Searchable encryption enabling encrypted search based on document type
First Claim
1. A method comprising:
- receiving, at a network intermediary device over a communication network, a received document destined for a cloud service provider, the received document having a received document type;
- determining the received document type of the received document;
- selecting one or more keywords in the received document;
- for each selected one or more keywords in the received document:
  - deriving a plurality of keys for the selected keyword;
  - encrypting a document index identifying the received document using a first of the plurality of keys using a first encryption algorithm;
  - generating an encrypted keyword label based on a second of the plurality of keys, the determined document type, a selected keyword counter value indicative of a count of occurrences of the selected keyword in previously encrypted documents of the received document type, and a pseudorandom function; and
  - generating a search index entry mapping the encrypted keyword label to the encrypted document index;
- generating a search index in response to the search index entries generated for the one or more keywords in the received document;
- encrypting the received document using a second encryption algorithm that is different from the first encryption algorithm;
- transmitting the encrypted document to the cloud service provider;
- storing the encrypted document at the cloud service provider;
- receiving, at the network intermediary device, a search request with a search term for all document types;
- generating a search term label based on the pseudorandom function, a key that is a function of the search term, a document type, and a search value;
- searching for the search term label in the search index;
- in response to finding the search term label in the search index:
  - retrieving from the search index the encrypted document index corresponding to the search term label;
  - changing the search value; and
  - after changing the search value, regenerating the search term label based on the pseudorandom function, the key, the document type, and the search value;
- in response to not finding the search term label in the search index:
  - changing the document type;
  - after changing the document type, regenerating the search term label based on at least the pseudorandom function, the key, and the document type;
- decrypting the retrieved encrypted document index;
- retrieving the encrypted document from the cloud service provider using the decrypted document index;
- decrypting the retrieved document; and
- providing the decrypted document as the search result.
Abstract
A searchable encryption method enables encrypted search of encrypted documents based on document type. In some embodiments, the searchable encryption method is implemented in a network intermediary, such as a proxy server. The network intermediary encrypts documents on behalf of a user or an enterprise destined to be stored on a cloud service provider. The searchable encryption method encodes document type information into the encrypted search index while preserving encryption security. Furthermore, the searchable encryption method enables search of encrypted documents using the same encrypted index, either for a particular document type or for all encrypted documents regardless of the document type.
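The index construction and the search loop of claim 1, sketched as an added example (not code from the patent or its assignee). Assumptions: HMAC-SHA256 serves as the pseudorandom function, an XOR pad derived from that PRF stands in for the "first encryption algorithm", and the `TypedIndex` class, the `DOC_TYPES` list and the per-keyword counter table held by the intermediary are hypothetical names; document encryption and cloud storage are left out.

```python
import hashlib
import hmac
import os

DOC_TYPES = ("email", "pdf", "spreadsheet")  # assumed set of document types

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as the pseudorandom function; inputs are length-prefixed."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_id(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the first encryption algorithm: XOR with a one-time PRF pad."""
    if len(data) > 32:
        raise ValueError("document index longer than one PRF block")
    return bytes(a ^ b for a, b in zip(data, prf(key, nonce)))

class TypedIndex:
    def __init__(self, master_key: bytes):
        self.master = master_key
        self.index = {}     # label -> (nonce, encrypted document index)
        self.counters = {}  # (keyword, doc_type) -> occurrences so far (assumed local state)

    def _keys(self, keyword: str):
        kw = keyword.lower().encode()
        return prf(self.master, b"enc", kw), prf(self.master, b"label", kw)

    def _label(self, k_label: bytes, doc_type: str, n: int) -> bytes:
        return prf(k_label, doc_type.encode(), n.to_bytes(4, "big"))

    def add(self, doc_id: str, doc_type: str, keywords):
        for kw in {k.lower() for k in keywords}:
            k_enc, k_label = self._keys(kw)
            n = self.counters.get((kw, doc_type), 0)
            nonce = os.urandom(16)
            entry = (nonce, xor_id(k_enc, nonce, doc_id.encode()))
            self.index[self._label(k_label, doc_type, n)] = entry
            self.counters[(kw, doc_type)] = n + 1

    def search(self, term: str, doc_types=DOC_TYPES):
        k_enc, k_label = self._keys(term)
        hits = []
        for doc_type in doc_types:  # miss: change the document type
            n = 0                   # the claim's "search value"
            while (entry := self.index.get(self._label(k_label, doc_type, n))):
                nonce, ct = entry
                hits.append((doc_type, xor_id(k_enc, nonce, ct).decode()))
                n += 1              # hit: change the search value, regenerate the label
        return hits
```

Passing a single type, for example `search("invoice", ("pdf",))`, restricts the same index to one document type; a holder of the index without the master key sees only fixed-length labels and cannot tell which keyword or document type an entry belongs to.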
15 Claims
6. A system comprising:
- a memory; and
- at least hardware processor collectively configured to:
  - receive a received document destined for a cloud service provider, the received document having a received document type;
  - determine the received document type of the received document;
  - select one or more keywords in the received document;
  - for each selected one or more keywords in the received document:
    - derive a plurality of keys for the selected keyword;
    - encrypt a document index identifying the received document using a first of the plurality of keys using a first encryption algorithm;
    - generate an encrypted keyword label based on a second of the plurality of keys, the determined document type, a selected keyword counter value indicative of a count of occurrences of the selected keyword in previously encrypted documents of the received document type, and a pseudorandom function; and
    - generate a search index entry mapping the encrypted keyword label to the encrypted document index;
  - generate a search index in response to the search index entries generated for the one or more keywords in the received document;
  - encrypt the received document using a second encryption algorithm that is different from the first encryption algorithm;
  - transmit the encrypted document to the cloud service provider;
  - store the encrypted document at the cloud service provider;
  - receive a search request with a search term for all document types;
  - generate a search term label based on the pseudorandom function, a key that is a function of the search term, a document type, and a search value;
  - search for the search term label in the search index;
  - in response to finding the search term label in the search index:
    - retrieve from the search index the encrypted document index corresponding to the search term label;
    - change the search value; and
    - after changing the search value, regenerate the search term label based on the pseudorandom function, the key, the document type, and the search value;
  - in response to not finding the search term label in the search index:
    - change the document type;
    - after changing the document type, regenerate the search term label based on at least the pseudorandom function, the key, and the document type;
  - decrypt the retrieved encrypted document index;
  - retrieve the encrypted document from the cloud service provider using the decrypted document index;
  - decrypt the retrieved document; and
  - provide the decrypted document as the search result.
11. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method comprising:
- receiving a received document destined for a cloud service provider, the received document having a received document type;
- determining the received document type of the received document;
- selecting one or more keywords in the received document;
- for each selected one or more keywords in the received document:
  - deriving a plurality of keys for the selected keyword;
  - encrypting a document index identifying the received document using a first of the plurality of keys using a first encryption algorithm;
  - generating an encrypted keyword label based on a second of the plurality of keys, the determined document type, a selected keyword counter value indicative of a count of occurrences of the selected keyword in previously encrypted documents of the received document type, and a pseudorandom function; and
  - generating a search index entry mapping the encrypted keyword label to the encrypted document index;
- generating a search index in response to the search index entries generated for the one or more keywords in the received document;
- encrypting the received document using a second encryption algorithm that is different from the first encryption algorithm;
- transmitting the encrypted document to the cloud service provider;
- storing the encrypted document at the cloud service provider;
- receiving a search request with a search term for all document types;
- generating a search term label based on the pseudorandom function, a key that is a function of the search term, a document type, and a search value;
- searching for the search term label in the search index;
- in response to finding the search term label in the search index:
  - retrieving from the search index the encrypted document index corresponding to the search term label;
  - changing the search value; and
  - after changing the search value, regenerating the search term label based on the pseudorandom function, the key, the document type, and the search value;
- in response to not finding the search term label in the search index:
  - changing the document type;
  - after changing the document type, regenerating the search term label based on at least the pseudorandom function, the key, and the document type;
- decrypting the retrieved encrypted document index;
- retrieving the encrypted document from the cloud service provider using the decrypted document index;
- decrypting the retrieved document; and
- providing the decrypted document as the search result.
Specification