Structure preserving database encryption method and system

US 8,639,947 B2
Filed: 05/30/2005
Issued: 01/28/2014
Est. Priority Date: 06/01/2004
Status: Active Grant

First Claim

Patent Images

1. A Structure Preserving Database Encryption system for encrypting a content stored in cells of a database, comprising:

A) a computer provided with a client having access right definition to data stored in said database, wherein said client is used for communicating with said database by generating a communication session, and for allowing a person operating said client to retrieve data from said database;

B) a computerized authentication server for identifying said client and for transferring one or more encryption keys to said client; and

C) a computerized database server for encrypting data stored in each cell of a table within said database and for communicating with said client via said generated communication session, thereby providing said client according its access right definition a decrypt data;

wherein a value stored in a corresponding cell is determined, and each of said cells within said database has a unique cell coordinates represented by table, row and column identifiers, and wherein a concatenation function is activated on said cell table, row and column identifiers and as a result, a number based on said identifiers is obtained, and wherein a XOR operation between said number and said value stored in said cell is operated or a concatenation of said number with said value stored in said cell is performed;

wherein the decrypt data is obtained by a process, comprising;

a) identifying the client by means of an authentication server communicating over a conventional identification protocol;

b) receiving one or more encryption keys from said authentication server by said client, wherein said one or more encryption keys being relevant for performing at least one query from said client, according to the access right definition of said client;

c) generating a session by means of said client with a database server;

d) transferring from said client to said database server the corresponding one or more encryption keys received from said authentication server;

e) generating at least one query by said client;

f) searching by means of said database server an encrypted database for a corresponding data requested in said at least one query;

g) after finding said corresponding data, decrypting said corresponding data by means of said one or more corresponding encryption keys; and

h) transferring the results of said at least one query from said database server to said client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A database encryption system and method, the Structure Preserving Database Encryption (SPDE), is presented. In the SPDE method, each database cell is encrypted with its unique position. The SPDE method permits to convert a conventional database index into a secure one, so that the time complexity of all queries is maintained. No one with access to the encrypted database can learn anything about its content without the encryption key. Also a secure index for an encrypted database is provided. Furthermore, secure database indexing system and method are described, providing protection against information leakage and unauthorized modifications by using encryption, dummy values and pooling, and supporting discretionary access control in a multi-user environment.

Citations

13 Claims

1. A Structure Preserving Database Encryption system for encrypting a content stored in cells of a database, comprising:
- A) a computer provided with a client having access right definition to data stored in said database, wherein said client is used for communicating with said database by generating a communication session, and for allowing a person operating said client to retrieve data from said database;
  
  B) a computerized authentication server for identifying said client and for transferring one or more encryption keys to said client; and
  
  C) a computerized database server for encrypting data stored in each cell of a table within said database and for communicating with said client via said generated communication session, thereby providing said client according its access right definition a decrypt data;
  
  wherein a value stored in a corresponding cell is determined, and each of said cells within said database has a unique cell coordinates represented by table, row and column identifiers, and wherein a concatenation function is activated on said cell table, row and column identifiers and as a result, a number based on said identifiers is obtained, and wherein a XOR operation between said number and said value stored in said cell is operated or a concatenation of said number with said value stored in said cell is performed;
  
  wherein the decrypt data is obtained by a process, comprising;
  
  a) identifying the client by means of an authentication server communicating over a conventional identification protocol;
  
  b) receiving one or more encryption keys from said authentication server by said client, wherein said one or more encryption keys being relevant for performing at least one query from said client, according to the access right definition of said client;
  
  c) generating a session by means of said client with a database server;
  
  d) transferring from said client to said database server the corresponding one or more encryption keys received from said authentication server;
  
  e) generating at least one query by said client;
  
  f) searching by means of said database server an encrypted database for a corresponding data requested in said at least one query;
  
  g) after finding said corresponding data, decrypting said corresponding data by means of said one or more corresponding encryption keys; and
  
  h) transferring the results of said at least one query from said database server to said client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, further comprising allowing to define an encrypted index for each table in the database which containing the encrypted cell content.
  - 3. A method according to claim 2, wherein the encrypted index for each table in said database, comprising the steps of:
    - a. concatenating a content of each cell value in said table with a random number having a fixed number of bits or the row identifier of each cell in said table; and
      
      b. activating a nondeterministic encryption function on the result obtained from said concatenating, thereby generating one or more encrypted index entries each of which containing one or more encrypted indexed values.
  - 4. A method according to claim 3, wherein the encrypted index for each table in said database further comprising the steps of:
    - a. providing an entry self pointer which used as a node identifier of a corresponding index, said self pointer determines the position of the corresponding node in said corresponding index;
      
