Searchable encryption enabling encrypted search based on document type
First Claim
1. A method for searchable encryption of cloud stored data encoding a document type, comprising:
receiving, at a network intermediary device over a communication network, a document of a first document type destined for a cloud service provider, the first document type identifying a logical definition of the document as defined by a computing system;
applying, at the network intermediary device, a searchable encryption algorithm to the document to generate a search index;
in response to the encryption of the document by the searchable encryption algorithm, generating, by the network intermediary device, one or more entries in the search index stored in the network intermediary, the one or more entries including a mapping of encrypted keyword labels for some or all of the keywords in the document to an encrypted document index identifying the document being encrypted, each encrypted keyword label being generated by applying a pseudorandom function using a key to encode a document type identifier into the encrypted keyword label, where the key relates to a respective keyword of the document, the document type identifier is indicative of the first document type of the document, the document type identifier identifying the logical definition of the document as defined by the computing system;
encrypting, by the network intermediary device, the document using a second encryption algorithm;
transmitting, over the communication network by the network intermediary device, the encrypted document to the cloud service provider to be stored at the cloud service provider;
receiving, at the network intermediary device over the communication network by a client device, a search request comprising a requested document type for documents stored at the cloud service provider; and
retrieving, by the network intermediary device, from the cloud service providers one or more documents matching the requested document type,
wherein generating, by the network intermediary device, one or more entries in the search index stored in the network intermediary comprises;
generating, by the network intermediary device, one or more entries in the search index stored in the network intermediary, the one or more entries including a mapping of encrypted keyword labels for some or all of the keywords in the document to the encrypted document index identifying the document being encrypted, each encrypted keyword label being generated by applying the pseudorandom function using a key to encode a document type identifier indicative of the document type of the document and a counter value indicative of a number of occurrences of the respective keyword in previously encrypted documents of the same document type as the document being encrypted.
Abstract
A searchable encryption method enables encrypted search of encrypted documents based on document type. In some embodiments, the searchable encryption method is implemented in a network intermediary, such as a proxy server. The network intermediary encrypts documents on behalf of a user or an enterprise destined to be stored on a cloud service provider. The searchable encryption method encodes document type information into the encrypted search index while preserving encryption security. Furthermore, the searchable encryption method enables search of encrypted documents using the same encrypted index, either for a particular document type or for all encrypted documents regardless of the document type.
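The index construction summarized above, as an added example that is not code from the patent: each label is a PRF output under a keyword-related key over the document type identifier and a per-(keyword, type) counter, and one index answers both single-type and all-type searches. HMAC-SHA256 as the PRF, the key derivation, the XOR pad protecting the document id, and all names and sample documents are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 standing in for the pseudorandom function (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

class TypedIndex:
    """Proxy-side encrypted index: label -> encrypted document id."""

    def __init__(self, master_key: bytes, doc_types):
        self.master_key = master_key
        self.doc_types = list(doc_types)  # type identifiers known to the proxy
        self.counters = {}                # (keyword, type) -> entries so far
        self.index = {}                   # holds only PRF outputs and ciphertext

    def _entry(self, keyword: str, doc_type: str, count: int):
        # The key relates to the keyword; type id and counter are the PRF input.
        k_w = prf(self.master_key, b"kw|" + keyword.encode())
        msg = doc_type.encode() + b"|" + count.to_bytes(8, "big")
        return prf(k_w, b"label|" + msg), prf(k_w, b"pad|" + msg)[:16]

    def add(self, doc_id: int, doc_type: str, keywords):
        for kw in set(keywords):
            n = self.counters.get((kw, doc_type), 0)
            label, pad = self._entry(kw, doc_type, n)
            raw = doc_id.to_bytes(16, "big")
            self.index[label] = bytes(a ^ b for a, b in zip(raw, pad))
            self.counters[(kw, doc_type)] = n + 1

    def search(self, keyword: str, doc_type=None):
        """One type, or every known type when doc_type is None."""
        hits = []
        for t in ([doc_type] if doc_type else self.doc_types):
            n = 0
            while True:  # walk counters 0, 1, 2, ... until a label is absent
                label, pad = self._entry(keyword, t, n)
                ct = self.index.get(label)
                if ct is None:
                    break
                hits.append(int.from_bytes(bytes(a ^ b for a, b in zip(ct, pad)), "big"))
                n += 1
        return hits

def build_demo():
    # Constructed sample documents: (id, type, keywords)
    idx = TypedIndex(b"\x01" * 32, ["spreadsheet", "email"])
    for doc_id, doc_type, kws in [(1, "spreadsheet", ["budget", "q3"]),
                                  (2, "email", ["budget"]),
                                  (3, "spreadsheet", ["budget", "forecast"])]:
        idx.add(doc_id, doc_type, kws)
    return idx
```

Search recomputes labels from the key alone and stops at the first missing counter, so the stored index never holds a plaintext keyword, type, or document id.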
16 Claims
1. A method for searchable encryption of cloud stored data encoding a document type, comprising: (elements as set out under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for searchable encryption of cloud stored data encoding a document type, comprising:
a network proxy server configured as a network intermediary device to receive, over a communication network, a document of a first document type destined for a cloud service provider, the first document type identifying a logical definition of the document as defined by a computing system, the network proxy server being configured to apply a searchable encryption algorithm to the document to generate a search index, in response to the encryption of the document by the searchable encryption algorithm, the network proxy server is being configured to generate one or more entries in a search index stored in the network intermediary device where the one or more entries include a mapping of encrypted keyword labels for some or all of the keywords in the document to an encrypted document index identifying the document being encrypted, each encrypted keyword label being generated by applying a pseudorandom function using a key to encode a document type identifier into the encrypted keyword label, where the key relates to a respective keyword of the document, the document type identifier is indicative of the first document type of the document, the document type identifier identifying the logical definition of the document as defined by the computing system, the network proxy server further configured to encrypt the document using a second encryption algorithm, to transmit, over the communication network, the encrypted document to the cloud service provider to be stored at the cloud service provider, to receive, over the communication network by a client device, a search request comprising a requested document type for documents stored at the cloud service provider, and to retrieve from the cloud service providers one or more documents matching the requested document type, wherein the network proxy server is further configured to generate one or more entries in the search index stored in the network intermediary device where the one or more entries including a mapping of encrypted keyword labels for some or all of the keywords in the document to the encrypted document index identifying the document being encrypted, each encrypted keyword label being generated by applying the pseudorandom function using a key to encode a document type identifier indicative of the document type of the document and a counter value indicative of a number of occurrences of the respective keyword in previously encrypted documents of the same document type as the document being encrypted.
Dependent claims: 11, 12, 13, 14, 15, 16
Specification