System, apparatus and method for encryption and decryption of data transmitted over a network

US 9,444,793 B2
Filed: 12/30/2010
Issued: 09/13/2016
Est. Priority Date: 09/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method for securing data transmitted between a client device and a server comprising:

obtaining, by an intermediate module, input text sent from said client device to the server;

processing said input text at the intermediate module to obtain processed text, wherein said processing comprises;

when the input text is not to be searchable by the server, transforming the input text non-deterministically or a combination of deterministically and non-deterministically, using at least one key to obtain processed text; and

when the input text is to be searchable by the server, transforming said input text deterministically, using at least one key to obtain processed text, and including a statistically significant feature in the processed text, the feature including a rarely used character or group of characters; and

transmitting the processed text to the server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for securing data transmitted between a client device and a server by obtaining input text at an intermediate module, processing the input text to obtain processed text, deciding whether to transform the input text deterministically or non-deterministically, or a combination of deterministically and non-deterministically, and based on that decision, transforming the input text accordingly, using at least one key to obtain processed text, and transmitting the processed text to the server. Other embodiments and features of the invention include (independently or together) searching for processed text, allowing for sorting of processed text records by applying an order-preserving transformation, storing unabridged processed elements in a storage device managed by the intermediate module, providing a function by the intermediate module on the input data in lieu of the server, and processing the processed text so as to determine by the intermediate module a transformation applied by the server on input text.

Citations

62 Claims

1. A method for securing data transmitted between a client device and a server comprising:
- obtaining, by an intermediate module, input text sent from said client device to the server;
  
  processing said input text at the intermediate module to obtain processed text, wherein said processing comprises;
  
  when the input text is not to be searchable by the server, transforming the input text non-deterministically or a combination of deterministically and non-deterministically, using at least one key to obtain processed text; and
  
  when the input text is to be searchable by the server, transforming said input text deterministically, using at least one key to obtain processed text, and including a statistically significant feature in the processed text, the feature including a rarely used character or group of characters; and
  
  transmitting the processed text to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The method of claim 1, further comprising for at least a portion of said input text, determining not to transform a portion of the input text.
  - 3. The method of claim 1, further comprising:
    - receiving processed text at the intermediate module; and
      
      applying a reverse processing on said processed text to obtain original input text.
  - 4. The method of claim 3, further comprising sending said original input text to said client device.
  - 5. The method of claim 1, wherein said step of transforming said input text deterministically and non-deterministically comprises:
    - non-deterministically transforming the input text using a first key to produce a non-deterministically transformed text; and
      
      deterministically transforming each of a plurality of input tokens in the input text using a second key to produce a respective plurality of deterministically transformed tokens,wherein transmitting the processed input text to the server comprises transmitting the non-deterministically transformed text and the plurality of deterministically transformed tokens to the server.
  - 6. The method of claim 5, wherein said first key and said second key are identical.
  - 7. The method of claim 5, wherein transforming said input text deterministically comprises performing an irreversible transformation on said input text.
  - 8. The method of claim 1,wherein said input text is a search query including at least one search term,wherein transforming said input text comprises deterministically transforming said at least one search term using a first key to produce a respective at least one deterministically transformed search term, andwherein transmitting the processed input text to the server comprises transmitting the at least one deterministically transformed search term to the server.
  - 9. The method of claim 8, wherein transforming said input text further comprises:
    - non-deterministically transforming the input text using a second key to produce a non-deterministically transformed text; and
      
      combining the at least one deterministically transformed search term and the non-deterministically transformed text using a logical disjunction operator to obtain a combined processed text,wherein transmitting the processed input text to the server comprises transmitting the combined processed text to the server.
  - 10. The method of claim 9, wherein transforming said input text deterministically comprises performing a reversible transformation on said input text.
  - 11. The method of claim 1, wherein said processed text comprises a string of characters selected from a processed text character set, said processed text character set comprising at least one contiguous subset of the Unicode character set.
  - 12. The method of claim 11, wherein said at least one contiguous subset includes characters in the letter or number character category, or both.
  - 13. The method of claim 11, wherein said at least one contiguous subset comprises between one and ten subset ranges of the Unicode character set.
  - 14. The method of claim 11, wherein the at least one contiguous subset is selected from the set of Unicode characters consisting of Korean Hangul, Chinese, Japanese and Korean (CJK) Unified Ideographs, and a combination thereof.
  - 15. The method of claim 1, wherein transforming said input text comprises transforming a plurality of separate portions of said input text, at least one of said plurality of portions of said input text including no more than a maximum number of characters.
  - 16. The method of claim 1, wherein transforming said input text deterministically comprises:
    - normalizing at least one portion of said input text to obtain at least one normalized input portion by applying at least one normalization rule to said input text;
      
