Cloud key directory for federating data exchanges

US 10,425,402 B2
Filed: 12/02/2016
Issued: 09/24/2019
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method, implemented at a computer system that includes one or more processors, for securing data using attribute-based encryption, the method comprising:

encrypting a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner;

associating the encrypted portion of data with one or more encryption attributes;

storing the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and

defining one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to securing data using attribute-based encryption. In an embodiment, a computer system encrypts a portion of data with an attribute-based encryption, including associating the encrypted portion of data with one or more encryption attributes. The computer system sends the encrypted portion of data and the one or more encryption attributes to a data store, which stores the first portion of data along with the one or more encryption attributes. The computer system also defines one or more access controls for the portion of data that include an identity of at least one user permitted to access the portion of data. The attribute-based encryption allows the encrypted portion of data to be provided by the data store upon request by the identified user when the request includes one or more search attributes that are relevant to the one or more encryption attributes.

55 Citations

View as Search Results

20 Claims

1. A method, implemented at a computer system that includes one or more processors, for securing data using attribute-based encryption, the method comprising:
- encrypting a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner;
  
  associating the encrypted portion of data with one or more encryption attributes;
  
  storing the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and
  
  defining one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the identity of the at least one user is defined based on a user identifier.
  - 3. The method of claim 1, wherein the identity of the at least one user is defined based on a user group.
  - 4. The method of claim 1, wherein the encrypted portion of data is stored in a client-specific directory at the data store.
  - 5. The method of claim 4, wherein the data store includes a plurality of client-specific directories for a plurality of different clients.
  - 6. The method of claim 1, further comprising subsequently updating at least one of the one or more access controls or the one or more encryption attributes.
  - 7. The method of claim 1, wherein the data store comprises an anonymous directory.
  - 8. The method of claim 1, wherein the portion of data comprises a first portion of data, the one or more encryption attributes comprise one or more first encryption attributes, the one or more access controls comprise one or more first access controls, and the one or more search attributes comprise one or more first search attributes, the method further comprising:
    - encrypting a second portion of data with the attribute-based encryption, including associating the encrypted second portion of data with one or more second encryption attributes;
      
      sending the encrypted second portion of data and the one or more second encryption attributes to the data store, which stores the second portion of data along with the one or more second encryption attributes; and
      
      defining one or more second access controls for the second portion of data that include the identity of the least one user, wherein the attribute-based encryption allows the encrypted second portion of data to be provided by the data store upon request by the identified user when the request includes one or more second search attributes that are relevant to the one or more second encryption attributes.
  - 9. The method of claim 8, wherein the attribute-based encryption also allows both the encrypted first portion of data and the encrypted second portion of data to be provided by the data store upon request by the identified user when the request includes both the one or more first search attributes and the one or more second search attributes.

10. A computer system, comprising:
- one or more processors; and
  
  one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors to cause the computer system to secure data using attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following;
  
  encrypt a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner;
  
  associate the encrypted portion of data with one or more encryption attributes;
  
  store the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and
  
  define one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer system of claim 10, wherein the identity of the at least one user is defined based on a user identifier.
  - 12. The computer system of claim 10, wherein the identity of the at least one user is defined based on a user group.
  - 13. The computer system of claim 10, wherein the encrypted portion of data is stored in a client-specific directory at the data store.
  - 14. The computer system of claim 13, wherein the data store includes a plurality of client-specific directories for a plurality of different clients.
  - 15. The computer system of claim 10, the computer-executable instructions also including instructions that are executable to cause the computer system to subsequently updating at least one of the one or more access controls or the one or more encryption attributes.
  - 16. The computer system of claim 10, wherein the data store comprises an anonymous directory.
  - 17. The computer system of claim 10, wherein the portion of data comprises a first portion of data, the one or more encryption attributes comprise one or more first encryption attributes, the one or more access controls comprise one or more first access controls, and the one or more search attributes comprise one or more first search attributes, the computer-executable instructions also including instructions that are executable to cause the computer system to perform at least the following:
    - encrypt a second portion of data with the attribute-based encryption, including associating the encrypted second portion of data with one or more second encryption attributes;
      
      send the encrypted second portion of data and the one or more second encryption attributes to the data store, which stores the second portion of data along with the one or more second encryption attributes; and
      
      define one or more second access controls for the second portion of data that include the identity of the least one user, wherein the attribute-based encryption allows the encrypted second portion of data to be provided by the data store upon request by the identified user when the request includes one or more second search attributes that are relevant to the one or more second encryption attributes.
  - 18. The computer system of claim 10, wherein the attribute-based encryption also allows both the encrypted first portion of data and the encrypted second portion of data to be provided by the data store upon request by the identified user when the request includes both the one or more first search attributes and the one or more second search attributes.

19. A computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors to cause a computer system to secure data using attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following:
- encrypt a portion of data using multi-authority attribute-based encryption, the portion of data having a data owner;
  
  associate the encrypted portion of data with one or more encryption attributes;
  
  store the encrypted portion of data and the one or more encryption attributes in a data store, which stores the encrypted portion of data along with the one or more encryption attributes; and
  
  define one or more access controls for the portion of data that include an identity of a plurality of users permitted to access some or all of the portion of data, the plurality of users being distinct from the data owner, wherein the attribute-based encryption allows some or all of the encrypted portion of data to be provided by the data store upon receiving a request that includes a confirmed identity of at least one of the plurality of users permitted to access the portion of data and at least a threshold number of the one or more encryption attributes, the particular sub-portion of the portion of data being provided to the at least one user being determined by the confirmed identity of the at least one user and the at least a threshold number of encryption attributes provided in the request.
- View Dependent Claims (20)
- - 20. The computer program product of claim 19, wherein the portion of data comprises a first portion of data, the one or more encryption attributes comprise one or more first encryption attributes, the one or more access controls comprise one or more first access controls, and the one or more search attributes comprise one or more first search attributes, the computer-executable instructions also including instructions that are executable to cause the computer system to perform at least the following:
    - encrypt a second portion of data with the attribute-based encryption, including associating the encrypted second portion of data with one or more second encryption attributes;
      
      send the encrypted second portion of data and the one or more second encryption attributes to the data store, which stores the second portion of data along with the one or more second encryption attributes; and
      
      define one or more second access controls for the second portion of data that include the identity of the least one user, wherein the attribute-based encryption allows the encrypted second portion of data to be provided by the data store upon request by the identified user when the request includes one or more second search attributes that are relevant to the one or more second encryption attributes, and wherein the attribute-based encryption also allows both the encrypted first portion of data and the encrypted second portion of data to be provided by the data store upon request by the identified user when the request includes both the one or more first search attributes and the one or more second search attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
D'Souza, Roy Peter, Pandey, Omkant
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/368,251
Publication Number

US 20170085536A1
Time in Patent Office

1,026 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/256   in federated or virtual dat...

G06F 16/27   Replication, distribution o...

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

Cloud key directory for federating data exchanges

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud key directory for federating data exchanges

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links