Description:FIELD OF INVENTION
[0001] Embodiments of the present disclosure relate to the field of cyber security systems, and more particularly, a cybersecurity system and a method to protect a web environment from quantum-based threats.
BACKGROUND
[0002] Rivest–Shamir–Adleman (RSA) is an asymmetric encryption algorithm widely used for secure data transmission and digital signatures, especially in digital banking. However, RSA and similar classical cryptographic systems now face a significant threat from the rapid advancement of quantum computing.
[0003] A quantum threat refers to the potential ability of a quantum computer to break widely used encryption schemes such as RSA and Elliptic Curve Cryptography (ECC). These algorithms currently form the foundation of online security protocols including TLS/SSL, secure messaging, remote access, digital signatures, software protection, and cryptocurrencies.
[0004] RSA's security relies on the computational difficulty of factoring large integers, a challenge that Shor’s algorithm, a quantum algorithm, can overcome efficiently. As a result, once practical quantum computers become available, they could render RSA and ECC obsolete by enabling attackers to decrypt previously secure communications.
[0005] However, various quantum-safe algorithms have been proposed, such as those standardized by the U.S. National Institute of Standards and Technology (NIST) these alternatives often rely on highly complex mathematical constructs. Implementing these algorithms requires huge increase in computation power both at server, client and during transit. as well as major changes to the existing ecosystem of browsers, servers, RSA certificate issuers and transport protocol. These transitions involve significant cost and time, making widespread adoption a long-term challenge for businesses.
[0006] Hence, there is a need for a cybersecurity system and a method to protect a web environment from quantum-based threats which address the aforementioned issue(s).
OBJECTIVE OF THE INVENTION
[0007] A primary objective of the invention is to provide a secure cybersecurity system for protecting a web environment from quantum-based threats by enabling distributed, client-side generation of a 256-bit Advanced Encryption Standard (AES) session key derived from independently encrypted key shares added over standard RSA-based protocols.
BRIEF DESCRIPTION
[0008] In accordance with an embodiment of the present disclosure, a cybersecurity system to protect a web environment from quantum-based threats is provided. The system includes a processing subsystem hosted on a server. The processing subsystem is configured to execute on a network to control bidirectional communications among a plurality of modules. The processing subsystem includes a user authentication module configured to authenticate a user from a web browser using a login mechanism to initiate a secure session. The processing subsystem includes an initialization module operatively coupled to the user authentication module. The initialization module is configured to trigger the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares. The processing subsystem includes a distributed key share module operatively coupled to the initialization module. The distributed key share module includes a first microservice configured to generate and encrypt a first partial encryption key using a first Rivest–Shamir–Adleman (RSA) key. The distributed key share module includes a second microservice configured to generate and encrypt a second partial encryption key using a second RSA key. The processing subsystem includes a browser-based web assembly cryptographic module operatively coupled to the distributed key share module. The browser-based web assembly cryptographic module is configured to receive the encrypted first partial encryption key from the first microservice and the encrypted second partial encryption key from the second microservice. The browser-based web assembly cryptographic module is configured to decrypt the encrypted first partial encryption key using a first RSA private key and the encrypted second partial encryption key using a second RSA private key. The browser-based web assembly cryptographic module is configured to combine the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard session key. The processing subsystem includes a session encryption module operatively coupled to the browser-based web assembly cryptographic module. The session encryption module is configured to perform encryption and decryption of session data using the 256-bit advanced encryption standard session key. The processing subsystem includes an ephemeral key memory management module operatively coupled to the session encryption module. The ephemeral key memory management module is configured to store the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session. The ephemeral key memory management module is configured to erase the 256-bit advanced encryption standard session key upon session termination, logout, timeout, or error detection.
