Storing data in a server computer with deployable encryption/decryption infrastructure

US 10,241,930 B2
Filed: 03/22/2018
Issued: 03/26/2019
Est. Priority Date: 12/08/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for configuring a second computer to store data in a data-storage structure, wherein the data originates from a first computer that is communicatively connected to the second computer, and wherein the data is processed by an application in the second computer, the method comprising:

deploying an infrastructure having two configurations and configured to be deployed in a first configuration or a second configuration to the second computer, the infrastructure including implementing a forwarder module, a crypto module and a key control module;

receiving a key trigger from the first computer;

generating and storing a key by the key control module based upon receiving the key trigger from the first computer;

responsive to deploying the infrastructure in the first configuration,receiving, by the forwarder module, the data from the first computer and identifying a data portion of the data for encryption,encrypting, by the crypto module, the data portion with the key,forwarding, by the forwarder module, the encrypted data portion to the application,reading, by the forwarder module, an encrypted data portion from the application for decryption,decrypting, by the crypto module, the encrypted data portion with the key, andforwarding, by the forwarder module, the decrypted data portion to the first computer;

responsive to deploying the infrastructure in the second configuration,receiving, by the forwarder module, the data from the application and identifying the data portion of the data for encryption,encrypting, by the crypto module, the data portion with the key,forwarding, by the forwarder module, the encrypted data portion to the data-storage structure,reading, by the forwarder module, an encrypted data portion from the data-storage structure for decryption,decrypting, by the crypto module, the encrypted data portion with the key, andforwarding, by the forwarder module, the decrypted data portion to the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For storing data in a data-storage structure of a server computer, an infrastructure is deployed to a server computer. The infrastructure has a forwarder module to receive data from an application and to identify a data portion, a crypto module to encrypt the data portion with a key and key control module adapted to generate and to store the key. The infrastructure is also able to process data in the opposite direction. The key is provided into the key control module upon receiving a key trigger from the client computer.

Citations

20 Claims

1. A computer-implemented method for configuring a second computer to store data in a data-storage structure, wherein the data originates from a first computer that is communicatively connected to the second computer, and wherein the data is processed by an application in the second computer, the method comprising:
- deploying an infrastructure having two configurations and configured to be deployed in a first configuration or a second configuration to the second computer, the infrastructure including implementing a forwarder module, a crypto module and a key control module;
  
  receiving a key trigger from the first computer;
  
  generating and storing a key by the key control module based upon receiving the key trigger from the first computer;
  
  responsive to deploying the infrastructure in the first configuration,receiving, by the forwarder module, the data from the first computer and identifying a data portion of the data for encryption,encrypting, by the crypto module, the data portion with the key,forwarding, by the forwarder module, the encrypted data portion to the application,reading, by the forwarder module, an encrypted data portion from the application for decryption,decrypting, by the crypto module, the encrypted data portion with the key, andforwarding, by the forwarder module, the decrypted data portion to the first computer;
  
  responsive to deploying the infrastructure in the second configuration,receiving, by the forwarder module, the data from the application and identifying the data portion of the data for encryption,encrypting, by the crypto module, the data portion with the key,forwarding, by the forwarder module, the encrypted data portion to the data-storage structure,reading, by the forwarder module, an encrypted data portion from the data-storage structure for decryption,decrypting, by the crypto module, the encrypted data portion with the key, andforwarding, by the forwarder module, the decrypted data portion to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method according to claim 1, wherein deploying the infrastructure comprises deploying code to the second computer that is imported from a source external to the second computer to implement the forwarder module, the crypto module and the key control module for execution by a processor of the second computer.
  - 3. The computer-implemented method according to claim 1, wherein the deploying comprises at least one of:
    - providing a self-extracting file containing code and opening the file to make the code available to the second computer,installing a web archive into a servlet-engine or into a web-application server,using a virtual machine image that performs the functions of the forwarder module, the crypto module and the key control module, andusing the virtual machine image as a software-as-a-service offering on the second computer.
  - 4. The computer-implemented method according to claim 1, wherein the key trigger is associated with a particular key-use-definition, and wherein generating and storing the key includes generating and storing the key by the key control module as a key for the particular key-use-definition.
  - 5. The computer-implemented method according to claim 4, further comprising storing the data, wherein storing the data comprises:
    - by the forwarder module, receiving the data and identifying the data portion to be encrypted;
      
