Database system, computer system, and computer-readable storage medium for decrypting a data record

US 8,887,254 B2
Filed: 12/15/2010
Issued: 11/11/2014
Est. Priority Date: 12/18/2009
Status: Active Grant

First Claim

Patent Images

1. A database system comprising:

a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein each of the multiple data records is at least partially encrypted by its data record public key, wherein the data record private key of each asymmetric key pair is encrypted, wherein the memory contains a representation of a directed acyclic graph, wherein paths along the directed acyclic graph each have a starting node and an ending node, forming a chain of nodes;

a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key, wherein the user public key is computed using the user private key;

wherein each starting node corresponds to one of the set of user accounts, wherein each ending node corresponds to one of the multiple data records;

wherein data is added to a data record by encrypting it with the data record public key, wherein access to the data record is granted to a user account by a cryptographic access key encrypted with the user public key, wherein a directed path formed by the chain of nodes starting at the starting node and ending at the ending node allows decryption of the data record using the cryptographic access key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A database system comprising: a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein the data contained in each of the multiple data records is encrypted by the data record public key, wherein the data record private key of each data record asymmetric key pair is encrypted with the public key of another asymmetric key pair; a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key; wherein data is added to a data record by encrypting it with the data record public key; wherein access to the data record is granted to a user account by encrypting the data record private key with the public key of an asymmetric cryptographic key pair whose encrypted private key is accessible from the user account via a sequence of successive decryptions of encrypted private keys; and wherein the data record private key allows decryption of the data record.

Citations

16 Claims

1. A database system comprising:
- a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein each of the multiple data records is at least partially encrypted by its data record public key, wherein the data record private key of each asymmetric key pair is encrypted, wherein the memory contains a representation of a directed acyclic graph, wherein paths along the directed acyclic graph each have a starting node and an ending node, forming a chain of nodes;
  
  a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key, wherein the user public key is computed using the user private key;
  
  wherein each starting node corresponds to one of the set of user accounts, wherein each ending node corresponds to one of the multiple data records;
  
  wherein data is added to a data record by encrypting it with the data record public key, wherein access to the data record is granted to a user account by a cryptographic access key encrypted with the user public key, wherein a directed path formed by the chain of nodes starting at the starting node and ending at the ending node allows decryption of the data record using the cryptographic access key.
- View Dependent Claims (2, 3, 4)
- - 2. The database system of claim 1, wherein the memory contains a representation of a directed acyclic graph, wherein paths along the directed acyclic graph each have a starting node and an ending node, wherein each starting node corresponds to one of the set of user accounts, wherein each ending node corresponds to one of the multiple data records, wherein a directed path from the starting node to the ending node allows decryption of the data record using the cryptographic access key.
  - 3. The database system of claim 2, wherein each node has a node asymmetric key pair with a node private key and a node public key, wherein the node asymmetric key pair of the starting node is the user asymmetric key pair, wherein the node asymmetric key pair of the ending node is the data record key pair.
  - 4. The database system of claim 3, wherein nodes along a directed path form a chain of nodes starting at the starting node and ending at the ending node, wherein each of the nodes contains a node data record, wherein the node data record comprises the node public key, wherein the data record further comprises the encrypted private key of the next node in the chain of nodes, wherein the private key of next node is encrypted using the node public key.

5. A computer system for accessing a database of a database system, wherein the database system comprises:
- a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein each of the multiple data records is encrypted by its data record public key, wherein the data record private key of each asymmetric key pair is encrypted, wherein the memory contains a representation of a directed acyclic graph, wherein paths along the directed acyclic graph each have a starting node and an ending node, forming a chain of nodes;
  
  a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key, wherein the user public key is computed using the user private key;
  
  wherein each starting node corresponds to one of the set of user accounts, wherein each ending node corresponds to one of the multiple data records;
  
  wherein data is added to a data record by encrypting it with the data record public key;
  
  wherein access to the data record is granted to a user account by a cryptographic access key encrypted with the user public key;
  
  wherein a directed path formed by the chain of nodes starting at the starting node and ending at the ending node allows decryption of the data record using the cryptographic access key;
  
  wherein the computer system comprises;
  
  a processor; and
  
  a computer-readable storage medium containing machine-readable instructions for execution by the processor, wherein execution of the instructions cause the processor to perform the steps of;
  
  decrypting the cryptographic access key with the user private key,using the cryptographic access key for decrypting the data record.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The computer system of claim 5, wherein the execution of the instructions further cause the processor:
    - encrypting a data file with the data record public key; and
      
