Method and apparatus for transparent encryption

US 7,757,278 B2
Filed: 01/02/2002
Issued: 07/13/2010
Est. Priority Date: 01/04/2001
Status: Active Grant

First Claim

Patent Images

1. A transparent encryption appliance that does not store data for protecting data received from a web stored in a database by a web server environment, the transparent encryption appliance comprising:

at least one client interface for coupling to at least one network and communicating with one or more clients via the at least one network;

a server interface for coupling to the web server environment;

wherein the appliance is separate from the web server environment and is operative to be connected between the web server environment and the at least one network, wherein the server interface and the at least one client interface communicate using same communications protocol; and

a processor coupled to the at least one client interface and the server interface for at least one of securing and unsecuring data, wherein;

securing data comprises;

evaluating a data transaction received through the at least one client interface;

identifying first sensitive data contained in said data transaction;

securing only the first sensitive data by at least one of encrypting, hashing, and keyed hashing;

replacing in the data transaction the identified first sensitive data with the secured first sensitive data; and

providing the data transaction including the secured first sensitive data through the web server interface; and

unsecuring data comprises;

responsive to a request received through the at least one client interface for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving through the web server interface the secured second sensitive data corresponding to the requested data;

unsecuring the received secured second sensitive data by at least one of decrypting and hash verifying; and

providing the unsecured second sensitive data through the at least one client interface.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are provided for protecting sensitive information within server or other computing environments. Numerous electronic requests addressed to a server system are received over network couplings and evaluated. The evaluation scans for sensitive information including credit card information and private user information. Upon detecting sensitive data, cryptographic operations are applied to the sensitive data. When the sensitive data is being transferred to the server system, the cryptographic operations encrypt the sensitive data prior to transfer among components of the server system. When sensitive data is being transferred from the server system, the cryptographic operations decrypt the sensitive data prior to transfer among the network couplings. The cryptographic operations also include hash, and keyed hash operations.

114 Citations

View as Search Results

21 Claims

1. A transparent encryption appliance that does not store data for protecting data received from a web stored in a database by a web server environment, the transparent encryption appliance comprising:
- at least one client interface for coupling to at least one network and communicating with one or more clients via the at least one network;
  
  a server interface for coupling to the web server environment;
  
  wherein the appliance is separate from the web server environment and is operative to be connected between the web server environment and the at least one network, wherein the server interface and the at least one client interface communicate using same communications protocol; and
  
  a processor coupled to the at least one client interface and the server interface for at least one of securing and unsecuring data, wherein;
  
  securing data comprises;
  
  evaluating a data transaction received through the at least one client interface;
  
  identifying first sensitive data contained in said data transaction;
  
  securing only the first sensitive data by at least one of encrypting, hashing, and keyed hashing;
  
  replacing in the data transaction the identified first sensitive data with the secured first sensitive data; and
  
  providing the data transaction including the secured first sensitive data through the web server interface; and
  
  unsecuring data comprises;
  
  responsive to a request received through the at least one client interface for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving through the web server interface the secured second sensitive data corresponding to the requested data;
  
  unsecuring the received secured second sensitive data by at least one of decrypting and hash verifying; and
  
  providing the unsecured second sensitive data through the at least one client interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The appliance of claim 1, wherein:
    - in securing data the data transaction is received through a first said client interface; and
      
      in unsecuring data the request is received, and the unsecured second sensitive data is provided, through the first said client interface or a second said client interface.
  - 3. The appliance of claim 1, wherein the processor manages SSL traffic and handles computations that support SSL connections, wherein at least one of:
    - in securing data the data transaction is received via a first SSL connection and SSL computations are completed before identifying the first sensitive data contained in the data transaction; and
      
      in unsecuring data the unsecured second sensitive data is provided via a second SSL connection.
  - 4. The appliance of claim 1, wherein the received data transaction is one of a cleartext transaction and a Hypertext Transfer Protocol (HTTP) transaction.
  - 5. The appliance of claim 1, wherein the at least one network is at least one of the Internet, a wired network type, a wireless network type, a hybrid network type, an independent network, a proprietary network, or a back plane network.
  - 6. The appliance of claim 1, further comprising a key storage for storing at least one cryptographic key for use in at least one of the securing and unsecuring of data.
  - 7. The appliance of claim 6, further comprising a user interface for use in loading the at least one key into the key storage.
  - 8. The appliance of claim 7, wherein the user interface is further for use in specifying access controls to the stored keys.
  - 9. The appliance of claim 1, further comprising a user interface for use in specifying one or more fields containing the sensitive data.
  - 10. The appliance of claim 9, wherein the one or more fields are identified by one or more regular expressions.
  - 11. The appliance of claim 1, wherein the appliance secures and unsecures web cookies provided by the web server environment, wherein:
    - securing a cookie comprises;
      