      by the crypto module, retrieving the key from the key control module according to the particular key-use-definition that defines a particular portion of the data to be encrypted;
      
      by the crypto module, encrypting the data portion with the key to the encrypted data portion; and
      
      by the forwarder module, forwarding the encrypted data portion to the application responsive to deploying the infrastructure in the first configuration or forwarding the encrypted data portion to the data-storage structure responsive to deploying the infrastructure in the second configuration.
  - 6. The computer-implemented method according to claim 5, further comprising retrieving the data, wherein retrieving the data comprises:
    - by the forwarder module, reading the encrypted data portion from the application or from the data-storage structure;
      
      by the crypto module, retrieving the key from the key control module according to the particular key-use-definition;
      
      by the crypto module, decrypting the encrypted data portion with the key to the decrypted data portion; and
      
      by the forwarder module, forwarding the decrypted data portion to the first computer responsive to deploying the infrastructure in the first configuration or forwarding the decrypted data to the application responsive to deploying the infrastructure in the second configuration.
  - 7. The computer-implemented method according to claim 6, wherein storing the data further comprises processing an unencrypted data portion of the data by the forwarder module and bypassing the unencrypted data portion of the data around the crypto module.
  - 8. The computer-implemented method according to claim 7, wherein storing the data is performed for the data-storage structure being a database or being a file system.
  - 9. The computer-implemented method according to 8, wherein deploying the infrastructure to the second computer comprises:
    - combining two modules to provide for minimized inter-module communication, and wherein in a first option the forwarder module is combined to the crypto module and wherein in a second option the crypto module is combined to the key control module.
  - 10. The computer-implemented method according to claim 8, wherein deploying the infrastructure to the second computer comprises deploying the infrastructure as a plug-in for the application or as a plug-in for the data-storage structure.
  - 11. The computer-implemented method according to claim 1, wherein deploying the infrastructure comprises deploying a modified infrastructure with a gateway configured to encrypt and to decrypt data packages for the communication between the first computer and the second computer, the crypto module further configured to encrypt data packages leaving the first computer for the second computer and to decrypt data packages arriving at the second computer from the first computer, wherein the key that is provided is the same key used to encrypt the data portion and to decrypt the encrypted data portion.

12. A server computer, comprising:
- a processor that is configured to execute code to implement a forwarder module, a crypto module and a key control module;
  
  a data-storage structure for storing data;
  
  a gateway to establish a communication connection with a client computer;
  
  an application that processes data originating from the client computer and that provides processed data to be stored in the data-structure;
  
  an infrastructure having two configurations and configured to be deployed in a first configuration or a second configuration, the infrastructure including;
  
  the forwarder modulethat in the first configuration is configured to receive data from the client computer and configured to identify a data portion for encryption, the forwarder module being configured to read an encrypted data portion from the application for decryption,that in the second configuration is configured to receive processed data from the application and configured to identify a data portion for encryption, the forwarder module being configured to read an encrypted data portion from the data-storage structure for decryption,the crypto module configured to encrypt the data portion with a key and configured to decrypt the encrypted data portion with the key, andthe key control module configured to generate and to store the key; and
  
  a key channel that is configured to communicate a key trigger into the key control module when the key trigger is received from the client computer.
- View Dependent Claims (13, 14, 15)
- - 13. The server computer according to claim 12, wherein the code executed by the processor is imported from a source external to the server and the server is configured to execute the code imported from the source external to the server to implement the forwarder module, the crypto module and the key control module.
  - 14. The server computer according to claim 12, wherein the key channel receives the key trigger being associated with a particular key-use-definition of the client computer and wherein the key control module generates and stores the key as a key for the particular key-use-definition.
  - 15. The server computer according to claim 14, wherein the gateway is configured to encrypt and to decrypt data packages for the communication between the client computer and the server computer, the crypto module further configured to encrypt data packages leaving the server computer for the client computer and to decrypt data packages arriving at the server computer from the client computer, wherein the key that is provided is the same key used to encrypt the data portion and to decrypt the encrypted data portion.

