Encryption/decryption in a cloud storage solution

US 9,930,026 B2
Filed: 10/20/2014
Issued: 03/27/2018
Est. Priority Date: 10/20/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for decrypting encrypted data received from a cloud, comprising:

receiving a record from a cloud storage solution at a client system, wherein at least one data field in the received record is encrypted, wherein each encrypted data field is associated with an encrypted field identifier, and wherein the encrypted data fields were encrypted external to the cloud storage solution and prior to storage in the cloud storage solution;

providing a client certification key associated with a user accessing the record and at least one encrypted field identifier to a security server, wherein the security server is separate from the cloud storage solution and wherein decryption keys associated with the encrypted data fields are stored only on the security server, and wherein the client system is associated with a local program coordinating access with the security server and operable when executed to communicate with the security server;

receiving at least one decryption key associated with at least one of the at least one encrypted field identifier from the security server;

decrypting, by the local program using each of the received decryption keys, at least one encrypted data field; and

presenting the received record to the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure generally describes computer-implemented methods, software, and systems, including a method for decryption of data stored in the cloud. A record is received from a cloud storage solution, wherein at least one data field in the received record is encrypted, and wherein each encrypted data field is associated with an encrypted field identifier. A client certification key associated with a user accessing the record and at least one encrypted field identifier are provided to a security server. At least one decryption key associated with at least one of the at least one encrypted field identifier is received. Using each of received decryption key, at least one encrypted data field is decrypted. The received record is presented to the user accessing the record.

22 Citations

View as Search Results

18 Claims

1. A computer-implemented method for decrypting encrypted data received from a cloud, comprising:
- receiving a record from a cloud storage solution at a client system, wherein at least one data field in the received record is encrypted, wherein each encrypted data field is associated with an encrypted field identifier, and wherein the encrypted data fields were encrypted external to the cloud storage solution and prior to storage in the cloud storage solution;
  
  providing a client certification key associated with a user accessing the record and at least one encrypted field identifier to a security server, wherein the security server is separate from the cloud storage solution and wherein decryption keys associated with the encrypted data fields are stored only on the security server, and wherein the client system is associated with a local program coordinating access with the security server and operable when executed to communicate with the security server;
  
  receiving at least one decryption key associated with at least one of the at least one encrypted field identifier from the security server;
  
  decrypting, by the local program using each of the received decryption keys, at least one encrypted data field; and
  
  presenting the received record to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein the client certification key corresponds to a single sign-on (SSO) authorization, wherein the SSO authorization allows access to the received record from the cloud storage solution.
  - 3. The computer-implemented method of claim 1, wherein the client certification key associated with the user accessing the record provides authorized access to fewer than all of the encrypted data fields within the record, and wherein presenting the received record to the user includes presenting at least one data field without decrypting the at least one data field.
  - 4. The computer-implemented method of claim 1, wherein the security server performs one or more operations, including:
    - determining, for each encrypted field identifier, whether the user associated with the client certification key is authorized to view decrypted contents of the corresponding encrypted data field; and
      
      providing, for each encrypted field identifier for which the user associated with the client certification key is authorized, a decryption key associated with the encrypted field identifier.
  - 5. The computer-implemented method of claim 1, wherein the local program is a client browser plug-in.
  - 6. The computer-implemented method of claim 4, wherein the determination of whether the user associated with the client certification key is authorized to view the decrypted contents of an encrypted data field is based on the client certification key of the user being associated with at least one of a role of the user, a pre-defined authorization, the user'"'"'s region, or the user'"'"'s membership in a group, family, team, or department, or one or more of the user'"'"'s role, education, certification, or location.
  - 7. The computer-implemented method of claim 6, wherein a first encrypted data field is authorized for access by a single first user, and wherein a different second encrypted data field is authorized for access by a different second user.
  - 8. The computer-implemented method of claim 1, wherein a level of encryption associated with user access for the record is set using inputs from an administrator or a record keeper.
  - 9. The computer-implemented method of claim 1, wherein presenting the received record to the user includes, when the user does not have authorization to see a particular data field, presenting a placeholder field value in lieu of encrypted information.
  - 10. The computer-implemented method of claim 1, further comprising:
    - identifying a record to be stored in the cloud;
      
      identifying settings associated with the record, including which of the fields are to be encrypted and using which particular keys;
      
      providing, to the security server, a client certification key for encryption;
      
      receiving, from the security server, an encryption key based on the client certification key and an authorization to encrypt;
      
      encrypting particular fields prior to storage in the cloud; and
      
      sending the record to the cloud for storage.
  - 11. The computer-implemented method of claim 1, further comprising:
    - determining that an update has occurred on a field value in the record;
      
      encrypting the field value; and
      
      sending the record to the cloud storage solution for storage.
  - 12. The computer-implemented method of claim 1, wherein the cloud storage solution encrypts the record in its entirety in the cloud.

13. A computer system, comprising:
- memory operable to store content, including static and dynamic content; and
  
  at least one hardware processor interoperably coupled to the memory and operable to perform instructions to;
  
  receive a record from a cloud storage solution at a client system, wherein at least one data field in the received record is encrypted, wherein each encrypted data field is associated with an encrypted field identifier, and wherein the encrypted data fields were encrypted external to the cloud storage solution and prior to storage in the cloud storage solution;
  
  provide a client certification key associated with a user accessing the record and at least one encrypted field identifier to a security server, wherein the security server is separate from the cloud storage solution and wherein decryption keys associated with the encrypted data fields are stored only on the security server, and wherein the client system is associated with a local program coordinating access with the security server and operable when executed to communicate with the security server;
  
  receive at least one decryption key associated with at least one of the at least one encrypted field identifier from the security server;
  
  decrypt, by the local program using each of the received decryption keys, at least one encrypted data field; and
  
  present the received record to the user.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer system of claim 13, wherein the client certification key corresponds to a single sign-on (SSO) authorization, wherein the SSO authorization allows access to the received record from the cloud storage solution.
  - 15. The computer system of claim 13, wherein the client certification key associated with the user accessing the record provides authorized access to fewer than all of the encrypted data fields within the record, and wherein presenting the received record to the user includes presenting at least one data field without decrypting the at least one data field.
  - 16. The computer system of claim 13, wherein the security server performs one or more operations, including:
    - determining, for each encrypted field identifier, whether the user associated with the client certification key is authorized to view decrypted contents of the corresponding encrypted data field; and
      
      providing, for each encrypted field identifier for which the user associated with the client certification key is authorized, a decryption key associated with the encrypted field identifier.
  - 17. The computer system of claim 13, wherein the local program is a client browser plug in.
  - 18. The computer system of claim 16, wherein the determination of whether the user associated with the client certification key is authorized to view the decrypted contents of an encrypted data field is based on the client certification key of the user being associated with at least one of a role of the user, a pre-defined authorization, the user'"'"'s region, or the user'"'"'s membership in a group, family, team, or department, or one or more of the user'"'"'s role, education, certification, or location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Shoshan, Itzhak
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US14/518,055
Publication Number

US 20160344724A1
Time in Patent Office

1,254 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/0815 providing single-sign-on or...

Encryption/decryption in a cloud storage solution

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption/decryption in a cloud storage solution

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links