Selective encryption delineation
First Claim
1. A method of decrypting a partially encrypted data stream to facilitate exchanging a mixture of sensitive and insensitive data, the method comprising:
- receiving, from a remote server in a first network domain, at an edge encryption proxy in a second network domain, the partially encrypted data stream;
scanning the partially encrypted data stream, wherein scanning the partially encrypted data stream includes;
identifying a first portion of the partially encrypted data stream, wherein the first portion omits an encrypted portion sentinel;
wherein the end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included to be included in the partially encrypted data stream;
including the first portion in a decrypted output data stream;
identifying encryptionmetadata in the partially encrypted data stream;
identifying the encrypted portion sentinel in the partially encrypted data stream subsequent to the first portion, wherein the encrypted portion sentinel is configured to indicate that subsequent data is encrypted until a subsequent end encrypted portion sentinel is present in the partially encrypted data stream, wherein an end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included in the partially encrypted data stream; and
identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel;
generating a decrypted data portion by decrypting the encrypted portion in response to identifying the encrypted portion sentinel, wherein decrypting the encrypted portion includes;
identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting the end encrypted portion sentinel;
decrypting the encrypted data portion using at least in part the encryption metadata before having identified the end encrypted portion sentinel; and
defining an end to the encrypted data portion in response to identifying the end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion, wherein the end encrypted portion sentinel is configured to indicate that subsequent data is decrypted until a subsequent encrypted portion sentinel is present in the partially encrypted data stream;
including the decrypted data portion in the decrypted output data stream; and
outputting the decrypted output data stream to a client device in the second network domain.
1 Assignment
0 Petitions
Accused Products
Abstract
Decoding a partially encrypted data stream may include receiving and scanning the partially encrypted data stream. Scanning the partially encrypted data stream may include identifying an encrypted portion sentinel in the partially encrypted data stream subsequent to a first portion, identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel, and generating a decrypted data portion by decrypting the encrypted portion. Decrypting the encrypted portion may include identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting an end encrypted portion sentinel, decrypting the encrypted data portion, and identifying an end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion. Decoding the partially encrypted data stream may include including the decrypted data portion in the decrypted output data stream, and outputting the decrypted output data stream to a client device in the second network domain.
31 Citations
17 Claims
-
1. A method of decrypting a partially encrypted data stream to facilitate exchanging a mixture of sensitive and insensitive data, the method comprising:
-
receiving, from a remote server in a first network domain, at an edge encryption proxy in a second network domain, the partially encrypted data stream; scanning the partially encrypted data stream, wherein scanning the partially encrypted data stream includes; identifying a first portion of the partially encrypted data stream, wherein the first portion omits an encrypted portion sentinel; wherein the end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included to be included in the partially encrypted data stream; including the first portion in a decrypted output data stream; identifying encryptionmetadata in the partially encrypted data stream; identifying the encrypted portion sentinel in the partially encrypted data stream subsequent to the first portion, wherein the encrypted portion sentinel is configured to indicate that subsequent data is encrypted until a subsequent end encrypted portion sentinel is present in the partially encrypted data stream, wherein an end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included in the partially encrypted data stream; and identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel; generating a decrypted data portion by decrypting the encrypted portion in response to identifying the encrypted portion sentinel, wherein decrypting the encrypted portion includes; identifying an encrypted data portion in the encrypted portion, the encrypted data portion omitting the end encrypted portion sentinel; decrypting the encrypted data portion using at least in part the encryption metadata before having identified the end encrypted portion sentinel; and defining an end to the encrypted data portion in response to identifying the end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion, wherein the end encrypted portion sentinel is configured to indicate that subsequent data is decrypted until a subsequent encrypted portion sentinel is present in the partially encrypted data stream; including the decrypted data portion in the decrypted output data stream; and outputting the decrypted output data stream to a client device in the second network domain. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 16, 17)
-
-
10. A non-transitory computer-readable storage medium, comprising executable instructions that, when executed by a processor, cause the processor to perform operations to exchange a mixture of sensitive and insensitive data, the operations comprising:
-
receiving, at an edge encryption proxy in a first network domain, from a client device in the first network domain, a first request for information, the first request indicating a remote server in a second network domain; transmitting a second request for the information to the remote server on behalf of the client device; in response to transmitting the second request to the remote server, receiving, from the remote server, at the edge encryption proxy, a partially encrypted data stream; including a first portion of the partially encrypted data stream in a decrypted output data stream, wherein the first portion omits an encrypted portion sentinel, wherein the encrypted portion sentinel is configured to indicate that subsequent data is encrypted until a subsequent end encrypted portion sentinel, wherein an end encrypted portion sentinel comprises at least one value selected based at least in part on a determination that the at least one value is statistically unlikely to be included in the partially encrypted data stream; identifying encryption metadata in the partially encrypted data stream; identifying an encrypted portion in the partially encrypted data stream subsequent to the encrypted portion sentinel in the partially encrypted data stream, the encrypted portion sentinel subsequent to the first portion in the partially encrypted data stream is present in the partially encrypted data stream; generating a decrypted data portion by decrypting the encrypted portion in response to identifying the encrypted portion sentinel, wherein decrypting the encrypted portion includes; generating the decrypted data portion by decrypting an encrypted data portion from the encrypted portion before having identified the end encrypted portion sentinel, such that the decrypted data portion includes at least a portion of the information, the encrypted data portion omitting the end encrypted portion sentinel, wherein the end encrypted portion sentinel is configured to indicate that subsequent data is decrypted until a subsequent encrypted portion sentinel, and wherein the decrypting of the encrypted data portion uses at least in part the encryption metadata; and defining an end of the encrypted data portion in response to identifying the end encrypted portion sentinel in the encrypted portion subsequent to the encrypted data portion when the end encrypted portion sentinel is present in the partially encrypted data stream; including the decrypted data portion in the decrypted output data stream; and outputting the decrypted output data stream to the client device in response to the first request. - View Dependent Claims (11, 12, 13, 14, 15)
-
Specification