAGE CONFIGURATION FOR PROTECTION OF ELECTRONIC DOCUMENTS
Abstract
An electronic document protection system to securely store electronic documents within an organization. An electronic document is obtained from a user associated with the organization, and a document-specific encryption key is generated, distinct from encryption keys for other documents. The document is encrypted using this document-specific key, producing an encrypted version. The encrypted document is stored in a private distributed storage system accessible only to a designated set of organizational users. A secure data record is generated for the document, including a location identifier for the encrypted document in the private storage system. This secure data record is stored in an immutable, append-only data log, ensuring that stored information cannot be altered and is accessible only by authorized organizational users. This approach provides document-level encryption, controlled access, and tamper-proof recordkeeping, thereby enhancing data security, integrity, and verifiable authenticity of organizational documents.
Inventors
- Ronald DeKoven
Assignees
- Justice Technology, Ltd.
Dates
- Publication Date
- 20260507
- Application Date
- 20251219
Claims (20)
- 1. A non-transitory computer readable storage medium comprising stored instructions to securely store electronic documents, the instructions comprising instructions that when executed cause at least one processor to: obtain an electronic document from a user associated with an organization; generate a document-specific encryption key, wherein the document-specific encryption key is distinct from encryption keys generated for other electronic documents; encrypt the electronic document using the document-specific encryption key to generate an encrypted electronic document; store the encrypted electronic document in a private distributed storage system, wherein the private distributed storage system is accessible to a designated set of users within the organization; generate a secure data record corresponding to the electronic document, the secure data record comprising a location identifier for the encrypted electronic document within the private distributed storage system; and store the secure data record in an immutable, append-only data log, wherein the immutable, append-only data log is accessible only by users within the organization.
- 2. The non-transitory computer readable storage medium of claim 1, wherein the secure data record is linked in the immutable, append-only data log to a prior secure data record corresponding to a related document to establish a relationship between the electronic document and the related document.
- 3. The non-transitory computer readable storage medium of claim 1, wherein the instructions to encrypt the electronic document further comprise instructions that when executed cause the at least one processor to use a symmetric key encryption algorithm.
- 4. The non-transitory computer readable storage medium of claim 3, further comprising instructions that when executed cause the at least one processor to encrypt each document-specific encryption key with a master encryption key uniquely associated with the organization and store the encrypted document-specific encryption key in the immutable, append-only data log.
- 5. The non-transitory computer readable storage medium of claim 3, wherein the instructions to store the encrypted electronic document in the private distributed storage system further comprise instructions that when executed cause the at least one processor to store the document in a private InterPlanetary File System (IPFS) network accessible to the designated set of users.
- 6. The non-transitory computer readable storage medium of claim 1, further comprising instructions that when executed cause the at least one processor to obtain metadata associated with the electronic document from the user, the metadata comprising at least one of: a title, a description, a document date, a date of document signing, or user comments, and store the metadata in association with the encrypted electronic document in the private distributed storage system.
- 7. The non-transitory computer readable storage medium of claim 1, further comprising instructions that when executed cause the at least one processor to generate a non-fungible token (NFT) as the secure data record, the non-fungible token comprising the location identifier and being stored in the immutable, append-only data log implemented as a blockchain-based ledger.
- 8. A method for securely storing electronic documents, the method comprising: obtaining an electronic document from a user associated with an organization; generating a document-specific encryption key, wherein the document-specific encryption key is distinct from encryption keys generated for other electronic documents; encrypting the electronic document using the document-specific encryption key to generate an encrypted electronic document; storing the encrypted electronic document in a private distributed storage system, wherein the private distributed storage system is accessible to a designated set of users within the organization; generating a secure data record corresponding to the electronic document, the secure data record comprising a location identifier for the encrypted electronic document within the private distributed storage system; and storing the secure data record in an immutable, append-only data log, wherein the immutable, append-only data log is accessible only by users within the organization.
- 9. The method of claim 8, wherein the secure data record is linked in the immutable, append-only data log to a prior secure data record corresponding to a related document to establish a relationship between the electronic document and the related document.
- 10. The method of claim 8, wherein encrypting the electronic document comprises using a symmetric key encryption algorithm.
- 11. The method of claim 10, further comprising encrypting each document-specific encryption key with a master encryption key uniquely associated with the organization and storing the encrypted document-specific encryption key in the immutable, append-only data log.
- 12. The method of claim 10, wherein storing the encrypted electronic document in the private distributed storage system comprises storing the document in a private InterPlanetary File System (IPFS) network accessible to the designated set of users.
- 13. The method of claim 8, further comprising obtaining metadata associated with the electronic document from the user, the metadata comprising at least one of: a title, a description, a document date, a date of document signing, or user comments, and storing the metadata in association with the encrypted electronic document in the private distributed storage system.
- 14. The method of claim 8, further comprising generating a non-fungible token (NFT) as the secure data record, the non-fungible token comprising the location identifier and being stored in the immutable, append-only data log implemented as a blockchain-based ledger.
- 15. A system for secure storage of electronic documents, comprising: at least one processor; and a memory having stored instructions, the instructions comprising instructions that when executed cause at least one processor to: obtain an electronic document from a user associated with an organization; generate a document-specific encryption key, wherein the document-specific encryption key is distinct from encryption keys generated for other electronic documents; encrypt the electronic document using the document-specific encryption key to generate an encrypted electronic document; store the encrypted electronic document in a private distributed storage system, wherein the private distributed storage system is accessible to a designated set of users within the organization; generate a secure data record corresponding to the electronic document, the secure data record comprising a location identifier for the encrypted electronic document within the private distributed storage system; and store the secure data record in an immutable, append-only data log, wherein the immutable, append-only data log is accessible only by users within the organization.
- 16. The system of claim 15, wherein the secure data record is linked in the immutable, append-only data log to a prior secure data record corresponding to a related document to establish a relationship between the electronic document and the related document.
- 17. The system of claim 15, wherein the instructions to encrypt the electronic document further comprise instructions that when executed cause the at least one processor to use a symmetric key encryption algorithm.
- 18. The system of claim 17, further comprising instructions that when executed cause the at least one processor to: encrypt each document-specific encryption key with a master encryption key uniquely associated with the organization and store the encrypted document-specific encryption key in the immutable, append-only data log; and store the document in a private InterPlanetary File System (IPFS) network accessible to the designated set of users.
- 19. The system of claim 15, further comprising instructions that when executed cause the at least one processor to obtain metadata associated with the electronic document from the user, the metadata comprising at least one of: a title, a description, a document date, a date of document signing, or user comments, and store the metadata in association with the encrypted electronic document in the private distributed storage system.
- 20. The system of claim 15, further comprising instructions that when executed cause the at least one processor to generate a non-fungible token (NFT) as the secure data record, the non-fungible token comprising the location identifier and being stored in the immutable, append-only data log implemented as a blockchain-based ledger.
Description
RELATED APPLICATIONS
This application is a continuation of prior, co-pending U.S. patent application Ser. No. 18/193,608, filed on Mar. 30, 2023, which claims the benefit of Provisional Application No. 63/326,251, filed on Mar. 31, 2022, and of Provisional Application No. 63/374,342, filed on Sep. 1, 2022, all of which are incorporated herein by reference.
FIELD OF ART
This disclosure relates generally to the field of distributed software systems, and more specifically, to verifying the authenticity of electronic documents via distributed computing and cryptographic techniques.
BACKGROUND
The ability to store electronic documents and to enable verification of their authenticity is of fundamental importance in many areas. For example, in the event of a severe medical event, it is of critical importance to be able to determine whether the patient has registered any medical instructions (e.g., a "do not resuscitate" form), and (if so) to ensure that those instructions are authentic (that is, originate with the patient, and have not been altered or otherwise tampered with by unauthorized third parties). Even when there appears to be a document executed by or on behalf of a person in question, there may still be a question of whether the execution was genuine, or whether terms of the document have been altered since execution.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 illustrates a detailed view of an environment in which documents are memorialized and their authenticities verified, according to one embodiment. FIG. 2 is a high-level block diagram illustrating physical components of a computer used as part or all of the document authentication system from FIG. 1, according to one embodiment. The figures depict embodiments of the present invention for purposes of illustration only.
One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
DETAILED DESCRIPTION
FIG. 1 illustrates a detailed view of an environment in which documents are memorialized and their authenticities later verified, according to one embodiment. A document authentication system 100 provides such memorialization and verification services to users, such as a user of a creation client device 131 from which documents are submitted to the document authentication system 100 for memorialization, and a user of a verification client device 132 that requests verification of the authenticity of such documents.
The document authentication system 100 is implemented in different manners in different embodiments. For example, in one embodiment the system 100 is made available as a remote network-based service, supporting clients from different organizations at any location in the world. In other embodiments, the system 100 is implemented as enterprise software, with the system 100 being installed internally to each of many different organizations, such that each organization has its own independent instance of the system 100 that is accessible to its own clients but inaccessible from outside the organization.
The document authentication system 100 has, or accesses, a number of components, including a memorialization module 102, a verification module 112, a token generation module 106, a token registration module 108, a private distributed ledger 110, and private distributed storage 104. These components are now described in additional detail. The memorialization module 102 obtains a document from the creation client device 131 and memorializes it so that it is reliably saved and its authenticity verifiable.
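The memorialization and verification paths that claim 1 and the component overview describe, written out as an added example. This is not code from the patent or from Justice Technology, Ltd.; it is an illustration of the technique using only the Go standard library: a fresh AES-256-GCM key per document, a content-addressed private store standing in for the private IPFS network, the document key wrapped under an organisation master key and placed in the record (claim 4), a link to a related earlier record (claim 2), and a hash-chained append-only log whose records cannot be altered or reordered without detection. The names `Store`, `Log`, `Record`, `Memorialize`, `VerifyLog` and `Retrieve`, the use of a bare SHA-256 hex digest as the location identifier in place of a real IPFS CID, the use of AES-GCM as the key wrap, and the sample document text are all assumptions made for this example; the "designated set of users" access control and the NFT/ledger encoding of claim 7 are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is the secure data record appended to the log (claims 1, 2 and 4 of the patent).
type Record struct {
	Location   string // content address of the encrypted document in the private store
	WrappedKey []byte // document-specific key, encrypted under the organisation master key
	Related    string // Location of a related earlier document, or "" (claim 2)
	PrevHash   string // Hash of the preceding record, "" for the first: the hash chain
	Hash       string // SHA-256 over the four fields above
}

// Store stands in for the private distributed storage (IPFS in claim 5). It is content addressed
// like IPFS, but the location here is a bare SHA-256 hex digest (an assumption made for the example).
type Store map[string][]byte

// Log is the immutable, append-only data log of secure data records.
type Log struct{ Records []Record }

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure randomness: nothing sensible to do but stop
	}
	return b
}

// aead builds AES-256-GCM. Every key in this program is 32 bytes, so neither constructor can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts with a fresh random 96-bit nonce and prepends the nonce to the ciphertext.
func seal(key, plaintext []byte) []byte {
	nonce := randBytes(12)
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the ciphertext or its authentication tag was altered.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// recordHash binds every field of a record; "|" cannot occur inside the hex-encoded fields.
func recordHash(r Record) string {
	return digest([]byte(fmt.Sprintf("%s|%x|%s|%s", r.Location, r.WrappedKey, r.Related, r.PrevHash)))
}

// Memorialize follows claim 1: per-document key, encrypt, store, wrap the key, append a chained record.
func Memorialize(store Store, log *Log, masterKey, doc []byte, related string) Record {
	dek := randBytes(32)
	ct := seal(dek, doc)
	// AES-GCM doubles as the key wrap here (assumption; AES-KW or a KMS wrap call is the usual choice).
	rec := Record{Location: digest(ct), WrappedKey: seal(masterKey, dek), Related: related}
	store[rec.Location] = ct
	if n := len(log.Records); n > 0 {
		rec.PrevHash = log.Records[n-1].Hash
	}
	rec.Hash = recordHash(rec)
	log.Records = append(log.Records, rec)
	return rec
}

// VerifyLog checks that every record hashes correctly and links to its predecessor.
func VerifyLog(log *Log) error {
	prev := ""
	for i, r := range log.Records {
		if r.PrevHash != prev || recordHash(r) != r.Hash {
			return fmt.Errorf("log record %d was altered or reordered", i)
		}
		prev = r.Hash
	}
	return nil
}

// Retrieve is the verification path: check the log, fetch the ciphertext, confirm it still
// matches its location identifier, unwrap the document key, and decrypt.
func Retrieve(store Store, log *Log, masterKey []byte, i int) ([]byte, error) {
	if err := VerifyLog(log); err != nil {
		return nil, err
	}
	if i < 0 || i >= len(log.Records) {
		return nil, errors.New("no such record")
	}
	rec := log.Records[i]
	ct, ok := store[rec.Location]
	if !ok || digest(ct) != rec.Location {
		return nil, errors.New("encrypted document missing or altered in storage")
	}
	dek, err := open(masterKey, rec.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	return open(dek, ct)
}

func main() {
	store, log, master := Store{}, &Log{}, randBytes(32) // a real master key lives in a KMS or HSM
	r1 := Memorialize(store, log, master, []byte("medical power of attorney (constructed sample)"), "")
	Memorialize(store, log, master, []byte("amendment to the power of attorney (constructed sample)"), r1.Location)
	doc, err := Retrieve(store, log, master, 1)
	fmt.Printf("%q %v\n", doc, err)
	store[r1.Location][0] ^= 1 // alter one byte of the stored ciphertext
	_, err = Retrieve(store, log, master, 0)
	fmt.Println("after tampering:", err)
}
```

Two checks happen before any decryption: the stored bytes are re-hashed and compared with the location identifier, so an altered ciphertext is rejected without touching a key, and every log record is re-hashed and compared with its successor's PrevHash, so editing or reordering a record breaks the chain. Because each document has its own key, a leaked document key exposes one document only; the master key, which unwraps all of them, is the asset to protect, which is why a production system keeps it in a KMS or HSM rather than in process memory as this example does.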
The documents may be of any type of electronic file format, such as Microsoft™ Word™ or Excel™, Portable Document Format (PDF), image (e.g., JPEG or TIFF), audio (e.g., MP3), or video (e.g., MP4 or AVI), as just some examples. The documents may have been executed to indicate that those executing the documents are certifying that the documents are authentic, such as through digital signing via an electronic service (e.g., Adobe™ Sign™), or through physical ink signatures on hardcopies of the documents. In one embodiment, the user of the creation client device 131 uses a graphical user interface to specify the document(s) to be memorialized—e.g., using a file chooser control of a web page of the system 100—as well as metadata for the document(s), such as title, description, document date, date of document signing, and/or comments, which is saved along with the document(s). In some embodiments, the memorialization module 102 analyzes the document(s) to be memorialized, extracts metadata (e.g., with text processing to determine the purpose of a document (such as a medical power of attorney document), or image analysis to determine the subject of a document containing an image), and pre-populates the metadata within the graphical user interface. In some embodiments, the user interface additionally fa