Method and apparatus for facilitating role-based cryptographic key management for a database
First Claim
1. A method for facilitating role-based cryptographic key management, the method comprising:
receiving a request at a computer system from a first user to perform a cryptographic operation, wherein the first user is a member of a first role, and the first role is a member of a second role that has been granted permission to perform the cryptographic operation, and wherein a second role key associated with the second role is wrapped with a first role key associated with the first role;
receiving a user secret to unwrap a first user key associated with the first user;
using the first user key to unwrap the first role key;
using the first role key to unwrap the second role key;
using the second role key to unwrap a data key and a permission, wherein the data key is a column key used to perform cryptographic operations on a column, a row, or a cell, within a database, and wherein the permission specifies cryptographic operations applicable to the second role; and
responsive to the applicable permission, using the data key to perform the cryptographic operation.
Abstract
One embodiment of the present invention provides a system that facilitates role-based cryptographic key management. The system operates by receiving a request at a database server from a user to perform a cryptographic operation on data on the database server, wherein the user is a member of a role, and wherein the role has been granted permission to perform the cryptographic operation on the data. Next, the system receives from the user at the database server a user key, which is associated with the user. The system then unwraps a wrapped role key with the user key to obtain a role key, which is associated with the role. Next, the system unwraps a wrapped data key with the role key to obtain a data key, which is used to encrypt and decrypt the data. Finally, the system uses the data key to perform the cryptographic operation on the data.
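An added illustration of the unwrap chain, following the two-role form in claim 1 (user secret, user key, first role key, second role key, then data key plus permission); it is not code from the patent. The function names, the JSON grant record, the PBKDF2 parameters and the HMAC-SHA256 wrap are assumptions, and the wrap is a standard-library stand-in for a vetted primitive such as AES Key Wrap.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode (assumed stand-in keystream, stdlib only)
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def wrap(kek, plaintext):
    # Encrypt-then-MAC so a wrong or tampered wrapping is detected on unwrap
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(kek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("unwrap failed: wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def _kek_from_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def build_store(user_secret):
    """Constructed sample store: every key is persisted only in wrapped form."""
    salt = os.urandom(16)
    user_key, role1, role2, data_key = (os.urandom(32) for _ in range(4))
    grant = json.dumps({"key": data_key.hex(), "ops": ["decrypt"]}).encode()
    store = {"salt": salt,
             "user_key": wrap(_kek_from_secret(user_secret, salt), user_key),
             "role1_key": wrap(user_key, role1),  # user is a member of the first role
             "role2_key": wrap(role1, role2),     # first role is a member of the second
             "grant": wrap(role2, grant)}         # data key and permission wrapped together
    return store, data_key

def resolve_data_key(store, user_secret, operation):
    """Walk the chain; release the data key only if the permission allows it."""
    user_key = unwrap(_kek_from_secret(user_secret, store["salt"]), store["user_key"])
    role1 = unwrap(user_key, store["role1_key"])
    role2 = unwrap(role1, store["role2_key"])
    grant = json.loads(unwrap(role2, store["grant"]))
    if operation not in grant["ops"]:
        raise PermissionError(f"second role is not permitted to {operation}")
    return bytes.fromhex(grant["key"])
```

Because the permission is wrapped in the same authenticated blob as the data key, it cannot be widened without the second role key; the permission check itself still depends on the code path that unwraps the blob enforcing it.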
19 Claims
10. A non-transitory computer readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating role-based cryptographic key management, the method comprising:
receiving a request at a computer system for a first user to perform a cryptographic operation, where the first user is a member of a first role, and the first role is a member of a second role that has been granted permission to perform the cryptographic operation, and wherein a second role key associated with the second role is wrapped with a first role key associated with the first role;
receiving a user secret to unwrap a first user key associated with the first user;
using the first user key to unwrap the first role key;
using the first role key to unwrap the second role key;
using the second role key to unwrap a data key and a permission, wherein the data key is a column key used to perform cryptographic operations on a column, a row, or a cell, within a database, and wherein the permission specifies cryptographic operations applicable to the second role; and
responsive to the applicable permission, using the data key to perform the cryptographic operation.
19. An apparatus configured to facilitate role-based cryptographic key management, comprising:
a processor;
a receiving mechanism coupled to the processor and configured to receive a request from a user to perform a cryptographic operation on data at a computer system, wherein the user is a member of a first role, and the first role is a member of a second role that has been granted permission to perform the cryptographic operation, and wherein a second role key associated with the second role is wrapped with a first role key associated with the first role;
wherein the receiving mechanism is further configured to receive from the user a user secret to unwrap a first user key associated with the first user;
a cryptographic mechanism configured to use the first user key to unwrap the first role key;
wherein the cryptographic mechanism is further configured to use the first role key to unwrap the second role key;
wherein the cryptographic mechanism is further configured to use the second role key to unwrap a data key and a permission, wherein the data key is a column key used to perform cryptographic operations on a column, a row, or a cell, within a database, and wherein the permission specifies cryptographic operations applicable to the second role; and
wherein the cryptographic mechanism is further configured to use the data key to perform the cryptographic operation responsive to the applicable permission.
Specification