Selective encryption configuration

US 10,320,761 B2
Filed: 06/23/2016
Issued: 06/11/2019
Est. Priority Date: 11/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method for encoding a partially encrypted data stream, the method comprising:

receiving, at an edge encryption proxy, an unencrypted data stream;

evaluating the unencrypted data stream using communication encryption rules, wherein each communication encryption rule from the communication encryption rules includes a rule condition and a content mapping, and wherein evaluating the unencrypted data stream using the communication encryption rules includes;

determining whether the rule condition is met in the unencrypted data stream, andon a condition that the rule condition is met in the unencrypted data stream;

identifying a portion of the unencrypted data stream corresponding to the content mapping as a candidate sensitive portion;

identifying a data storage container based on the content mapping;

identifying data encryption configuration information corresponding to the data storage container;

on a condition that the data encryption configuration information indicates that the data storage container is configured for storing sensitive information;

identifying the candidate sensitive portion as a sensitive portion,generating an encrypted portion by encrypting the sensitive portion,including a preceding portion of the unencrypted data stream in a partially encrypted data stream, the preceding portion preceding the sensitive portion in the unencrypted data stream,including the encrypted portion in the partially encrypted data stream subsequent to the preceding portion, andincluding a subsequent portion of the unencrypted data stream in the partially encrypted data stream subsequent to the encrypted portion, the subsequent portion subsequent to the sensitive portion in the unencrypted data stream;

transmitting or storing the partially encrypted data stream;

receiving a second partially encrypted data stream, the second partially encrypted data stream indicating a recipient and including an encrypted input portion and unencrypted input portions;

generating a decrypted portion by decrypting the encrypted input portion;

generating a decrypted data stream including the decrypted input portion and the unencrypted input portions; and

transmitting the decrypted data stream to the recipient.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encoding a partially encrypted data stream may include receiving, at an edge encryption proxy, an unencrypted data stream, evaluating the unencrypted data stream using communication encryption rules including rule conditions and content mappings, determining whether the rule conditions match on the unencrypted data stream, and on a condition that the rule condition matches on the unencrypted data stream, and identifying a portion of the unencrypted data stream corresponding to the content mapping as a candidate sensitive portion. On a condition that the data encryption configuration information indicates that a data storage container corresponding to a matching content mapping is configured for storing sensitive information, generating an encrypted portion by encrypting the candidate sensitive portion, generating a partially encrypted data stream, including the encrypted portion, and unencrypted insensitive portions of the unencrypted data stream, and omitting the candidate sensitive portion, and transmitting or storing the partially encrypted data stream.

20 Citations

View as Search Results

18 Claims

1. A method for encoding a partially encrypted data stream, the method comprising:
- receiving, at an edge encryption proxy, an unencrypted data stream;
  
  evaluating the unencrypted data stream using communication encryption rules, wherein each communication encryption rule from the communication encryption rules includes a rule condition and a content mapping, and wherein evaluating the unencrypted data stream using the communication encryption rules includes;
  
  determining whether the rule condition is met in the unencrypted data stream, andon a condition that the rule condition is met in the unencrypted data stream;
  
  identifying a portion of the unencrypted data stream corresponding to the content mapping as a candidate sensitive portion;
  
  identifying a data storage container based on the content mapping;
  
  identifying data encryption configuration information corresponding to the data storage container;
  
  on a condition that the data encryption configuration information indicates that the data storage container is configured for storing sensitive information;
  
  identifying the candidate sensitive portion as a sensitive portion,generating an encrypted portion by encrypting the sensitive portion,including a preceding portion of the unencrypted data stream in a partially encrypted data stream, the preceding portion preceding the sensitive portion in the unencrypted data stream,including the encrypted portion in the partially encrypted data stream subsequent to the preceding portion, andincluding a subsequent portion of the unencrypted data stream in the partially encrypted data stream subsequent to the encrypted portion, the subsequent portion subsequent to the sensitive portion in the unencrypted data stream;
  
  transmitting or storing the partially encrypted data stream;
  
  receiving a second partially encrypted data stream, the second partially encrypted data stream indicating a recipient and including an encrypted input portion and unencrypted input portions;
  
  generating a decrypted portion by decrypting the encrypted input portion;
  
  generating a decrypted data stream including the decrypted input portion and the unencrypted input portions; and
  
  transmitting the decrypted data stream to the recipient.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the unencrypted data stream includes an indication of the recipient of the unencrypted data stream, and wherein transmitting or storing the partially encrypted data stream includes transmitting the partially encrypted data stream to the recipient.
  - 3. The method of claim 1, wherein receiving the unencrypted data stream includes receiving the unencrypted data stream from a device in a first network domain, wherein the edge encryption proxy is in the first network domain.
  - 4. The method of claim 3, wherein transmitting or storing the partially encrypted data stream includes transmitting the partially encrypted data stream to an external device in a second network domain.
  - 5. The method of claim 4, wherein transmitting the partially encrypted data stream to the external device includes transmitting the partially encrypted data stream to the external device such that the encrypted portion is stored by the external device as encrypted data.
  - 6. The method of claim 3, wherein transmitting or storing the partially encrypted data stream includes transmitting the partially encrypted data stream to an external device in a second network domain,wherein the recipient resides in the first network domain.
  - 7. The method of claim 1, comprising:
    - receiving information configuring the communication encryption rules.
  - 8. The method of claim 1, comprising:
    - receiving information configuring the data encryption configuration information.
  - 9. The method of claim 1, wherein the rule condition indicates an operand reference, a relational operator, and a target value, and wherein determining whether the rule condition is met in the unencrypted data stream includes:
    - identifying a rule condition matching portion of the unencrypted data stream based on the operand reference; and
      
      determining that the rule condition is met in the unencrypted data stream on a condition a relationship between the rule condition matching portion and the target value is described by the relational operator.

