USER-CONTROLLED DATA ENCRYPTION WITH OBFUSCATED POLICY

US 20120331283A1
Filed: 06/24/2011
Published: 12/27/2012
Est. Priority Date: 06/24/2011
Status: Active Grant

First Claim

Patent Images

1. A method for re-encrypting data, comprising:

specifying a data-sharing policy that determines who the data will be shared with and how much of the data will be shared;

generating an obfuscated re-encryption program that is a private version of the data-sharing policy;

sending the obfuscated re-encryption program to a cloud data management system in a cloud computing environment;

storing encrypted data on a cloud data management system; and

re-encrypting the encrypted data on the cloud data management system using the obfuscated re-encryption program to obtain the re-encrypted data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An obfuscated policy data encryption system and method for re-encrypting data to maintain the confidentiality and integrity of data about a user when the data is stored in a public cloud computing environment. The system and method allow a user to specify in a data-sharing policy who can obtain the data and how much of the data is available to them. This policy is obfuscated such that it is unintelligible to the cloud operator and others processing and storing the data. In some embodiments, a patient species with whom his health care data should be shared with and the encrypted health care data is stored in the cloud in an electronic medical records system. The obfuscated policy allows the electronic medial records system to dispense the health care data of the patient to those requesting the data without disclosing the details of the policy itself.

Citations

20 Claims

1. A method for re-encrypting data, comprising:
- specifying a data-sharing policy that determines who the data will be shared with and how much of the data will be shared;
  
  generating an obfuscated re-encryption program that is a private version of the data-sharing policy;
  
  sending the obfuscated re-encryption program to a cloud data management system in a cloud computing environment;
  
  storing encrypted data on a cloud data management system; and
  
  re-encrypting the encrypted data on the cloud data management system using the obfuscated re-encryption program to obtain the re-encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising keeping the data-sharing policy unintelligible to the cloud data management system by using the obfuscated re-encryption program.
  - 3. The method of claim 2, further comprising generating the obfuscated re-encryption program using an obfuscated policy, a private key of a user, and a public key of a data consumer.
  - 4. The method of claim 3, further comprising:
    - having a data provider encrypt the data using a public key of the user to obtain the encrypted data;
      
      sending the encrypted data to the cloud data management system; and
      
      re-encrypting the encrypted data on the cloud data management system using the obfuscated re-encryption program to obtain the re-encrypted data.
  - 5. The method of claim 3, further comprising:
    - having the data consumer request data from the cloud data management system; and
      
      sending the re-encrypted data from the cloud data management system to the data consumer.
  - 6. The method of claim 5, further comprising sending to the data consumer a portion of the re-encrypted data so that the data is readable only by the appropriate data consumers as specified by the data-sharing policy.
  - 7. The method of claim 6, further comprising keeping the data-sharing policy unintelligible to the data consumer and the cloud by using the obfuscated re-encryption program.
  - 8. The method of claim 6, further comprising decrypting the re-encrypted data using the data consumer'"'"'s private key.

9. A method for maintaining a confidentiality of a user'"'"'s data when the data is stored in a cloud data management system on a public cloud computing environment, comprising:
- having the user specify a data-sharing policy that sets forth if and how much of the data is shared with a data consumer that desires the data;
  
  hiding the data-sharing procedure from the cloud data management system by generating an obfuscated re-encryption program that is a private version of the data-sharing policy;
  
  generating an obfuscated re-encryption program using a private key of the user, a public key of the data consumer, and the data-sharing policy;
  
  receiving encrypted data on the cloud data management system sent from a data provider, where the encrypted data is an encrypted version of the data;
  
  re-encrypting the encrypted data using the obfuscated re-encryption program to obtain re-encrypted data; and
  
  storing the re-encrypted data in the cloud data management system.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising:
    - determining that the user wants to modify the data-sharing policy;
      
      having the user modify the data-sharing procedure to obtain a modified data-sharing policy;
      
      hiding the modified data-sharing procedure from the cloud data management system by generating a modified obfuscated re-encryption program that is a private version of the modified data-sharing policy; and
      
      sending the modified obfuscated re-encryption program to the cloud for use in future re-encryptions.
  - 11. The method of claim 9, further comprising having the data provider encrypt the data using a public key of the user to obtain the encrypted data.
  - 12. The method of claim 11, further comprising:
    - receiving from the data consumer at the cloud data management system a request from the data consumer for the data; and
      
      sending at least part of the data from the cloud data management system to the data consumer.
  - 13. The method of claim 12, further comprising sending from the cloud data management system to the data consumer a ciphertext that is readable only by the desired recipients.
  - 14. The method of claim 13, further comprising:
    - having the data consumer receive the ciphertext; and
      
      decrypting the ciphertext using the data consumer'"'"'s private key to obtain decrypted data.
  - 15. The method of claim 14, further comprising keeping the data-sharing policy unintelligible to the data consumer by using the obfuscated re-encryption program.

16. A method for providing health care data about a patient in accordance with a data-sharing policy set by the patient, comprising:
- having the patient set the data-sharing policy that sets forth how much access to the health care data may be given to health care providers and other data consumers;
  
  generating an obfuscated re-encryption program that is a private version of the data-sharing policy;
  
  sending the obfuscated re-encryption program to an electronic medical records system in a cloud computing environment;
  
  storing encrypted health care data about the patient in the electronic medical records system; and
  
  providing upon request the health care data about the patient to a health care provider that will be readable in accordance with the data-sharing policy set by the patient.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising keeping the data-sharing policy unintelligible to the electronic medial records system and the health care providers by using the obfuscated re-encryption program.
  - 18. The method of claim 17, further comprising:
    - having the patient generate an obfuscated re-encryption program using the data-sharing policy, a private key of the patient, and public keys of the health care providers;
      
      encrypting the health care data using a public key of the patient to obtain encrypted data;
      
      sending the encrypted data to the electronic medical records system; and
      
      re-encrypting the encrypted data using the obfuscated re-encryption program to obtain re-encrypted data.
  - 19. The method of claim 18, further comprising:
    - receiving a request from one of the health care providers for the health care data about the patient;
      
      sending a portion of the re-encrypted data to the requesting health care provider; and
      
      decrypting the re-encrypted data using the private key of the requesting health care provider to obtain the requested health care data about the patient.
  - 20. The method of claim 17, further comprising generating a data-sharing policy that allows the health care data to be used for medical research purposes without disclosing any personally-identifiable information about the patient.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chase, Melissa E., Lauter, Kristin Estella, Chandran, Nishanth, Vaikuntanathan, Vinod

Granted Patent

US 9,077,525 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

G06F 11/3447   Performance evaluation by m...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/88   Medical equipments

H04L 41/0896   Bandwidth or capacity manag...

H04L 41/145   involving simulating, desig...

H04L 67/1008   based on parameters of serv...

H04L 9/088   Usage controlling of secret...

H04L 9/3013   involving the discrete loga...

H04L 9/3073   involving pairings, e.g. id...

USER-CONTROLLED DATA ENCRYPTION WITH OBFUSCATED POLICY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USER-CONTROLLED DATA ENCRYPTION WITH OBFUSCATED POLICY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links