Method and apparatus for re-encrypting data in a transaction-based secure storage system

US 7,792,300 B1
Filed: 09/30/2003
Issued: 09/07/2010
Est. Priority Date: 09/30/2003
Status: Active Grant

First Claim

Patent Images

1. A method for re-encrypting encrypted data in a secure storage file system, comprising:

obtaining one or more selected encrypted data blocks from the secure storage file system, each selected encrypted data block comprising a selected encrypted data, the one or more selected encrypted data blocks comprising data blocks accessed by a first user, wherein the one or more selected encrypted data blocks were selected based on a user data access record, wherein the user data access record comprises a bitmap indicating which encrypted data blocks are accessed by a first user;

decrypting, re-encrypting and storing each one of the one or more selected encrypted data blocks, the decrypting, re-encrypting and storing of each data block comprising;

decrypting the selected encrypted data using a first symmetric key associated with the encrypted data block to obtain selected data;

re-encrypting the selected data using a second symmetric key associated with the data block to obtain new encrypted data;

for each user who has access to the data block,obtaining a public key associated with a private key, wherein the first user is denied access to the private key;

encrypting the second symmetric key using the public key to obtain a new encrypted symmetric key;

storing in a new data block, stored in a storage device;

the new encrypted data and the new encrypted symmetric key if a second user has read permission, wherein the second user is allowed access to the private key;

applying a hash function to the selected data to obtain hash data;

encrypting the hash data with the private key to obtain encrypted hash data; and

storing the encrypted hash data, the new encrypted data, and the new encrypted symmetric key if the second user has write permission.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for re-encrypting encrypted data in a secure storage file system, including obtaining selected data to re-encrypt from the secure storage file system using a user data access record and the encrypted data, decrypting the selected data using a symmetric key, re-encrypting the selected data using a new symmetric key to obtain new encrypted data, encrypting the new symmetric key using a public key to obtain a new encrypted symmetric key, storing the new encrypted data and the new encrypted symmetric key if the public key is associated with a file system user having read permission, and storing an encrypted hash data if the file system user has write permission.

Citations

18 Claims

1. A method for re-encrypting encrypted data in a secure storage file system, comprising:
- obtaining one or more selected encrypted data blocks from the secure storage file system, each selected encrypted data block comprising a selected encrypted data, the one or more selected encrypted data blocks comprising data blocks accessed by a first user, wherein the one or more selected encrypted data blocks were selected based on a user data access record, wherein the user data access record comprises a bitmap indicating which encrypted data blocks are accessed by a first user;
  
  decrypting, re-encrypting and storing each one of the one or more selected encrypted data blocks, the decrypting, re-encrypting and storing of each data block comprising;
  
  decrypting the selected encrypted data using a first symmetric key associated with the encrypted data block to obtain selected data;
  
  re-encrypting the selected data using a second symmetric key associated with the data block to obtain new encrypted data;
  
  for each user who has access to the data block,obtaining a public key associated with a private key, wherein the first user is denied access to the private key;
  
  encrypting the second symmetric key using the public key to obtain a new encrypted symmetric key;
  
  storing in a new data block, stored in a storage device;
  
  the new encrypted data and the new encrypted symmetric key if a second user has read permission, wherein the second user is allowed access to the private key;
  
  applying a hash function to the selected data to obtain hash data;
  
  encrypting the hash data with the private key to obtain encrypted hash data; and
  
  storing the encrypted hash data, the new encrypted data, and the new encrypted symmetric key if the second user has write permission.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the user data access record comprises at least one selected from the group consisting of a bitmap for each user and a bitmap for each group of users.
  - 3. The method of claim 1, wherein the write permission comprises at least one sub-division.
  - 4. The method of claim 3, wherein the sub-division is selected from a group consisting of insert, append, truncate, and delete.
  - 5. The method of claim 1, wherein the secure storage file system is implemented using a preloaded shared library.
  - 6. The method of claim 5, wherein the preloaded shared library translates read/write/file name accesses into different read/write/file name accesses.
  - 7. The method of claim 1, wherein the secure storage file system is implemented using a shared library that includes functionality to map read/write/file name accesses to a custom-implemented file system.