      deterministically transforming said at least one normalized input portion to obtain at least one transformed normalized input portions; and
      
      including said at least one transformed normalized input portion in said processed text.
  - 17. The method of claim 16, wherein said at least one normalization rule includes letter case conversion.
  - 18. The method of claim 16, wherein said at least one normalization rule includes replacing characters having diacritical marks with matching characters not having diacritical marks.
  - 19. The method of claim 16, wherein said at least one normalization rule includes replacing ligature characters with their respective constituent characters.
  - 20. The method of claim 16, wherein said at least one normalization rule includes replacing at least one word contained in said input text with a morphological variant matching said at least one word.
  - 21. The method of claim 16, wherein said at least one normalization rule includes replacing at least one word contained in said input text by a plurality of words.
  - 22. The method of claim 1, wherein a decision to transform the input text non-deterministically is based on whether said word is member of a set of words.
  - 23. The method of claim 1, wherein a decision to transform a word of the input text non-deterministically is based on a length of said word.
  - 24. The method of claim 1, wherein transforming said input text further comprises changing the order of portions of said processed text.
  - 25. The method of claim 1, wherein transforming said input text further comprises including at least one excess token in said processed text, said at least one excess token being distinguished from other tokens included in said processed text only after gaining access to a secret key.
  - 26. The method of claim 1, wherein said intermediate module is a software plug-in module installed in said client device.
  - 27. The method of claim 1, wherein said intermediate module is an intermediate server computer connected to said client device and to said server.
  - 28. The method of claim 1, wherein the input text includes textual information and at least one instruction relating to the manner of handling said textual information, wherein the method further comprises:
    - processing the at least one instruction to obtain at least one processed instruction;
      
      including said at least one processed instruction in said processed text; and
      
      including an indication in said processed text indicating presence and location of the processed instruction within the processed text.
  - 29. The method of claim 28, wherein the at least one handling instruction includes HTML markup.
  - 30. The method of claim 2, wherein determining not to transform a portion of the input text further comprises:
    - detecting at least one handling instruction contained in the input text, said handling instruction relating to the manner of handling said input text; and
      
      deciding not to transform said at least one handling instruction.
  - 31. The method of claim 1, wherein the input text is transformed non-deterministically upon detecting at least one handling instruction contained in the input text, said handling instruction relating to the manner of handling said input text.

32. A system for securing data transmitted between a client device and a server comprising:
- a memory; and
  
  a controller configured to;
  
  obtain input text sent from the client device to the server;
  
  process said input text to obtain processed text, wherein said controller is configured to process said input text by;
  
  when the input text is not to be searchable by the server, transforming the input text non-deterministically or a combination of deterministically and non-deterministically, using at least one key, to obtain processed text; and
  
  when the input text is to be searchable by the server, transforming said input text deterministically, using at least one key to obtain processed text, and including a statistically significant feature in the processed text, the feature including a rarely used character or group of characters; and
  
  transmit the processed text to the server.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62)
- - 33. The system of claim 32, wherein said controller is further configured to determine not to transform at least a portion of the input text.
  - 34. The system of claim 32, wherein said controller is further configured to:
    - receive processed text from the server; and
      
      apply a reverse processing on said processed text to obtain original input text.
  - 35. The system of claim 34, wherein said controller is further configured to send said original input text to said client device.
  - 36. The system of claim 32, wherein said controller is further configured to transform said input text deterministically and non-deterministically by:
    - non-deterministically transforming the input text using a first key to produce a non-deterministically transformed text; and
      
      deterministically transforming each of a plurality of input tokens in the input text using a second key to produce a respective plurality of deterministically transformed tokens,wherein said controller is configured to transmit the processed input text to the server by transmitting the non-deterministically transformed text and the plurality of deterministically transformed tokens to the server.
  - 37. The system of claim 36, wherein said first key and said second key are identical.
  - 38. The system of claim 36, wherein said controller is further configured to transform said input text deterministically by performing an irreversible transformation on said input text.
  - 39. The system of claim 32,wherein said input text is a search query including at least one search term,wherein said controller is configured to transform said input text by deterministically transforming said at least one search term using a first key to produce a respective at least one deterministically transformed search term, andwherein said controller is further to transmit the processed input text to the server by transmitting the at least one deterministically transformed search term to the server.
  - 40. The system of claim 39, wherein said controller is further to transform said input text by:
    - non-deterministically transforming the input text using a second key to produce a non-deterministically transformed text; and
      