[0009] In accordance with another embodiment of the present disclosure, a cybersecurity method to protect a web environment from quantum-based threats is provided. The method includes authenticating, by a user authentication module, a user from a web browser using a login mechanism to initiate a secure session. The method includes triggering, by an initialization module, the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares. The method includes generating and encrypting, by a first microservice of a distributed key share module a first partial encryption key using a first RSA key. The method includes generating and encrypting, by a second microservice of the distributed key share module, a second partial encryption key using a second RSA key. The method includes receiving, by a browser-based web assembly cryptographic module, the encrypted first partial encryption key from the first microservice and the encrypted second partial encryption key from the second microservice. The method includes decrypting, by the browser-based web assembly cryptographic module, using a first RSA private key and the encrypted second partial encryption key using a second RSA private key. The method includes combining, by the browser-based web assembly cryptographic module, the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard session key. The method includes performing, by a session encryption module, encryption and decryption of session data using the 256-bit advanced encryption standard session key. The method includes storing, by an ephemeral key memory management module, the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session. The method includes erasing, by the ephemeral key memory management module, the 256-bit advanced encryption standard session key upon session termination, logout, timeout, or error detection.
[0010] To further clarify the advantages and features of the present disclosure, a more particular description of the disclosure will follow by reference to specific embodiments thereof, which are illustrated in the appended figures. It is to be appreciated that these figures depict only typical embodiments of the disclosure and are therefore not to be considered limiting in scope. The disclosure will be described and explained with additional specificity and detail with the appended figures.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] The disclosure will be described and explained with additional specificity and detail with the accompanying figures in which:
[0012] FIG. 1 is a block diagram representation of a cybersecurity system to protect a web environment from quantum-based threats in accordance with an embodiment of the present disclosure;
[0013] FIG. 2 is a schematic diagram illustrating a secure client-server key exchange framework of a cybersecurity system to protect a web environment from quantum-based threats in accordance with an embodiment of the present disclosure;
[0014] FIG. 3 is a schematic diagram illustrating a session-level impact of an RSA private key compromise in a cybersecurity system of FIG.1 in accordance with an embodiment of the present disclosure.
[0015] FIG. 4 is a block diagram of a computer or a server in accordance with an embodiment of the present disclosure;
[0016] FIG. 5(a) illustrates a flow chart representing the steps involved in a cybersecurity method to protect a web environment from quantum-based threats in accordance with an embodiment of the present disclosure; and
[0017] FIG. 5(b) illustrates continued steps of the method of FIG. 5(a) in accordance with an embodiment of the present disclosure.
[0018] Further, those skilled in the art will appreciate that elements in the figures are illustrated for simplicity and may not have necessarily been drawn to scale. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the figures by conventional symbols, and the figures may show only those specific details that are pertinent to understanding the embodiments of the present disclosure so as not to obscure the figures with details that will be readily apparent to those skilled in the art having the benefit of the description herein.
DETAILED DESCRIPTION
[0019] For the purpose of promoting an understanding of the principles of the disclosure, reference will now be made to the embodiment illustrated in the figures and specific language will be used to describe them. It will nevertheless be understood that no limitation of the scope of the disclosure is thereby intended. Such alterations and further modifications in the illustrated system, and such further applications of the principles of the disclosure as would normally occur to those skilled in the art are to be construed as being within the scope of the present disclosure.
[0020] The terms “comprises”, “comprising”, or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such a process or method. Similarly, one or more devices or subsystems or elements or structures or components preceded by "comprises... a" does not, without more constraints, preclude the existence of other devices, sub-systems, elements, structures, components, additional devices, additional sub-systems, additional elements, additional structures or additional components. Appearances of the phrase "in an embodiment", "in another embodiment" and similar language throughout this specification may, but not necessarily do, all refer to the same embodiment.
[0021] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the art to which this disclosure belongs. The system, methods, and examples provided herein are only illustrative and not intended to be limiting.
[0022] In the following specification and the claims, reference will be made to a number of terms, which shall be defined to have the following meanings. The singular forms “a”, “an”, and “the” include plural references unless the context clearly dictates otherwise.
