User-specified sharing of data via policy and/or inference from a hierarchical cryptographic store
First Claim
1. A computer implemented system that creates a hierarchical set of decryption keys to facilitate privacy-centric data storage of health records with diverse accessibility, comprising:
an interface component that obtains from a user or an associated device information associated with a root key, in which the information includes a policy the user controls to maintain granular control over accessing the health records of the user by authorized accessing parties such that the policy specifies different keys to capture different preferences about sharing of the health records, wherein a first key is associated with sharing a set of the health records of the user with a first party and is further associated with a first user preference for data access, and a second key is associated with sharing a subset of the set of the health records of the user with a second party and is further associated with a second user preference for data access different than the first user preference for data access; and
a key generation component that employs the root key to derive a private set of cryptographic decryption keys that conforms to a hierarchy that describes partitioning of the encrypted data of the user based at least in part upon features or content of the encrypted data, wherein decryption capabilities of a decryption key from the private set of cryptographic decryption keys is defined based at least in part upon a location or an arrangement of the decryption key within the hierarchy.
Abstract
The claimed subject matter relates to architectures that can construct a hierarchical set of decryption keys for facilitating user-controlled encrypted data storage with diverse accessibility and hosting of that encrypted data. In particular, a root key can be employed to derive a hierarchical set of decryption keys and a corresponding hierarchical set of encryption keys. Each key derived can conform to a hierarchy associated with encrypted data of the user, and the decryption capabilities of the decryption keys can be configured based upon a location or assignment of the decryption key within the hierarchy. The cryptographic methods can be joined with a policy language that specifies sets of keys for capturing preferences about patterns of sharing. These policies about sharing can themselves require keys for access, and the policies can provide additional keys for other aspects of policy and/or base-level accesses.
20 Claims
1. (Independent claim; full text given under First Claim above.) Dependent claims: 2 to 16.
17. A computer implemented method for constructing a hierarchical set of decryption keys for facilitating privacy-centric data storage with diverse accessibility, comprising:
receiving from a user information associated with a root key, in which the information includes a policy the user controls to maintain granular control over accessing encrypted data of the user by authorized accessing parties such that the policy specifies a set of keys to capture preferences about sharing of personal information of the user with the parties, wherein a first key is associated with sharing a set of the personal information of the user with a first party and is further associated with a first user preference for a first level of detail of data access, and a second key is associated with sharing a subset of the set of the personal information of the user with a second party and is further associated with a second user preference for a second level of detail of data access different than the first user preference for the first level of detail of data access; employing a processor to create a set of cryptographic decryption keys derived from the root key, in which a decryption key included in the set of cryptographic decryption keys conforms to a hierarchy describing or defining encrypted data associated with the user; and configuring decryption capabilities for the decryption key included in the set of cryptographic decryption keys based at least in part upon a location or assignment of the decryption key within the hierarchy. Dependent claims: 18.
19. A computer implemented method for securely hosting encrypted data associated with a user in a manner that facilitates user control and diverse accessibility, comprising:
employing a server with a processor and a data store for hosting encrypted data associated with a user in the data store that is accessible by way of a network that is configured to be substantially publicly addressable, wherein the encrypted data conforms to a hierarchical scheme such that a portion of the encrypted data decryptable by a decryption key associated with the user is based at least in part upon a location or an assignment of the decryption key within a hierarchy of a set of decryption keys derived from a root key associated with the user; receiving a set of preferences from the user relating to at least entities authorized to obtain, access, or search the encrypted data or policies for how data is revealed to one or more entities, in which the set of preferences specifies a set of keys for the user to maintain granular control over sharing of personal information of the user with the one or more entities, wherein a first key of the set of keys is associated with sharing a set of the data associated with the user with a first entity and is further associated with a first preference of the set of preferences for sharing data, and a second key of the set of keys is associated with sharing a subset of the data associated with the user with a second entity and is further associated with a second preference of the set of preferences for sharing data different than the first preference of the set of preferences for sharing data; receiving a request from a user-authorized entity to access or search the encrypted data; and transmitting requested encrypted data to the user-authorized entity based at least in part upon the preferences. Dependent claims: 20.