Method and apparatus for transparent encryption
First Claim
1. A transparent encryption appliance that does not store data for protecting data received from a web stored in a database by a web server environment, the transparent encryption appliance comprising:
- at least one client interface for coupling to at least one network and communicating with one or more clients via the at least one network;
a server interface for coupling to the web server environment;
wherein the appliance is separate from the web server environment and is operative to be connected between the web server environment and the at least one network, wherein the server interface and the at least one client interface communicate using same communications protocol; and
a processor coupled to the at least one client interface and the server interface for at least one of securing and unsecuring data, wherein;
securing data comprises;
evaluating a data transaction received through the at least one client interface;
identifying first sensitive data contained in said data transaction;
securing only the first sensitive data by at least one of encrypting, hashing, and keyed hashing;
replacing in the data transaction the identified first sensitive data with the secured first sensitive data; and
providing the data transaction including the secured first sensitive data through the web server interface; and
unsecuring data comprises;
responsive to a request received through the at least one client interface for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving through the web server interface the secured second sensitive data corresponding to the requested data;
unsecuring the received secured second sensitive data by at least one of decrypting and hash verifying; and
providing the unsecured second sensitive data through the at least one client interface.
12 Assignments
0 Petitions
Accused Products
Abstract
A method and apparatus are provided for protecting sensitive information within server or other computing environments. Numerous electronic requests addressed to a server system are received over network couplings and evaluated. The evaluation scans for sensitive information including credit card information and private user information. Upon detecting sensitive data, cryptographic operations are applied to the sensitive data. When the sensitive data is being transferred to the server system, the cryptographic operations encrypt the sensitive data prior to transfer among components of the server system. When sensitive data is being transferred from the server system, the cryptographic operations decrypt the sensitive data prior to transfer among the network couplings. The cryptographic operations also include hash, and keyed hash operations.
114 Citations
21 Claims
-
1. A transparent encryption appliance that does not store data for protecting data received from a web stored in a database by a web server environment, the transparent encryption appliance comprising:
-
at least one client interface for coupling to at least one network and communicating with one or more clients via the at least one network; a server interface for coupling to the web server environment; wherein the appliance is separate from the web server environment and is operative to be connected between the web server environment and the at least one network, wherein the server interface and the at least one client interface communicate using same communications protocol; and a processor coupled to the at least one client interface and the server interface for at least one of securing and unsecuring data, wherein; securing data comprises;
evaluating a data transaction received through the at least one client interface;
identifying first sensitive data contained in said data transaction;
securing only the first sensitive data by at least one of encrypting, hashing, and keyed hashing;
replacing in the data transaction the identified first sensitive data with the secured first sensitive data; and
providing the data transaction including the secured first sensitive data through the web server interface; andunsecuring data comprises;
responsive to a request received through the at least one client interface for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving through the web server interface the secured second sensitive data corresponding to the requested data;
unsecuring the received secured second sensitive data by at least one of decrypting and hash verifying; and
providing the unsecured second sensitive data through the at least one client interface. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system for protecting data stored in a web server environment, comprising:
-
at least one client coupled to at least one network; the web server environment that stores data received from a web in at least one database and does not secure by encrypting, hashing, or keyed hashing the data received from the web before the data is stored; and a transparent encryption appliance separate from the web server environment and connected between the web server environment and said at least one network that does not store data for protecting the data stored in the web server environment, comprising; at least one client interface coupled to the at least one network and communicating with the at least one client via the at least one network; a server interface coupled to the web server environment, wherein the server interface and the at least one client interface communicate using same communications protocol; and a processor coupled to the at least one client interface and the server interface for at least one of securing and unsecuring data, wherein; securing data comprises;
inspecting a data transaction received through the at least one network interface;
identifying first sensitive data contained in said data transaction;
securing only the first sensitive data by at least one of encrypting, hashing, and keyed hashing;
replacing in the data transaction the identified first sensitive data with the secured first sensitive data; and
providing the data transaction including the secured first sensitive data to the web server environment, wherein the secured first sensitive data is stored in said at least one database by the web server environment; andunsecuring data comprises;
responsive to a request received through the at least one network interface for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving from the web server environment the secured second sensitive data corresponding to the requested second sensitive data retrieved from said at least one database by the web server environment;
