
A System And Method For Secure Data Storage And Verification

Abstract: The present invention discloses a system and a method for data verification and secure usage of data. The present invention provides a ‘data gateway’. The system enables a subject to securely store data/document(s) on the data gateway using his computing device. The system further enables a data seeker to use its computing device to request the data/document(s), or verification of the data/document(s), of the subject from the data gateway using the UI/APIs of the data gateway.
Most illustrative figure: FIG. 1


Patent Information

Filing Date: 06 July 2018
Publication Number: 28/2018
Publication Type: INA
Invention Field: COMPUTER SCIENCE

Applicants

ZEBI DATA INDIA PVT. LTD
805 B, THE PLATINA, GACHIBOWLI, HYDERABAD-500032, TELANGANA, INDIA

Inventors

1. Lokabi Phani Arega
Flat 21, Lotus Tower, Serene County, Telecom Nagar, Gachibowli, Hyderabad-500032

Specification

FIELD OF INVENTION
[0001] The present invention relates to the field of data security. More specifically, the present invention is related to an improved system and method for secure data storage and verification for remotely stored data.
BACKGROUND
[0002] Credential documents and certificates nowadays need to be verified for one reason or another, such as for admission to a university, during security verification for employment, in buying/selling property, in hospitals for fetching patient information, in insurance companies and so on. These credential documents and certificates of any individual citizen or company/organization contain a good amount of personal and confidential data, which is a matter of high concern for the parties from the privacy, confidentiality and identity theft perspectives.
[0003] These documents generally act as proof of age, eligibility, skill, registration, accomplishments etc. So, on several occasions, parties need to share one or more of these documents with other relevant organizations/institutions (data seekers) for a legitimate purpose. The data seekers also generally verify the authenticity of the shared documents. The main problem/challenge with the current process is that it is time consuming, inconvenient, expensive and cannot be fully trusted, as there is no fool proof privacy protection and security provided by the third party.
[0004] At present, the individual or an appointed person of the organization carries the original certificates/credentials and shows them to the data seeker. The data seeker party in turn engages background verification firms to validate the credentials. Firstly, it is very inconvenient for the party to carry originals. Secondly, verification takes a long lead time, ranging from days to weeks. There are chances of mistakes due to human error during verification. Further, there is a high risk of privacy breaches and data leakage due to manual access to the sensitive data by multiple individuals. Additionally, there is a high chance that fake documents which look like originals are mistakenly approved as valid documents.
[0005] There is some prior art providing data verification methods, such as US patent application 20120179909, titled “Systems and methods for providing individual electronic document secure storage, retrieval and use”, which provides systems and methods for secure digital mail document storage, retrieval and use in a cloud computing environment.
[0006] Further, US patent application 20160098571, titled ‘Trusted user circles’, discloses a trusted user circle server for encryption key distribution and authentication support, as well as a client-side application which resides on users' devices.
[0007] However, these inventions nowhere provide a mechanism for taking the consent of the party whose data/documents are to be verified. Thus the party cannot be certain about verification, and there is also no provision for secured access to the data by outsiders such as verified data seekers. Also, the systems and methods provided in the prior art do not secure the data from hacking and eavesdropping.

[0008] Therefore, despite the advancements offered by the prior art, a need remains for further improvements. In view of the aforementioned, it is required to provide an improved system and method of data security that can overcome the limitations and disadvantages of the prior art.
SUMMARY OF THE INVENTION
[0009] Embodiments of the present invention disclose an improved system and method for secure data storage and verification for remotely stored data.
[0010] In an aspect of the present invention, a system for data verification and secure usage of data comprises a ‘data gateway’, a plurality of computing devices, and a communication network to enable the plurality of computing devices to communicate. In an aspect, the system enables a subject to securely store data/document(s) on the data gateway using his computing device; further, a data seeker can request the data/document(s), or a yes/no verification of presented data of the subject, from the data gateway using the UI or API of the data gateway from its computing device.
[0011] In another aspect of the present invention, a computer implemented method for data verification and secure usage of data comprises: storing data/document(s), by a subject, on the data gateway using a computing device; verifying the authenticity of each data/document by the data gateway electronically with the respective data issuer (source of truth); encrypting the data/document(s) of the subject at the data gateway server; persisting a private key in transformed form on the computing device of the subject for decryption of the encrypted data/documents stored in the gateway as or when required; and enabling a data seeker, using the data gateway API/UI, to send a request to the data gateway for providing/verifying the data/document regarding the subject.
[0012] In an aspect of the present invention, the present invention is related to verification and secure usage of data such as user credentials and certificates using a data gateway. The data gateway verifies the data authenticity electronically with the respective data issuer. Upon successful verification, the data is encrypted with a public key and stored in the block chain storage of the data gateway.
[0013] It is an object of the present invention to provide an improved method for data storage and verification which facilitates quick sharing and validation of data.
[0014] It is another object of the present invention to provide an improved method for data storage and verification which is available 24x7 with fool proof privacy protection and security and is strictly controlled by the subject.
[0015] It is a further object of the present invention to provide an improved method for verification and data storage which is convenient, inexpensive and assures security and privacy of data.
[0016] It is also an object of the present invention to provide an improved method for verification and data storage in which all data access requests and consents/denials are logged into an immutable audit trail, the audit trail log being made immutable by storing it on a block chain.
[0017] It is a further object of the present invention to provide a system for data storage and verification which includes a data gateway that does not store end user private keys anywhere in its custody.

[0018] It is another object of the present invention to provide an improved system and method for data verification and data storage in which access to each piece of information is driven by the subject’s consent.
[0019] This invention is particularly pointed out in the appended claims. Additional features and advantages of the present invention will become apparent to those skilled in the art by referring to the following detailed description taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF DRAWING
[0020] Other objects, features, and advantages of the present subject matter will be apparent from the following description when read with reference to the accompanying drawings. The drawings illustrate different views according to different embodiments of the invention:
[0021] FIG. 1 is a schematic of a system (100) for data verification and secure usage of data in accordance with an embodiment of the present invention;
[0022] FIG. 2 is a schematic of a system (100) for data verification and secure usage of data in accordance with another embodiment of the present invention; and
[0023] FIG. 3 is a schematic of a system (100) for data verification and secure usage of data in accordance with another embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS
[0024] The present invention will now be described in brief with reference to the accompanying drawings. Reference is now made in more detail to the exemplary drawings for the purpose of illustrating non-limiting embodiments of the present invention.

[0025] As used herein, the term ‘Subject’ refers to the ‘contact person’ of an organization, in case the party is an organization, or to the ‘person’ himself, in case the party is a person.
[0026] As used herein, the term ‘Data Issuer’ refers to the ‘Organization’ that gave the certificate, e.g. a university that issues a mark sheet and/or a company that issues an experience letter etc.
[0027] As used herein, the term ‘Data seeker’ refers to an organization with which the party is sharing its certificate(s) as proof of valid credentials and for other purposes.
[0028] As used herein, the term ‘data gateway’ is used for the ‘central portal’ which is a part of this solution implementation system.
[0029] As used herein, the term ‘Subject side client’ is a mobile app or software program which runs on the subject’s mobile/tablet or computing device and interacts with the data gateway.
[0030] An embodiment of the present invention provides a system (100) for data verification and secure usage of data. The system (100) creates an end to end secure data storage environment and verification facility for subjects and proof-seekers. Referring to FIG. 1, the system (100) includes a plurality of computing devices and a data gateway (104). The computing devices are enabled to communicate through a communication network. A subject (102) may share data/documents with the data gateway (104) using his dedicated computing device.

[0031] Each computing device includes an operating system to manage the hardware resources of the computing device and provide services for enabling computer applications (e.g., mobile applications running on mobile devices). The computer applications stored in the computing devices require the operating system to run properly on the device. The computing device includes at least one local storage device to store the computer applications and user data.
[0032] In an embodiment of the present invention, the computing devices can be a desktop computer, a laptop computer, a tablet computer, a personal digital assistant, a smart phone or other computing devices capable of running computer/mobile applications, as contemplated by a person having ordinary skill in the art.
[0033] An embodiment of the present invention further provides a computer implemented method for data verification and secure usage of data. Referring to the method, once a subject (102) uploads a certificate/credential to the data gateway (104), the data gateway (104) verifies its authenticity electronically with the respective data issuer (106). Since the verification is done with the data issuer (source of truth) (106), it is ascertained that there is no risk of being misled by fake certificates.
[0034] In an embodiment of the present invention, upon successful verification, the data files are encrypted with a public key and stored in the data gateway (104) database.
[0035] In an embodiment, 256 bit encryption is used for data encryption and a private key is needed for decryption of the data. In the embodiment, the data gateway (104) includes an application program interface (API) which allows other applications, such as the subject side client and applications on the data seeker’s computing device (108), to talk to the data gateway (104).
[0036] In an embodiment, to verify information regarding the subject, the corresponding private key is needed for decryption; it is provided to the subject by persisting it in the data of the subject side client application (108), such as a mobile application or computer software etc. The data gateway contacts the subject for permission to verify that information for that data seeker at that time. When the subject approves and shares his private key with the data gateway (104), that private key is used one time to decrypt the relevant data and provide the verification response to the data seeker.
[0037] 256 bit encryption is preferred as it is infeasible to decrypt the data through brute force without the encryption key. Since the encryption algorithm used is non-equality-preserving, non-range-preserving and non-prefix-preserving, even pattern/trend recognition is not feasible without decrypting the data.
[0038] In a preferred embodiment of the present invention, the corresponding private key needed for decryption is not persisted anywhere in the custody of the data gateway (104). It is only in the subject’s (102) custody.
[0039] Referring to FIG. 2, when a data seeker (110) requests the data gateway (104) to verify some information regarding some subject (102), the data gateway (104) contacts the subject (102) for permission to verify that information for that data seeker (110) at that time. The subject (102) has the option to deny permission, upon which the verification of the information will not be done. When the subject (102) approves and shares his private key with the data gateway (104), that private key is used one time to decrypt the relevant data and provide the verification response to the data seeker. To make it convenient for the subject (102) to safely hold the key in his custody and share the key with the data gateway (104) when relevant, this is done by the subject side client (108) that resides on the mobile/tablet of the subject (102).
[0040] In an embodiment of the present invention, the private key received from the subject (102) is erased in the data gateway (104) after this one-time decryption and is not persisted anywhere in the data gateway (104). Hence there is no scope for insiders or hackers to misuse it.
[0041] As depicted in FIG. 3, in an exemplary embodiment of the present invention, the data issuer (106) itself uploads the data of multiple subjects (102) into the data gateway (104). Since the data came from the source of truth (the official data issuer) itself, there is no further verification. For example, an authorized professional of an educational institute may upload issued educational certificates, such as the degrees of all students, onto the data gateway (104). In such a case, as the data/documents are uploaded from the source of truth itself, no verification is needed. However, whenever the data seeker (110) requests the data gateway (104) to verify the educational certificates of any student (102), the data gateway (104) contacts the student (102) for permission to verify that information for that data seeker (110) at that time. The student (102) has the option to deny permission, upon which the verification of the information will not be done.

[0042] The major advantage of the present invention is that the public key/private key pairs are different across subjects. So, the private key of a subject (102) can’t decrypt the data of another subject. Further, in the preferred embodiment, throughout the cycle there is no human handling of the keys or sensitive data. Even the system administrator or the head of the company won’t be able to see the keys or sensitive data. This preempts the risk of data breaches by malicious insiders.
[0043] Further, the present invention provides a secure data storage facility which is hack-secure: even in the remote theoretical event of the data gateway (104) being hacked, since no decrypted data is stored there is no risk of a data breach. In an embodiment of the present invention, the raw private key is neither stored in the subject side client (108) nor transmitted from the subject side client (108) to the data gateway (104). Only a transformed form of the private key is used in both. So even a theoretical event of data in transit being hacked or the subject’s mobile being hacked won’t compromise the private key. When the data gateway (104) receives the private key (in transformed form) from the subject side client (108), it performs the reverse transformation to convert the private key into its raw form and then uses it for decrypting.
[0044] In another embodiment of the present invention, multiple private keys are not stored together in a single place. Each private key is in a separate key store and in transformed form. So, even an extreme theoretical event where a hacker successfully hacks the data gateway as well as the key store in a subject side client won’t cause a mass data breach, since the hacked key store would hold only one subject’s private key. In an embodiment of the present invention, the present invention makes the stored certificate and credential data tamper proof by storing it on a block chain system. Due to the cumulative hashing and decentralization provided by the block chain, the data in the block chain is tamperproof.
[0045] Moreover, the private key of a subject stored in the subject side client (108) undergoes key rotation periodically. So even in the theoretical event where the private key of a subject is compromised, it can’t be misused forever, because after the next key rotation it becomes stale. The present invention also provides data security for the data in transit. In an embodiment, the “https (TLS)” protocol is used for protecting the transmission of data. For each verification request, the list of fields for which verification was sought, the list of fields for which verification was consented to by the subject, and the list of fields for which verification was performed are logged into an immutable audit trail log. Even the system administrator or the head of the company can’t tamper with the contents of the audit trail log. This increases the accountability of the system.
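The hash-chained (“cumulative hashing”) audit trail of [0044] and [0045], as an added Go example that is not the patent's own code: each entry carries the three field lists named in [0045] plus constructed request/seeker/subject identifiers, and a retroactive edit to a consent record is detected when the chain is recomputed. Anchoring the chain head on a block chain, as the page proposes, is assumed to happen outside this snippet.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEntry records one verification request at field granularity, as [0045] lists it.
// Request, Seeker and Subject identifiers are constructed for the example.
type AuditEntry struct {
	Request   string   `json:"request"`
	Seeker    string   `json:"seeker"`
	Subject   string   `json:"subject"`
	Sought    []string `json:"sought"`
	Consented []string `json:"consented"`
	Performed []string `json:"performed"`
	PrevHash  string   `json:"prev_hash"` // cumulative hashing: each entry commits to its predecessor
	Hash      string   `json:"hash"`
}

// hashEntry hashes every field except Hash itself, so the digest covers the whole record
// including the link to the previous entry.
func hashEntry(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditTrail is an append-only, hash-chained log. Assumption: a deployment would anchor the
// latest Hash on the block chain the page names; only the chain itself is shown here.
type AuditTrail struct{ Entries []AuditEntry }

func (t *AuditTrail) Append(e AuditEntry) {
	e.PrevHash = "genesis"
	if n := len(t.Entries); n > 0 {
		e.PrevHash = t.Entries[n-1].Hash
	}
	e.Hash = hashEntry(e)
	t.Entries = append(t.Entries, e)
}

// Verify recomputes the chain and returns the index of the first entry that fails, or -1.
func (t *AuditTrail) Verify() int {
	prev := "genesis"
	for i, e := range t.Entries {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Demo logs two constructed requests, then shows that an insider editing a consent record
// after the fact (the tampering [0045] rules out) is detected.
func Demo() (cleanIdx, tamperedIdx int) {
	var t AuditTrail
	t.Append(AuditEntry{Request: "req-1", Seeker: "acme-hr", Subject: "subject-42",
		Sought: []string{"name", "degree"}, Consented: []string{"name", "degree"}, Performed: []string{"name", "degree"}})
	t.Append(AuditEntry{Request: "req-2", Seeker: "acme-hr", Subject: "subject-42",
		Sought: []string{"name", "phone"}, Consented: []string{"name"}, Performed: []string{"name"}})
	cleanIdx = t.Verify()
	t.Entries[1].Consented = append(t.Entries[1].Consented, "phone") // retroactive "consent"
	tamperedIdx = t.Verify()
	return cleanIdx, tamperedIdx
}

func main() { fmt.Println(Demo()) }
```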
[0046] In some embodiments, the verification request’s response is just success/failure/unable to verify at field granularity. It does not include actual values. Whatever data is provided by the data seeker is verified and, in the event of failure of verification for a field, the actual correct value of the field is not disclosed to the data seeker. This behavior boosts the security and privacy further.
[0047] In this way this invention facilitates quick, convenient, inexpensive, trusted, accurate, 24x7 available verification of information with fool proof privacy protection and security under the strict control of the party.
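The consent-gated, one-time decryption of [0036] to [0040] and [0043], combined with the field-level success/failure/unable-to-verify response of [0046], as an added Go example that is not the patent's own code. It assumes RSA-OAEP directly over a small JSON record in place of the page's 256-bit symmetric layer, PKCS#1 DER bytes as the private key's transport form (the page does not specify its transformation), and constructed subject identifiers and field values.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// Gateway persists only ciphertext per subject; no private key is kept here ([0038]). consent
// models the subject side client ([0036], [0039]): asked once per request, on approval it hands
// over the key in transport form; assumption: PKCS#1 DER stands in for the "transformed form".
type Gateway struct {
	records map[string][]byte
	consent func(subject string, requested map[string]string) (derPriv []byte, approved bool)
}
// Store encrypts the verified fields under the subject's public key ([0034]). Assumption:
// RSA-OAEP over the small JSON record stands in for the page's 256-bit symmetric layer.
func (g *Gateway) Store(subject string, pub *rsa.PublicKey, fields map[string]string) error {
	plain, _ := json.Marshal(fields)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err == nil {
		g.records[subject] = ct
	}
	return err
}

// Verify answers the seeker's claimed values per field with "success", "failure" or
// "unable to verify" ([0046]); the stored values themselves are never disclosed.
func (g *Gateway) Verify(subject string, claimed map[string]string) (map[string]string, error) {
	ct, ok := g.records[subject]
	if !ok {
		return nil, fmt.Errorf("unknown subject %q", subject)
	}
	der, approved := g.consent(subject, claimed)
	if !approved {
		return nil, fmt.Errorf("subject %q denied consent", subject) // nothing is decrypted ([0039])
	}
	priv, err := x509.ParsePKCS1PrivateKey(der) // reverse transformation at the gateway ([0043])
	if err != nil {
		return nil, err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil) // one-time use ([0040])
	for i := range der { der[i] = 0 } // best-effort erasure; priv is not retained past this call
	if err != nil {
		return nil, err
	}
	var stored map[string]string
	if err := json.Unmarshal(plain, &stored); err != nil {
		return nil, err
	}
	result := map[string]string{}
	for f, v := range claimed {
		sv, present := stored[f]
		switch {
		case !present:
			result[f] = "unable to verify"
		case subtle.ConstantTimeCompare([]byte(sv), []byte(v)) == 1:
			result[f] = "success"
		default:
			result[f] = "failure" // the correct value stays undisclosed
		}
	}
	return result, nil
}
// RunScenario wires subject, gateway and data seeker together with constructed data.
func RunScenario(approve bool) (map[string]string, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	gw := &Gateway{records: map[string][]byte{}}
	gw.consent = func(string, map[string]string) ([]byte, bool) {
		if !approve { return nil, false }
		return x509.MarshalPKCS1PrivateKey(priv), true // a fresh copy for each consented request
	}
	if err := gw.Store("subject-42", &priv.PublicKey, map[string]string{"name": "Asha Rao", "degree": "B.Tech"}); err != nil {
		return nil, err
	}
	return gw.Verify("subject-42", map[string]string{"name": "Asha Rao", "degree": "M.Tech", "phone": "000"})
}
```

RunScenario(true) yields success for name, failure for degree and unable to verify for phone, without the stored degree ever leaving the gateway; RunScenario(false) stops before any decryption.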

[0048] In addition to the above mentioned examples, various other modifications and alterations of the invention may be made without departing from the invention. Accordingly, the above disclosure is not to be considered as limiting and the appended claims are to be interpreted as encompassing the true spirit and the entire scope of the invention. As it will be readily apparent to those skilled in the art, the present invention may easily be produced in other specific forms without departing from its essential characteristics. The present embodiment is, therefore, to be considered as merely illustrative and not restrictive.

WE CLAIM:
1. A system (100) for data verification and secure usage of data comprising: a data gateway (104); a plurality of computing devices; a communication network to enable the plurality of computing devices to communicate; wherein a subject (102), using his computing device, is allowed to securely store data/document(s) on the data gateway (104) and further, a data seeker (110) can request, using its computing device, the data/document(s) of the subject (102) from the data gateway (104) using the API or UI provided by the data gateway (104).
2. The system (100) for data verification and secure usage of data as claimed in claim 1, wherein the data gateway verifies the data/document authenticity electronically and instantaneously with its source of truth, i.e. with the respective official issuer (106) of that data/document.
3. The system (100) for data verification and secure usage of data as claimed in claim 1, wherein the data/document(s) of the subject (102) are encrypted with a public key and stored in the data gateway (104) database and the data can be decrypted only using the respective private key.
4. The system (100) for data verification and secure usage of data as claimed in claim 3, wherein only a transformed form of the private key is stored in the computing device, whereby in a theoretical event of data in transit being hacked or the subject’s computing device being hacked the private key will not be compromised.
5. The system (100) for data verification and secure usage of data as claimed in claim 3, wherein the private key and public key are not handled by a human anywhere in the system.
6. The system (100) for data verification and secure usage of data as claimed in claim 1, wherein at the data gateway, the data/document(s) of the subject (102) are encrypted with 256 bit encryption using an algorithm that is non-equality preserving, non-prefix preserving and non-range preserving, whereby even comparison or pattern identification in the data is not feasible without decrypting it.
7. The system (100) for data verification and secure usage of data as claimed in claim 1, further comprising an application program interface which allows the data gateway (104) to talk to other applications such as subject side client applications (108).
8. The system (100) for data verification and secure usage of data as claimed in claim 1, wherein the data gateway (104) is adapted to contact the subject (102) for his consent for each request from a data seeker (110) unless explicit consent from the subject covering this request is already available.
9. The system (100) for data verification and secure usage of data as claimed in claim 1, wherein a private key needed for decryption of the encrypted data/documents of the subject (102) at the data gateway (104) is persisted only in the computing device of the subject (102) in transformed form and is not stored anywhere in the custody of the data gateway (104).
10. The system (100) for data verification and secure usage of data as claimed in claim 1, wherein all data access requests and consents/denials are logged into an immutable audit trail, the audit trail log being made immutable by storing it on a block chain.
11. A computer implemented method for data verification and secure usage of data comprising:
storing data/document(s), by a subject (102), on the data gateway (104) using a computing device;
verifying the authenticity of the data/document by the data gateway electronically with the respective data issuer (106) of each data/document;
encrypting the data/document(s) of the subject (102) at the data gateway server;
persisting a private key only at the computing device of the subject (102) for decryption of the encrypted data/documents as or when required;
enabling a data seeker (110), using the UI or API of the data gateway, to send a request to the data gateway (104) for providing/verifying the data/document regarding the subject (102).
12. A computer implemented method for data verification and secure usage of data as claimed in claim 11, comprising sending a notification to the subject (102) and a request for consent before providing the data/document to the data seeker (110) or verifying the data/document.

Documents

Application Documents

# Name Date
1 201841025293-STATEMENT OF UNDERTAKING (FORM 3) [06-07-2018(online)].pdf 2018-07-06
2 201841025293-POWER OF AUTHORITY [06-07-2018(online)].pdf 2018-07-06
3 201841025293-FORM-9 [06-07-2018(online)].pdf 2018-07-06
4 201841025293-FORM 18 [06-07-2018(online)].pdf 2018-07-06
5 201841025293-FORM 1 [06-07-2018(online)].pdf 2018-07-06
6 201841025293-ENDORSEMENT BY INVENTORS [06-07-2018(online)].pdf 2018-07-06
7 201841025293-DRAWINGS [06-07-2018(online)].pdf 2018-07-06
8 201841025293-COMPLETE SPECIFICATION [06-07-2018(online)].pdf 2018-07-06
9 abstract 201841025293.jpg 2018-07-09
10 Correspondence by Agent_Power of Attorney_28-09-2018.pdf 2018-09-28
11 201841025293-FER.pdf 2021-10-17
12 201841025293-OTHERS [21-12-2021(online)].pdf 2021-12-21
13 201841025293-FORM-26 [21-12-2021(online)].pdf 2021-12-21
14 201841025293-FER_SER_REPLY [21-12-2021(online)].pdf 2021-12-21
15 201841025293-CORRESPONDENCE [21-12-2021(online)].pdf 2021-12-21
16 201841025293-CLAIMS [21-12-2021(online)].pdf 2021-12-21
17 201841025293-US(14)-HearingNotice-(HearingDate-09-01-2024).pdf 2023-12-13
18 201841025293-FORM-26 [05-01-2024(online)].pdf 2024-01-05

Search Strategy

1 search025293E_24-06-2021.pdf
2 amdSearch025293AE_17-03-2022.pdf