Method and apparatus for managing cryptographic keys

US 20070230704A1
Filed: 04/04/2006
Published: 10/04/2007
Est. Priority Date: 04/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method for managing keys, comprising:

receiving a request from a user at a database to encrypt/decrypt data at the database;

sending a user-token to the user, wherein the user-token includes a user-key encrypted with a user-secret thereby enabling the user to decrypt the user-key with the user-secret;

receiving the user-key which has been decrypted by the user;

using the user-key to encrypt/decrypt the data at the database; and

deleting the user-key at the database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for managing keys. During operation, the system receives a request from a user at a database to encrypt/decrypt data at the database. In response to this request, the system sends a user-token to the user, wherein the user-token includes a user-key encrypted with a user-secret thereby enabling the user to decrypt the user-key with the user-secret. Next, the system receives the decrypted user-key from the user. The system then uses the user-key to encrypt/decrypt the data at the database. Finally, the system deletes the user-key at the database.

Citations

23 Claims

1. A method for managing keys, comprising:
- receiving a request from a user at a database to encrypt/decrypt data at the database;
  
  sending a user-token to the user, wherein the user-token includes a user-key encrypted with a user-secret thereby enabling the user to decrypt the user-key with the user-secret;
  
  receiving the user-key which has been decrypted by the user;
  
  using the user-key to encrypt/decrypt the data at the database; and
  
  deleting the user-key at the database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein using the user-key to encrypt/decrypt the data involves directly encrypting/decrypting the data with the user-key.
  - 3. The method of claim 1, wherein using the user-key to encrypt/decrypt the data involves:
    - decrypting an encrypted data-key with the user-key to obtain a data-key; and
      
      using the data-key to encrypt/decrypt the data.
  - 4. The method of claim 3, wherein a second copy of the data-key is encrypted with a second user-key belonging to a second user so that the second user can also access the data.
  - 5. The method of claim 4, further comprising:
    - modifying the data-key;
      
      encrypting the modified data-key with the user-key belonging to the user;
      
      deleting the encrypted second copy of the data-key;
      
      creating a new second copy of the data-key to match the modified data-key; and
      
      encrypting the new second copy of the data-key with the second user-key belonging to the second user.
  - 6. The method of claim 1, wherein a second copy of the user-key is encrypted with a second user-key belonging to a second user so that the second user can also access the data.
  - 7. The method of claim 6, wherein prior to being encrypted with the second user-key, the user-key is encrypted with a master-key, which is stored in an external security module coupled to the database.
  - 8. The method of claim 1, further comprising creating the user-token by:
    - receiving a request from the client at the database to create the user-token;
      
      generating the user-key;
      
      sending the user-key to the user; and
      
      receiving the user-token from the user, wherein the user-token includes the user-key encrypted with the user-secret.
  - 9. The method of claim 8, wherein generating the user-key involves receiving the user-key from the client.
  - 10. The method of claim 1, wherein the user-secret can include:
    - a cryptographic key;
      
      a password;
      
      or a certificate.

11. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for managing keys, comprising:
- receiving a request from a user at a database to encrypt/decrypt data at the database;
  
  sending a user-token to the user, wherein the user-token includes a user-key encrypted with a user-secret thereby enabling the user to decrypt the user-key with the user-secret;
  
  receiving the user-key which has been decrypted by the user;
  
  using the user-key to encrypt/decrypt the data at the database; and
  
  deleting the user-key at the database.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer-readable storage medium of claim 11, wherein using the user-key to encrypt/decrypt the data involves directly encrypting/decrypting the data with the user-key.
  - 13. The computer-readable storage medium of claim 11, wherein using the user-key to encrypt/decrypt the data involves:
    - decrypting an encrypted data-key with the user-key to obtain a data-key; and
      
      using the data-key to encrypt/decrypt the data.
  - 14. The computer-readable storage medium of claim 13, wherein a second copy of the data-key is encrypted with a second user-key belonging to a second user so that the second user can also access the data.
  - 15. The computer-readable storage medium of claim 14, further comprising:
    - modifying the data-key;
      
      encrypting the modified data-key with the user-key belonging to the user deleting the encrypted second copy of the data-key;
      
      creating a new second copy of the data-key to match the modified data-key; and
      
      encrypting the new second copy of the data-key with the second user-key belonging to the second user.
  - 16. The computer-readable storage medium of claim 11, wherein a second copy of the user-key is encrypted with a second user-key belonging to a second user so that the second user can also access the data.
  - 17. The computer-readable storage medium of claim 16, wherein prior to being encrypted with the second user-key, the user-key is encrypted with a master-key, which is stored in an external security module coupled to the database.
  - 18. The computer-readable storage medium of claim 11, further comprising creating the user-token by:
    - receiving a request from the client at the database to create the user-token;
      
      generating the user-key;
      
      sending the user-key to the user; and
      
      receiving the user-token from the user, wherein the user-token includes the user-key encrypted with the user-secret.
  - 19. The computer-readable storage medium of claim 18, wherein generating the user-key involves receiving the user-key from the client.
  - 20. The computer-readable storage medium of claim 11, wherein the user-secret can include:
    - a cryptographic key;
      
      a password;
      
      or a certificate.

21. An apparatus that manages keys, comprising:
- a database;
  
  a user-token;
  
  a receiving mechanism configured to receive a request from a user at the database to encrypt/decrypt data at the database;
  
  a sending mechanism configured to send the user-token to the user, wherein the user-token includes a user-key encrypted with a user-secret thereby enabling the user to decrypt the user-key with the user-secret;
  
  the receiving mechanism further configured to receive the user-key which has been decrypted by the user;
  
  an encryption/decryption mechanism configured to use the user-key to encrypt/decrypt the data at the database; and
  
  a deleting mechanism configured to delete the user-key at the database.
- View Dependent Claims (22, 23)
- - 22. The apparatus of claim 21, wherein while using the user-key to encrypt/decrypt the data, the encryption/decryption mechanism is configured to:
    - decrypt an encrypted data-key with the user-key to obtain a data-key; and
      
      to use the data-key to encrypt/decrypt the data.
  - 23. The apparatus of claim 22, further comprising an encrypting mechanism configured to encrypt a second copy of the data-key with a second user-key belonging to a second user so that the second user can also access the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wong, Daniel, Youn, Paul

Granted Patent

US 7,751,570 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

Method and apparatus for managing cryptographic keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing cryptographic keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links