Cloud key directory for federating data exchanges
First Claim
1. A method, implemented at a computer system that includes one or more processors, for securing data using attribute-based encryption, the method comprising:
- encrypting a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner;
associating the encrypted portion of data with one or more encryption attributes;
storing the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and
defining one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request.
2 Assignments
0 Petitions
Accused Products
Abstract
Embodiments are directed to securing data using attribute-based encryption. In an embodiment, a computer system encrypts a portion of data with an attribute-based encryption, including associating the encrypted portion of data with one or more encryption attributes. The computer system sends the encrypted portion of data and the one or more encryption attributes to a data store, which stores the first portion of data along with the one or more encryption attributes. The computer system also defines one or more access controls for the portion of data that include an identity of at least one user permitted to access the portion of data. The attribute-based encryption allows the encrypted portion of data to be provided by the data store upon request by the identified user when the request includes one or more search attributes that are relevant to the one or more encryption attributes.
55 Citations
20 Claims
-
1. A method, implemented at a computer system that includes one or more processors, for securing data using attribute-based encryption, the method comprising:
-
encrypting a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner; associating the encrypted portion of data with one or more encryption attributes; storing the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and defining one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A computer system, comprising:
-
one or more processors; and one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors to cause the computer system to secure data using attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following; encrypt a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner; associate the encrypted portion of data with one or more encryption attributes; store the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and define one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors to cause a computer system to secure data using attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following:
-
encrypt a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner; associate the encrypted portion of data with one or more encryption attributes; store the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and define one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request. - View Dependent Claims (20)
-
Specification