      b. obtaining an internal pointer to each encrypted index entry;
      
      c. obtaining an external pointer to a corresponding row in a table wherein said cell value is stored;
      
      d. encrypting said external pointer by a conventional encryption function; and
      
      e. activating a message authentication code function on the indexed value of said self, internal, and external pointers, thereby calculating a message authentication code value.
  - 5. A method according to claim 4, further comprising:
    - a. defining a fixed size pool for each index, said pool holding one or more values for inserting into the corresponding index; and
      
      b. updating each of said indexes with the corresponding said one or more values, whenever said pool is full.
  - 6. A method to claim 5, further comprising extracting corresponding values from a corresponding pool to the corresponding index in a random order.
  - 7. A method according to claim 3, further comprising executing a client'"'"'s query in the encrypted index for each table in said database, wherein said executed query is done by means of a database server using sub-indexes.
  - 8. A method according to claim 7, wherein the executing of a client'"'"'s query in the encrypted index for each table in said database, comprising the steps of:
    - a. connecting to a database server via said client and identifying said client;
      
      b. creating a secure session between said database server and said client;
      
      c. transferring one or more encryption keys by means of said client to said database server;
      
      d. submitting a query by means of said client to said database server;
      
      e. locating a corresponding sub-indexes which said client is entitled to access;
      
      f. executing said query on said corresponding sub-indexes by means of said database server using said one or more encryption keys;
      
      g. obtaining a result to said query; and
      
      h. transferring said obtained result to said client.

9. A Structure Preserving Database Encryption method for encrypting a content of one or more cells in a database, wherein each of which of said cells having a unique cell coordinates represented by table, row and column identifiers in said database, comprising the steps of:
- A) generating a unique number for each of said cells according to the corresponding table, row and column identifiers of each of said cells; and
  
  B) encrypting a content of each of said cells with its corresponding generated unique number, while a structure of tables and indexes of said database remains as before the encryption which provides a transparent decryption process to a user;
  
  wherein encryption of each cell value is performed by;
  
  I) determining a value stored in a corresponding cell;
  
  II) determining a position of said cell within the database by determining said table, row and column identifiers of each of said cells;
  
  III) activating a function concatenating said table, row and column identifiers of each of said cells and as a result, obtaining a number based on said identifiers;
  
  IV) performing a XOR operation between said number and said value stored in said cell or concatenating said number with said value stored in said cell; and
  
  V) activating an encryption function on a result obtained from said XOR operation or from said concatenating of said number with said value stored in said cell;
  
  wherein a decryption process, comprising;
  
  a) identifying a client by means of an authentication server communicating over a conventional identification protocol;
  
  b) receiving one or more encryption keys from said authentication server by said client, wherein said one or more encryption keys being relevant for performing at least one query from said client, according to an access right definition of said client;
  
  c) generating a session by means of said client with a database server;
  
  d) transferring from said client to said database server the corresponding one or more encryption keys received from said authentication server;
  
  e) generating at least one query by said client;
  
  f) searching by means of said database server an encrypted database for a corresponding data requested in said at least one query;
  
  g) after finding said corresponding data, decrypting said corresponding data by means of said one or more corresponding encryption keys; and
  
  h) transferring the results of said at least one query from said database server to said client.
- View Dependent Claims (10, 11, 12, 13)
- - 10. A method according to claim 9, wherein the content of each cell in the database before the encryption comprises a plaintext value, while after the encryption the content of each cell in said database comprises a ciphertext value.
  - 11. A method according to claim 9, further comprising activating a hash function on the generated unique number, thereby obtaining a hashed unique number.
  - 12. A method according to claim 9, further comprising activating on the encrypted cell content a decryption function which decrypts the value encrypted within said cell, by performing a XOR operation between said decrypted value and the generated unique number for said cell.
  - 13. A method according to claim 12, further comprising activating on an encrypted cell content a decryption function which decrypts the value encrypted within said cell, by performing a XOR operation between said decrypted value and a hashed unique number, or by performing discarding said hashed unique number from said decrypted value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ben Gurion University of The Negev
Original Assignee
Ben Gurion University of The Negev
Inventors
Elovici, Yuval, Shmueli, Erez, Waisenberg, Ronen
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US11/628,284
Publication Number

US 20080133935A1
Time in Patent Office

3,165 Days
Field of Search

713/193
US Class Current

713/193
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6227   where protection concerns t...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 9/002   Countermeasures against att...

H04L 9/0836   using tree structure or hie...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Structure preserving database encryption method and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Structure preserving database encryption method and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links