[0023] Embodiment of the present disclosure related to a cybersecurity system to protect a web environment from quantum-based threats. The system includes a processing subsystem hosted on a server. The processing subsystem is configured to execute on a network to control bidirectional communications among a plurality of modules. The processing subsystem includes a user authentication module configured to authenticate a user from a web browser using a login mechanism to initiate a secure session. The processing subsystem includes an initialization module operatively coupled to the user authentication module. The initialization module is configured to trigger the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares. The processing subsystem includes a distributed key share module operatively coupled to the initialization module. The distributed key share module includes a first microservice configured to generate and encrypt a first partial encryption key using a first RSA key. The distributed key share module includes a second microservice configured to generate and encrypt a second partial encryption key using a second RSA key. The processing subsystem includes a browser-based web assembly cryptographic module operatively coupled to the distributed key share module. The browser-based web assembly cryptographic module is configured to receive the encrypted first partial encryption key from the first microservice and the encrypted second partial encryption key from the second microservice. The browser-based web assembly cryptographic module is configured to decrypt the encrypted first partial encryption key using a first RSA private key and the encrypted second partial encryption key using a second RSA private key. The browser-based web assembly cryptographic module is configured to combine the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard session key. The processing subsystem includes a session encryption module operatively coupled to the browser-based web assembly cryptographic module. The session encryption module is configured to perform encryption and decryption of session data using the 256-bit advanced encryption standard session key. The processing subsystem includes an ephemeral key memory management module operatively coupled to the session encryption module. The ephemeral key memory management module is configured to store the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session. The ephemeral key memory management module is configured to erase the 256-bit advanced encryption standard session key upon session termination, logout, timeout, or error detection.
[0024] FIG. 1 is a block diagram of a cybersecurity system (100) to protect a web environment from quantum-based threats in accordance with an embodiment of the present disclosure. As used herein, the term 'web environment' refers to a browser-based client-server framework in which user interactions and data exchanges occur over the Internet using standard web protocols such as HTTP or HTTPS. Quantum-based threats refer to potential security vulnerabilities introduced by quantum computing technologies.
[0025] The system (100) includes a processing subsystem (105) hosted on a server (108). In one embodiment, the server (108) may include a cloud-based server. In another embodiment, parts of the server (108) may be a local server coupled to a user device (not shown in FIG.1). The processing subsystem (105) is configured to execute on a network (115) to control bidirectional communications among a plurality of modules. In one example, the network (115) may be a private or public local area network (LAN) or Wide Area Network (WAN), such as the Internet. In another embodiment, the network (115) may include both wired and wireless communications according to one or more standards and/or via one or more transport mediums. In one example, the network (115) may include wireless communications according to one of the 802.11 or Bluetooth specification sets, or another standard or proprietary wireless communication protocol. In yet another embodiment, the network (115) may also include communications over a terrestrial cellular network, including, a global system for mobile communications (GSM), code division multiple access (CDMA), and/or enhanced data for global evolution (EDGE) network.
[0026] The processing subsystem (105) includes a user authentication module (120) configured to authenticate a user from a web browser using a login mechanism to initiate a secure session. More specifically, the user authentication module (120) receives login credentials (e.g., username/password, one-time PIN, or other credentials) transmitted over a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) channel through a login interface. Upon receipt of the login credentials, the user authentication module (120) verifies the identity of the user using the login mechanism, which may include but are not limited to one of OAuth, Single Sign-On, and basic authentication, and the like. Upon successful authentication, the user authentication module (120) initiates the secure session.
[0027] The processing subsystem (105) includes an initialization module (125) operatively coupled to the user authentication module (120). The initialization module (125) is configured to trigger the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares. More specifically Upon successful user authentication, the initialization module (125) triggers the user's web browser via HTTPS to automatically send parallel asynchronous requests to the at least two remote microservices for the retrieval of encrypted partial cryptographic key share. The at least two remote microservices include a first microservice (135) and a second microservice (140).
[0028] The processing subsystem (105) includes a distributed key share module (130) operatively coupled to the initialization module (125). The distributed key share module (130) includes a first microservice (135) configured to generate and encrypt a first partial encryption key using a first Rivest–Shamir–Adleman (RSA) key. The encrypted first partial encryption key is a 128-bit key.