      writing the encrypted data file to the data record.
  - 7. The computer system of claim 6, wherein execution of the instructions further cause the processor to perform the step of digitally signing the data record before writing the encrypted data record to the database.
  - 8. The computer system of claim 5, wherein the memory contains a representation of a directed acyclic graph, wherein paths along the directed acyclic graph each have a starting node and an ending node, wherein each starting node corresponds to one of the set of user accounts, wherein each ending node corresponds to one of the multiple data records, wherein a directed path from a starting node to an ending node allows decryption of the data record using the cryptographic access key.
  - 9. The computer system of claim 8, wherein each node has a node asymmetric key pair with a node private key and a node public key, wherein the node asymmetric key pair of the starting node is the user asymmetric key pair, wherein the node asymmetric key pair of the ending node is the data record key pair.
  - 10. The computer system of claim 9, wherein nodes along the directed path form a chain of nodes starting at the starting node and ending at the ending node, wherein each of the nodes contains a node data record, wherein the node data record comprises the node public key, wherein the data record further comprises the encrypted private key of the next node in the chain of nodes, wherein the private key of each next node is encrypted using the node public key, wherein using the cryptographic access key for decrypting the data record comprises:
    - successively decrypting the node private keys of the chain of nodes; and
      
      decrypting the data record using the data record private key.
  - 11. The computer system of claim 10, wherein the instructions further cause the processor to perform the steps of:
    - encrypting a node private key with the user public key; and
      
      writing the encrypted node private key to the database system.
  - 12. The computer system of claim 10, wherein the instructions further cause the processor to:
    - accessing a new data record;
      
      generating a new record asymmetric key pair, wherein the new record asymmetric key pair comprises a new record private key and a new record public key;
      
      encrypting the new data record at least partially with the new record public key;
      
      encrypting the new data record private key with the public key of a node chosen from the representation of the directed acyclic graph; and
      
      writing the encrypted new data record, the new record public key, and the encrypted new record private key to the memory of the database.
  - 13. The computer system of claim 10, wherein the instructions further cause the processor to perform the steps of:
    - creating a new node key pair, wherein the new node key pair is an asymmetric key pair which comprises a new node public key and a new node private key;
      
      encrypting a private key of a first existing node using the new node public key;
      
      encrypting the new node private key using a public key of a second existing node; and
      
      writing the new node public key, the encrypted private key of a first existing node, and the encrypted new node private key to the memory of the database system.
  - 14. The computer system of claim 10, wherein the instructions further cause the processor to perform the step of caching the decrypted node private keys in the computer-readable storage medium for future use.
  - 15. The computer system of claim 5, wherein execution of the instructions further causes the processor to:
    - receiving a user-selected secret,storing the user-selected secret in a memory,computing the user private key by applying an embedding and randomizing function onto the secret,storing the user private key in the memory,computing the user public key using the user private key,erasing the secret and the user private key from the memory, andstoring the user public key in one of the set of user accounts.

16. A non-transitory computer-readable storage medium containing instructions for execution by a processor of a computer system for accessing a database of a database system, wherein the database system comprises:
- a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein each of the multiple data records is at least partially encrypted by its data record public key, wherein the data record private key of each asymmetric key pair is encrypted, wherein the memory contains a representation of a directed acyclic graph, wherein paths along the directed acyclic graph each have a starting node and an ending node, forming a chain of nodes;
  
  a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key, wherein the user public key is computed using the user private key;
  
  wherein each starting node corresponds to one of the set of user accounts, wherein each ending node corresponds to one of the multiple data records;
  
  wherein data is added to a data record by encrypting it with the data record public key;
  
  wherein access to the data record is granted to a user account by a cryptographic access key encrypted with the user public key;
  
  wherein a directed path formed by the chain of nodes starting at the starting node and ending at the ending node allows decryption of the data record using the cryptographic access; and
  
  wherein execution of the instructions cause the processor to perform the steps of;
  
  decrypting the cryptographic access key with the user private key,using the cryptographic access key for decrypting the data record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adrian Spalka, CompuGroup Medical SE
Original Assignee
Compugroup Medical AG (CompuGroup Medical SE & Co. KGaA)
Inventors
Spalka, Adrian, Lehnhardt, Jan
Primary Examiner(s)
Kyle, Tamara T
Assistant Examiner(s)
VOSTAL, ONDREJ C

Application Number

US12/968,537
Publication Number

US 20110173455A1
Time in Patent Office

1,427 Days
Field of Search

713/189, 713/156, 340/572.1, 380/277
US Class Current

726/7
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6254   by anonymising data, e.g. d...

G06F 21/64   Protecting data integrity, ...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/0421   Anonymous communication, i....

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0863   involving passwords or one-...

H04L 9/0869   involving random numbers or...

H04L 9/30   Public key, i.e. encryption...

Database system, computer system, and computer-readable storage medium for decrypting a data record

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Database system, computer system, and computer-readable storage medium for decrypting a data record

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links