8. A computer system generating a secure storage file system, comprising:
- a processor;
  
  a memory;
  
  a storage device;
  
  a computer display; and
  
  software instructions stored in the memory for enabling the computer system under control of the processor, to perform;
  
  obtaining one or more selected encrypted data blocks from the secure storage file system, each selected encrypted data block comprising a selected encrypted data, the one or more selected encrypted data blocks comprising data blocks accessed by a first user, wherein the one or more selected encrypted data blocks were selected based on a user data access record, wherein the user data access record comprises a bitmap indicating which encrypted data blocks are accessed by a first user;
  
  decrypting, re-encrypting and storing each one of the one or more selected encrypted data blocks, the decrypting, re-encrypting and storing of each data block comprising;
  
  decrypting the selected encrypted data using a first symmetric key associated with the data block to obtain selected data;
  
  re-encrypting the selected data using a second symmetric key associated with the data block to obtain new encrypted data;
  
  for each user who has access to the data block,obtaining a public key associated with a private key, wherein the first user is denied access to the private key;
  
  encrypting the second symmetric key using the public key to obtain a new encrypted symmetric key;
  
  storing in a new data block, stored in a storage device the new encrypted data and the new encrypted symmetric key if a second user has read permission, wherein the second user is allowed access to the private key;
  
  applying a hash function to the selected data to obtain hash data;
  
  encrypting the hash data with the public key to obtain encrypted hash data; and
  
  storing the encrypted hash data, the new encrypted data, and the new encrypted symmetric key if the second user has write permission.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the write permission comprises at least one sub-division.
  - 10. The computer system of claim 9, wherein the sub-division is selected from a group consisting of insert, append, truncate, and delete.
  - 11. The computer system of claim 8, wherein the secure storage file system is implemented using a preloaded shared library.
  - 12. The computer system of claim 11, wherein the preloaded shared library translates read/write/file name accesses into different read/write/file name accesses.
  - 13. The computer system of claim 8, wherein the secure storage file system is implemented using a shared library that includes functionality to map read/write/file name accesses to a custom-implemented file system.
  - 14. The computer system of claim 8, wherein the user data access record comprises at least one selected from the group consisting of a bitmap for each user and a bitmap for each group of users.

15. A secure storage system comprising:
- a storage provider storing encrypted data in a storage device,obtaining one or more selected encrypted data blocks from the secure storage file system, each selected encrypted data block comprising a selected encrypted data, the secure storage file system executing on the storage provider using a user data access record in response to receiving a key re-encryption event,the one or more selected encrypted data blocks comprising data blocks accessed by a first user, wherein the one or more selected encrypted data blocks were selected based on a user data access record, wherein the user data access record comprises a bitmap indicating which encrypted data blocks are accessed by a first user;
  
  decrypting, re-encrypting and storing each one of the one or more selected encrypted data blocks, the decrypting, re-encrypting and storing of each data block comprising;
  
  decrypting the selected encrypted data using a first symmetric key associated with the encrypted data block to obtain selected data;
  
  re-encrypting the selected data using a second symmetric key associated with the data block to obtain new encrypted data;
  
  for each user who has access to the data block,obtaining a public key associated with a private key, wherein the first user is denied access to the private key;
  
  encrypting the second symmetric key using the public key to obtain a new encrypted symmetric key;
  
  storing in a new data block, stored in the storage device, the new encrypted data and the new encrypted symmetric key if a second user has read permission, wherein the second user is allowed access to the private key;
  
  applying a hash function to the selected data to obtain hash data;
  
  encrypting the hash data with the private key to obtain encrypted hash data; and
  
  storing the encrypted hash data, the new encrypted data, and the new encrypted symmetric key if the second user has write permission; and
  
  a client device, wherein the client device comprises a client kernel for generating the key re-encryption event and a client application using the encrypted data.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein the user data access record comprises at least one selected from the group consisting of a bitmap for each user and a bitmap for each group of users.
  - 17. The system of claim 15, wherein the write permission comprises at least one sub-division.
  - 18. The system of claim 17, wherein the sub-division is selected from a group consisting of append, truncate, and delete.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
Caronni, Germano
Primary Examiner(s)
Homayounmehr; Farid

Application Number

US10/675,667
Time in Patent Office

2,534 Days
Field of Search

380/277
US Class Current

380/277
CPC Class Codes

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Method and apparatus for re-encrypting data in a transaction-based secure storage system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for re-encrypting data in a transaction-based secure storage system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links