Secure data processing method
Abstract
A method for processing data which are stored in at least one database in at least partially encrypted form, such that the data can be read by a user communicating with the database via a communications link and, if necessary, new data can be stored, the data being decrypted and/or encrypted exclusively by the user using a key which is stored in a central further database and can be transmitted exclusively to the authorized user.
246 Citations
20 Claims
1. A method for processing data, comprising the steps of:
storing data in at least one database with at least a portion of said data being stored in said database in encrypted form;
allowing communication with said database by a user via a communication link to read said data stored in said database and, if necessary, to enter additional data into said database;
storing a key, for decrypting and encrypting said data, in a central database separate from said database;
transmitting said key from said central database exclusively to an authorized user who is authorized to communicate with said database, for use by said authorized user in at least one of encrypting and decrypting said data in said database;
dividing said database into a first database and a second database;
dividing said data into first data parts respectively identifying subjects, selected from the group consisting of persons and objects, as identified subjects, and into second data parts respectively describing said subjects, as described subjects;
uniquely associating said identified subjects with said described subjects by respective association data items;
storing said first data parts in said first database with the respective association data items;
storing said second data parts in said second database with the respective association data items, identical to the respective association data items in said first database, so that respective first and second data parts in said respective first and second databases can be found and associated by the respective identical association data items; and
storing the respective association data items in said first database in encrypted form produced using said key, and optionally also storing the respective second data parts in said second database in encrypted form produced using said key, said association data items in encrypted form and, if present, said second data parts in encrypted form comprising encrypted data, and said encrypted data being decrypted using said key transmitted to said authorized user.
2. A method as claimed in claim 1, further comprising the steps of:
encrypting said key which is transmitted to said authorized user using a user-related public key to produce an encrypted key; and
said authorized user decrypting said encrypted key using a user-related private key.
3. A method as claimed in claim 2, further comprising the step of:
assigning only one of said association data items to each subject within said group.
4. A method as claimed in claim 1, further comprising the steps of:
designating said second database as a group-specific database for a specific user group comprising only personnel having authorized access to said second data parts;
storing said second data parts together with the respective association data items in said group-specific second database; and
employing a dedicated encryption table, as said encryption table, for said specific user group.
5. A method as claimed in claim 1, further comprising the steps of:
designating said second database as a group-specific database for a specific user group comprising only personnel having authorized access to said second data parts; and
storing said second data parts together with the respective association data items in said group-specific second database.
6. A method as claimed in claim 5, further comprising the step of:
making said first database accessible to all users, not limited to said specific user group.
7. A method as claimed in claim 5, further comprising the steps of:
employing a public group key to encrypt said association data items to be stored in said first database, and optionally to encrypt said second data parts, to produce said encrypted data;
as said key transmitted to said authorized user, employing a private group key and assigning said private group key exclusively to said specific user group; and
encrypting and subsequently decrypting said public group key using said private group key.
8. A method as claimed in claim 7, further comprising the steps of:
using a public file key to encrypt at least one of said association data items to be stored in said first database to produce an encrypted association data item;
assigning a further file key selected from the group consisting of a private file key and a symmetrical file key to said encrypted association data item, with which said encrypted association data item is encrypted and decrypted; and
encrypting and decrypting said further file key using said public group key.
9. A method as claimed in claim 8, wherein the first data part associated with said encrypted association data item identifies a person, and further comprising the step of:
making said private file key available to said person.
10. A method as claimed in claim 8, further comprising the step of:
also encrypting said second data parts using a key selected from the group consisting of said public group key and said public file key.
11. A method as claimed in claim 10, further comprising the step of:
expanding at least one of said association data items to be stored in said first database and said second data parts by adding random data thereto before encryption to produce expanded data, and encrypting said expanded data using a key selected from the group consisting of said public group key and said public file key.
12. A method as claimed in claim 8, further comprising the steps of:
encrypting said second data part using a symmetrical data key; and
encrypting and decrypting said symmetrical data key using a key selected from the group consisting of said public group key and said public file key.
13. A method as claimed in claim 12, further comprising the step of:
producing all of said keys at a location selected from the group consisting of a central production location, a production location of said group, and a user location.
14. A method as claimed in claim 1, wherein said encrypted data includes said second data parts, and comprising the additional steps of:
assigning further data respectively to said second data parts, said further data defining an encryption machine; and
using said encryption machine to encrypt said second data parts and said further data.
15. A method as claimed in claim 1, further comprising the steps of:
providing a further database containing authorization data identifying authorized users;
before allowing access to said first database by a potential user, requiring said potential user to enter information which is checked in said further database against said authorization data to determine whether said potential user is an authorized user; and
inhibiting access by said potential user to said first database if said potential user is not an authorized user.
16. A method as claimed in claim 1, further comprising the steps of:
employing an encryption table for encrypting and decrypting said data;
storing said encryption table in said first database; and
making said encryption table available only to an authorized user.
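Claims 1 to 16 describe one architecture: identities and descriptions are split across two databases, linked only by an association item that is stored encrypted, and the key that decrypts the link is held in a separate central database and released solely to authorized users. The following is an added example, not code from the patent, of that architecture (claims 1, 2, 3, 7, 11, 12 and 15) using only Python's standard library. Everything below the claim references is an assumption: the cipher is a constructed encrypt-then-MAC scheme over an HMAC-SHA256 counter-mode keystream (so the example runs offline; a real system would use AES-GCM from a vetted library), and the key is wrapped to the user under a per-user symmetric key rather than the user-related public key of claim 2.

```python
"""Added example, not the patent's code: split databases, key escrow in a
central database, and release of the key only to authorized users.

Constructed stand-ins: HMAC-SHA256 counter-mode stream cipher with an HMAC
tag (use AES-GCM in practice); symmetric per-user wrapping key in place of
the user's public key of claim 2."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce(16) || ciphertext || tag(32). The fresh nonce does what claim 11
    wants from its random expansion: equal association items never produce
    equal ciphertexts, so they cannot be matched by value."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CentralKeyDb:
    """Claim 1: the key lives apart from the data and is released only to
    users present in the authorization data (claim 15)."""

    def __init__(self) -> None:
        self.group_key = secrets.token_bytes(32)   # claim 7: the group key
        self.authorized: dict = {}                 # user -> user wrapping key

    def authorize(self, user: str, user_key: bytes) -> None:
        self.authorized[user] = user_key

    def release_key(self, user: str) -> bytes:
        if user not in self.authorized:
            raise PermissionError(f"{user} is not an authorized user")
        return encrypt(self.authorized[user], self.group_key)  # claim 2 wrapping


class Client:
    """An authorized user: all encryption and decryption happens here, never
    inside either database."""

    def __init__(self, user: str, user_key: bytes, central: CentralKeyDb) -> None:
        self.group_key = decrypt(user_key, central.release_key(user))

    def store(self, first_db: list, second_db: list, identity: str, description: dict) -> str:
        assoc = secrets.token_hex(16)          # one association item per subject (claim 3)
        data_key = secrets.token_bytes(32)     # claim 12: symmetric data key per record
        first_db.append({"identity": identity,
                         "assoc_enc": encrypt(self.group_key, assoc.encode())})
        second_db.append({"assoc": assoc,
                          "data_key_enc": encrypt(self.group_key, data_key),
                          "payload_enc": encrypt(data_key, json.dumps(description).encode())})
        return assoc

    def read(self, first_db: list, second_db: list, identity: str) -> dict:
        """Link the halves: decrypt the association item, then the data key."""
        assocs = {decrypt(self.group_key, r["assoc_enc"]).decode()
                  for r in first_db if r["identity"] == identity}
        for rec in second_db:
            if rec["assoc"] in assocs:
                data_key = decrypt(self.group_key, rec["data_key_enc"])
                return json.loads(decrypt(data_key, rec["payload_enc"]))
        raise KeyError(identity)


def demo() -> dict:
    """Constructed scenario: an authorized user reads a record back; an
    outsider who copies both databases gets neither the key nor a link."""
    central, first_db, second_db = CentralKeyDb(), [], []
    alice_key = secrets.token_bytes(32)
    central.authorize("dr_alice", alice_key)
    alice = Client("dr_alice", alice_key, central)
    alice.store(first_db, second_db, "Pat Example", {"diagnosis": "constructed sample"})
    result = {"authorized_read": alice.read(first_db, second_db, "Pat Example")}
    try:                                   # not in the authorization data
        Client("mallory", secrets.token_bytes(32), central)
        result["outsider_got_key"] = True
    except PermissionError:
        result["outsider_got_key"] = False
    try:                                   # stolen first_db row, guessed key
        decrypt(secrets.token_bytes(32), first_db[0]["assoc_enc"])
        result["guess_decrypts"] = True
    except ValueError:
        result["guess_decrypts"] = False
    return result
```

The property worth checking is the one claim 1 rests on: an attacker holding a full copy of both databases sees names in the first, descriptions in the second, and no usable link between them, because the only linking field is ciphertext under a key that never touches either database.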
17. A method for processing data, comprising the steps of:
storing data in at least one database with at least a portion of said data being stored in said database in encrypted form;
allowing communication with said database by a user via a communication link to read said data stored in said database and, if necessary, to enter additional data into said database;
storing a key, for decrypting and encrypting said data, in a central database separate from said database;
allowing storage of new data in said at least one database; and
upon storage of said new data, assigning any existing data in said at least one database a version identifier.
18. A method for processing data, comprising the steps of:
storing data in at least one database with at least a portion of said data being stored in said database in encrypted form;
allowing communication with said database by a user via a communication link to read said data stored in said database and, if necessary, to enter additional data into said database;
storing a key, for decrypting and encrypting said data, in a central database separate from said database;
wherein the step of allowing communication with said database includes allowing retrieval of said data in said database by said authorized user; and
upon each retrieval of data from said database, attaching an identifier to said data which identifies the authorized user who retrieved said data.
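Claims 17 and 18 add two bookkeeping rules to the store: new data never silently replace old data (the existing data receive a version identifier), and every retrieval stamps the data with who retrieved it. As an added example, not the patent's own code, here is an append-only store that applies both rules; the record layout, the field names and the use of a plain list are assumptions for illustration.

```python
"""Added example, not from the patent: version identifiers on write
(claim 17) and retrieval identifiers on read (claim 18)."""


class VersionedStore:
    def __init__(self) -> None:
        self.records: list = []   # assumed layout; one dict per stored version

    def write(self, subject: str, payload: str) -> int:
        """Claim 17: storing new data never overwrites. Existing data for the
        subject keep their version identifier and are marked superseded; the
        new data get the next identifier."""
        existing = [r for r in self.records if r["subject"] == subject]
        for r in existing:
            r["superseded"] = True
        version = len(existing) + 1
        self.records.append({"subject": subject, "version": version,
                             "payload": payload, "superseded": False,
                             "retrieved_by": []})
        return version

    def read(self, user: str, subject: str, version: int = 0) -> dict:
        """Claim 18: each retrieval attaches the retrieving user's identifier
        to the data, so the store itself carries the access trail.
        version=0 means the current (non-superseded) data."""
        for r in self.records:
            wanted = (version == 0 and not r["superseded"]) or r["version"] == version
            if r["subject"] == subject and wanted:
                r["retrieved_by"].append(user)
                return {"version": r["version"], "payload": r["payload"],
                        "retrieved_by": list(r["retrieved_by"])}
        raise KeyError((subject, version))

    def history(self, subject: str) -> list:
        """Every version ever stored, with who has retrieved each one."""
        return [(r["version"], r["payload"], r["superseded"], list(r["retrieved_by"]))
                for r in self.records if r["subject"] == subject]
```

Because nothing is ever deleted or overwritten, an investigator can later answer both questions the claims are built around: what the data said at any earlier point, and which authorized user pulled which version.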
19. A method for processing data, comprising the steps of:
storing data in at least one database with at least a portion of said data being stored in said database in encrypted form;
allowing communication with said database by a user via a communication link to read said data stored in said database and, if necessary, to enter additional data into said database;
storing a key, for decrypting and encrypting said data, in a central database separate from said database; and
employing an encryption table for encrypting and decrypting said data.
20. A method as claimed in claim 19, further comprising the step of:
producing said encryption table at a location of an authorized user.
Specification