[0029] RSA algorithm is a widely used public-key cryptography algorithm that relies on the difficulty of factoring large numbers. It uses a pair of keys: a public key for encryption and a private key for decryption. RSA is employed for secure communication, digital signatures, and key exchange, and its security stems from the mathematical challenge of determining the private key from the public key.
[0030] The distributed key share module (130) includes a second microservice (140) configured to generate and encrypt a second partial encryption key using a second RSA key. The encrypted second partial encryption key is a 128-bit key.
[0031] In an embodiment, each microservice in the distributed key share module (130) utilizes a separate standard RSA certificate to perform the encryption of its respective key share, ensuring that the partial encryption keys remain confidential during transmission.
[0032] The processing subsystem (105) includes a browser-based web assembly cryptographic module (145) operatively coupled to the distributed key share module (130). The browser-based web assembly cryptographic module (145) is configured to receive the encrypted first partial encryption key from the first microservice (135) and the encrypted second partial encryption key from the second microservice (140). These encrypted keys are transmitted over a secure RSA based-TLS channel.
[0033] The browser-based web assembly cryptographic module (145) is configured to decrypt the encrypted first partial encryption key using a first RSA private key and the encrypted second partial encryption key using a second RSA private key.
[0034] The browser-based web assembly cryptographic module (145) is configured to combine the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard (AES) session key. The 256-bit advanced encryption standard session key is unique to the current user session and is used solely for encrypting and decrypting communication data during the session.
[0035] Advanced Encryption Standard (AES) is a symmetric encryption algorithm standardized by the National Institute of Standards and Technology (NIST). The 256-bit AES key length is widely used for high-security applications and is considered quantum-resistant with respect to symmetric cryptography. AES is widely used in various applications, including government computer security, cybersecurity, electronic data protection, and the like.
[0036] The processing subsystem (105) includes a session encryption module (150) operatively coupled to the browser-based web assembly cryptographic module (145). The session encryption module (150) is configured to perform encryption and decryption of session data using the 256-bit advanced encryption standard session key. More specifically, the session encryption module (150) performs symmetric encryption and decryption of session data exchanged between a client and a server. The encryption step ensures confidentiality and data protection throughout the duration of the authenticated session.
[0037] The processing subsystem (105) includes an ephemeral key memory management module (155) operatively coupled to the session encryption module (150). The ephemeral key memory management module (155) is configured to store the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session. The Webassembly memory store the 256-bit advanced encryption standard session key in a secure, non-exposed memory space, thereby preventing access from attackers and ensures that the session key remains inaccessible to the client-side attack surface. The WebAssembly memory refers to a low-level, sandboxed memory space within a browser runtime environment. This memory is accessible by WebAssembly modules and is designed to be secure and isolated. WebAssembly memory operates at a very basic level, providing raw bytes for storage and manipulation.
[0038] In an embodiment, the webassembly memory is built using RUST programming language.
[0039] The ephemeral key memory management module (155) is configured to erase the 256-bit advanced encryption standard key upon session termination, logout, timeout, or error detection. Additionally, after each cryptographic operation, the WebAssembly memory may be zeroized or wiped to eliminate residual key traces. Upon logout, timeout, or error, the WebAssembly module explicitly overwrites the AES-256 session key in memory, thereby preventing retrieval in the event of a subsequent compromise of the browser or client memory.
[0040] Let’s consider a user “X” accessing a secure bank web application protected by the cybersecurity system (100). The user authentication module (120) authenticates the user through secure login credentials. Upon successful login, the initialization module (125) triggers the user's browser to send parallel HTTPS requests to two independent microservices for key shares. The first microservice (135) generates a 128-bit AES partial key and encrypts it using a first RSA key and the second microservice (140) that generates and encrypts a second 128-bit AES partial key using a second RSA key. These encrypted key shares are securely transmitted to the browser. The browser-based WebAssembly cryptographic module receives both encrypted keys, decrypts them using corresponding RSA private keys, and combines them to generate the 256-bit AES session key. The 256-bit AES session key is then stored temporarily in isolated WebAssembly memory by the ephemeral key memory management module (155). Now, for instance an attacker gains access to one of the RSA key used in a single session. Only one encrypted partial key can be decrypted and without the second partial key, the attacker cannot generate the AES-256 session key. Since the key is stored exclusively in WebAssembly memory, and is erased upon session termination, logout, timeout, or error detection.
