Secure application access system

US 9,552,492 B2
Filed: 12/09/2013
Issued: 01/24/2017
Est. Priority Date: 08/01/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

requesting, by a first device, an encrypted record from a second device;

receiving, by the first device, the encrypted record from the second device;

decrypting, by the first device, the received encrypted record as decrypted data;

creating, by the first device, an index of keywords;

scanning the decrypted data, and for each keyword encountered in the decrypted data, associating in the index a unique identifier string with the encountered keyword and inserting the unique identifier string in a modified encrypted record corresponding to a location where the keyword was encountered;

sending the modified encrypted record to the second device to replace the encrypted record stored on the second device;

receiving a search query from a client device, the search query entered by a user in a search area that is mapped to the first device, the search query comprising one or more keywords;

matching the one or more keywords with one or more keywords in the index;

in response to a match of a keyword in the index, generating a second search query for the second device that includes a substring of encrypted data retrieved from the index that is associated with the matched keyword; and

sending the second search query to the second device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy server creates an index of keywords, receives an encrypted record, decrypts the received encrypted record as decrypted data and, when a keyword in the index is encountered in the decrypted data, associates in the index an encrypted record location identifier with the encountered keyword. The proxy server receives a search query and uses the keyword index to retrieve encrypted records from the server. The encrypted records are decrypted and sent as search results in response to the search query.

78 Citations

View as Search Results

21 Claims

1. A method, comprising:
- requesting, by a first device, an encrypted record from a second device;
  
  receiving, by the first device, the encrypted record from the second device;
  
  decrypting, by the first device, the received encrypted record as decrypted data;
  
  creating, by the first device, an index of keywords;
  
  scanning the decrypted data, and for each keyword encountered in the decrypted data, associating in the index a unique identifier string with the encountered keyword and inserting the unique identifier string in a modified encrypted record corresponding to a location where the keyword was encountered;
  
  sending the modified encrypted record to the second device to replace the encrypted record stored on the second device;
  
  receiving a search query from a client device, the search query entered by a user in a search area that is mapped to the first device, the search query comprising one or more keywords;
  
  matching the one or more keywords with one or more keywords in the index;
  
  in response to a match of a keyword in the index, generating a second search query for the second device that includes a substring of encrypted data retrieved from the index that is associated with the matched keyword; and
  
  sending the second search query to the second device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, further comprising:
    - encrypting the decrypted data as a new encrypted record using a new encryption key;
      
      wherein the scanning step associates in the index a substring of encrypted data extracted from the new encrypted record where the keyword was encountered with the encountered keyword; and
      
      sending the new encrypted record to the second device to replace the requested encrypted record on the second device.
  - 3. The method as recited in claim 1, wherein the second device is a server.
  - 4. The method as recited in claim 1, wherein the first device is a proxy server.
  - 5. The method as recited in claim 1, wherein the index is created for a particular cloud application program.
  - 6. The method as recited in claim 1, wherein the index is created for a particular user.
  - 7. The method as recited in claim 1, further comprising:
    - receiving, by the first device, a search result set from the second device, the search result set including at least one encrypted record;
      
      decrypting the at least one encrypted record;
      
      including the decrypted at least one encrypted record in a second search result set; and
      
      sending the second search result set to a third device.

8. An apparatus, comprising:
- a subsystem at a first device, implemented at least partially in hardware, that requests an encrypted record from a second device;
  
  a subsystem at the first device, implemented at least partially in hardware, that receives the encrypted record from the second device;
  
  a subsystem at the first device, implemented at least partially in hardware, that decrypts the received encrypted record as decrypted data;
  
  a subsystem at the first device, implemented at least partially in hardware, that creates an index of keywords;
  
  a scanner subsystem at the first device, implemented at least partially in hardware, that scans the decrypted data, and for each keyword encountered in the decrypted data, associates in the index a unique identifier string with the encountered keyword and inserts the unique identifier string in a modified encrypted record corresponding to a location where the keyword was encountered;
  
  a subsystem at the first device, implemented at least partially in hardware, that sends the modified encrypted record to the second device to replace the encrypted record stored on the second device;
  
  a subsystem at the first device, implemented at least partially in hardware, that receives a search query from a client device, the search query entered by a user in a search area that is mapped to the first device, the search query comprising one or more keywords;
  
