Structure preserving database encryption method and system
First Claim
1. A Structure Preserving Database Encryption system for encrypting a content stored in cells of a database, comprising:
A) a computer provided with a client having access right definition to data stored in said database, wherein said client is used for communicating with said database by generating a communication session, and for allowing a person operating said client to retrieve data from said database;
B) a computerized authentication server for identifying said client and for transferring one or more encryption keys to said client; and
C) a computerized database server for encrypting data stored in each cell of a table within said database and for communicating with said client via said generated communication session, thereby providing said client, according to its access right definition, decrypted data;
wherein a value stored in a corresponding cell is determined, and each of said cells within said database has unique cell coordinates represented by table, row and column identifiers, and wherein a concatenation function is activated on said cell table, row and column identifiers and as a result, a number based on said identifiers is obtained, and wherein an XOR operation between said number and said value stored in said cell is performed or a concatenation of said number with said value stored in said cell is performed;
wherein the decrypted data is obtained by a process comprising:
a) identifying the client by means of an authentication server communicating over a conventional identification protocol;
b) receiving one or more encryption keys from said authentication server by said client, wherein said one or more encryption keys are relevant for performing at least one query from said client, according to the access right definition of said client;
c) generating a session by means of said client with a database server;
d) transferring from said client to said database server the corresponding one or more encryption keys received from said authentication server;
e) generating at least one query by said client;
f) searching by means of said database server an encrypted database for a corresponding data requested in said at least one query;
g) after finding said corresponding data, decrypting said corresponding data by means of said one or more corresponding encryption keys; and
h) transferring the results of said at least one query from said database server to said client.
Abstract
A database encryption system and method, the Structure Preserving Database Encryption (SPDE), is presented. In the SPDE method, each database cell is encrypted together with its unique position. The SPDE method makes it possible to convert a conventional database index into a secure one, so that the time complexity of all queries is maintained. No one with access to the encrypted database can learn anything about its content without the encryption key. A secure index for an encrypted database is also provided. Furthermore, a secure database indexing system and method are described, providing protection against information leakage and unauthorized modifications by using encryption, dummy values and pooling, and supporting discretionary access control in a multi-user environment.
13 Claims
9. A Structure Preserving Database Encryption method for encrypting content of one or more cells in a database, wherein each of said cells has unique cell coordinates represented by table, row and column identifiers in said database, comprising the steps of:
A) generating a unique number for each of said cells according to the corresponding table, row and column identifiers of each of said cells; and
B) encrypting the content of each of said cells with its corresponding generated unique number, while the structure of tables and indexes of said database remains as before the encryption, which provides a transparent decryption process to a user;
wherein encryption of each cell value is performed by:
I) determining a value stored in a corresponding cell;
II) determining a position of said cell within the database by determining said table, row and column identifiers of each of said cells;
III) activating a function concatenating said table, row and column identifiers of each of said cells and as a result, obtaining a number based on said identifiers;
IV) performing an XOR operation between said number and said value stored in said cell or concatenating said number with said value stored in said cell; and
V) activating an encryption function on a result obtained from said XOR operation or from said concatenating of said number with said value stored in said cell;
wherein a decryption process comprises:
a) identifying a client by means of an authentication server communicating over a conventional identification protocol;
b) receiving one or more encryption keys from said authentication server by said client, wherein said one or more encryption keys are relevant for performing at least one query from said client, according to an access right definition of said client;
c) generating a session by means of said client with a database server;
d) transferring from said client to said database server the corresponding one or more encryption keys received from said authentication server;
e) generating at least one query by said client;
f) searching by means of said database server an encrypted database for corresponding data requested in said at least one query;
g) after finding said corresponding data, decrypting said corresponding data by means of said one or more corresponding encryption keys; and
h) transferring the results of said at least one query from said database server to said client.
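The per-cell encryption the claims describe, as an added example in Go that is not the patent's own code: the concatenation variant, where the table, row and column identifiers are packed into a position number, prepended to the cell value and encrypted as one AES block, and where decryption checks the embedded position so that a ciphertext copied into another cell is rejected. Assumptions the patent does not fix: AES as the encryption function, and values of at most 8 bytes, zero-padded to fill the block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
)

type Cell struct {
	Table, Col uint16
	Row        uint32
}

// posNumber is the claim's concatenation function: table||row||column packed
// into 8 bytes, so every cell coordinate yields a distinct number.
func posNumber(c Cell) []byte {
	p := make([]byte, 8)
	binary.BigEndian.PutUint16(p[0:], c.Table)
	binary.BigEndian.PutUint32(p[2:], c.Row)
	binary.BigEndian.PutUint16(p[6:], c.Col)
	return p
}

// EncryptCell: the concatenation variant, AES_k(position || value) as one block.
// Assumption (ours, not the patent's): values are at most 8 bytes, zero-padded.
func EncryptCell(key []byte, c Cell, value []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(value) > 8 {
		return nil, errors.New("bad key or value longer than 8 bytes")
	}
	pt := make([]byte, aes.BlockSize)
	copy(pt, append(posNumber(c), value...))
	blk.Encrypt(pt, pt) // in place; exact overlap is permitted by cipher.Block
	return pt, nil
}

// DecryptCell decrypts for the cell read from and rejects a relocated block.
func DecryptCell(key []byte, c Cell, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(ct) != aes.BlockSize {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, aes.BlockSize)
	blk.Decrypt(pt, ct)
	if !bytes.Equal(pt[:8], posNumber(c)) {
		return nil, errors.New("ciphertext does not belong to this cell")
	}
	return bytes.TrimRight(pt[8:], "\x00"), nil
}
```

Because the block cipher is applied deterministically, the same value in the same cell always yields the same ciphertext, which is what lets an index built over ciphertexts keep its time complexity, while the same value in two different cells yields two different ciphertexts.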
Specification