Highly Available Encryption Framework for Multiple Different Computing Environments

US 20200134223A1
Filed: 10/31/2018
Published: 04/30/2020
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A system for data object encryption, the system comprising:

an encryption framework available across a plurality of runtime environments;

wherein the system is configured to;

receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key;

determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment;

encrypt the data object using the content encryption key;

encrypt the content encryption key using the master key and key wrapping algorithm; and

write the encrypted data object to networked database storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided for data object encryption. The system includes an encryption framework available across a plurality of runtime environments. The system is configured to receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key and determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment. The system is further configured to encrypt the data object using the content encryption key, encrypt the content encryption key using the master key and key wrapping algorithm, and write the encrypted data object to networked database storage.

37 Citations

View as Search Results

24 Claims

1. A system for data object encryption, the system comprising:
- an encryption framework available across a plurality of runtime environments;
  
  wherein the system is configured to;
  
  receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key;
  
  determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment;
  
  encrypt the data object using the content encryption key;
  
  encrypt the content encryption key using the master key and key wrapping algorithm; and
  
  write the encrypted data object to networked database storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the encryption module is one of a plurality of encryption modules implemented in the encryption framework, wherein the content encryption key is encrypted using each of the plurality of encryption modules, and wherein the content encryption key is recoverable through decryption by the each of the plurality of encryption modules.
  - 3. The system of claim 2, wherein prior to the system determining the one of the encryption modules, the system is further configured to:
    - determine the content encryption key for the data object; and
      
      retrieve a plurality of master keys including the master key from a plurality of key service providers including the key service provider using the plurality of encryption modules.
  - 4. The system of claim 1, wherein the system is further configured to:
    - determine encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and a modification data for a last time of modification of the master key.
  - 5. The system of claim 4, wherein the encryption module is one of a plurality of encryption modules, and wherein system is further configured to:
    - determine that one of the encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
      
      scan the encryption metadata;
      
      determine that the encryption metadata is required to be updated based on the one of the encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
      
      update the encryption metadata based on the one of the encryption modules registered after encrypting the data object.
  - 6. The system of claim 4, wherein the system is further configured to:
    - determine that one of the content encryption key or the master key requires renewal;
      
      renew the one of the content encryption key or the master key; and
      
      update the encryption metadata based on the renewing.
  - 7. The system of claim 4, wherein the system is further configured to:
    - transmit a read request for the data object from the networked database storage;
      
      receive the encrypted data object;
      
      determine the master key and an unwrapping algorithm from the key service provider using the encryption metadata;
      
      decrypt the content encryption key using the master key and the unwrapping algorithm; and
      
      decrypt the encrypted data object using the content encryption key.
  - 8. The system of claim 1, wherein prior to the system determining the encryption module, the system is further configured to:
    - integrate the key service provider with the encryption framework;
      
      provide a first interface to return the master key currently available with the key service provider based on integrating the key service provider;
      
      provide a second interface to retrieve the master key for decryption of the encrypted data object based on integrating the key service provider; and
      
      activate the encryption module with the encryption framework based on the first interface and the second interface.

9. A method for data object encryption, the method comprising:
- receiving a data object in one of a plurality of runtime environments associated with an encryption framework, wherein the data object is capable of being encrypted using a content encryption key, and wherein the encryption framework is available across the plurality of runtime environments;
  
  determining an encryption module implemented in the encryption framework, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment;
  
  encrypting the data object using the content encryption key;
  
  encrypting the content encryption key using the master key and key wrapping algorithm; and
  
  writing the encrypted data object to networked database storage.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the encryption module is one of a plurality of encryption modules implemented in the encryption framework, wherein the content encryption key is encrypted using each of the plurality of encryption modules, and wherein the content encryption key is recoverable through decryption by the each of the plurality of encryption modules.
  - 11. The method of claim 10, wherein prior to the determining the one of the encryption modules, the method further comprises:
    - determining the content encryption key for the data object; and
      
      retrieving a plurality of master keys including the master key from a plurality of key service providers including the key service provider using the plurality of encryption modules.
  - 12. The method of claim 9, further comprising:
    - determining encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and a modification data for a last time of modification of the master key.
  - 13. The method of claim 12, wherein the encryption module is one of a plurality of encryption modules, and wherein the method further comprises:
    - determining that one of the encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
      
      scanning the encryption metadata;
      
      determining that the encryption metadata is required to be updated based on the one of the encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
      