      combining the at least one deterministically transformed search term and the non-deterministically transformed text using a logical disjunction operator to obtain a combined processed text,wherein said controller is configured to transmit the processed input text to the server by transmitting the combined processed text to the server.
  - 41. The system of claim 40, wherein said controller is configured to transform said input text deterministically by performing a reversible transformation on said input text.
  - 42. The system of claim 32, wherein said processed text comprises a string of characters selected from a processed text character set, said processed text character set comprising at least one contiguous subset of the Unicode character set.
  - 43. The system of claim 42, wherein said at least one contiguous subset includes characters in the letter or number character category, or both.
  - 44. The system of claim 42, wherein said at least one contiguous subset comprises between one and ten subset ranges of the Unicode character set.
  - 45. The system of claim 42, wherein the at least one contiguous subset is selected from the set of Unicode characters consisting of Korean Hangul, Chinese, Japanese and Korean (CJK) Unified Ideographs, and a combination thereof.
  - 46. The system of claim 32, wherein said controller is configured to transform said input text by transforming a plurality of separate portions of said input text, at least one of said plurality of portions of said input text including no more than a maximum number of characters.
  - 47. The system of claim 42, wherein said controller is configured to transform said input text deterministically by:
    - normalizing at least one portion of said input text to obtain at least one normalized input portion by applying at least one normalization rule to said input text;
      
      deterministically transforming said at least one normalized input portion to obtain at least one transformed normalized input portions; and
      
      including said at least one transformed normalized input portion in said processed text.
  - 48. The system of claim 47, wherein said at least one normalization rule includes letter case conversion.
  - 49. The system of claim 47, wherein said at least one normalization rule includes replacing characters having diacritical marks with matching characters not having diacritical marks.
  - 50. The system of claim 47, wherein said at least one normalization rule includes replacing ligature characters with their respective constituent characters.
  - 51. The system of claim 47, wherein said at least one normalization rule includes replacing at least one word contained in said input text with a morphological variant matching said at least one word.
  - 52. The system of claim 47, wherein said at least one normalization rule includes replacing at least one word contained in said input text by a plurality of words.
  - 53. The system of claim 32, wherein said controller is configured to decide to transform non-deterministically a word of the input text non-deterministically based on whether said word is member of a set of words.
  - 54. The system of claim 32, wherein said controller is configured to decide to transform a word of the input text non-deterministically based on a length of said word.
  - 55. The system of claim 32, wherein said controller is configured to transform said input text further by changing the order of portions of said processed text.
  - 56. The system of claim 32, wherein said controller is configured to transform said input text by including at least one excess token in said processed text, said at least one excess token being distinguished from other tokens included in said processed text only after gaining access to a secret key.
  - 57. The system of claim 32, wherein said controller is to execute a software plug-in module installed in said client device.
  - 58. The system of claim 32, wherein said controller is included in an intermediate server computer connected to said client device and to said server.
  - 59. The system of claim 32, wherein the input text includes textual information and at least one instruction relating to the manner of handling said textual information, wherein the controller is further configured to:
    - process the at least one instruction to obtain at least one processed instruction;
      
      include said at least one processed instruction in said processed text; and
      
      include an indication in said processed text indicating presence and location of the processed instruction within the processed text.
  - 60. The system of claim 59, wherein the at least one handling instruction includes HTML markup.
  - 61. The system of claim 33, wherein said controller is configured to determine not to transform a portion of the input text further by:
    - detecting at least one handling instruction contained in the input text, said handling instruction relating to the manner of handling said input text; and
      
      deciding not to transform said at least one handling instruction.
  - 62. The system of claim 32, wherein said controller is configured to decide to transform the input text non-deterministically upon detecting at least one handling instruction contained in the input text, said handling instruction relating to the manner of handling said input text.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
Vaultive Ltd.
Inventors
Matzkel, Ben, Tal, Maayan, Lahav, Aviad
Primary Examiner(s)
Lee, Jae Y
Assistant Examiner(s)
Voltaire, Jean F

Application Number

US12/982,688
Publication Number

US 20110167107A1
Time in Patent Office

2,084 Days
Field of Search

370328-332, 709/203, 709/205, 709/217, 709/219, 709/232
US Class Current

1/1
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 21/6227   where protection concerns t...

H04L 51/00   User-to-user messaging in p...

H04L 51/066   Format adaptation, e.g. for...

H04L 51/212   using filtering or selectiv...

H04L 51/226   Delivery according to prior...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

H04L 63/0471   applying encryption by an i...

H04L 63/126   the source of the received ...

H04L 67/01   Protocols

H04L 67/06   specially adapted for file ...

H04L 67/535   Tracking the activity of th...

H04L 67/568   Storing data temporarily at...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/40   Network security protocols

System, apparatus and method for encryption and decryption of data transmitted over a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for encryption and decryption of data transmitted over a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links