DATABASE SYSTEM FOR PROTECTING AND SECURING STORED DATA USING A PRIVACY SWITCH

US 20180150647A1
Filed: 01/23/2018
Published: 05/31/2018
Est. Priority Date: 08/05/2016
Status: Active Grant

First Claim

Patent Images

1. A method of storing user data records in a database to protect stored data from data breaches, each of the user data records including a plurality of user attributes, comprising:

designating at least one of the plurality of user attributes in each of the user data records as a private attribute;

replacing the private attribute in each of the user data records in the database with a designated identifier that uniquely identifies the private attribute while obfuscating the private attribute; and

sending the private attributes over a communication network to user communication devices respectively associated with each of the user data records that include the private attributes such that the user communication devices are caused to store the private attributes they respectively receive and generate credentials representing the private attributes that are authenticated upon being verified by a verifying entity without disclosing the private attributes.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Applications of the privacy switch technology are shown for handling data breaches in database systems, thereby providing fundamental improvements to the security and utility of database technology.

52 Citations

View as Search Results

42 Claims

1. A method of storing user data records in a database to protect stored data from data breaches, each of the user data records including a plurality of user attributes, comprising:
- designating at least one of the plurality of user attributes in each of the user data records as a private attribute;
  
  replacing the private attribute in each of the user data records in the database with a designated identifier that uniquely identifies the private attribute while obfuscating the private attribute; and
  
  sending the private attributes over a communication network to user communication devices respectively associated with each of the user data records that include the private attributes such that the user communication devices are caused to store the private attributes they respectively receive and generate credentials representing the private attributes that are authenticated upon being verified by a verifying entity without disclosing the private attributes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein designating at least one of the plurality of user attributes in each of the user data records as a private attribute includes designating a plurality of user attributes as private attributes.
  - 3. The method of claim 1, wherein the designating includes designating at least all key attributes in the user data records as private attributes.
  - 4. The method of claim 1, wherein the designating is performed by users respectively associated with the user data records.
  - 5. The method of claim 1, wherein the designating is performed by a database provider.
  - 6. The method of claim 1, wherein the designated identifiers are selected by users respectively associated with the user data records.
  - 7. The method of claim 1, wherein the designated identifiers are selected by a database provider.
  - 8. The method of claim 1, further comprising storing in each of the user data records an encrypted data object in which the private attribute that has been designated is encrypted.
  - 9. The method of claim 8, wherein the designating includes designating a plurality of the user attributes in a given one of the user data records as private attributes.
  - 10. The method of claim 9, wherein the designated identifier in the given user data record uniquely identifies all of the private attributes that have been designated.
  - 11. The method of claim 10, wherein the encrypted data object in the given user data record encrypts a concatenation of the private attributes that have been designated.

12. A method of maintaining user privacy when storing a user data record associated with a user in a database, comprising:
- receiving by a user communication device associated with the user over a communications network at least one of a plurality of user attributes in the user data record that is designated as a private attribute, the private attribute being replaced in the user data record by a designated identifier that uniquely identifies the private attribute while obfuscating the private attribute;
  
  storing the private attribute in a memory associated with the user communication device;
  
  generating, with the user communication device, a credential representing the private attribute that is authenticated upon being verified by a verifying entity without disclosing the private attribute, the verifying entity being configured to receive and respond to a request for verification of the designated identifier from a second entity having authorized access to the database, the verifying entity being further configured to send the private attribute to the second entity only if the credential is verified; and
  
  sending the credential and the designated identifier to the verifying entity in response to a request from the verifying entity.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, further comprising receiving, by the user communication device, a request from the verifying entity that is sent only if the credential is verified, for receipt of the private attribute and, in response thereto, sending the private attribute to the verifying entity.
  - 14. The method of claim 13, wherein the second entity includes a first executable computer code associated with a database provider of the database, the first executable computer code being executed in a virtual machine environment.
  - 15. The method of claim 14, wherein the verifying entity includes a second executable computer code that is executed in a virtual machine environment and which is in a common session with the first executable computer code.
  - 16. The method of claim 15, wherein sending the credential and the designated identifier includes sending the credential and the designated identifier in the common session from a third executable computer code that is executed in a virtual machine environment and which is associated with the user communication device.
  - 17. The method of claim 12, wherein the user data record includes an encrypted data object in which the private attribute is encrypted.
  - 18. The method of claim 17, wherein a plurality of the user attributes in the user data record are designated as private attributes.
  - 19. The method of claim 18, wherein the designated identifier in user data record uniquely identifies all of the private attributes that have been designated.
  - 20. The method of claim 19, wherein the encrypted data object in the user data record encrypts a concatenation of the private attributes that have been designated.
  - 21. The method of claim 12, wherein the private attribute is a key attribute of the user data record.