      updating the encryption metadata based on the one of the encryption modules registered after encrypting the data object.
  - 14. The method of claim 12, further comprising:
    - determining that one of the content encryption key or the master key requires renewal;
      
      renewing the one of the content encryption key or the master key; and
      
      updating the encryption metadata based on the renewing.
  - 15. The method of claim 12, further comprising:
    - transmitting a read request for the data object from the networked database storage;
      
      receiving the encrypted data object;
      
      determining the master key and an unwrapping algorithm from the key service provider using the encryption metadata;
      
      decrypting the content encryption key using the master key and the unwrapping algorithm; and
      
      decrypting the encrypted data object using the content encryption key.
  - 16. The method of claim 9, wherein prior to the determining the encryption module, the method further comprises:
    - integrating the key service provider with the encryption framework;
      
      providing a first interface to return the master key currently available with the key service provider based on integrating the key service provider;
      
      providing a second interface to retrieve the master key for decryption of the encrypted data object based on integrating the key service provider; and
      
      activating the encryption module with the encryption framework based on the first interface and the second interface.

17. A non-transitory machine readable medium having stored thereon instructions for performing a method comprising machine executable code which when executed by at least one machine, causes the machine to:
- receive a data object in one of a plurality of runtime environments associated with an encryption framework, wherein the data object is capable of being encrypted using a content encryption key, and wherein the encryption framework is available across the plurality of runtime environments;
  
  determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment;
  
  encrypt the data object using the content encryption key;
  
  encrypt the content encryption key using the master key and key wrapping algorithm; and
  
  write the encrypted data object to networked database storage.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory machine readable medium of claim 17, wherein the encryption module is one of a plurality of encryption modules implemented in the encryption framework, wherein the content encryption key is encrypted using each of the plurality of encryption modules, and wherein the content encryption key is recoverable through decryption by the each of the plurality of encryption modules.
  - 19. The non-transitory machine readable medium of claim 18, storing instructions which when executed by at least one machine, further causes the machine to:
    - prior to the machine determining the one of the encryption modules, determine the content encryption key for the data object; and
      
      retrieve a plurality of master keys including the master key from a plurality of key service providers including the key service provider using the plurality of encryption modules.
  - 20. The non-transitory machine readable medium of claim 17, storing instructions which when executed by at least one machine, further causes the machine to:
    - determine encryption metadata for the data object based on the content encryption key and the master key, wherein the encryption metadata comprises a key identifier for the master key, the content encryption key encrypted by the master key, and a modification data for a last time of modification of the master key.
  - 21. The non-transitory machine readable medium of claim 20, wherein the encryption module is one of a plurality of encryption modules, and wherein the non-transitory machine readable medium stores instructions which when executed by at least one machine, further causes the machine to:
    - determine that one of the encryption modules is registered with the encryption framework after encrypting the data object and the content encryption key;
      
      scan the encryption metadata;
      
      determine that the encryption metadata is required to be updated based on the one of the encryption modules being registered with the encryption framework after encrypting the data object and the content encryption key; and
      
      update the encryption metadata based on the one of the encryption modules registered after encrypting the data object.
  - 22. The non-transitory machine readable medium of claim 20, storing instructions which when executed by at least one machine, further causes the machine to:
    - determine that one of the content encryption key or the master key requires renewal;
      
      renew the one of the content encryption key or the master key; and
      
      update the encryption metadata based on the renewing.
  - 23. The non-transitory machine readable medium of claim 20, storing instructions which when executed by at least one machine, further causes the machine to:
    - transmit a read request for the data object to the networked database storage;
      
      receive the encrypted data object;
      
      determine the master key and an unwrapping algorithm from the key service provider using the encryption metadata;
      
      decrypt the content encryption key using the master key and the unwrapping algorithm; and
      
      decrypt the encrypted data object using the content encryption key.
  - 24. The non-transitory machine readable medium of claim 17, storing instructions which when executed by at least one machine, further causes the machine to:
    - prior to the machine determining the encryption module, integrate the key service provider with the encryption framework;
      
      provide a first interface to return the master key currently available with the key service provider based on integrating the key service provider;
      
      provide a second interface to retrieve the master key for decryption of the encrypted data object based on integrating the key service provider; and
      
      activate the encryption module with the encryption framework based on the first interface and the second interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
YE, Lei, MURRAY, David Baiyor, CHAUDHARY, Vineet Deokaran, FU, Xiongjian

Granted Patent

US 10,956,600 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6227   where protection concerns t...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Highly Available Encryption Framework for Multiple Different Computing Environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Highly Available Encryption Framework for Multiple Different Computing Environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others