  a subsystem at the first device, implemented at least partially in hardware, that matches the one or more keywords with one or more keywords in the index;
  
  a subsystem at the first device, implemented at least partially in hardware, that, in response to a match of a keyword in the index, generates a second search query for the second device that includes a substring of encrypted data retrieved from the index that is associated with the matched keyword; and
  
  a subsystem at the first device, implemented at least partially in hardware, that sends the second search query to the second device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as recited in claim 8, further comprising:
    - a subsystem at the first device, implemented at least partially in hardware, that encrypts the decrypted data as a new encrypted record using a new encryption key;
      
      wherein the scanner subsystem associates in the index a substring of encrypted data extracted from the new encrypted record where the keyword was encountered with the encountered keyword; and
      
      a subsystem at the first device, implemented at least partially in hardware, that sends the new encrypted record to the second device to replace the requested encrypted record on the second device.
  - 10. The apparatus as recited in claim 8, wherein the second device is a server.
  - 11. The apparatus as recited in claim 8, wherein the first device is a proxy server.
  - 12. The apparatus as recited in claim 8, wherein the index is created for a particular cloud application program.
  - 13. The apparatus as recited in claim 8, wherein the index is created for a particular user.
  - 14. The apparatus as recited in claim 8, further comprising:
    - a subsystem at the first device, implemented at least partially in hardware, that receives, by the first device, a search result set from the second device, the search result set including at least one encrypted record;
      
      a subsystem at the first device, implemented at least partially in hardware, that decrypts the at least one encrypted record;
      
      a subsystem at the first device, implemented at least partially in hardware, that includes the decrypted at least one encrypted record in a second search result set; and
      
      a subsystem at the first device, implemented at least partially in hardware, that sends the second search result set to a third device.

15. A non-transitory computer readable medium, storing software instructions, which when executed by one or more processors cause performance of:
- requesting, by a first device, an encrypted record from a second device;
  
  receiving, by the first device, the encrypted record from the second device;
  
  decrypting, by the first device, the received encrypted record as decrypted data;
  
  creating, by the first device, an index of keywords;
  
  scanning the decrypted data, and for each keyword encountered in the decrypted data, associating in the index a unique identifier string with the encountered keyword and inserting the unique identifier string in a modified encrypted record corresponding to a location where the keyword was encountered;
  
  sending the modified encrypted record to the second device to replace the encrypted record stored on the second device;
  
  receiving a search query from a client device, the search query entered by a user in a search area that is mapped to the first device, the search query comprising one or more keywords;
  
  matching the one or more keywords with one or more keywords in the index;
  
  in response to a match of a keyword in the index, generating a second search query for the second device that includes a substring of encrypted data retrieved from the index that is associated with the matched keyword; and
  
  sending the second search query to the second device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium as recited in claim 15, further comprising:
    - encrypting the decrypted data as a new encrypted record using a new encryption key;
      
      wherein the scanning step associates in the index a substring of encrypted data extracted from the new encrypted record where the keyword was encountered with the encountered keyword; and
      
      sending the new encrypted record to the second device to replace the requested encrypted record on the second device.
  - 17. The non-transitory computer readable medium as recited in claim 15, wherein the second device is a server.
  - 18. The non-transitory computer readable medium as recited in claim 15, wherein the first device is a proxy server.
  - 19. The non-transitory computer readable medium as recited in claim 15, wherein the index is created for a particular cloud application program.
  - 20. The non-transitory computer readable medium as recited in claim 15, wherein the index is created for a particular user.
  - 21. The non-transitory computer readable medium as recited in claim 15, further comprising:
    - receiving, by the first device, a search result set from the second device, the search result set including at least one encrypted record;
      
      decrypting the at least one encrypted record;
      
      including the decrypted at least one encrypted record in a second search result set; and
      
      sending the second search result set to a third device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bitglass, Inc. (Forcepoint LLC)
Original Assignee
Bitglass, Inc. (Forcepoint LLC)
Inventors
Kahol, Anurag, Bhattacharjya, Anoop Kumar, Kausik, Balas Natarajan
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US14/101,329
Publication Number

US 20150039887A1
Time in Patent Office

1,142 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/6227   where protection concerns t...

H04L 41/0893   Assignment of logical group...

H04L 63/0272   Virtual private networks

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 67/56   Provisioning of proxy servi...

Secure application access system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure application access system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links