CLOUD KEY DIRECTORY FOR FEDERATING DATA EXCHANGES

US 20120324237A1
Filed: 06/17/2011
Published: 12/20/2012
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for facilitating data transfer using an anonymous directory, the method comprising:

an act of instantiating an anonymous directory that stores data in one or more client-specific directories for a plurality of different clients, wherein the anonymous directory is further configured to provide data access according to access controls defined and managed by the client;

an act of receiving a data request from a user that identifies the user and specifies a portion of data that is to be returned to the user;

an act of determining which of the client'"'"'s data is to be returned to the user based on the client'"'"'s specified access controls, the access controls granting access to specified data in one or more client-specific directories, based on the user'"'"'s identity; and

an act of providing the determined data to the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to facilitating data transfer using an anonymous directory and to providing attribute-based data access to identified users. In an embodiment, a computer system instantiates an anonymous directory that stores data in various client-specific directories for different clients. The anonymous directory is configured to provide data access according to access controls defined and managed by the client. The computer system receives a data request from a user that identifies the user and specifies a portion of data that is to be returned to the user. The computer system determines which of the client'"'"'s data is to be returned to the user based on the client'"'"'s specified access controls. The access controls grant access to specified data in some of the client-specific directories, based on the user'"'"'s identity. The computer system then provides the determined data to the user.

Citations

20 Claims

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for facilitating data transfer using an anonymous directory, the method comprising:
- an act of instantiating an anonymous directory that stores data in one or more client-specific directories for a plurality of different clients, wherein the anonymous directory is further configured to provide data access according to access controls defined and managed by the client;
  
  an act of receiving a data request from a user that identifies the user and specifies a portion of data that is to be returned to the user;
  
  an act of determining which of the client'"'"'s data is to be returned to the user based on the client'"'"'s specified access controls, the access controls granting access to specified data in one or more client-specific directories, based on the user'"'"'s identity; and
  
  an act of providing the determined data to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the request from the user specifies one or more attributes describing data that is to be found in the client'"'"'s data.
  - 3. The method of claim 2, wherein the client'"'"'s data is encrypted using multi-authority attribute-based encryption, such that the client specifies access rights to the encrypted data by allowing identified users to access data that has certain specified attributes.
  - 4. The method of claim 3, wherein the anonymous directory allows discovery of clients'"'"' data based on a threshold number of attributes being requested in the user'"'"'s request.
  - 5. The method of claim 1, wherein the anonymous directory allows data owners to specify which data is presented in a search result for each of a plurality of different users.
  - 6. The method of claim 1, wherein the anonymous directory allows data owners to specify which data is presented in a search result for each of a plurality of different user types.
  - 7. The method of claim 1, wherein the anonymous directory allows data owners to dynamically change which data is presented in a given search result.
  - 8. The method of claim 7, wherein the data owner converts the query received from the user based on the user'"'"'s identity, to provide that user with a specified set of data.
  - 9. The method of claim 1, wherein the user is authenticated to verify the user'"'"'s identity, and wherein the client sends to the user a set of attributes that the user can search for regarding the client'"'"'s data.
  - 10. The method of claim 9, wherein upon receiving from the user a search that implements one or more of the attributes sent by the client, the data searching is performed by the anonymous directory.
  - 11. The method of claim 1, wherein at least a portion of the client'"'"'s data is made visible to the anonymous directory.
  - 12. The method of claim 1, wherein at least a portion of the client'"'"'s data remains invisible to the anonymous directory, such that the anonymous directory transmits the client'"'"'s encrypted data.

13. A computer program product for implementing a method for providing attribute-based data access to identified users, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of receiving encrypted data from a client that is to be stored in a client-specific directory, the data being encrypted using multi-authority attribute-based encryption, such that the client specifies access rights to the encrypted data by allowing identified users to access data with certain specified attributes;
  
  an act of receiving a data request from a user, wherein the data request includes the user'"'"'s identity and specifies one or more data attributes, wherein data that includes those attributes is to be returned to the user;
  
  an act of determining which portions of data have attributes that match the requested attributes specified by the user and are identified as being allowable to release to the identified user; and
  
  an act of sending to the user those portions of data whose attributes match the requested attributes specified by the user.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer program product of claim 13, wherein the client applies one or more attributes to each portion of data stored in the client-specific directory.
  - 15. The computer program product of claim 14, wherein the attributes applied by the client are user-specific, such that identified users receive different data based on their identity.
  - 16. The computer program product of claim 13, wherein at least one of the attributes is verified by an authority, the authority comprising a trusted third party.
  - 17. The computer program product of claim 13, wherein the user'"'"'s query is sent to a plurality of different authorities requesting specific attributes.
  - 18. The computer program product of claim 17, further comprising:
    - an act of receiving attributes from at least one of the authorities; and
      
      an act of allowing the user access to the data corresponding to the attributes returned by the authorities.
  - 19. The computer program product of claim 18, further comprising an act of preventing access to the data corresponding to the attributes not returned by the authorities.

20. A computer system comprising the following:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for providing attribute-based data access to identified users, the method comprising the following;
  
  an act of receiving encrypted data from a client that is to be stored in a client-specific directory, the data being encrypted using multi-authority attribute-based encryption, such that the client specifies access rights to the encrypted data by allowing identified users to access data with certain specified attributes;
  
  an act of receiving a data request from a user, wherein the data request includes the user'"'"'s identity and specifies one or more data attributes, wherein data that includes those attributes is to be returned to the user;
  
  an act of sending the received data request to a plurality of different authorities requesting specific attributes;
  
  an act of receiving attributes from at least one of the authorities;
  
  an act of allowing the user access to the data corresponding to the attributes returned by the authorities;
  
  an act of preventing access to the data corresponding to the attributes not returned by the authorities;
  
  an act of determining which portions of data have attributes that match the requested attributes specified by the user and are identified as being allowable to release to the identified user, based on the attributes returned by the authorities; and
  
  an act of sending to the user those portions of data whose attributes match the requested attributes specified by the user;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
D'Souza, Roy Peter, Pandey, Omkant

Granted Patent

US 8,627,508 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 16/256   in federated or virtual dat...

G06F 16/27   Replication, distribution o...

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

CLOUD KEY DIRECTORY FOR FEDERATING DATA EXCHANGES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CLOUD KEY DIRECTORY FOR FEDERATING DATA EXCHANGES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links