Computer program products and systems for transparent data encryption and decryption
First Claim
1. A computer program product embodied in a tangible medium of expression comprising programming instructions, operable by a directory service that provides a central repository for information about system resources and users available in a data processing system, for:
receiving a directory message requesting data that is maintained by the directory service;
determining if the requested data is stored in encrypted form in a database maintained by the directory service, wherein the database comprises a directory and the requested data comprises an attribute value corresponding to an attribute of a directory object maintained in the directory;
determining if, in response to a policy corresponding to the requested data, a receiver is a trusted client, wherein the policy corresponding to the requested data specifies (i) whether the attribute may be accessed and (ii) a manner of accessing the attribute;
delivering the requested data in unencrypted form if the client is trusted; and
delivering the requested data in encrypted form if the client is untrusted.
Abstract
A method and system for transparently encrypting (and decrypting) sensitive data stored in a directory (or other database) is provided. Sensitive data, a password for example, may be required by a client in a distributed data processing environment. When the database entry is created, the sensitive data received from a user, or more generally, a client, may be encrypted, and saved in the directory entry in encrypted form. Encryption of sensitive data may be performed in accordance with a predetermined set of policies. When the sensitive information is needed, it may be selectively delivered in encrypted or unencrypted form based on a policy in the set. Policies may include criteria external to the database, and interfaced to the database via a policy engine.
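The selective-delivery behaviour the abstract describes, as an added Python illustration that is not the patent's own code: an attribute value is encrypted at write time when its policy says so, and a read returns the plaintext only to a client the policy trusts, while any other client receives the stored ciphertext. The `Policy` and `Directory` names, the client names and the sample entry are assumptions, and the SHA-256 counter keystream is a stand-in for a real cipher such as AES-GCM.

```python
import hashlib
from dataclasses import dataclass

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher (XOR with SHA-256(key||counter) blocks) so the
    # example runs offline; a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass(frozen=True)
class Policy:            # assumed shape of the per-attribute policy record
    accessible: bool     # (i) may the attribute be accessed at all?
    encrypt_at_rest: bool  # store the value encrypted in the directory
    trusted: frozenset   # (ii) clients that receive the plaintext form
    key_id: str          # policy-selected key for this attribute

class Directory:         # assumed directory service; policies dict = policy engine
    def __init__(self, keys: dict, policies: dict) -> None:
        self.keys, self.policies = keys, policies
        self.entries = {}  # dn -> attr -> (is_encrypted, stored_bytes)

    def add(self, dn: str, attr: str, value: bytes) -> None:
        # Write path: encrypt transparently when the attribute's policy says so.
        policy = self.policies.get(attr)
        encrypt = policy is not None and policy.encrypt_at_rest
        if encrypt:
            value = _keystream_xor(self.keys[policy.key_id], value)
        self.entries.setdefault(dn, {})[attr] = (encrypt, value)

    def read(self, dn: str, attr: str, client: str) -> bytes:
        # Read path: plaintext only for a client the policy trusts.
        encrypted, stored = self.entries[dn][attr]
        policy = self.policies.get(attr)
        if policy is not None and not policy.accessible:
            raise PermissionError(f"{attr} may not be accessed")
        if encrypted and client in policy.trusted:
            return _keystream_xor(self.keys[policy.key_id], stored)
        return stored    # plaintext attribute, or ciphertext for an untrusted client

def demo() -> dict:
    # Constructed sample data: one entry, a password policy, two clients.
    d = Directory({"k1": b"constructed-demo-key"},
                  {"userPassword": Policy(True, True, frozenset({"auth-server"}), "k1")})
    d.add("cn=alice,ou=people", "userPassword", b"s3cret!")
    d.add("cn=alice,ou=people", "mail", b"alice@example.test")
    return {c: d.read("cn=alice,ou=people", "userPassword", c)
            for c in ("auth-server", "reporting-tool")}
```

`demo()` returns the plaintext password for `auth-server` and the stored ciphertext for `reporting-tool`; an attribute whose policy marks it inaccessible raises `PermissionError` regardless of client.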
11 Claims
1. Independent claim; its text is given in full under "First Claim" above. Dependent claims: 2, 3, 4, 5, 6.
7. A data processing system comprising:
protocol engine circuitry operable for receiving data for storage in a database, the database comprising a plurality of object entries representing users, systems and system resources, wherein each object entry of the plurality of object entries comprises an associated attribute value pertaining to the object entity, and the received data is one such attribute value that pertains to one of the object entries;
data access circuitry, coupled to the protocol engine circuitry, and operable for determining, as determined by a policy engine coupled to the data access circuitry and based on a policy corresponding to the received data, one of an encrypted and unencrypted form of storage of the received data;
encrypting circuitry operable for, if the form of storage of the received data is the encrypted form, encrypting the received data using an encryption key that is based on the policy corresponding to the received data;
receiving circuitry for receiving a request for the data;
circuitry operable for determining if the requested data is stored in encrypted form in the database;
circuitry operable for determining if, in response to a policy corresponding to the requested data, a receiver is a trusted client;
circuitry operable for delivering the requested data in unencrypted form if the client is trusted; and
circuitry operable for delivering the requested data in encrypted form if the client is untrusted.
Dependent claims: 8, 9, 10, 11.