Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data
Abstract
A computer system (20) having a security domain (22), at least one client business domain (26), and a plurality of client terminals (34) utilizes a hidden link dynamic key manager (24, 84) and a database structure that includes encrypted data entities (30C, 30D) and a security identification attribute (32) for storage of encrypted data. Methods for encrypting data and for storing, decrypting, and retrieving encrypted data operate on the computer system (20), which also includes an information database (62) and a key database (44). The key database (44) is isolated from the information database (62). The hidden link key manager is stored in the security domain (22) and includes a system key manager (84) operable to generate system keys with system key common names and an encryption key manager (24) operable to generate encryption keys having encryption key identifications. The key managers (24, 84) operate on a key server (40), which is mirrored by a secondary key server (42). A general security manager (82) also operates on the key server (40) to control access to the security domain (22). The security information attribute (32) is stored with a persistent data entity (30A) that is associated with the other encrypted data entities (30C, 30D) by a database schema. The encryption key identification (112) for the encryption key used to encrypt the data entities (30C, 30D) is encrypted by a system key and then stored as part of the security information attribute (32). The system key common name hash value (114) is also stored in the security information attribute (32). The information data entities (30) are stored on the information database (62), but the encryption key identification (153), encryption key (154), system key common name hash value (156, 157), and system key common name (158) are stored in the key database (44) inside the security domain (22). The system key itself is stored on a Smart Card reader (56) inside the security domain.
58 Claims
1. A computer readable medium containing a database structure for storage of encrypted data, the database structure comprising:
    at least one data entity encrypted by at least one encryption key, the data entity having at least one searchable attribute;
    at least one encryption key identification stored in association with the data entity for identifying the encryption key, wherein the encryption key identification is encrypted by a system key; and
    a system key common name also stored in association with the data entity for identifying the system key, wherein the system key common name is encrypted by a master key.
    (Dependent claims 2 to 24.)

25. A computer readable data transmission medium containing a data structure for encrypted data, the data structure comprising:
    at least one encryption key, the data entity having at least one searchable attribute;
    at least one encryption key identification stored in association with the data entity and for identifying the encryption key, wherein the encryption key identification is encrypted by a system key; and
    a system key common name also stored in association with the data entity for identifying the system key, wherein the system key common name is encrypted by a master key.

26. A method for storage and retrieval of encrypted data, the method comprising:
    encrypting a data entity with an encryption key having an encryption key identification;
    storing the encrypted data entity;
    encrypting the encryption key identification with a system key having a system key common name;
    encrypting the system key common name with a master key; and
    storing the encrypted encryption key identification and the encrypted system key common name in association with the encrypted data entity.
    (Dependent claims 27 to 50.)

51. A method for storage and retrieval of encrypted data, the method comprising:
    encrypting a plurality of data entities with a rotating and dynamic encryption key having an encryption key identification;
    storing the encrypted data entities;
    encrypting the encryption key identification with a system key having a system key identification;
    encrypting the system key identification with a master key;
    storing the encrypted encryption key identification and the encrypted system key identification with the encrypted data entity; and
    creating and rotating to a new encryption key upon occurrence of a desired rotation event.

52. A method of providing a secure environment for the storage of information, the method comprising:
    encrypting a data entity with an encryption key having a randomly generated encryption key identification;
    storing the encrypted data entity;
    encrypting the encryption key identification with a system key having a system key identification;
    encrypting the system key identification with a master key; and
    storing the encrypted encryption key identification and the encrypted system key identification in association with the encrypted data entity.

53. A method of encrypting and storing a data entity, the method comprising the steps of:
    encrypting a data entity using a first encryption key having a first encryption key identification;
    encrypting the first encryption key identification using a second encryption key having a second encryption key identification;
    encrypting the second encryption key identification using a third encryption key;
    storing the encrypted data entity, the encrypted first encryption key identification, and the encrypted second encryption key identification together;
    encrypting the first encryption key using a fourth encryption key having a fourth encryption key identification;
    encrypting the fourth encryption key identification using the third encryption key;
    encrypting the second and fourth encryption keys using the third encryption key;
    storing the unencrypted first encryption key identification, the encrypted fourth encryption key identification, and the encrypted first encryption key together;
    storing the unencrypted second encryption key identification and the encrypted second encryption key together;
    storing the unencrypted fourth encryption key identification and the encrypted fourth encryption key together; and
    securing the third encryption key.
    (Dependent claims 54 and 55.)

56. A method of encrypting, storing, and decrypting a data entity, the method comprising the steps of:
    encrypting and storing the data entity as follows:
        encrypting a data entity using a first encryption key having a first encryption key identification,
        encrypting the first encryption key identification using a second encryption key having a second encryption key identification,
        encrypting the second encryption key identification using a third encryption key,
        storing the encrypted data entity, the encrypted first encryption key identification, and the encrypted second encryption key identification together,
        encrypting the first encryption key using a fourth encryption key having a fourth encryption key identification,
        encrypting the fourth encryption key identification using the third encryption key,
        encrypting the second and fourth encryption keys using the third encryption key,
        storing the unencrypted first encryption key identification, the encrypted fourth encryption key identification, and the encrypted first encryption key together,
        storing the unencrypted second encryption key identification and the encrypted second encryption key together,
        storing the unencrypted fourth encryption key identification and the encrypted fourth encryption key together,
        securing the third encryption key; and
    decrypting the data entity as follows:
        accessing the third encryption key and using the third encryption key to decrypt the second encryption key identification and the fourth encryption key identification,
        identifying the second encryption key using the decrypted second encryption key identification,
        using the second encryption key to decrypt the first encryption key identification,
        identifying the first encryption key using the decrypted first encryption key identification,
        identifying the fourth encryption key using the decrypted fourth encryption key identification,
        using the fourth key to decrypt the first encryption key, and
        using the decrypted first encryption key to decrypt the data entity.
    (Dependent claims 57 and 58.)
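The storage and retrieval steps of claim 56, carried through as an added worked example in Python (this is not code from the patent, which names no cipher or library). The authenticated cipher is a stdlib-only HMAC-SHA256 construction standing in for a real AEAD such as AES-GCM, and the record and key-database layouts are assumptions chosen to mirror the claim's "stored together" groupings; the first, second, third and fourth keys of the claim are k1, k2, master_key and k4.

```python
import hmac, hashlib, secrets

# Toy authenticated cipher from the stdlib only: HMAC-SHA256 as a PRF in counter mode,
# then encrypt-then-MAC. It stands in for AES-GCM so the example runs offline; the
# point of the example is the key hierarchy of claim 56, not the cipher itself.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag            # nonce || ciphertext || tag

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def _new_key():                        # (key, random key identification)
    return secrets.token_bytes(32), secrets.token_bytes(16)

def store(data, master_key):
    """Storage steps of claim 56. Returns (info_record, key_db); assumed layouts."""
    (k1, id1), (k2, id2), (k4, id4) = _new_key(), _new_key(), _new_key()
    info_record = {                    # stored with the data entity (information database)
        "data":    seal(k1, data),
        "enc_id1": seal(k2, id1),      # hidden link: data-key id wrapped by the system key
        "enc_id2": seal(master_key, id2),
    }
    key_db = {                         # isolated key database, indexed by plaintext ids
        id1: {"enc_id4": seal(master_key, id4), "enc_k1": seal(k4, k1)},
        id2: {"enc_k2": seal(master_key, k2)},
        id4: {"enc_k4": seal(master_key, k4)},
    }
    return info_record, key_db         # master_key (third key) is never written out

def retrieve(info_record, key_db, master_key):
    """Decryption steps of claim 56, following the link chain back to the data."""
    id2 = open_(master_key, info_record["enc_id2"])
    k2 = open_(master_key, key_db[id2]["enc_k2"])
    id1 = open_(k2, info_record["enc_id1"])
    id4 = open_(master_key, key_db[id1]["enc_id4"])
    k4 = open_(master_key, key_db[id4]["enc_k4"])
    k1 = open_(k4, key_db[id1]["enc_k1"])
    return open_(k1, info_record["data"])
```

Note that no key identification appears in clear in the information record, so a copy of that database alone does not reveal which key-database rows belong to which entity; only the holder of the third key can start the chain.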