Cloud key directory for federating data exchanges

US 8,935,810 B2
Filed: 12/03/2013
Issued: 01/13/2015
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing attribute-based data access, the method comprising:

an act of receiving a data request, the data request specifying one or more search data attributes describing requested data that is to be found in an anonymous directory, wherein the anonymous directory is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using multi-authority attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;

an act of determining that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and

an act of providing the particular portion of data in response to the data request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to providing attribute-based data access. In an embodiment, a data request specifies one or more search data attributes describing requested data that is to be found in an anonymous directory. The anonymous directory is configured to provide access to secured data according to access controls defined one or more clients. The secured data includes data that is associated with a particular client and that is encrypted using multi-authority attribute-based encryption, which associates the data with one or more encryption data attributes and that enables the data to be provided if conditions in the corresponding access controls are met. The particular portion of data is provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes is determined to be relevant to at least one of the encryption data attributes.

Citations

20 Claims

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing attribute-based data access, the method comprising:
- an act of receiving a data request, the data request specifying one or more search data attributes describing requested data that is to be found in an anonymous directory, wherein the anonymous directory is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using multi-authority attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;
  
  an act of determining that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and
  
  an act of providing the particular portion of data in response to the data request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the anonymous directory is configured to enable discovery of the particular client'"'"'s particular portion of data, based on a threshold number of encryption data attributes being requested in the data request.
  - 3. The method of claim 1, wherein the anonymous directory is configured to enable the one or more clients to specify which secured data is to be provided in response to data requests, based on one or more of user identity or user type.
  - 4. The method of claim 1, wherein the anonymous directory is configured to enable the one or more clients to dynamically change which of their secured data is provided in response to data requests by changing the corresponding access controls.
  - 5. The method of claim 1, wherein the anonymous directory is configured to enable requests for secured data without a prior knowledge of what secured data is available through the anonymous directory and without a prior knowledge of the one or more clients.
  - 6. The method of claim 1, wherein determining that the conditions in the corresponding access controls are met comprises one or more of determining that a user making the data request is a specified user or determining that the user is of a specified user type.
  - 7. The method of claim 1, wherein at least a portion of secured data of the particular client remains unavailable to data requests received by the anonymous directory, based on the particular client'"'"'s corresponding access controls.

8. A computer program product for implementing a method for providing attribute-based data access, the computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of receiving a data request, the data request specifying one or more search data attributes describing requested data that is to be found in an anonymous directory, wherein the anonymous directory is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using multi-authority attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;
  
  an act of determining that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and
  
  an act of providing the particular portion of data in response to the data request.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program product of claim 8, wherein the corresponding access controls of the particular client apply one or more different encryption data attributes to different portions of secured data corresponding to the particular client and that is stored in the anonymous directory.
  - 10. The computer program product of claim 8, wherein the encryption data attributes applied by the particular client are user-specific, such that different users are provided different data based on their identity.
  - 11. The computer program product of claim 8, wherein the data request identifies a user.
  - 12. The computer program product of claim 8, wherein the anonymous directory is configured to provide one or more directory users access to the secured data of the one or more clients.
  - 13. The computer program product of claim 8, wherein the anonymous directory is configured to enable the particular portion of data of the particular client to be provided for any request that uses at least one of the encryption data attributes.

14. A computer system comprising the following:
- one or more processors;
  
  system memory; and
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the computing system to perform a method for providing attribute-based data access, the method comprising the following;
  
  an act of receiving a data request, the data request specifying one or more search data attributes describing requested data that is to be found in an anonymous directory, wherein the anonymous directory is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using multi-authority attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;
  
  an act of determining that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and
  
  an act of providing the particular portion of data in response to the data request.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer system of claim 14, wherein the corresponding access controls of the particular client apply one or more different encryption data attributes to different portions of secured data corresponding to the particular client and that is stored in the anonymous directory.
  - 16. The computer system of claim 14, wherein the encryption data attributes applied by the particular client are user-specific, such that different users are provided different data based on their identity.
  - 17. The computer system of claim 14, wherein the data request identifies the user.
  - 18. The computer system of claim 14, wherein the anonymous directory is configured to provide one or more directory users access to the secured data of the one or more clients.
  - 19. The computer system of claim 14, wherein the anonymous directory is configured to enable the particular portion of data of the particular client to be provided to any authorized user who requests data using at least one of the encryption data attributes.
  - 20. The computer system of claim 14, wherein the anonymous directory is configured to enable discovery of the particular client'"'"'s particular portion of data, based on a threshold number of encryption data attributes being requested in the data request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
D'Souza, Roy Peter, Pandey, Omkant
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/095,130
Publication Number

US 20140090089A1
Time in Patent Office

406 Days
Field of Search

None
US Class Current

726/30
CPC Class Codes

G06F 16/256   in federated or virtual dat...

G06F 16/27   Replication, distribution o...

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

Cloud key directory for federating data exchanges

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud key directory for federating data exchanges

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links