22. A method for providing user data to a third party while maintaining user privacy, comprising:
- establishing a session in a computing environment to execute a first executable computer code in a virtual machine, the first executable computer code being associated with a database provider;
  
  causing a second executable computer code to be inserted into the session, the second executable computer code being associated with a verifying entity;
  
  receiving a request from a third party from outside of the session to obtain user data for a user having a user data record maintained by the database provider, the request identifying the user by a designated identifier stored in the user data record, the designated identifier replacing at least one private attribute of the user data record, the at least one private attribute including one or more key attributes of the user data record, the user data record including an encrypted data object in which said at least one private attribute is encrypted;
  
  responsive to the request, causing a third executable code to be inserted into the session, the third executable code being associated with a user communication device associated with the user;
  
  further responsive to the request, causing the third executable code to send a credential to the second executable code within the session, the credential being associated with said at least one private attribute of the user data record;
  
  upon verification of the credential by the second executable code,receiving in the session, from the third executable code, said at least one private attribute and the designated identifier; and
  
  in response to receipt in the session of said at least one private attribute and the designated identifier, accessing the user data record stored in the database and verifying said at least one private attribute using the encrypted data object and, if verified, sending the user data record to the third party outside of the session without including said at least one private attribute.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The method of claim 22, wherein the at least one private attribute that is replaced by the designated identifier is stored in the user communication device.
  - 24. The method of claim 23, wherein verification of the credential ensures that said at least one private attribute has not been altered by the user communication device.
  - 25. The method of claim 24, wherein verification of the credential further ensures that the user who stored the at least one private attribute in the user communication device is also the user who created the credential.
  - 26. The method of claim 25, wherein ensuring the user who stored the at least one private attribute in the user communication device is also the user who created the credential is accomplished using biometric data of the user and a user defined dataset.
  - 27. The method of claim 22, wherein the second and third executable computer codes are each executed in a virtual machine.
  - 28. The method of claim 22, wherein the second and third executable computer codes are executed in a common virtual machine.
  - 29. The method of claim 22, wherein the second and third executable computer codes are executed in different virtual machines.
  - 30. The method of claim 22, wherein the at least one private attribute includes a key attribute of the user data record.
  - 31. The method of claim 22, wherein sending the user data record to the third party without including said at least one private attribute includes sending the user data record to the third party of a communications network.

32. A method executed by a user communication device for protecting stored data from data breaches, comprising:
- receiving by a user communication device associated with a user over a communications network at least one of a plurality of user attributes in a user data record that is designated as a private attribute, the private attribute being replaced in the user data record by a designated identifier that uniquely identifies the private attribute while obfuscating the private attribute;
  
  storing the private attribute in a memory associated with the user communication device;
  
  generating a credential using biometric data of the user and a user defined dataset;
  
  associated the credential and the user defined dataset with the private attribute;
  
  receiving a request to present the credential and the user defined dataset;
  
  responsive to a request to send the stored private attribute in the memory, the request only being issued if the credential is verified, causing the private attribute to be sent to an entity that has authorized access to the user data record.
- View Dependent Claims (33, 34, 35, 36, 37, 38)
- - 33. The method of claim 32, wherein verification of the credential ensures that the private attribute received by the user communication device is the same as the private attribute that is caused to be sent without alteration and that the user communication device receiving the private attribute is the same user communication device that causes the private attribute to be sent.
  - 34. The method of claim 32, wherein receiving the request to present the credential and the user defined dataset is received from a verifying entity and causing the private attribute to be sent includes sending the private attribute to the verifying entity, the verifying entity being configured to send the private attribute to the entity that has authorized access to the user data record.
  - 35. The method of claim 32, wherein receiving the request to present the credential includes receiving the request in a previously established session between (i) a first executable computer code associated with the entity that has authorized access to the user data record and which is executed in a first virtual machine environment and (ii) a second executable computer codes associated with a verifying entity that verifies the credential and which is executed in a second virtual machine environment.
  - 36. The method of claim 35, wherein causing the private attribute to be sent includes sending the private attribute from a third executable computer code associated with the user communication device to the second executable computer code while both the first, second and third executable computer codes are being executed in the previously established session.
  - 37. The method of claim 35, wherein the first and second virtual machine environments are the same virtual machine environment.
  - 38. The method of claim 35, wherein the first and second virtual machine environments are different virtual machine environments.

