Selective encryption delineation

US 10,601,781 B2
Filed: 06/23/2016
Issued: 03/24/2020
Est. Priority Date: 10/12/2015
Status: Active Grant

First Claim

Patent Images

1. A method of decrypting a partially encrypted data stream to facilitate exchanging a mixture of sensitive and insensitive data, the method comprising:

receiving, from a remote server in a first network domain, at an edge encryption proxy in a second network domain, the partially encrypted data stream;

scanning the partially encrypted data stream, wherein scanning the partially encrypted data stream includes;

identifying a first portion of the partially encrypted data stream, wherein the first portion omits an encrypted portion sentinel;

wherein the end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included to be included in the partially encrypted data stream;

including the first portion in a decrypted output data stream;

identifying encryptionmetadata in the partially encrypted data stream;

identifying the encrypted portion sentinel in the partially encrypted data stream subsequent to the first portion, wherein the encrypted portion sentinel is configured to indicate that subsequent data is encrypted until a subsequent end encrypted portion sentinel is present in the partially encrypted data stream, wherein an end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included in the partially encrypted data stream; and

identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel;

generating a decrypted data portion by decrypting the encrypted portion in response to identifying the encrypted portion sentinel, wherein decrypting the encrypted portion includes;

identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting the end encrypted portion sentinel;

decrypting the encrypted data portion using at least in part the encryption metadata before having identified the end encrypted portion sentinel; and

defining an end to the encrypted data portion in response to identifying the end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion, wherein the end encrypted portion sentinel is configured to indicate that subsequent data is decrypted until a subsequent encrypted portion sentinel is present in the partially encrypted data stream;

including the decrypted data portion in the decrypted output data stream; and

outputting the decrypted output data stream to a client device in the second network domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Decoding a partially encrypted data stream may include receiving and scanning the partially encrypted data stream. Scanning the partially encrypted data stream may include identifying an encrypted portion sentinel in the partially encrypted data stream subsequent to a first portion, identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel, and generating a decrypted data portion by decrypting the encrypted portion. Decrypting the encrypted portion may include identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting an end encrypted portion sentinel, decrypting the encrypted data portion, and identifying an end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion. Decoding the partially encrypted data stream may include including the decrypted data portion in the decrypted output data stream, and outputting the decrypted output data stream to a client device in the second network domain.

31 Citations

View as Search Results

17 Claims

1. A method of decrypting a partially encrypted data stream to facilitate exchanging a mixture of sensitive and insensitive data, the method comprising:
- receiving, from a remote server in a first network domain, at an edge encryption proxy in a second network domain, the partially encrypted data stream;
  
  scanning the partially encrypted data stream, wherein scanning the partially encrypted data stream includes;
  
  identifying a first portion of the partially encrypted data stream, wherein the first portion omits an encrypted portion sentinel;
  
  wherein the end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included to be included in the partially encrypted data stream;
  
  including the first portion in a decrypted output data stream;
  
  identifying encryptionmetadata in the partially encrypted data stream;
  
  identifying the encrypted portion sentinel in the partially encrypted data stream subsequent to the first portion, wherein the encrypted portion sentinel is configured to indicate that subsequent data is encrypted until a subsequent end encrypted portion sentinel is present in the partially encrypted data stream, wherein an end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included in the partially encrypted data stream; and
  
  identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel;
  
  generating a decrypted data portion by decrypting the encrypted portion in response to identifying the encrypted portion sentinel, wherein decrypting the encrypted portion includes;
  
  identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting the end encrypted portion sentinel;
  
  decrypting the encrypted data portion using at least in part the encryption metadata before having identified the end encrypted portion sentinel; and
  
  defining an end to the encrypted data portion in response to identifying the end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion, wherein the end encrypted portion sentinel is configured to indicate that subsequent data is decrypted until a subsequent encrypted portion sentinel is present in the partially encrypted data stream;
  
  including the decrypted data portion in the decrypted output data stream; and
  
  outputting the decrypted output data stream to a client device in the second network domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 16, 17)
- - 2. The method of claim 1, wherein scanning the partially encrypted data stream includes performing byte-wise scanning operations.
  - 3. The method of claim 1, wherein the first portion includes unencrypted data.
  - 4. The method of claim 1, wherein the partially encrypted data stream includes data encoded in accordance with a defined encoding scheme.
  - 5. The method of claim 4, wherein the defined encoding scheme is a Unicode encoding scheme.
  - 6. The method of claim 4, wherein:
    - the encrypted portion sentinel is a first valid code in the defined encoding scheme;
      
      the end encrypted portion sentinel is a second valid code in the defined encoding scheme that differs from the encrypted portion sentinel;
      
      the first portion includes codes that are valid in the defined encoding scheme and omits codes other than codes that are valid in the defined encoding scheme; and
      
      the encrypted portion includes codes that are valid in the defined encoding scheme, omits codes other than codes that are valid in the defined encoding scheme, and omits the encrypted portion sentinel.
  - 7. The method of claim 1, wherein decrypting the encrypted portion includes:
    - identifying encryption metadata in the encrypted portion by;
      
      identifying an encryption metadata start sentinel in the encrypted portion;
      
      identifying the encryption metadata in the encrypted portion subsequent to the encryption metadata start sentinel, wherein the encryption metadata omits the encryption metadata start sentinel, and omits an encryption metadata end sentinel; and
      
