US 12,425,191 B1
System and method for providing multiple key encryption
James Pecoraro, New York, NY (US); Scott Ryan James, New York, NY (US); Jakub Guzikowski, Wroclaw (PL); Cezary Siewierski, Dublin (IE); and Jason Niggel, New York, NY (US)
Assigned to THE BANK OF NEW YORK MELLON, New York, NY (US)
Filed by The Bank of New York Mellon, New York, NY (US)
Filed on Oct. 6, 2023, as Appl. No. 18/482,650.
Int. Cl. H04L 29/06 (2006.01); H04L 9/08 (2006.01); H04L 9/14 (2006.01)
CPC H04L 9/0822 (2013.01) [H04L 9/0877 (2013.01); H04L 9/0891 (2013.01); H04L 9/14 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for providing multiple key encryption, comprising:
generating a private key encryption key (KEK) and a corresponding public KEK in a trusted execution environment (TEE);
providing the public KEK to a key generator;
generating, by the key generator, a data encryption key (DEK) and encrypting the DEK with the public KEK;
obtaining, by a key processor, an ephemeral public key and the encrypted DEK, and sending the ephemeral public key and the encrypted DEK to the TEE;
decrypting, by the TEE, the encrypted DEK using the private KEK, and re-encrypting the decrypted DEK with the ephemeral public key;
obtaining, by the key processor, the re-encrypted DEK from the TEE and passing the re-encrypted DEK to a signing service;
decrypting, by the signing service, the re-encrypted DEK using a corresponding ephemeral private key; and
encrypting, by the signing service, data using the DEK.
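The claim above describes a two-hop key transport: the DEK is wrapped once for the TEE's KEK, the TEE re-wraps it for a per-request ephemeral key, and only the signing service ever holds it in the clear. The following Go program is an added worked example of that exchange and is not code from the patent or from The Bank of New York Mellon; the claim names no algorithms, so RSA-OAEP for both wrapping steps and AES-256-GCM for the data encryption are assumptions, as are the type and function names (TEE, GenerateWrappedDEK, SigningService, RunProtocol). The "key processor" role is played by RunProtocol, which only moves opaque blobs and never sees a plaintext key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// OAEP label used for both wrapping steps (assumed; the claim specifies none).
var oaepLabel = []byte("dek-wrap")

// TEE owns the private KEK; only the public half is ever exported.
type TEE struct{ kek *rsa.PrivateKey }

func NewTEE() (*TEE, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TEE{kek: k}, nil
}

func (t *TEE) PublicKEK() *rsa.PublicKey { return &t.kek.PublicKey }

// Rewrap unwraps the DEK with the private KEK and immediately wraps it again
// for the ephemeral public key. The plaintext DEK exists only inside this call.
func (t *TEE) Rewrap(wrapped []byte, ephPub *rsa.PublicKey) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, t.kek, wrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("tee: unwrap under KEK failed: %w", err)
	}
	defer zero(dek)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, ephPub, dek, oaepLabel)
}

// GenerateWrappedDEK is the key generator: it draws a fresh 256-bit DEK, wraps
// it under the public KEK and discards its own copy of the plaintext.
func GenerateWrappedDEK(pubKEK *rsa.PublicKey) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pubKEK, dek, oaepLabel)
}

// SigningService holds the ephemeral key pair and is the only party that
// unwraps the DEK to plaintext.
type SigningService struct{ eph *rsa.PrivateKey }

func NewSigningService() (*SigningService, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SigningService{eph: k}, nil
}

func (s *SigningService) EphemeralPublicKey() *rsa.PublicKey { return &s.eph.PublicKey }

func (s *SigningService) Unwrap(rewrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, s.eph, rewrapped, oaepLabel)
}

// EncryptWithDEK encrypts with AES-256-GCM; the random nonce is prepended.
func EncryptWithDEK(dek, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptWithDEK reverses EncryptWithDEK and fails on any tampering.
func DecryptWithDEK(dek, ct []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Result keeps the intermediate blobs so a caller can check what each party saw.
// DEK is returned only for verification; in a deployment it never leaves the service.
type Result struct{ WrappedDEK, RewrappedDEK, DEK, Ciphertext []byte }

// RunProtocol plays the key processor: it ferries opaque blobs between the
// parties in the order of the claim and never holds a plaintext key itself.
func RunProtocol(tee *TEE, svc *SigningService, plaintext []byte) (*Result, error) {
	wrapped, err := GenerateWrappedDEK(tee.PublicKEK())
	if err != nil {
		return nil, err
	}
	rewrapped, err := tee.Rewrap(wrapped, svc.EphemeralPublicKey())
	if err != nil {
		return nil, err
	}
	dek, err := svc.Unwrap(rewrapped)
	if err != nil {
		return nil, err
	}
	ct, err := EncryptWithDEK(dek, plaintext)
	if err != nil {
		return nil, err
	}
	return &Result{wrapped, rewrapped, dek, ct}, nil
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	tee, _ := NewTEE()
	svc, _ := NewSigningService()
	r, err := RunProtocol(tee, svc, []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped %d B, rewrapped %d B, ciphertext %d B\n",
		len(r.WrappedDEK), len(r.RewrappedDEK), len(r.Ciphertext))
	// The TEE cannot read a blob bound to the ephemeral key, and the signing
	// service cannot read a blob bound to the KEK: each hop is one-way.
	_, err = tee.Rewrap(r.RewrappedDEK, svc.EphemeralPublicKey())
	fmt.Println("TEE on rewrapped blob:", err)
}
```

Two properties worth checking when reviewing a design like this: the re-wrapped blob must be unreadable by the TEE's own KEK (otherwise the ephemeral key adds nothing), and a blob wrapped for the KEK must be unreadable by the signing service (otherwise the TEE hop could be skipped). Both follow from using distinct key pairs, and the test below asserts them along with GCM's tamper detection on the final ciphertext.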