16. A computer program product that, when loaded into a non-transitory memory of a second computer and being executed by at least one processor of the second computer, performs a computer-implemented method for configuring the second computer to store data in a data-storage structure, wherein the data originates from a first computer that is communicatively connected to the second computer, and wherein the data is processed by an application in the second computer, the computer program product comprising code that, when executed by the at least one processor, implements a forwarder module, a crypto module and a key control module and further comprising instructions, that when executed, cause the at least one processor to:
- deploy an infrastructure to the second computer, the infrastructure having two configurations and configured to be deployed in a first configuration and a second configuration;
  
  receive a key trigger from the first computer;
  
  generate and store a key by the key control module based upon receiving the key trigger from the first computer;
  
  responsive to deploying the infrastructure in the first configuration,receive, by the forwarder module, the data from the first computer and identify, by the forwarder module, a data portion of the received data for encryption,encrypt, by the crypto module, the data portion with the key,forward, by the forwarder module, the encrypted data portion to the application,read, by the forwarder module, an encrypted data portion from the application for decryption,decrypt, by the crypto module, the encrypted data portion with the key, andforward, by the forwarder module, the decrypted data portion to the first computer;
  
  responsive to deploying the infrastructure in the second configuration, receive, by the forwarder module, the data from the application and identify, by the forwarder module, a data portion of the received data for encryption,encrypt, by the crypto module, the data portion with the key,forward, by the forwarder module, the encrypted data portion to the data-storage structure,read, by the forwarder module, an encrypted data portion from the data-storage structure for decryption,decrypt, by the crypto module, the encrypted data portion with the key, andforward, by the forwarder module, the decrypted data portion to the application.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product according to claim 16 wherein code is imported from a source external to the second computer that, when executed by the at least one processor, implements the forwarder module, the crypto module and the key control module.
  - 18. The computer program product according to claim 16 that performs the computer-implemented method, wherein the instructions for providing the key are performed for the key trigger being associated with a particular key-use-definition, and wherein the key control module generates and stores the key as a key for the particular key-use-definition.
  - 19. The computer program product according to claim 18 further comprising instructions for storing data including instructions that, when executed, cause the at least one processor to:
    - by the forwarder module, receive the data and identify the data portion to be encrypted;
      
      by the crypto module, retrieve the key from the key control module according to the particular key-use-definition that defines the particular portion of the data to be encrypted;
      
      by the crypto module, encrypt the data portion with the key to the encrypted data portion; and
      
      by the forwarder module, forward the encrypted data portion to the application responsive to the infrastructure being deployed in the first configuration or forward the encrypted data portion to the data-storage structure responsive to the infrastructure being deployed in the second configuration.
  - 20. The computer program product according to claim 19 further comprising instructions for retrieving data including instructions that, when executed, cause the at least one processor to:
    - read the encrypted data portion from the application or from the data-storage structure, by the forwarder module;
      
      retrieve the key from the key control module according to the particular key-use-definition, by the crypto module;
      
      decrypt the encrypted data portion with the key to the decrypted data portion, by the crypto module; and
      
      forward the decrypted data portion to the first computer responsive to the infrastructure being deployed in the first configuration or forward he decrypted data portion to the application responsive to the infrastructure being deployed in the second configuration, by the forwarder module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Eperi GmbH
Original Assignee
Eperi GmbH
Inventors
Eperiesi-Beck, Elmar
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/933,078
Publication Number

US 20180217944A1
Time in Patent Office

369 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/62   Protecting access to data v...

G06F 2212/1052   Security improvement

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

Storing data in a server computer with deployable encryption/decryption infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Storing data in a server computer with deployable encryption/decryption infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links