Cloud key directory for federating data exchanges

US 9,558,370 B2
Filed: 12/02/2015
Issued: 01/31/2017
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing attribute-based data access, the method comprising:

receiving a data request, the data request specifying one or more search data attributes describing requested data that is to be found in a data store, wherein the data store is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using an attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;

determining that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and

providing the particular portion of data in response to the data request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to providing attribute-based data access. In an embodiment, a data request specifies one or more search data attributes describing requested data that is to be found in a data store. The data store is configured to provide access to secured data according to access controls defined by one or more clients. The secured data includes data that is associated with a particular client and that is encrypted using attribute-based encryption, which associates the data with one or more encryption data attributes and that enables the data to be provided if conditions in the corresponding access controls are met. The particular portion of data is provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes is determined to be relevant to at least one of the encryption data attributes.

Citations

20 Claims

1. At a computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for providing attribute-based data access, the method comprising:
- receiving a data request, the data request specifying one or more search data attributes describing requested data that is to be found in a data store, wherein the data store is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using an attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;
  
  determining that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and
  
  providing the particular portion of data in response to the data request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the data store is configured to enable discovery of the particular client'"'"'s particular portion of data, based on a threshold number of encryption data attributes being requested in the data request.
  - 3. The method of claim 1, wherein the data store is configured to enable the one or more clients to specify which secured data is to be provided in response to data requests, based on one or more of user identity or user type.
  - 4. The method of claim 1, wherein the data store is configured to enable the one or more clients to dynamically change which of their secured data is provided in response to data requests by changing the corresponding access controls.
  - 5. The method of claim 1, wherein the data store is configured to enable requests for secured data without a prior knowledge of what secured data is available through the data store and without a prior knowledge of the one or more clients.
  - 6. The method of claim 1, wherein determining that the conditions in the corresponding access controls are met comprises one or more of determining that a user making the data request is a specified user or determining that the user is of a specified user type.
  - 7. The method of claim 1, wherein at least a portion of secured data of the particular client remains unavailable to data requests received by the data store, based on the particular client'"'"'s corresponding access controls.

8. A computer program product for implementing a method for providing attribute-based data access, the computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors of a computing system to cause the computing system to perform at least the following:
- receive a data request, the data request specifying one or more search data attributes describing requested data that is to be found in a data store, wherein the data store is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using an attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;
  
  determine that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and
  
  provide the particular portion of data in response to the data request.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program product of claim 8, wherein the corresponding access controls of the particular client apply one or more different encryption data attributes to different portions of secured data corresponding to the particular client and that is stored in the data store.
  - 10. The computer program product of claim 8, wherein the encryption data attributes applied by the particular client are user-specific, such that different users are provided different data based on their identity.
  - 11. The computer program product of claim 8, wherein the data request identifies a user.
  - 12. The computer program product of claim 8, wherein the data store is configured to provide one or more users access to the secured data of the one or more clients.
  - 13. The computer program product of claim 8, wherein the data store is configured to enable the particular portion of data of the particular client to be provided for any request that uses at least one of the encryption data attributes.

14. A computer system comprising the following:
- one or more processors;
  
  system memory; and
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that are executable by the one or more processors to cause the computer system to provide attribute-based data access, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following;
  
  receive a data request, the data request specifying one or more search data attributes describing requested data that is to be found in a data store, wherein the data store is configured to provide access to secured data of one or more clients according to corresponding access controls defined by each of the one or more clients, the secured data including a particular portion of data that is associated with a particular client and that is encrypted using an attribute-based encryption that associates the particular portion of data with one or more encryption data attributes and that enables the particular portion of data to be provided if conditions in the corresponding access controls are met;
  
  determine that the particular portion of data should be provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes of the data request is determined to be relevant to at least one of the encryption data attributes; and
  
  provide the particular portion of data in response to the data request.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer system of claim 14, wherein the corresponding access controls of the particular client apply one or more different encryption data attributes to different portions of secured data corresponding to the particular client and that is stored in the data store.
  - 16. The computer system of claim 14, wherein the encryption data attributes applied by the particular client are user-specific, such that different users are provided different data based on their identity.
  - 17. The computer system of claim 14, wherein the data request identifies the user.
  - 18. The computer system of claim 14, wherein the data store is configured to provide one or more users access to the secured data of the one or more clients.
  - 19. The computer system of claim 14, wherein the data store is configured to enable the particular portion of data of the particular client to be provided to any authorized user who requests data using at least one of the encryption data attributes.
  - 20. The computer system of claim 14, wherein the data store is configured to enable discovery of the particular client'"'"'s particular portion of data, based on a threshold number of encryption data attributes being requested in the data request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
D'Souza, Roy Peter, Pandey, Omkant
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/956,845
Publication Number

US 20160196452A1
Time in Patent Office

426 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/256   in federated or virtual dat...

G06F 16/27   Replication, distribution o...

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

Cloud key directory for federating data exchanges

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud key directory for federating data exchanges

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links