| CPC H04L 9/085 (2013.01) [G06F 21/602 (2013.01); H04L 9/08 (2013.01); H04L 9/0819 (2013.01); H04L 9/083 (2013.01); H04L 9/088 (2013.01); H04L 9/0891 (2013.01)] | 25 Claims |

1. A method of generating, distributing, and managing a lifecycle of symmetric pre-shared keys (PSKs) used in certificate-less document security with selective object encryption, for use between applications executing on distributed devices including a producer application executing on a producer device, a consumer application executing on a consumer device, a key distribution service (KDS), a KDS proxy, a KDS interface, a symmetric KDS member M-PSK, a M-PSK identity hint, a tenant identifier, a device group identifier associated with the tenant identifier, a member domain associated with the group identifier, an application identifier associated with the group identifier, a key record, a dynamic host configuration protocol (DHCP) server, and a domain name system (DNS) server, the method comprising:
authenticating, with the KDS, by the producer application executing on the producer device, using the tenant identifier configured on the producer device, the symmetric KDS member PSK (M-PSK) and the M-PSK identity hint, wherein the producer device is registered by a DNS hostname on the DNS server configured with the KDS or the KDS proxy, and wherein the producer device is configured as a first member of a device group on the KDS;
creating, by the producer application executing on the producer device, on the KDS, symmetric pre-shared keys with associated pre-shared key (PSK) identity hints;
encrypting embedded objects within a document, by the producer application executing on the producer device, selectively using the created pre-shared keys, wherein the producer application is a word processing software or a document exchange program, and further wherein different embedded objects are encrypted with different pre-shared keys, and further wherein each pre-shared key identity hint is tagged to the respective encrypted object;
sending, by the producer application executing on the producer device to the consumer application executing on the consumer device, the document with the embedded encrypted objects and the tagged pre-shared key identity hints;
authenticating, with the KDS, by the consumer application executing on the consumer device, using the tenant identifier, the symmetric KDS member PSK (M-PSK) and the M-PSK identity hint, wherein the consumer device is registered by a DNS hostname on the DNS server configured with the KDS or the KDS proxy, and wherein the consumer device is configured as a second member of the device group on the KDS;
receiving, by the consumer application executing on the consumer device, the document with the embedded encrypted objects and the tagged pre-shared key identity hints;
retrieving, by the consumer application executing on the consumer device, from the KDS, using at least the group identifier and the pre-shared key identity hint, the pre-shared keys for the pre-shared key identity hints tagged with the respective encrypted embedded objects in the received document, for decryption; and
restricting access privileges to the encrypted embedded objects within the document, by the consumer application executing on the consumer device, on devices authenticated and validated by the KDS, wherein the consumer application is a word processing software or a document exchange program.
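The flow claimed above (member authentication to the KDS with a tenant identifier plus M-PSK, a distinct PSK with its own identity hint per embedded object, retrieval scoped by group identifier and hint, and decryption limited to devices the KDS has authenticated into the group), as an added Go example written for this page; it is not code from the patent or its assignee. The KDS is an in-memory stand-in; the tenant, group and device names, the M-PSK values and the two embedded objects are constructed; AES-256-GCM is an assumed cipher choice (the claim names none); M-PSK verification is a constant-time comparison standing in for a TLS-PSK handshake; and the DHCP/DNS registration and the KDS proxy are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"fmt"
)

// M-PSKs of the three example devices (constructed values, not real secrets).
var ProducerMPSK, ConsumerMPSK, OutsiderMPSK = []byte("producer-mpsk"), []byte("consumer-mpsk"), []byte("outsider-mpsk")

type member struct{ tenant, group string; mpsk []byte } // one device enrolled in a device group
type keyID struct{ group, hint string }                 // object PSKs are scoped by group and hint

// KDS is an in-memory stand-in for the key distribution service.
type KDS struct {
	members map[string]member // keyed by M-PSK identity hint
	keys    map[keyID][]byte
}

// Authenticate checks the tenant identifier and the M-PSK presented under the hint (a real
// KDS would run a TLS-PSK handshake rather than receive the key) and returns the device group.
func (k *KDS) Authenticate(tenant, hint string, mpsk []byte) (string, error) {
	m, ok := k.members[hint]
	if !ok || m.tenant != tenant || !hmac.Equal(m.mpsk, mpsk) {
		return "", fmt.Errorf("authentication failed for %q in tenant %q", hint, tenant)
	}
	return m.group, nil
}

// CreateKey mints a fresh 256-bit PSK for the group and returns its identity hint.
func (k *KDS) CreateKey(group string) (hint string, key []byte) {
	key, id := make([]byte, 32), make([]byte, 8)
	rand.Read(key)
	rand.Read(id)
	hint = fmt.Sprintf("%s:%x", group, id)
	k.keys[keyID{group, hint}] = key
	return hint, key
}

// EncObject is one selectively encrypted embedded object tagged with its PSK hint.
type EncObject struct{ Name, Hint string; Nonce, Ct []byte }
func gcm(key []byte) cipher.AEAD { // CreateKey fixes the key length at 32 bytes
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt seals one object under its own PSK, binding the object name as AAD so
// a sealed object cannot be moved to another slot of the document unnoticed.
func Encrypt(name, hint string, key, plaintext []byte) EncObject {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return EncObject{name, hint, nonce, g.Seal(nil, nonce, plaintext, []byte(name))}
}

// Consume authenticates the consumer device, then fetches each tagged PSK from the
// consumer's own group and decrypts. Unreleased keys leave the object sealed; tampering is a GCM error.
func Consume(k *KDS, tenant, hint string, mpsk []byte, doc []EncObject) (map[string][]byte, error) {
	group, err := k.Authenticate(tenant, hint, mpsk)
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for _, o := range doc {
		key, ok := k.keys[keyID{group, o.Hint}] // retrieval keyed by group id + PSK identity hint
		if !ok {
			continue
		}
		pt, err := gcm(key).Open(nil, o.Nonce, o.Ct, []byte(o.Name))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", o.Name, err)
		}
		out[o.Name] = pt
	}
	return out, nil
}

// BuildScenario enrolls producer and consumer in group-1 and an outsider in
// group-2, then has the producer seal two embedded objects under distinct PSKs.
func BuildScenario() (*KDS, []EncObject) {
	kds := &KDS{keys: map[keyID][]byte{}, members: map[string]member{
		"prod":  {"tenant-a", "group-1", ProducerMPSK},
		"cons":  {"tenant-a", "group-1", ConsumerMPSK},
		"other": {"tenant-a", "group-2", OutsiderMPSK},
	}}
	group, err := kds.Authenticate("tenant-a", "prod", ProducerMPSK)
	if err != nil {
		panic(err)
	}
	h1, k1 := kds.CreateKey(group)
	h2, k2 := kds.CreateKey(group)
	return kds, []EncObject{Encrypt("salary.xlsx", h1, k1, []byte("salary table")),
		Encrypt("chart.png", h2, k2, []byte("chart bytes"))}
}
```

Two points the claim only implies are visible here: the PSK identity hint travelling with the document is a lookup handle, not a secret, so the access control lives entirely in the KDS scoping the lookup by the group the caller authenticated into (a device from another group authenticates successfully and still receives no keys, leaving those objects sealed), and because each object carries its own key a compromised key exposes one object rather than the whole document, which is the point of selective object encryption.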