TRUSTED CLOUD COMPUTING AND SERVICES FRAMEWORK
Abstract
A digital escrow pattern is provided for network data services including searchable encryption techniques for data stored in a cloud, distributing trust across multiple entities to avoid a single point of data compromise. In one embodiment, a key generator, a cryptographic technology provider and a cloud services provider are each provided as separate entities, enabling a publisher of data to publish data confidentially (encrypted) to a cloud services provider, and then expose the encrypted data selectively to subscribers requesting that data based on subscriber identity information encoded in key information generated in response to the subscriber requests, e.g., a role of the subscriber.
239 Citations
20 Claims
1. A method for subscribing to data, comprising:
- requesting a subset of searchably encrypted data by at least one subscriber device;
- receiving cryptographic key information from a key generation component that generates the cryptographic key information based on identity information associated with the at least one subscriber device;
- decrypting the subset of encrypted data as allowed by capabilities defined in the cryptographic key information; and
- validating that a correct subset of encrypted data consistent with the requesting is received by the at least one subscriber device.

Dependent claims: 2, 3, 4, 5.

6. A system, comprising:
- at least one data store storing selectively accessible encrypted data records, wherein at least one subscriber requests a subscription to a subset of data records, a first independent entity generates cryptographic key information based on identity information associated with the at least one subscriber, and a second independent entity performs decrypting of the subset based on the cryptographic key information generated by the first independent entity; and
- at least one processor configured to perform a network service, for handling at least one request by the at least one subscriber, that provides selective access to the subset of data records and validates that the subset is a correct subset consistent with the subscription.

7. A method for subscribing to data, comprising:
- requesting a subset of searchably encrypted data from at least one subscriber device;
- receiving cryptographic key information from a key generation component that generates the cryptographic key information based on identity information associated with the at least one subscriber device;
- decrypting the subset of encrypted data as allowed by capabilities defined in the cryptographic key information; and
- verifying that content of the subset of encrypted data was not deleted or modified prior to being received by the at least one subscriber device.

Dependent claims: 8, 9, 10, 11.

12. A system, comprising:
- at least one data store storing selectively accessible encrypted data records, wherein at least one subscriber device requests a subscription to a subset of data records, a first independent entity generates cryptographic key information based on identity information associated with the at least one subscriber device, and a second independent entity performs decrypting of the subset based on the cryptographic key information generated by the first independent entity; and
- at least one processor configured to perform a network service, for a request by the at least one subscriber device, that provides selective access to the subset of data records and verifies that the content of the data records in the subset has not been modified without permission.

13. A method, comprising:
- requesting a first entity to validate identity information associated with a computing device;
- requesting and receiving key information from a second entity, operating independently from the first entity, based on at least one role determined from the identity information;
- encrypting at least one record accessible from the computing device based on the key information according to a searchable encryption algorithm; and
- defining at least one capability for at least one subscriber role with respect to the at least one record for selectively providing decrypted access to the at least one record.

Dependent claims: 14, 15, 16, 17, 18, 19, 20.
Specification