Encrypting data for analytical web applications

US 9,830,470 B2
Filed: 10/09/2015
Issued: 11/28/2017
Est. Priority Date: 10/09/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing queries in analytical web applications over encrypted data, the method being executed using one or more processors and comprising:

receiving, by a database driver executed on a server-side computing device and from a client-side proxy, a query and one or more encryption keys, the one or more encryption keys having been selected by the client-side proxy based on operations required to perform the query, wherein the client-side proxy is configured to be stateless where no state is maintained except for the one or more encryption keys and the database driver is configured to be modified to maintain an encryption state and a decryption state;

performing at least one operation of the query to provide a query result comprising the encrypted data; and

transmitting, by the database driver, the encrypted data to the client-side proxy, the client-side proxy processing the encrypted data to provide plaintext data to an end user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer-readable storage media for processing queries in analytical web applications over encrypted data. Implementations include actions of receiving, by a database driver executed on a server-side computing device and from a client-side proxy, a query and one or more encryption keys, the one or more encryption keys having been selected by the client-side proxy based on operations required to perform the query, performing at least one operation of the query to provide a query result including encrypted data, and transmitting, by the database driver, the encrypted data to the client-side proxy, the client-side proxy processing the encrypted data to provide plaintext data to an end user.

64 Citations

View as Search Results

20 Claims

1. A computer-implemented method for processing queries in analytical web applications over encrypted data, the method being executed using one or more processors and comprising:
- receiving, by a database driver executed on a server-side computing device and from a client-side proxy, a query and one or more encryption keys, the one or more encryption keys having been selected by the client-side proxy based on operations required to perform the query, wherein the client-side proxy is configured to be stateless where no state is maintained except for the one or more encryption keys and the database driver is configured to be modified to maintain an encryption state and a decryption state;
  
  performing at least one operation of the query to provide a query result comprising the encrypted data; and
  
  transmitting, by the database driver, the encrypted data to the client-side proxy, the client-side proxy processing the encrypted data to provide plaintext data to an end user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein performing at least one operation of the query further comprises:
    - determining, by the database driver, that a particular re-encryption key is needed;
      
      transmitting, by the database driver, a request for the particular re-encryption key to the proxy; and
      
      receiving, by the database driver, the particular re-encryption key from the proxy.
  - 3. The method of claim 1, wherein performing the at least one operation of the query comprises decrypting at least a portion of a set of encrypted data stored in a database using an encryption key of the one or more encryption keys to provide lower-level encrypted data in a multi-layer encryption scheme, the encrypted data of the query result comprising the lower-level encrypted data.
  - 4. The method of claim 3, wherein the lower-level encrypted data is encrypted based on at least one of deterministic encryption and order-preserving encryption.
  - 5. The method of claim 4, further comprising:
    - providing, by the database driver, a first query part and a second query part based on the query, the first query part comprising the at least one operation;
      
      transmitting, by the database driver, the second query part to the client-side proxy with the lower-level encrypted data, wherein processing the lower-level encrypted data to provide plaintext data is performed by the proxy based on the second query part.
  - 6. The method of claim 1, wherein the proxy comprises an order-preserving encryption scheme.
  - 7. The method of claim 1, wherein the query comprises at least one encrypted parameter.

8. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for processing queries in analytical web applications over encrypted data, the operations comprising:
- receiving, by a database driver executed on a server-side computing device and from a client-side proxy, a query and one or more encryption keys, the one or more encryption keys having been selected by the client-side proxy based on operations required to perform the query, wherein the client-side proxy is configured to be stateless where no state is maintained except for the one or more encryption keys and the database driver is configured to be modified to maintain an encryption state and a decryption state;
  
  performing at least one operation of the query to provide a query result comprising the encrypted data; and
  
  transmitting, by the database driver, the encrypted data to the client-side proxy, the client-side proxy processing the encrypted data to provide plaintext data to an end user.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein performing at least one operation of the query further comprises:
    - determining, by the database driver, that a particular re-encryption key is needed;
      
      transmitting, by the database driver, a request for the particular re-encryption key to the proxy; and
      
      receiving, by the database driver, the particular re-encryption key from the proxy.
  - 10. The computer-readable storage medium of claim 8, wherein performing the at least one operation of the query comprises decrypting at least a portion of a set of encrypted data stored in a database using an encryption key of the one or more encryption keys to provide lower-level encrypted data in a multi-layer encryption scheme, the encrypted data of the query result comprising the lower-level encrypted data.
  - 11. The computer-readable storage medium of claim 10, wherein the lower-level encrypted data is encrypted based on at least one of deterministic encryption and order-preserving encryption.
  - 12. The computer-readable storage medium of claim 11, wherein the operations further comprise:
    - providing, by the database driver, a first query part and a second query part based on the query, the first query part comprising the at least one operation;
      
      transmitting, by the database driver, the second query part to the client-side proxy with the lower-level encrypted data, wherein processing the lower-level encrypted data to provide plaintext data is performed by the proxy based on the second query part.
  - 13. The computer-readable storage medium of claim 8, wherein the proxy comprises an order-preserving encryption scheme.
  - 14. The computer-readable storage medium of claim 8, wherein the query comprises at least one encrypted parameter.

15. A system, comprising:
- a server-side computing device; and
  
  a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations for processing queries in analytical web applications over encrypted data, the operations comprising;
  
  receiving, by a database driver executed on the server-side computing device and from a client-side proxy, a query and one or more encryption keys, the one or more encryption keys having been selected by the client-side proxy based on operations required to perform the query, wherein the client-side proxy is configured to be stateless where no state is maintained except for the one or more encryption keys and the database driver is configured to be modified to maintain an encryption state and a decryption state;
  
  performing at least one operation of the query to provide a query result comprising the encrypted data; and
  
  transmitting, by the database driver, the encrypted data to the client-side proxy, the client-side proxy processing the encrypted data to provide plaintext data to an end user.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein performing at least one operation of the query further comprises:
    - determining, by the database driver, that a particular re-encryption key is needed;
      
      transmitting, by the database driver, a request for the particular re-encryption key to the proxy; and
      
      receiving, by the database driver, the particular re-encryption key from the proxy.
  - 17. The system of claim 15, wherein performing the at least one operation of the query comprises decrypting at least a portion of a set of encrypted data stored in a database using an encryption key of the one or more encryption keys to provide lower-level encrypted data in a multi-layer encryption scheme, the encrypted data of the query result comprising the lower-level encrypted data.
  - 18. The system of claim 17, wherein the lower-level encrypted data is encrypted based on at least one of deterministic encryption and order-preserving encryption.
  - 19. The system of claim 18, wherein operations further comprise:
    - providing, by the database driver, a first query part and a second query part based on the query, the first query part comprising the at least one operation;
      
      transmitting, by the database driver, the second query part to the client-side proxy with the lower-level encrypted data, wherein processing the lower-level encrypted data to provide plaintext data is performed by the proxy based on the second query part.
  - 20. The system of claim 15, wherein the proxy comprises an order-preserving encryption scheme.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Kerschbaum, Florian, Fuhry, Benny, Xu, Wei, Keble, Josef, Tighzert, Walter
Primary Examiner(s)
PLECHA, THADDEUS J

Application Number

US14/880,095
Publication Number

US 20170103227A1
Time in Patent Office

781 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0281   Proxies

H04L 63/0478   applying multiple layers of...

H04L 9/008   involving homomorphic encry...

H04L 9/0819   Key transport or distributi...

Encrypting data for analytical web applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting data for analytical web applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links