10. A method of selective encryption, the method comprising:
- receiving, at an edge encryption proxy in a first network, an unencrypted data stream, from a client device in the first network, and wherein the unencrypted data stream indicates a recipient, wherein the recipient is an external device in a different network;
  
  generating a partially encrypted data stream by selectively encrypting the unencrypted data stream based on communication encryption rules and data encryption configuration information, wherein a sensitive portion of the unencrypted data stream is omitted from the partially encrypted data stream, and wherein an encrypted portion generated by encrypting the sensitive portion is included in the partially encrypted data stream;
  
  transmitting the partially encrypted data stream to the recipient such that recipient is prevented from decrypting the encrypted portion and the encrypted portion is stored as encrypted data;
  
  receiving a second partially encrypted data stream from the external device, wherein the second partially encrypted data stream indicates an internal recipient in the first network and includes an encrypted input portion and unencrypted input portions;
  
  generating a decrypted portion by decrypting the encrypted input portion;
  
  generating a decrypted data stream including the decrypted portion and the unencrypted input portions; and
  
  transmitting the decrypted data stream to the internal recipient in the first network.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein generating the partially encrypted data stream includes:
    - evaluating the unencrypted data stream using the communication encryption rules to identify a candidate sensitive portion; and
      
      evaluating the candidate sensitive portion using the data encryption configuration information to identify the candidate sensitive portion as a sensitive portion.
  - 12. The method of claim 11, wherein a communication encryption rule from the communication encryption rules includes a rule condition and a content mapping.
  - 13. The method of claim 12, wherein evaluating the unencrypted data stream using the communication encryption rules includes:
    - identifying a rule condition matching portion of the unencrypted data stream based on an operand reference indicated by the rule condition; and
      
      identifying the unencrypted data stream as matching on the communication encryption rule on a condition a relationship between the rule condition matching portion and a target value indicated by the rule condition is described by a relational operator indicated by the rule condition.
  - 14. The method of claim 12, wherein selectively encrypting the unencrypted data stream includes:
    - identifying the sensitive portion based on the content mapping.
  - 15. The method of claim 12, wherein selectively encrypting the unencrypted data stream includes:
    - determining that the content mapping corresponds with data encryption configuration information identifying a data storage container for storing sensitive information.
  - 16. The method of claim 10, wherein generating the partially encrypted data stream includes generating the partially encrypted data stream such that the partially encrypted data stream includes:
    - a first unencrypted portion, wherein the first unencrypted portion precedes the sensitive portion in the unencrypted data stream;
      
      the encrypted portion, subsequent to the first unencrypted portion in the partially encrypted data stream; and
      
      a second unencrypted portion, wherein the sensitive portion precedes the second unencrypted portion precedes in the unencrypted data stream, and the encrypted portion precedes the second unencrypted portion precedes in the partially encrypted data stream.

17. A tangible, non-transitory, and computer-readable storage medium, having stored thereon instructions that, when executed by a processor, facilitate performance of operations, comprising:
- receiving, at an edge encryption proxy in a first network, an unencrypted data stream, from a client device in the first network, and wherein the unencrypted data stream indicates a recipient, wherein the recipient is an external device in a different network;
  
  generating a partially encrypted data stream by selectively encrypting the unencrypted data stream based on communication encryption rules and data encryption configuration information, wherein a sensitive portion of the unencrypted data stream is omitted from the partially encrypted data stream, and wherein an encrypted portion generated by encrypting the sensitive portion is included in the partially encrypted data stream;
  
  transmitting the partially encrypted data stream to the recipient such that recipient is prevented from decrypting the encrypted portion and the encrypted portion is stored as encrypted data;
  
  receiving a second partially encrypted data stream from the external device, wherein the second partially encrypted data stream indicates an internal recipient in the first network and includes an encrypted input portion and unencrypted input portions;
  
  generating a decrypted portion by decrypting the encrypted portion;
  
  generating a decrypted data stream including the decrypted portion and the unencrypted input portions; and
  
  transmitting the decrypted data stream to the internal recipient in the first network.
- View Dependent Claims (18)
- - 18. The tangible, non-transitory, and computer-readable storage medium of claim 17, wherein generating the partially encrypted data stream includes:
    - evaluating the unencrypted data stream using the communication encryption rules to identify a candidate sensitive portion; and
      
      evaluating the candidate sensitive portion using the data encryption configuration information to identify the candidate sensitive portion as a sensitive portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Ye, Antonio, Barron-Kraus, Kyle
Primary Examiner(s)
Hoffman, Brandon S
Assistant Examiner(s)
Anderson, Michael D

Application Number

US15/190,613
Publication Number

US 20170126638A1
Time in Patent Office

1,083 Days
Field of Search

713153
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

Selective encryption configuration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Selective encryption configuration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links