      identifying a cookie received through the server interface;
      
      securing the cookie by at least one of encrypting, hashing, and keyed hashing the cookie; and
      
      providing the secured cookie to one of the one or more clients through the at least one client interface without providing means to the client to unsecure the cookie, wherein the secured cookie is stored in the client; and
      
      unsecuring the cookie comprises;
      
      responsive to a request received through the server interface for the cookie stored on a client, receiving from the client the secured cookie corresponding to the requested cookie through the at least one client interface;
      
      unsecuring the received secured cookie by at least one of decrypting and hash verifying; and
      
      providing the unsecured cookie through the server interface.

12. A system for protecting data stored in a web server environment, comprising:
- at least one client coupled to at least one network;
  
  the web server environment that stores data received from a web in at least one database and does not secure by encrypting, hashing, or keyed hashing the data received from the web before the data is stored; and
  
  a transparent encryption appliance separate from the web server environment and connected between the web server environment and said at least one network that does not store data for protecting the data stored in the web server environment, comprising;
  
  at least one client interface coupled to the at least one network and communicating with the at least one client via the at least one network;
  
  a server interface coupled to the web server environment, wherein the server interface and the at least one client interface communicate using same communications protocol; and
  
  a processor coupled to the at least one client interface and the server interface for at least one of securing and unsecuring data, wherein;
  
  securing data comprises;
  
  inspecting a data transaction received through the at least one network interface;
  
  identifying first sensitive data contained in said data transaction;
  
  securing only the first sensitive data by at least one of encrypting, hashing, and keyed hashing;
  
  replacing in the data transaction the identified first sensitive data with the secured first sensitive data; and
  
  providing the data transaction including the secured first sensitive data to the web server environment, wherein the secured first sensitive data is stored in said at least one database by the web server environment; and
  
  unsecuring data comprises;
  
  responsive to a request received through the at least one network interface for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving from the web server environment the secured second sensitive data corresponding to the requested second sensitive data retrieved from said at least one database by the web server environment;
  
  unsecuring the received secured second sensitive data by at least one of decrypting and hash verifying; and
  
  providing the unsecured second sensitive data through the at least one client interface.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, wherein the processor of the appliance manages SSL traffic and handles computations that support SSL connections, wherein at least one of:
    - in securing data the data transaction is received via a first SSL connection and SSL computations are completed before identifying the first sensitive data contained in the data transaction; and
      
      in unsecuring data the unsecured second sensitive data is provided via a second SSL connection.
  - 14. The system of claim 12, wherein the data transaction received by the appliance is one of a cleartext transaction and a Hypertext Transfer Protocol (HTTP) transaction.
  - 15. The system of claim 12, wherein the appliance further comprises a key storage for storing one or more cryptographic keys for use in at least one of the securing and unsecuring of data.
  - 16. The system of claim 15, wherein the appliance further comprises a user interface for use in loading the one or more keys into the key storage and specifying access controls to the stored one or more keys.
  - 17. The system of claim 12, wherein the appliance further comprises a user interface for use in specifying one or more fields containing the sensitive data, wherein the one or more fields are identified by one or more regular expressions.
  - 18. The system of claim 12, wherein the appliance further secures and unsecures web cookies provided by the web server environment, wherein:
    - securing a cookie comprises;
      
      identifying a cookie received through the server interface;
      
      securing the cookie by at least one of encrypting, hashing, and keyed hashing the cookie; and
      
      providing the secured cookie to one of the one or more clients through the at least one client interface without providing means to the client to unsecure the cookie, wherein the secured cookie is stored in the one client; and
      
      unsecuring the cookie comprises;
      
      responsive to a request received through the server interface for the cookie, receiving the secured cookie corresponding to the requested cookie through the at least one client interface;
      
      unsecuring the received secured cookie by at least one of decrypting and hash verifying; and
      
      providing the unsecured cookie through the server interface.