[0041] It is to be noted that the system (100) may comprise, but is not limited to, a mobile phone, desktop computer, portable digital assistant (PDA), smart phone, tablet, ultra-book, netbook, laptop, multi-processor system, microprocessor-based or programmable consumer electronic system, or any other communication device that a user may use. In some embodiments, the system may comprise a display module (not shown) to display information (for example, in the form of user interfaces). In further embodiments, the system may comprise one or more of touch screens, accelerometers, gyroscopes, cameras, microphones, global positioning system (GPS) devices, and so forth.
[0042] In one embodiment, the various functional components of the system (100) may reside on a single computer, or they may be distributed across several computers in various arrangements. The various components of the system (100) may, furthermore, access one or more databases, and each of the various components of the system may be in communication with one another. Further, while the components of FIG. 1 are discussed in the singular sense, it will be appreciated that in other embodiments multiple instances of the components may be employed.
[0043] FIG. 2 is a schematic diagram illustrating a secure client-server key exchange framework of a cybersecurity system (100) to protect a web environment from quantum-based threats in accordance with an embodiment of the present disclosure. The framework enables generation, encryption, and secure transmission of an encrypted first partial encryption key from a first microservice (135) and an encrypted second partial encryption key from the second microservice (140). As shown, the cybersecurity system (100) comprises a server-side and a client-side. The server side comprises the first microservice (135), which authenticates the user and generates a first partial AES encryption key, and the second microservice (140), which generates a second partial AES encryption key. Each microservice encrypts its respective 128-bit key share independently using its own RSA certificate.
[0044] On the client side, a browser-based web assembly cryptographic module (145) residing in the user’s browser receives the encrypted key shares from both microservices via HTTPS. Specifically, the Browser-based web assembly cryptographic module (145) initiates two parallel RSA-encrypted requests: one to retrieve the first encrypted key and another to retrieve the second encrypted key. Upon receipt, the browser-based web assembly cryptographic module (145) uses corresponding RSA private keys to decrypt the encrypted key shares. Once both partial keys are decrypted, the browser-based web assembly cryptographic module (145) combines them to form a 256-bit AES session key, which is securely stored in an ephemeral WebAssembly memory for the duration of the session.
[0045] FIG. 3 is a schematic diagram illustrating a session-level impact of an RSA private key compromise in a cybersecurity system (100) of FIG.1 in accordance with an embodiment of the present disclosure. As shown, an attacker (205) may obtain unauthorized access to a stolen RSA private key. However, due to the framework of the cybersecurity system (100), which utilizes a 256-bit advanced encryption standard session key for each user session (210), the impact of such a breach is significantly minimized.
[0046] Specifically, even if the RSA key is compromised, only the session corresponding to that key exchange is potentially exposed, as indicated in the FIG.3. All other sessions remain (215) secure because they are protected by independently generated AES-256 session keys, which never persisted and are securely stored only in WebAssembly memory during the session, thereby ensuring that the compromise of one session does not affect the confidentiality or integrity of other concurrent or future sessions. Each new session has fresh AES key.
[0047] FIG. 4 is a block diagram of a computer or a server (108) in accordance with an embodiment of the present disclosure. The server (108) includes processor(s) (330), and memory (310) operatively coupled to the bus (320). The processor(s) (330), as used herein, means any type of computational circuit, such as, but not limited to, a microprocessor, a microcontroller, a complex instruction set computing microprocessor, a reduced instruction set computing microprocessor, a very long instruction word microprocessor, an explicitly parallel instruction computing microprocessor, a digital signal processor, or any other type of processing circuit, or a combination thereof.