39. A method of maintaining user privacy when storing a user data record associated with a user in a database, comprising:
- receiving by a verifying entity over a communications network at least one of a plurality of user attributes in the user data record that is designated as a private attribute, the private attribute being replaced in the user data record by a designated identifier that uniquely identifies the private attribute while obfuscating the private attribute;
  
  requesting, by the verifying entity, a secure key from a user communication device associated with the user;
  
  receiving by the verifying entity the secure key from the user communication device, the secure key being one component of a digital string that is used as input to a hash function that generates a hashed output, the digital string and the hashed output being generated by the user communication device, the digital string having at least two components;
  
  receiving by the verifying entity a credential from the user communication device, the credential representing the private attribute that is authenticated upon being verified by the verifying entity without disclosing the private attribute;
  
  verifying, by the verifying entity, the credential;
  
  if the credential is verified, sending, by the verifying entity, the private attribute an external storage device.
- View Dependent Claims (40)
- - 40. The method of claim 39, wherein the digital string is formed by a concatenation of the two components.

41. A method of maintaining user privacy when storing a user data record associated with a user in a database, comprising:
- sending, by a user communication device associated with the user over a communication network, a designated identifier to a server that maintains the database, the designated identifier being used to replace at least one of a plurality of user attributes in the user data record that is designated as a private attribute, the designated identifier uniquely identifying the private attribute while obfuscating the private attribute;
  
  generating, with the user communication device, a credential representing the private attribute that is authenticated upon being verified by a verifying entity without disclosing the private attribute, the verifying entity being configured to receive the private attribute from the server that maintains the server;
  
  sending the credential to the verifying entity in response to a request from the verifying entity;
  
  generating, with the user communication device, first and second digital strings;
  
  generating, with the user communication device, a hashed output using the first and second digital strings as input to a hash function;
  
  sending the one of the first and second digital strings and the hashed output to an external storage device that is to store the private attribute; and
  
  sending the other of the first and second digital strings to the verifying entity to thereby cause the verifying entity to send the private attribute to the external storage device if the credential is verified.

42. A method for providing user data to a third party while maintaining user privacy, comprising:
- establishing a session in a computing environment to execute a first executable computer code in a virtual machine, the first executable computer code being associated with a database provider;
  
  causing a second executable computer code to be inserted into the session, the second executable computer code being associated with a verifying entity;
  
  receiving in the session a request from a third party outside the session to obtain user data for a user having a user data record maintained by the database provider in a database, the request identifying the user by a designated identifier stored in the user data record, the designated identifier replacing at least one private attribute of the user data record, the at least one private attribute including one or more key attributes of the user data record;
  
  responsive to the request, causing the second executable code to authenticate the user within the session;
  
  further responsive to the request, causing the first executable computer code to request the private attribute from the second executable code within the session so that in response thereto a secure key is sent over a communication network by the second executable computer code to an external storage device that stores the private attribute, the secure key being configured so that the external storage device is able to verify that a user communication device associated with the user has authorized the verifying entity to access the private attribute;
  
  receiving the private attribute from the second executable computer code within the session, the second executable computer code having received the private attribute from the external storage device over the communication network only if the secure key is verified by the external storage device; and
  
  in response to receipt in the session of said at least one private attribute, accessing the user data record stored in the database and sending the user data record to the third party without including said at least one private attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Safelishare Incorporated
Original Assignee
Sensoriant, Inc.
Inventors
Naqvi, Shamim A., Raucci, Robert F., Friedman, John Henry

Granted Patent

US 10,860,735 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/645   using a third party

H04L 9/321   involving a third party or ...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/50   using hash chains, e.g. blo...

DATABASE SYSTEM FOR PROTECTING AND SECURING STORED DATA USING A PRIVACY SWITCH

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

DATABASE SYSTEM FOR PROTECTING AND SECURING STORED DATA USING A PRIVACY SWITCH

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links