      identifying the encryption metadata end sentinel in the encrypted portion subsequent to the encryption metadata; and
      
      omitting the encryption metadata start sentinel, the encryption metadata, and the encryption metadata end sentinel from the encrypted data portion.
  - 8. The method of claim 1, wherein decrypting the encrypted data portion includes decrypting the encrypted data portion using decryption information that is unavailable to the remote server.
  - 9. The method of claim 1, wherein scanning the partially encrypted data stream comprises:
    - performing byte-wise scanning operations; and
      
      entering an unencrypted state in response to identifying the end encrypted portion sentinel.
  - 16. The method of claim 1, wherein the determination that the at least one value is statistically unlikely comprises determining that the at least one value cannot be included in the partially encrypted data stream.
  - 17. The method of claim 16, wherein the at least one value comprises a non-character sequence relative to valid characters associated with the partially encrypted data stream.

10. A non-transitory computer-readable storage medium, comprising executable instructions that, when executed by a processor, cause the processor to perform operations to exchange a mixture of sensitive and insensitive data, the operations comprising:
- receiving, at an edge encryption proxy in a first network domain, from a client device in the first network domain, a first request for information, the first request indicating a remote server in a second network domain;
  
  transmitting a second request for the information to the remote server on behalf of the client device;
  
  in response to transmitting the second request to the remote server, receiving, from the remote server, at the edge encryption proxy, a partially encrypted data stream;
  
  including a first portion of the partially encrypted data stream in a decrypted output data stream, wherein the first portion omits an encrypted portion sentinel, wherein the encrypted portion sentinel is configured to indicate that subsequent data is encrypted until a subsequent end encrypted portion sentinel, wherein an end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included in the partially encrypted data stream;
  
  identifying encryption metadata in the partially encrypted data stream;
  
  identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel in the partially encrypted data stream, the encrypted portion sentinel subsequent to the first portion in the partially encrypted data stream is present in the partially encrypted data stream;
  
  generating a decrypted data portion by decrypting the encrypted portion in response to identifying the encrypted portion sentinel, wherein decrypting the encrypted portion includes;
  
  generating the decrypted data portion by decrypting an encrypted data portion from the encrypted portion before having identified the end encrypted portion sentinel, such that the decrypted data portion includes at least a portion of the information, the encrypted data portion omitting the end encrypted portion sentinel, wherein the end encrypted portion sentinel is configured to indicate that subsequent data is decrypted until a subsequent encrypted portion sentinel, and wherein the decrypting of the encrypted data portion uses at least in part the encryption metadata; and
  
  defining an end of the encrypted data portion in response to identifying the end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion when the end encrypted portion sentinel is present in the partially encrypted data stream;
  
  including the decrypted data portion in the decrypted output data stream; and
  
  outputting the decrypted output data stream to the client device in response to the first request.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory computer-readable storage medium of claim 10 comprising executable instructions that, when executed by the processor, cause the processor to perform operations, wherein the first portion includes unencrypted data.
  - 12. The non-transitory computer-readable storage medium of claim 10 comprising executable instructions that, when executed by the processor, cause the processor to perform operations, wherein the partially encrypted data stream includes data encoded in accordance with a defined encoding scheme.
  - 13. The non-transitory computer-readable storage medium of claim 12 comprising executable instructions that, when executed by the processor, cause the processor to perform operations, wherein the defined encoding scheme is a Unicode encoding scheme.
  - 14. The non-transitory computer-readable storage medium of claim 12 comprising executable instructions that, when executed by the processor, cause the processor to perform operations, wherein:
    - the encrypted portion sentinel is a first valid code in the defined encoding scheme;
      
      the end encrypted portion sentinel is a second valid code in the defined encoding scheme that differs from the encrypted portion sentinel;
      
      the first portion includes codes that are valid in the defined encoding scheme and omits codes other than codes that are valid in the defined encoding scheme; and
      
      the encrypted portion includes codes that are valid in the defined encoding scheme, omits codes other than codes that are valid in the defined encoding scheme, and omits the encrypted portion sentinel.
  - 15. The non-transitory computer-readable storage medium of claim 10 comprising executable instructions that, when executed by the processor, cause the processor to perform operations, wherein decrypting the encrypted portion includes:
    - identifying encryption metadata in the encrypted portion by;
      
      identifying an encryption metadata start sentinel in the encrypted portion;
      
      identifying the encryption metadata in the encrypted portion subsequent to the encryption metadata start sentinel, wherein the encryption metadata omits the encryption metadata start sentinel, and omits an encryption metadata end sentinel;
      
      identifying the encryption metadata end sentinel in the encrypted portion subsequent to the encryption metadata; and
      
      omitting the encryption metadata start sentinel, the encryption metadata, and the encryption metadata end sentinel from the encrypted data portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Merritt, Norris
Primary Examiner(s)
Shaw, Peter C

Application Number

US15/190,512
Publication Number

US 20170104723A1
Time in Patent Office

1,370 Days
Field of Search

713153
US Class Current
CPC Class Codes

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 63/0281   Proxies

H04L 63/0457   wherein the sending and rec...

H04L 9/06   the encryption apparatus us...

H04L 9/36   with means for detecting ch...

Selective encryption delineation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Selective encryption delineation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links