[0048] The memory (310) includes several subsystems stored in the form of an executable program which instructs the processor (330) to perform the method steps illustrated in FIG. 1. The memory (310) includes a processing subsystem (105) of FIG.1. The processing subsystem (105) further has following modules: a user authentication module (120), an initialization module (125), a distributed key share module (130), a browser-based web assembly cryptographic module (145), a session encryption module (150), and an ephemeral key memory management module (155).
[0049] In accordance with an embodiment of the present disclosure, a cybersecurity system (100) to protect a web environment from quantum-based threats is provided. The system (100) includes a processing subsystem (105) hosted on a server (108). The processing subsystem (105) is configured to execute on a network (115) to control bidirectional communications among a plurality of modules. The processing subsystem (105) includes a user authentication module (120) configured to authenticate a user from a web browser using a login mechanism to initiate a secure session. The processing subsystem (105) includes an initialization module (125) operatively coupled to the user authentication module (120). The initialization module (125) is configured to trigger the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares. The processing subsystem (105) includes a distributed key share module (130) operatively coupled to the initialization module (125). The distributed key share module (130) includes a first microservice (135) configured to generate and encrypt a first partial encryption key using a first RSA key. The distributed key share module (130) includes a second microservice (140) configured to generate and encrypt a second partial encryption key using a second RSA key. The processing subsystem (105) includes a browser-based web assembly cryptographic module (145) operatively coupled to the distributed key share module (130). The browser-based web assembly cryptographic module (145) is configured to receive the encrypted first partial encryption key from the first microservice (135) and the encrypted second partial encryption key from the second microservice (140). The browser-based web assembly cryptographic module (145) is configured to decrypt the encrypted first partial encryption key using a first RSA private key and the encrypted second partial encryption key using a second RSA private key. The browser-based web assembly cryptographic module (145) is configured to combine the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard session key. The processing subsystem (105) includes a session encryption module (150) operatively coupled to the browser-based web assembly cryptographic module (145). The session encryption module (150) is configured to perform encryption and decryption of session data using the 256-bit advanced encryption standard session key. The processing subsystem (105) includes an ephemeral key memory management module (155) operatively coupled to the session encryption module (150). The ephemeral key memory management module (155) is configured to store the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session. The ephemeral key memory management module (155) is configured to erase the 256-bit advanced encryption standard session key upon session termination, logout, timeout, or error detection
[0050] The bus (320) as used herein refers to be internal memory channels or computer network that is used to connect computer components and transfer data between them. The bus (320) includes a serial bus or a parallel bus, wherein the serial bus transmits data in bit-serial format and the parallel bus transmits data across multiple wires. The bus (320) as used herein, may include but not limited to, a system bus, an internal bus, an external bus, an expansion bus, a frontside bus, a backside bus and the like.
[0051] FIG. 5(a) illustrates a flow chart representing the steps involved in a cybersecurity method (400) to protect a web environment from quantum-based threats in accordance with an embodiment of the present disclosure. FIG. 5(b) illustrates continued steps of the method (400) of FIG. 5(a) in accordance with an embodiment of the present disclosure. The method (400) includes authenticating, by a user authentication module, a user from a web browser using a login mechanism to initiate a secure session in step 405. More specifically, the user authentication module receives login credentials (e.g., username/password, one-time PIN, or other credentials) transmitted over a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) channel through a login interface. Upon receipt of the login credentials, the user authentication module verifies the identity of the user using the login mechanism, which may include but are not limited to one of OAuth, Single Sign-On, and basic authentication, and the like. Upon successful authentication, the user authentication module initiates the secure session
[0052] The method (400) includes triggering, by an initialization module, the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares in step 410. More specifically Upon successful user authentication, the initialization module triggers the user's web browser via HTTPS to automatically send parallel asynchronous requests to the at least two remote microservices for the retrieval of encrypted partial cryptographic key share. The at least two remote microservices include a first microservice and a second microservice.
[0053] The method (400) includes generating and encrypting, by the first microservice of a distributed key share module a first partial encryption key using a first RSA key in step 415. The encrypted first partial encryption key is a 128-bit key.
