System, method, and computer-readable medium for cryptographic key rotation in a database system

US 8,504,844 B2
Filed: 12/19/2008
Issued: 08/06/2013
Est. Priority Date: 12/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method of encryption key management in a database system deployed in a computer system, comprising:

storing a plurality of encryption keys each respectively in association with a generation identifier;

encrypting respective data of rows of a column of a database table using a respective one of the plurality of encryption keys; and

for each encrypted row of the column of the database table, storing, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer-readable medium that facilitate key rotation without disrupting database access are provided. Generation identifiers that specify a particular encryption key are stored in association with cipher text of encrypted columns in database tables. When data is to be read from an encrypted column, the cipher text is read along with the associated generation identifier. An encryption key corresponding to the generation identifier is then read to decrypt the cipher text. When data is to be written to the encrypted column, a most recent encryption key is retrieved from the key repository to encrypt the data. The cipher text is then written to the encrypted column in association with the generation identifier of the key used to encrypt the data. Advantageously, the key rotation may be performed without requiring that the table or database to be taken offline or otherwise unavailable during key rotation.

34 Citations

View as Search Results

20 Claims

1. A method of encryption key management in a database system deployed in a computer system, comprising:
- storing a plurality of encryption keys each respectively in association with a generation identifier;
  
  encrypting respective data of rows of a column of a database table using a respective one of the plurality of encryption keys; and
  
  for each encrypted row of the column of the database table, storing, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein storing a plurality of encryption keys comprises storing the plurality of encryption keys in an encryption key repository that is communicatively coupled to the database system.
  - 3. The method of claim 1, wherein storing, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier comprises storing the respective generation identifier in a column of a row with the cipher text.
  - 4. The method of claim 1, further comprising:
    - receiving a request to access data of a column of a row of the database table;
      
      reading cipher text of the column of the row; and
      
      reading a respective generation identifier stored with the cipher text in the column of the row.
  - 5. The method of claim 4, further comprising retrieving an encryption key corresponding to the respective generation identifier read from the column of the row.
  - 6. The method of claim 5, further comprising decrypting the cipher text of the column of the row using the encryption key that corresponds to the respective generation identifier read from the column of the row.
  - 7. The method of claim 1, further comprising:
    - receiving a request to write data to a column of a row of the database table; and
      
      retrieving a most recent encryption key and an associated generation identifier from an encryption key repository.
  - 8. The method of claim 7, further comprising:
    - encrypting the data of the request with the most recent encryption key thereby producing cipher text; and
      
      writing the cipher text and the generation identifier associated with the most recent encryption key to the column of the row.

9. A computer-readable medium encoded with computer-executable instructions, the computer-executable instructions executable with a processor, the computer-readable medium comprising:
- instructions to store a plurality of encryption keys each respectively in association with a generation identifier;
  
  instructions to encrypt respective data of rows of a column of the database table with a respective one of the plurality of encryption keys; and
  
  instructions to store, in the database table, for each encrypted row of the column of the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium of claim 9, wherein the instructions to store a plurality of encryption keys comprise instructions to store the plurality of encryption keys in an encryption key repository that is communicatively coupled to the database system.
  - 11. The computer-readable medium of claim 9, wherein the instructions to store, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier comprise instructions to store the respective generation identifier in a column of a row with the cipher text.
  - 12. The computer-readable medium of claim 9, further comprising:
    - instructions to receive a request to access data of a column of a row of the database table;
      
      instructions to read cipher text of the column of the row; and
      
      instructions to read a generation identifier stored with the cipher text in the column of the row.
  - 13. The computer-readable medium of claim 12, further comprising instructions to retrieve an encryption key corresponding to the respective generation identifier read from the column of the row.
  - 14. The computer-readable medium of claim 13, further comprising instructions to decrypt the cipher text of the column of the row using the encryption key that corresponds to the respective generation identifier read from the column of the row.
  - 15. The computer-readable medium of claim 9, further comprising:
    - instructions to receive a request to write data to a column of a row of the database table; and
      
      instructions to retrieve a most recent encryption key and an associated generation identifier from an encryption key repository.
  - 16. The computer-readable medium of claim 15, further comprising:
    - instructions to encrypt the data of the request with the most recent encryption key thereby producing cipher text; and
      
      instructions to write the cipher text and the generation identifier associated with the most recent encryption key to the column of the row.

17. A computer system having a database system deployed therein configured for encryption key management, comprising:
- at least one storage medium on which the database system is stored; and
  
  at least one processing module that is configured to;
  
  store a plurality of encryption keys each respectively in association with a generation identifier;
  
  encrypt respective data of rows of a column of a database table, wherein each row is encrypted with a respective one of the plurality of encryption keys; and
  
  for each encrypted row of the column of the database table, store, in the database table, cipher text resulting from encryption of the respective data and a respective generation identifier, wherein each respective generation identifier is configured to indicate the respective encryption key used to encrypt the data.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the at least one processing module is further configured to store the plurality of encryption keys in an encryption key repository that is communicatively coupled to the database system.
  - 19. The system of claim 17, wherein the at least one processing module is further configured to store the respective generation identifier in a column of a row with the cipher text.
  - 20. The system of claim 17, wherein the at least one processing module is further configured to:
    - receive a request to access data of a column of a row of the database table;
      
      read cipher text of the column of the row; and
      
      read a generation identifier stored with the cipher text in the column of the row.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Teradata Corporation
Original Assignee
Teradata US, Inc. (Teradata Corporation)
Inventors
Browning, James
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
SONG, HEE K

Application Number

US12/339,179
Publication Number

US 20100161995A1
Time in Patent Office

1,691 Days
Field of Search

726/2, 726/6, 726/26, 713/156, 713/155, 713/158, 713/164, 713/166, 713/189, 713/193, 380/200, 380/201, 380/277, 380/279, 380 28- 30, 709/227, 709/228, 709/225, 707/100, 707/103, 707/200, 707/694
US Class Current

713/189
CPC Class Codes

G06F 16/20   of structured data, e.g. re...

G06F 21/6227   where protection concerns t...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

System, method, and computer-readable medium for cryptographic key rotation in a database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer-readable medium for cryptographic key rotation in a database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links