19. A system for protecting stored passwords, comprising:
- one or more clients coupled to at least one network;
  
  a web server environment that stores data received from a web and does not secure by encrypting, hashing, or keyed hashing the data received from the web before the data is stored; and
  
  a transparent encryption appliance separate from the web server environment and connected between the at least one network and the web server environment and operative to protect passwords contained in the data stored in the web server environment, comprising;
  
  at least one client interface coupled to the at least one network and communicating with the one or more clients via the at least one network;
  
  a server interface coupled to the web server environment, wherein the server interface and the at least one client interface communicate using same communications protocol; and
  
  a processor coupled to the at least one client interface and the server interface for securing passwords, wherein securing a password comprises identifying a password contained in a data transaction received through the at least one client interface;
  
  securing the password by at least one of encrypting, hashing, and keyed hashing, while not securing the transaction as a whole;
  
  replacing in the data transaction the identified password with the secured password; and
  
  providing the data transaction including the secured password to the web server environment;
  
  wherein, responsive to a request received through the at least one client interface of the appliance for an action requiring authorization and containing a password, the appliance secures the password contained in the request, while not securing the request as a whole, and provides the request including the secured password to the web server environment;
  
  the web server environment obtains the secured password from the provided request, retrieves a secured password previously secured by the appliance and stored by the web server, compares the obtained secured password to the retrieved previously stored secured password, and authenticates the action requiring authorization in the case the obtained secured password matches the retrieved previously stored secured password.

20. A method of protecting data stored in a web server that does not secure data by encrypting, hashing, or keyed hashing, comprising:
- receiving from a client coupled to a network by a transparent encryption appliance that does not store data a data transaction containing first sensitive data, the transparent encryption appliance being separate from the web server and connected between the network and the web server, wherein the transparent encryption appliance comprises at least one client interface coupled to the at least one network and communicating with the at least one client via the at least one network, and a server interface coupled to the web server, wherein the server interface and the at least one client interface communicate using same communications protocol;
  
  securing only the first sensitive data by;
  
  inspecting the data transaction;
  
  identifying the first sensitive data contained in said data transaction;
  
  securing only the identified first sensitive data using a processor coupled to the at least one client interface and the server interface by at least one of encrypting, hashing, and keyed hashing;
  
  replacing in the data transaction the identified first sensitive data with the respective secured first sensitive data; and
  
  providing the data transaction including the secured first sensitive data to the web server; and
  
  storing the provided secured sensitive data in a database by the web server, wherein the web server does not secure by encrypting, hashing, or keyed hashing the data received from the web before the data is stored; and
  
  unsecuring secured sensitive data by;
  
  responsive to a request for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, retrieving from the database by the web server the secured sensitive data corresponding to the requested second sensitive data;
  
  forwarding the retrieved secured sensitive data to the transparent encryption appliance;
  
  unsecuring the received secured data using the processor by at least one of decrypting and hash verifying; and
  
  providing the unsecured second sensitive data to fulfill the request.

21. A non-transitory computer readable storage medium storing executable instructions which, when executed in a computer, protect sensitive information stored in a web server by a method comprising:
- receiving from a client coupled to a network by a transparent encryption appliance that does not store data a data transaction containing first sensitive data, wherein the transparent encryption appliance comprises at least one client interface coupled to the at least one network and communicating with the at least one client via the at least one network, and a server interface coupled to the web server, wherein the server interface and the at least one client interface communicate using same communications protocol;
  
  inspecting the data transaction;
  
  identifying the first sensitive data contained in said data transaction;
  
  securing only the identified first sensitive data by at least one of encrypting, hashing, and keyed hashing using a processor of the computer;
  
  replacing in the data transaction the identified first sensitive data with the respective secured first sensitive data;
  
  providing the data transaction including the secured first sensitive data to a web server that is separate from the transparent encryption appliance and that does not secure the data received by encrypting, hashing, or keyed hashing before the data is stored;
  
  storing the provided secured sensitive data in a database by the web server;
  
  responsive to a request for second sensitive data corresponding to at least a portion of the stored secured first sensitive data or other stored secured sensitive data, receiving at the transparent encryption appliance from the web server the stored secured second sensitive data corresponding to the requested second sensitive data;
  
  unsecuring the retrieved second sensitive data by at least one of decrypting and hash verifying using the processor of the computer; and
  
  providing the unsecured second sensitive data to fulfill the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS CPL USA, Inc. (Thales SA)
Original Assignee
SafeNet Incorporated (Thales SA)
Inventors
Tsirigotis, Panagiotis, Frindell, Alan, Goh, Eu-Jin, Modadugu, Nagendra, Chawla, Rajeev, Boneh, Dan
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
To; Baotran N

Application Number

US10/038,169
Publication Number

US 20020112167A1
Time in Patent Office

3,114 Days
Field of Search

713/193, 713/165, 713/189, 713/182, 713/171, 709/223, 726/2, 726/11, 726/12, 726/26, 726/27, 705/51, 705/64, 380/255, 707/705, 707/783
US Class Current

726/12
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/123   received data contents, e.g...

H04L 67/02   based on web technology, e....

H04L 69/329   in the application layer [O...

Method and apparatus for transparent encryption

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for transparent encryption

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links