[0054] RSA algorithm is a widely used public-key cryptography algorithm that relies on the difficulty of factoring large numbers. It uses a pair of keys: a public key for encryption and a private key for decryption. RSA is employed for secure communication, digital signatures, and key exchange, and its security stems from the mathematical challenge of determining the private key from the public key.
[0055] The method (400) includes generating and encrypting, by the second microservice of the distributed key share module, a second partial encryption key using a second RSA key in step 420. The encrypted second partial encryption key is a 128-bit key.
[0056] In an embodiment, each microservice in the distributed key share module utilizes a separate standard RSA certificate to perform the encryption of its respective key share, ensuring that the partial encryption keys remain confidential during transmission.
[0057] The method (400) includes receiving, by a browser-based web assembly cryptographic module, the encrypted first partial encryption key from the first microservice and the encrypted second partial encryption key from the second microservice in step 425. These encrypted keys are transmitted over a secure RSA based-TLS channel.
[0058] The method (400) includes decrypting, by the browser-based web assembly cryptographic module, using a first RSA private key and the encrypted second partial encryption key using a second RSA private key in step 430.
[0059] The method (400) includes combining, by the browser-based web assembly cryptographic module, the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard session key in step 435. The 256-bit advanced encryption standard session key is unique to the current user session and is used solely for encrypting and decrypting communication data during the session.
[0060] The method (400) includes performing, by a session encryption module, encryption and decryption of session data using the 256-bit advanced encryption standard session key in step 440. More specifically, the session encryption module performs symmetric encryption and decryption of session data exchanged between a client and a server. The encryption step ensures confidentiality and data protection throughout the duration of the authenticated session.
[0061] The method (400) includes storing, by an ephemeral key memory management module, the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session in step 445. the WebAssembly memory is an isolated memory allocation, which ensures that the session key remains inaccessible to the client-side attack surface.
[0062] The method (400) includes erasing, by the ephemeral key memory management module, the 256-bit advanced encryption standard session key upon session termination, logout, timeout, or error detection in step 450. Additionally, after each cryptographic operation, the WebAssembly memory may be zeroized or wiped to eliminate residual key traces. Upon logout, timeout, or error, the WebAssembly module explicitly overwrites the AES-256 session key in memory, thereby preventing retrieval in the event of a subsequent compromise of the browser or client memory.
[0063] Various embodiments of the cybersecurity system and method to protect a web environment from quantum-based threats as described above offer several advantages. The cybersecurity system offers a low-cost, multi-layer encryption solution that enhances cybersecurity in browser-based web applications by combining RSA with AES-256 encryption. It significantly reduces the attack surface on communication channels vulnerable to interception or quantum-based threats. The system utilizes a distributed key generation model in which each microservice independently generates a 128-bit partial AES key share and encrypts it using RSA. The encrypted key shares are transmitted to the client, where a browser-based WebAssembly module decrypts them using corresponding RSA keys and securely combines them into a 256-bit AES session key. The 256-bit AES session key is stored exclusively in the ephemeral WASM memory, ensuring that it is never written to persistent storage. Upon session termination, timeout, or error, the key is securely zeroized, ensuring no residual data is left in memory.
[0064] The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware, or any combination thereof. For example, various aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components. The term “processor” or “processing subsystem” may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit including hardware may also perform one or more of the techniques of this disclosure.
[0065] Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various techniques described in this disclosure. In addition, any of the described units, modules, or components may be implemented together or separately as discrete but interoperable logic devices. Depiction of different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware, firmware, or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware, firmware, or software components, or integrated within common or separate hardware, firmware, or software components.
[0066] It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the disclosure and are not intended to be restrictive thereof.
[0067] While specific language has been used to describe the disclosure, any limitations arising on account of the same are not intended. As would be apparent to a person skilled in the art, various working modifications may be made to the method in order to implement the inventive concept as taught herein.
[0068] The figures and the foregoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, the order of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts need to be necessarily performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples.
