METHOD AND SYSTEM FOR ACCESS-CONTROLLED DECRYPTION IN BIG DATA STORES

US 20150026462A1
Filed: 06/14/2014
Published: 01/22/2015
Est. Priority Date: 03/15/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

receiving a request to encrypt a sensitive datum within a large distributed file system (large DFS);

creating meta-information associated with the sensitive datum for determining, for each particular user, whether to decrypt the sensitive datum at a later time;

encrypting the sensitive datum while leaving non-sensitive data of the large DFS unencrypted;

storing the encrypted sensitive data; and

storing the meta-information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for access-controlled decryption in big data stores is provided. In an implementation, a system provides a method for encryption that stores meta-information about sensitive data elements being encrypted in a big data store, such as a Hadoop system, in which the bulk of the data may remain unencrypted. In an implementation, the system reads the stored meta-information at decryption time to determine where the encrypted data is within a large and unencrypted file system, and to determine whether or not an individual user has access rights to decrypt a given element of sensitive data. The system allows fine-grain control over access rights to sensitive data during decryption.

28 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving a request to encrypt a sensitive datum within a large distributed file system (large DFS);
  
  creating meta-information associated with the sensitive datum for determining, for each particular user, whether to decrypt the sensitive datum at a later time;
  
  encrypting the sensitive datum while leaving non-sensitive data of the large DFS unencrypted;
  
  storing the encrypted sensitive data; and
  
  storing the meta-information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the sensitive datum comprises one of structured data or unstructured data within a highly distributed file system (DFS) of structured data or unstructured data.
  - 3. The method of claim 1, wherein encrypting the sensitive datum further comprises encrypting a sensitive datum of a file or a table, while leaving non-sensitive data of the file or the table unencrypted.
  - 4. The method of claim 1, wherein storing the meta-information comprises one of storing the meta-information to precede the encrypted sensitive datum on a storage medium, storing the meta-information in a same storage object as a header, or storing the meta-information in a separate storage object from the header, during encryption.
  - 5. The method of claim 1, wherein the meta-information for the sensitive datum in a file includes a general encryption marker and a specific encryption marker;
    - wherein the general encryption marker comprises a unique string having low probability of recurrence in a file system or in a file subsystem containing the file and is associated with each encrypted datum in the file system or file subsystem; and
      
      wherein the specific encryption marker identifies one of a type of the sensitive datum, a time of access of the sensitive datum, an IP address of an access of the sensitive datum, an identity of one or more groups entitled to access the sensitive datum, or an access parameter associated with the sensitive datum, each particular user having an associated set of access rights to different types of sensitive data.
  - 6. The method of claim 5, wherein the sensitive datum comprises a type selected from the group of types consisting of a credit card number, a social security number, a financial transaction, an account number, personal demographic information, personal identity information, a name, a date of birth, a place of birth, a mother'"'"'s maiden name, a datum linkable to an individual, personal educational information, employment information, a private weblog, a private message, a certificate, and a private image.
  - 7. The method of claim 6, wherein the specific encryption marker comprises a code to identify the type of the sensitive datum.
  - 8. The method of claim 6, further comprising:
    - retrieving an access control list for an individual user;
      
      reading the encrypted sensitive datum including the meta-information associated with the encrypted sensitive datum;
      
      reading the general encryption marker of the meta-information to identify the datum as an encrypted sensitive datum;
      
      reading the specific encryption marker to determine a type of the encrypted sensitive datum;
      
      comparing the determined type of the encrypted sensitive datum with the access control list of the user to determine whether to decrypt the encrypted sensitive datum for the user; and
      
