METHOD AND SYSTEM FOR ACCESS-CONTROLLED DECRYPTION IN BIG DATA STORES
First Claim
1. A method, comprising:
- receiving a request to encrypt a sensitive datum within a large distributed file system (large DFS);
- creating meta-information associated with the sensitive datum for determining, for each particular user, whether to decrypt the sensitive datum at a later time;
- encrypting the sensitive datum while leaving non-sensitive data of the large DFS unencrypted;
- storing the encrypted sensitive data; and
- storing the meta-information.
Abstract
A method and system for access-controlled decryption in big data stores is provided. In an implementation, a system provides a method for encryption that stores meta-information about sensitive data elements being encrypted in a big data store, such as a Hadoop system, in which the bulk of the data may remain unencrypted. In an implementation, the system reads the stored meta-information at decryption time to determine where the encrypted data is within a large and unencrypted file system, and to determine whether or not an individual user has access rights to decrypt a given element of sensitive data. The system allows fine-grain control over access rights to sensitive data during decryption.
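A minimal sketch of the flow the abstract describes, added here as an illustration and not taken from the patent or any product: one sensitive span of an otherwise plaintext record is encrypted in place, a meta-information entry records where it is and who may decrypt it, and reads consult that entry per user. The names `master`, `encrypt_span` and `read_as`, the record layout, the HMAC-based stand-in cipher, and the choice to authenticate the access list together with the ciphertext are all assumptions of this example.

```python
import hashlib
import hmac
import os

def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(master: bytes, e: dict, ct: bytes) -> bytes:
    # The tag covers position, nonce and access list, so editing the
    # meta-information (e.g. adding a user) is detected at read time.
    acl = b"\x00".join(u.encode() for u in sorted(e["allowed"]))
    msg = (e["start"].to_bytes(8, "big") + e["end"].to_bytes(8, "big")
           + e["nonce"] + len(acl).to_bytes(4, "big") + acl + ct)
    return hmac.new(_subkey(master, b"mac"), msg, hashlib.sha256).digest()

def _xor(master: bytes, e: dict, data: bytes) -> bytes:
    ks = _keystream(_subkey(master, b"enc"), e["nonce"], len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_span(master, store: bytearray, start: int, end: int, allowed) -> dict:
    """Encrypt store[start:end] in place and return its meta-information entry."""
    e = {"start": start, "end": end, "nonce": os.urandom(16), "allowed": sorted(allowed)}
    store[start:end] = _xor(master, e, bytes(store[start:end]))
    e["tag"] = _tag(master, e, bytes(store[start:end]))
    return e

def read_as(master, user: str, store: bytes, meta: list) -> bytes:
    """Return the store as `user` may see it: only permitted spans are decrypted."""
    view = bytearray(store)
    for e in meta:
        ct = bytes(store[e["start"]:e["end"]])
        if not hmac.compare_digest(e["tag"], _tag(master, e, ct)):
            raise ValueError("meta-information or ciphertext was modified")
        if user in e["allowed"]:
            view[e["start"]:e["end"]] = _xor(master, e, ct)
    return bytes(view)

if __name__ == "__main__":
    master = os.urandom(32)  # held by the decryption service, never by end users
    store = bytearray(b"id=17,name=Ann,ssn=000-12-3456,city=Oslo\n")  # constructed record
    at = store.index(b"000-12-3456")
    meta = [encrypt_span(master, store, at, at + 11, {"auditor"})]
    print(read_as(master, "auditor", store, meta))
    print(read_as(master, "intern", store, meta))
```

Because the access decision lives in the meta-information, that store needs integrity protection at least as strong as the ciphertext; here a modified access list fails tag verification instead of granting access.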
20 Claims
19. A system, comprising:
- a cryptography engine for creating and accessing secure information in a large distributed data store;
- an encryption engine in the cryptography engine for encrypting a sensitive datum in the large distributed data store and creating a meta-information marker for establishing access rights to access the sensitive datum;
- a decryption engine in the cryptography engine for reading the meta-information marker to establish access rights for accessing the sensitive datum and for decrypting the sensitive datum when an individual user has access rights;
- a user interface for the individual user to initiate discovery, encryption, and decryption actions in the large distributed data store; and
- a controller to execute the discovery, encryption, and decryption actions in the large distributed data store via the cryptography engine.
Specification