, Claims:1. A cybersecurity system (100) to protect a web environment from quantum-based threats, comprising:
a processing subsystem (105) hosted on a server (108) and configured to execute on a network (115) to control bidirectional communications among a plurality of modules, wherein the plurality of modules comprising:
a user authentication module (120) configured to authenticate a user from a web browser using a login mechanism to initiate a secure session;
characterized in that,
an initialization module (125) operatively coupled to the user authentication module (120), wherein the initialization module (125) is configured to trigger the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares;
a distributed key share module (130) operatively coupled to the initialization module (125) wherein the distributed key share module (130) comprising:
a first microservice (135) configured to generate and encrypt a first partial encryption key using a first Rivest–Shamir–Adleman key; and
a second microservice (140) configured to generate and encrypt a second partial encryption key using a second Rivest–Shamir–Adleman key;
a browser-based web assembly cryptographic module (145) operatively coupled to the distributed key share module (130), wherein the browser-based web assembly cryptographic module (145) is configured to:
receive the encrypted first partial encryption key from the first microservice (135) and the encrypted second partial encryption key from the second microservice (140);
decrypt the encrypted first partial encryption key using a first Rivest–Shamir–Adleman private key and the encrypted second partial encryption key using a second Rivest–Shamir–Adleman private key; and
combine the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard session key;
a session encryption module (150) operatively coupled to the browser-based web assembly cryptographic module (145), wherein the session encryption module (150) is configured to perform encryption and decryption of session data using the 256-bit advanced encryption standard session key; and
an ephemeral key memory management module (155) operatively coupled to the session encryption module (150), wherein the ephemeral key memory management module (155) is configured to:
store the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session; and
erase the 256-bit advanced encryption standard session key upon session termination, logout, timeout, or error detection.

2. The cybersecurity system (100) as claimed in claim 1, wherein the login mechanism comprises one of OAuth, Single Sign-On, and basic authentication

3. The cybersecurity system (100) as claimed in claim 1, wherein each of the encrypted first partial encryption key and the encrypted first partial encryption key comprises a 128-bit key.

4. The cybersecurity system (100) as claimed in claim 1, wherein the webassembly memory store the 256-bit advanced encryption standard session key in a secure, non-exposed memory space, thereby preventing access from attackers.

5. The cybersecurity system (100) as claimed in claim 1, wherein the webassembly memory is built using RUST programming language.

6. A cybersecurity method (400) to protect a web environment from quantum-based threats, comprising:

authenticating, by a user authentication module, a user from a web browser using a login mechanism to initiate a secure session; (405)
characterized in that,
triggering, by an initialization module, the web browser to send parallel requests to at least two remote microservices for retrieval of encrypted partial cryptographic key shares; (410)
generating and encrypting, by a first microservice of a distributed key share module a first partial encryption key using a first Rivest–Shamir–Adleman key; (415)
generating and encrypting, by a second microservice of the distributed key share module, asecond partial encryption key using a second Rivest–Shamir–Adleman key; (420)
receiving, by a browser-based web assembly cryptographic module, the encrypted first partial encryption key from the first microservice and the encrypted second partial encryption key from the second microservice; (425)
decrypting, by the browser-based web assembly cryptographic module, the encrypted first partial encryption key using a first Rivest–Shamir–Adleman private key and the encrypted second partial encryption key using a second Rivest–Shamir–Adleman private key; (430)
combining, by the browser-based web assembly cryptographic module, the decrypted first partial encryption key and the decrypted second partial encryption key to generate a 256-bit advanced encryption standard session key; (435)
performing, by a session encryption module, encryption and decryption of session data using the 256-bit advanced encryption standard session key; (440)
storing, by an ephemeral key memory management module, the 256-bit advanced encryption standard session key exclusively in a webassembly memory during the session; and (445)
erasing, by the ephemeral key memory management module, the 256-bit advanced encryption standard session key upon session termination, logout, timeout, or error detection. (450)

Dated this 27th day of May 2025
Signature

Manish Kumar
Patent Agent (IN/PA-5059)
Agent for the Applicant