METHOD AND APPARATUS FOR MIGRATING ENCRYPTED DATA

US 20160294563A1
Filed: 03/31/2015
Published: 10/06/2016
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

associating a security certificate with a business unit based on the submission of a provisioning request;

generating a policy for establishing the identity of the business unit, for controlling access to data associated with the business unit as maintained by a data service, or a combination thereof based on the security certificate; and

associating one or more keys for accessing the data from the data service with a data container of the data service, the business unit, a key manager associated with the business unit, or a combination thereof based on the policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for managing the provisioning and sharing of data among common users of a data service. A provisioning platform associates a security certificate with a business unit based on the submission of a provisioning request. The provisioning platform also associating one or more keys for accessing the data from the data service with a data container of the data service, the business unit, a key manager associated with the business unit, or a combination thereof based on the generation of a policy for establishing the identity of the business unit, for controlling access to data associated with the business unit as maintained by a data service, or a combination thereof based on the security certificate.

15 Citations

View as Search Results

21 Claims

1. A method comprising:
- associating a security certificate with a business unit based on the submission of a provisioning request;
  
  generating a policy for establishing the identity of the business unit, for controlling access to data associated with the business unit as maintained by a data service, or a combination thereof based on the security certificate; and
  
  associating one or more keys for accessing the data from the data service with a data container of the data service, the business unit, a key manager associated with the business unit, or a combination thereof based on the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method of claim 1, further comprising:
    - determining fulfillment of the provisioning request based on the association of the one or more keys,wherein the provisioning request is to provision (a) the business unit, (b) data associated with the business unit, or (c) a combination thereof.
  - 3. A method of claim 1, further comprising:
    - generating the security certificate in association with the business unit; and
      
      storing the security certificate to the data service,wherein the association of the security certificate with the business unit is based on the storage.
  - 4. A method of claim 3, further comprising:
    - generating the data container at the data service based on the storing of the security certificate,wherein the data container maintains one or more data objects and the data objects include (a) the data associated with the business unit, (b) at least one a key associated with the data, or (c) a combination thereof.
  - 5. A method of claim 1, further comprising:
    - storing identity information regarding the business unit to the key manager based on the policy,wherein the key manager stores at least one of the one or more keys for authenticating the business unit for access to the data service, the data to be provisioned, or a combination thereof.
  - 6. A method of claim 1, further comprising:
    - generating a table for mapping the one or more keys to the business unit, one or more other business units, or a combination thereof,wherein the table is maintained by the key manager and the associating of the one or more keys is based on the table.
  - 7. A method of claim 6, further comprising:
    - generating a key pair in association with the business unit based on the provisioning request;
      
      receiving a master key from the key manager based on authentication of a private key of the key pair; and
      
      storing a public key in association with the data to the data container,wherein the table specifies at least the private key associated with the business unit, the one or more other business units, or a combination thereof and the public key specifies data for indicating a prefix of the business unit, the one or more other business units, or a combination thereof.
  - 8. A method of claim 1, further comprising:
    - generating a policy for specifying access to the data associated with the business unit with another business unit based on a sharing request.
  - 9. A method of claim 8, further comprising:
    - causing (a) a generating a permission record for allowing the other business unit to access the data, (b) an updating of a table for mapping the one or more keys to the business unit, the other business unit, or a combination thereof,wherein the permission record, the table, or a combination thereof is maintained by the key manager.
  - 10. A method of claim 9, wherein fulfillment of the sharing request is based on the generation of the permission record, the updating of the table, or a combination thereof.

11. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs,the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,associate a security certificate with a business unit based on the submission of a provisioning request; and
  
  generate a policy for establishing the identity of the business unit, for controlling access to data associated with the business unit as maintained by a data service, or a combination thereof based on the security certificate; and
  
  associate one or more keys for accessing the data from the data service with a data container of the data service, the business unit, a key manager associated with the business unit, or a combination thereof based on the policy.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. An apparatus of claim 11, wherein the apparatus is further caused to:
    - determine fulfillment of the provisioning request based on the association of the one or more keys,wherein the provisioning request is to provision (a) the business unit, (b) data associated with the business unit, or (c) a combination thereof.
  - 13. An apparatus of claim 11, wherein the apparatus is further caused to:
    - generate the security certificate in association with the business unit; and
      
      store the security certificate to the data service,wherein the association of the security certificate with the business unit is based on the storage.
  - 14. An apparatus of claim 13, wherein the apparatus is further caused to:
    - generate the data container at the data service based on the storing of the security certificate,wherein the data container maintains one or more data objects and the data objects include (a) the data associated with the business unit, (b) at least one a key associated with the data, or (c) a combination thereof.
  - 15. An apparatus of claim 14, wherein the apparatus is further caused to:
    - store identity information regarding the business unit to the key manager based on the policy,wherein the key manager stores at least one of the one or more keys for authenticating the business unit for access to the data service, the data to be provisioned, or a combination thereof.
  - 16. An apparatus of claim 11, wherein the apparatus is further caused to:
    - generate a table for mapping the one or more keys to the business unit, one or more other business units, or a combination thereof,wherein the table is maintained by the key manager and the associating of the one or more keys is based on the table.
  - 17. An apparatus of claim 16, wherein the apparatus is further caused to:
    - generate a key pair in association with the business unit based on the provisioning request;
      
      receive a master key from the key manager based on authentication of a private key of the key pair; and
      
      store a public key in association with the data to the data container,wherein the table specifies at least the private key associated with the business unit, the one or more other business units, or a combination thereof and the public key specifies data for indicating a prefix of the business unit, the one or more other business units, or a combination thereof.

18. A computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to perform:
- associating a security certificate with a business unit based on the submission of a provisioning request;
  
  generating a policy for establishing the identity of the business unit, for controlling access to data associated with the business unit as maintained by a data service, or a combination thereof based on the security certificate; and
  
  associating one or more keys for accessing the data from the data service with a data container of the data service, the business unit, a key manager associated with the business unit, or a combination thereof based on the policy.
- View Dependent Claims (19, 20)
- - 19. A computer-readable storage medium of claim 18, wherein the apparatus is further caused to perform:
    - determining fulfillment of the provisioning request based on the association of the one or more keys,wherein the provisioning request is to provision (a) the business unit, (b) data associated with the business unit, or (c) a combination thereof.
  - 20. A computer-readable storage medium of claim 18, wherein the apparatus is further caused to perform:
    - generating the security certificate in association with the business unit; and
      
      storing the security certificate to the data service,wherein the association of the security certificate with the business unit is based on the storage.

21-48. -48. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HERE Global B.V. (Nokia Corporation)
Original Assignee
HERE Global B.V. (Nokia Corporation)
Inventors
QIAN, Gaoqiang

Granted Patent

US 9,729,541 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/083   involving central third par...

H04L 9/3263   involving certificates, e.g...

METHOD AND APPARATUS FOR MIGRATING ENCRYPTED DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR MIGRATING ENCRYPTED DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links