      decrypting the encrypted sensitive datum for the user when the access control list of the user entitles the user to access the type of the encrypted sensitive datum.
  - 9. The method of claim 5, wherein the specific encryption marker includes an index to a lookup table containing a relationship between a value of the specific encryption marker and one or more types of the encrypted sensitive data.
  - 10. The method of claim 5, wherein different instances of the general encryption marker are associated with corresponding different parts of a file system.
  - 11. The method of claim 5, wherein multiple specific encryption markers are associated with the encrypted sensitive datum, and further comprising:
    - interpreting the multiple specific encryption markers based on rules in a lookup table or in a decryption code.
  - 12. The method of claim 5, wherein a user is provided access to the encrypted sensitive datum when the access control list of the user includes entitlement to all of the types associated with the multiple specific encryption markers of the encrypted sensitive datum.
  - 13. The method of claim 12, wherein a user is provided access to the encrypted sensitive datum when the access control list of the user includes entitlement to at least one of the types associated with the multiple specific encryption markers of the encrypted sensitive datum.
  - 14. The method of claim 12, wherein multiple specific encryption markers are associated with encryption of an entire record, and the user is provided access to the entire record according to a scheme selected from the group of schemes consisting of:
    - a first scheme in which the user is granted access to the entire record when the access control list of the user includes entitlement to at least one of the types associated with the multiple specific encryption markers of the entire record;
      
      a second scheme in which the user is granted access to the entire record when the access control list of the user includes entitlement to all of the types associated with the multiple specific encryption markers of the entire record; and
      
      a third scheme in which the user is granted access to the entire record based on interpreting the multiple specific encryption markers according to one or more rules in a lookup table or in a decryption code.
  - 15. The method of claim 5, further comprising storing the meta-information in an index, an offset file, or a table, wherein the index, offset file, or table includes at least a pointer to the encrypted sensitive datum and to one or more types of the encrypted sensitive datum.
  - 16. The method of claim 15, wherein the index, offset file, or table comprises a header or an index block associated with the encrypted sensitive datum.
  - 17. The method of claim 5, wherein a field, column, row, or a structure of a file or a record comprises at least some sensitive data and the meta-information applies to the access rights of the user to the entire field, column, row, or structure.
  - 18. The method of claim 5, wherein the specific encryption markers are separately encrypted with a different encryption key than an encryption key applied to encrypting the sensitive datum.

19. A system, comprising:
- a cryptography engine for creating and accessing secure information in a large distributed data store;
  
  an encryption engine in the cryptography engine for encrypting a sensitive datum in the large distributed data store and creating a meta-information marker for establishing access rights to access the sensitive datum;
  
  a decryption engine in the cryptography engine for reading the meta-information marker to establish access rights for accessing the sensitive datum and for decrypting the sensitive datum when an individual user has access rights;
  
  a user interface for the individual user to initiate discovery, encryption, and decryption actions in the large distributed data store; and
  
  a controller to execute the discovery, encryption, and decryption actions in the large distributed data store via the cryptography engine.
- View Dependent Claims (20)
- - 20. The system of claim 19, further comprising:
    - a general encryption marker in the meta-information marker comprising a unique string having low probability of recurrence in a file system or in a file subsystem and associated with each encrypted datum in the file system or file subsystem; and
      
      a specific encryption marker in the meta-information marker to identify a type of the sensitive datum and to index an access control list, each particular user having an associated set of access rights in the access control list to different types of sensitive data;
      
      wherein the meta-information marker is stored in a permanent storage medium including one of the large distributed data store or a storage repository connected to the controller; and
      
      wherein the decryption engine decrypts the sensitive datum only when the user has access rights based on the specific encryption marker.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dataguise Incorporated (PKW Holdings, Inc.)
Original Assignee
Dataguise Incorporated (PKW Holdings, Inc.)
Inventors
Ramesh, Subramanian, Bedi, Harinder Singh, Kashyap, Varun

Application Number

US14/304,902
Publication Number

US 20150026462A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

METHOD AND SYSTEM FOR ACCESS-CONTROLLED DECRYPTION IN BIG DATA STORES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND SYSTEM FOR ACCESS-CONTROLLED DECRYPTION IN BIG DATA STORES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others