Secured database system with built-in antivirus protection

US 7,844,829 B2
Filed: 01/18/2006
Issued: 11/30/2010
Est. Priority Date: 01/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for securing a database system, the method comprising:

under control of a system administrator provisioning storage from a storage device, for storing database information;

generating an asymmetric key pair comprising an encryption key and a decryption key, said encryption key being made available only to a security officer, and said decryption key being made available only to a database administrator and the database system;

under control of the security officer utilizing said encryption key so that said database information is stored on the storage device in an encrypted manner;

under control of the database administrator utilizing said decryption key for decrypting the database information stored on the storage device, wherein access to said decryption key is controlled by the database system based on user privileges;

receiving a request from a user for access to the database information;

determining whether the user has been granted privileges allowing to access to the database information;

if the user has been granted privileges allowing access to the database information, automatically decrypting the database information to provide the access; and

otherwise denying the request if the user has not been granted privileges allowing access to the database information;

wherein no single user has access to both the encryption and decryption keys, and wherein no single user has access to the decryption key and the storage provisioned for storing the database information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secured database system with built-in antivirus protection is described. In one embodiment, for example, a method of the present invention is described for securing a database system, the method comprises steps of: provisioning storage from a storage device, for storing database information; generating an encryption key so that the database information is stored on the storage device in an encrypted manner; generating a decryption key for decrypting the database information stored on the storage device, wherein access to the decryption key is controlled by the database system based on user privileges; receiving a request from a user for access to the database information; determining whether the user has been granted sufficient privileges to access the database information; if the user has been granted sufficient privileges, automatically decrypting the database information to provide the access; and otherwise denying the request if the user has not been granted sufficient privileges.

120 Citations

View as Search Results

25 Claims

1. A method for securing a database system, the method comprising:
- under control of a system administrator provisioning storage from a storage device, for storing database information;
  
  generating an asymmetric key pair comprising an encryption key and a decryption key, said encryption key being made available only to a security officer, and said decryption key being made available only to a database administrator and the database system;
  
  under control of the security officer utilizing said encryption key so that said database information is stored on the storage device in an encrypted manner;
  
  under control of the database administrator utilizing said decryption key for decrypting the database information stored on the storage device, wherein access to said decryption key is controlled by the database system based on user privileges;
  
  receiving a request from a user for access to the database information;
  
  determining whether the user has been granted privileges allowing to access to the database information;
  
  if the user has been granted privileges allowing access to the database information, automatically decrypting the database information to provide the access; and
  
  otherwise denying the request if the user has not been granted privileges allowing access to the database information;
  
  wherein no single user has access to both the encryption and decryption keys, and wherein no single user has access to the decryption key and the storage provisioned for storing the database information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein said encryption key is available only to a user who will not be allowed to have access to the decryption key.
  - 3. The method of claim 2, wherein the user is a security officer.
  - 4. The method of claim 1, wherein said decryption key is available only to a user who will not be allowed to have access to the encryption key.
  - 5. The method of claim 4, wherein the user is a database administrator.
  - 6. The method of claim 1, wherein the step of provisioning storage is required to be performed by a user who does not have access to the encryption key or the decryption key.
  - 7. The method of claim 6, wherein the user is a system administrator.
  - 8. The method of claim 1, further comprising:
    - providing a secured file system overlaid on top of an existing operating system'"'"'s file system, such that the database information is mounted from the storage device in a secure manner so that all writing of the database information is encrypted.
  - 9. The method of claim 8, wherein the secured file system controls read and write operations that affect storage of the database information on the operating system'"'"'s file system.
  - 10. The method of claim 1, wherein the step of decrypting the database information occurs in a manner that is transparent to the user requesting access, such that the user is unaware that the database information is encrypted.
  - 11. The method of claim 1, further comprising:
    - providing built-in antivirus protection for the database system, by scanning data submitted for storage by the database system so as to provide native virus scanning and protection at an encrypted file system level.

12. A method for securing a database system, the method comprising:
- in response to input from a system administrator, provisioning storage from a storage device for storing database information;
  
  in response to input from a security officer, generating an encryption key from an asymmetric key pair so that said database information is stored on the storage device in an encrypted manner, wherein access to said encryption key is controlled by the security officer;
  
  in response to input from a database administrator, generating a decryption key from said asymmetric key pair for decrypting the database information stored on the storage device, wherein access to said decryption key is controlled by the database system based on user authorization; and
  
  providing access to the database information by decrypting the database information only for authorized users;
  
  wherein no single user has access to both the encryption and decryption keys, and wherein no single user has access to the decryption key and the storage provisioned for storing the database information.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein said encryption key is available only to the security officer.
  - 14. The method of claim 12, wherein said decryption key is available only to the database administrator.
  - 15. The method of claim 12, wherein the storage device is available for provisioning only by the system administrator.
  - 16. The method of claim 12, wherein said decryption key is stored in a system catalog table of the database system.
  - 17. The method of claim 12, further comprising:
    - providing a secured file system for loading database information from the storage device, said secured file system operating under control of the database system.
  - 18. The method of claim 17, wherein the secured file system intercepts read and write operations, to provide necessary encryption/decryption for controlling storage of the database information on the storage device.
  - 19. The method of claim 12, wherein access to the database information is provided in a manner such that decryption is transparent to users having authorization that allows access to the database information, such that the users are unaware that the database information is encrypted.
  - 20. The method of claim 12, wherein user authorization is based on user privileges that may be granted and revoked to individual database users.

21. A secured database system comprising:
- a relational database management system (RDBMS);
  
  a storage device under control of a system administrator for provisioning storage of database information;
  
  an encryption key created from an asymmetric key pair and available only to a security officer for encrypting said database information that is stored on the storage device;
  
  a decryption key, created from said asymmetric key pair and automatically maintained by the database system, for decrypting the database information stored on the storage device, wherein access to said decryption key is not available to the system administrator or the security officer and is controlled by the database system based on user authorization; and
  
  a module for providing access to the database information by automatically decrypting the database information only for authorized users;
  
  wherein no single user has access to both the encryption and decryption keys, and wherein no single user has access to the decryption key and the storage provisioned for storing the database information.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21, wherein said encryption key is available only to a security officer.
  - 23. The system of claim 21, wherein said decryption key is available only to a database administrator.
  - 24. The system of claim 21, wherein the storage device is available for provisioning only by a system administrator.
  - 25. The system of claim 21, wherein said decryption key is stored in a system catalog table of the RDBMS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sybase Incorporated (SAP SE)
Original Assignee
Sybase Incorporated (SAP SE)
Inventors
Meenakshisundaram, Sethu
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PAN, PEILIANG

Application Number

US11/307,001
Publication Number

US 20070168678A1
Time in Patent Office

1,777 Days
Field of Search

713/189, 713/1, 713/2, 713/188, 713/194, 380/200, 380/201, 380/255, 380/277, 380/278, 726/2, 726/26, 726/27
US Class Current

713/189
CPC Class Codes

G06F 12/1483   using an access-table, e.g....

G06F 21/562   Static detection

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

Secured database system with built-in antivirus protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

120 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secured database system with built-in antivirus protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links