Database outsourcing with access privacy
Abstract
This invention introduces a new paradigm for outsourcing the transaction processing backend of a multi-client database application to an untrusted service provider. Specifically, the invention enables untrusted service providers to support transaction serialization, backup and recovery for clients, with full data confidentiality and correctness. Moreover, providers learn nothing about transactions (except their size and timing), thus achieving read and write access pattern privacy.
32 Claims
1. A storage system comprising:
- a network; a server having a server memory, a server processing unit and a server network interface in communication with the network; and a plurality of clients, each client having a client memory in which data is stored, a client processing unit and a client network interface in communication with the server through the network, each of the clients having an encryption portion that enables each of the clients to securely communicate and understand data with all other clients, the server memory being shared by the clients through the network to store copies of encrypted data in the server memory from the clients, the server unable to decrypt the encrypted data stored in the server memory, the server having a timing mechanism to ensure data that is shared is a desired copy.
- Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A client of a storage system comprising:
- a client memory in which data is stored; an encryption portion which encrypts and decrypts the data; a client processing unit in communication with the memory which stores the data in the client memory according to code the processing unit executes; and a client network interface in communication with the client memory through which a request for a required slot in an encrypted transaction log of a server is sent to the server and through which an allocate transaction slot response from the server is received.

12. A server of a storage system comprising:
- a server memory in which encrypted data from clients is stored and shared, said server memory having an encrypted transaction log, the encrypted data not able to be decrypted by the server; a server processing unit in communication with the server memory; and a server network interface which receives a request for a required slot in the transaction log from a client and through which an allocate transaction slot response is sent to the client.

13. A method for storing data comprising the steps of:
- sending an encrypted encoding of a transaction entailing updates to data that a client processing unit of a client desires to perform, from a client network interface of the client through a network to a server, the server unable to decrypt the encoding; sending information about other transactions to the client from a server network interface of the server through the network; checking with the client processing unit for a conflict between the transaction and the other transactions; sending a commit message from the client network interface to the server regarding the transaction if there are no conflicts; and executing the transaction on each client.
- Dependent claims: 14, 15, 16, 17, 18, 19, 21, 22, 23.

20. The method as described in claim 13, including the step of the processing unit recovering data in the client memory by obtaining, reading and decrypting data from the server memory.

24. A method of a client of a storage system comprising the steps of:
- storing data in a client memory according to code a client processing unit executes; forming a request for a required slot in an encrypted transaction log of a server with an encryption portion; sending the request to the server through a client network interface; and receiving an allocate transaction slot response from the server.

25. A method of a server of a storage system comprising the steps of:
- storing encrypted data from clients in a server memory which a server processing unit cannot decrypt, the server memory having an encrypted transaction log; receiving at a server network interface a request for a required slot in the transaction log from a client; and sending an allocate transaction slot response to the client through the server network interface.

26. A storage system comprising:
- a network; a server having a server network interface in communication with the network, a server processing unit and a server memory for storing data; and a first client and at least a second client, each client having a client processing unit, a client memory, an encryption portion and a client network interface in communication with the network;
- when the first client desires to perform a deterministic transaction T1 on the server, the client sends from the client network interface to the server an encrypted executable description of T1, as encrypted by the encryption portion of the first client, the server network interface sending information about an ordered sequence of deterministic transactions X to the second client, the client processing unit of the second client executing transactions X in the order they were sent to the server from at least the first client.
- Dependent claims: 27, 28, 29, 30.

31. A computer readable medium storing a computer program which, when executed by at least one client processing unit of a client of a storage system, communicates with a server, the computer program comprising instructions for the client processing unit generated steps of:
- storing data in a client memory; encrypting a request for a required slot in an encrypted transaction log of the server; and sending the encrypted request to the server through a client network interface.

32. A computer readable medium storing a computer program which, when executed by at least one server processing unit of a server of a storage system, communicates with a client, the computer program comprising instructions for the server processing unit generated steps of:
- storing encrypted data from clients in a server memory which the server processing unit cannot decrypt, the server memory having an encrypted transaction log; receiving at a server network interface a request for a required slot in the transaction log from the client; and sending an allocate transaction slot response to the client through the server network interface.
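The slot-allocation, client-side conflict check and deterministic replay described in claims 11 to 13 and 26, as a small added simulation that is not part of the patent: the server holds only an ordered log of ciphertext and a commit/abort flag per slot, every client shares the key, and each client replays committed slots in order. The `seal`/`unseal` toy cipher stands in for a real AEAD such as AES-GCM, and all class and method names are constructed for this illustration.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption, used only to keep the example self-contained.
# A real deployment would use an AEAD (e.g. AES-GCM) under the clients' shared key.
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, pt):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("log entry fails authentication")   # tampered or replayed entry
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

class UntrustedServer:
    """Holds the encrypted transaction log. It never has the key, so all it can
    observe is ciphertext size and the order/timing of slot allocation and commit."""
    def __init__(self):
        self.log = []                       # slot -> [ciphertext, status]; None = pending
    def allocate_slot(self, ct):            # the "allocate transaction slot" response
        self.log.append([ct, None]); return len(self.log) - 1
    def committed(self, since, upto=None):  # "information about other transactions"
        return [(i, e[0]) for i, e in enumerate(self.log[since:upto], since) if e[1] is True]
    def finish(self, slot, ok):             # commit (True) or abort (False) from the client
        self.log[slot][1] = ok
    def view(self):                         # everything the provider learns
        return [(i, len(e[0]), e[1]) for i, e in enumerate(self.log)]

class Client:
    def __init__(self, key, server):
        self.key, self.server, self.state, self.seen = key, server, {}, 0
    def sync(self):
        # Deterministic replay of committed slots in log order: all clients converge
        # on the same state while the server never reads any of it (claim 26).
        for slot, ct in self.server.committed(self.seen):
            self.state.update(json.loads(unseal(self.key, ct))["writes"])
            self.seen = slot + 1
    def submit(self, tx):
        """tx = {"reads": [keys read when tx was formed], "writes": {key: value}}."""
        snapshot = self.seen
        slot = self.server.allocate_slot(seal(self.key, json.dumps(tx).encode()))
        # Conflict check runs on the client (claim 13): did a transaction committed
        # after our snapshot but ahead of our slot write a key we read?
        for _, ct in self.server.committed(snapshot, slot):
            if set(json.loads(unseal(self.key, ct))["writes"]) & set(tx["reads"]):
                self.server.finish(slot, False); return False
        self.server.finish(slot, True); self.sync(); return True
```

Each transaction here is finished synchronously, so no slot is left pending between calls; a real implementation must also handle slots that are still pending when a later client replays the log.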
Specification