unsecuring the received secured second sensitive data by at least one of decrypting and hash verifying; and
providing the unsecured second sensitive data through the at least one client interface. - View Dependent Claims (13, 14, 15, 16, 17, 18)
-
-
19. A system for protecting stored passwords, comprising:
-
one or more clients coupled to at least one network; a web server environment that stores data received from a web and does not secure by encrypting, hashing, or keyed hashing the data received from the web before the data is stored; and a transparent encryption appliance separate from the web server environment and connected between the at least one network and the web server environment and operative to protect passwords contained in the data stored in the web server environment, comprising; at least one client interface coupled to the at least one network and communicating with the one or more clients via the at least one network; a server interface coupled to the web server environment, wherein the server interface and the at least one client interface communicate using same communications protocol; and a processor coupled to the at least one client interface and the server interface for securing passwords, wherein securing a password comprises identifying a password contained in a data transaction received through the at least one client interface;
securing the password by at least one of encrypting, hashing, and keyed hashing, while not securing the transaction as a whole;
replacing in the data transaction the identified password with the secured password; and
providing the data transaction including the secured password to the web server environment;wherein, responsive to a request received through the at least one client interface of the appliance for an action requiring authorization and containing a password, the appliance secures the password contained in the request, while not securing the request as a whole, and provides the request including the secured password to the web server environment;
the web server environment obtains the secured password from the provided request, retrieves a secured password previously secured by the appliance and stored by the web server, compares the obtained secured password to the retrieved previously stored secured password, and authenticates the action requiring authorization in the case the obtained secured password matches the retrieved previously stored secured password.
-
-
20. A method of protecting data stored in a web server that does not secure data by encrypting, hashing, or keyed hashing, comprising:
-
receiving from a client coupled to a network by a transparent encryption appliance that does not store data a data transaction containing first sensitive data, the transparent encryption appliance being separate from the web server and connected between the network and the web server, wherein the transparent encryption appliance comprises at least one client interface coupled to the at least one network and communicating with the at least one client via the at least one network, and a server interface coupled to the web server, wherein the server interface and the at least one client interface communicate using same communications protocol; securing only the first sensitive data by;
inspecting the data transaction;
identifying the first sensitive data contained in said data transaction;
securing only the identified first sensitive data using a processor coupled to the at least one client interface and the server interface by at least one of encrypting, hashing, and keyed hashing;
replacing in the data transaction the identified first sensitive data with the respective secured first sensitive data; and
providing the data transaction including the secured first sensitive data to the web server; andstoring the provided secured sensitive data in a database by the web server, wherein the web server does not secure by encrypting, hashing, or keyed hashing the data received from the web before the data is stored; and unsecuring secured sensitive data by;
responsive to a request for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, retrieving from the database by the web server the secured sensitive data corresponding to the requested second sensitive data;
forwarding the retrieved secured sensitive data to the transparent encryption appliance;
unsecuring the received secured data using the processor by at least one of decrypting and hash verifying; and
providing the unsecured second sensitive data to fulfill the request.
-
-
21. A non-transitory computer readable storage medium storing executable instructions which, when executed in a computer, protect sensitive information stored in a web server by a method comprising:
-
receiving from a client coupled to a network by a transparent encryption appliance that does not store data a data transaction containing first sensitive data, wherein the transparent encryption appliance comprises at least one client interface coupled to the at least one network and communicating with the at least one client via the at least one network, and a server interface coupled to the web server, wherein the server interface and the at least one client interface communicate using same communications protocol; inspecting the data transaction; identifying the first sensitive data contained in said data transaction; securing only the identified first sensitive data by at least one of encrypting, hashing, and keyed hashing using a processor of the computer; replacing in the data transaction the identified first sensitive data with the respective secured first sensitive data; providing the data transaction including the secured first sensitive data to a web server that is separate from the transparent encryption appliance and that does not secure the data received by encrypting, hashing, or keyed hashing before the data is stored; storing the provided secured sensitive data in a database by the web server; responsive to a request for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving at the transparent encryption appliance from the web server the stored secured second sensitive data corresponding to the requested second sensitive data; unsecuring the retrieved second sensitive data by at least one of decrypting and hash verifying using the processor of the computer; and providing the unsecured second sensitive data to fulfill the request.
-
Specification