Cloud key directory for federating data exchanges

US 9,992,191 B2
Filed: 12/02/2016
Issued: 06/05/2018
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method, implemented at a computer system that includes one or more processors, for decrypting and providing data based on attribute-based encryption, the method comprising:

receiving, from a first entity, a first data request associated with a first identity and comprising a search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request'"'"'s search attribute is relevant to the corresponding at least one encryption attribute;

based at least on receiving the first data request;

determining that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;

determining that a first access control defined by the first client grants the first identity access to the first portion of secured data; and

based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypting the first portion of secured data and providing the decrypted first portion of data to the first entity;

receiving, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and

based at least on receiving the second data request;

determining that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;

determining that a second access control defined by the second client grants the second identity access to the second portion of secured data; and

based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypting the second portion of secured data and providing the decrypted the second portion of data to the second entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data store provides access to portions of secured data. Each portion is associated with a client-defined access control and is encrypted with attribute-based encryption. This encryption associates each portion with an encryption attribute, and enables the portion to be provided, based on a request, in accordance its client-defined access control and when the request'"'"'s search attribute is relevant its encryption attribute. First and second portions are provided in response to first and second requests. Each request includes the same search attribute, and the first and second portions are associated with the same encryption attribute. The first portion is provided based on a first access control granting access to a first identity access and the search attribute being relevant to the encryption attribute. The second portion is provided based on a second access control granting access to a second identity and the search attribute being relevant to the encryption attribute.

Citations

21 Claims

1. A method, implemented at a computer system that includes one or more processors, for decrypting and providing data based on attribute-based encryption, the method comprising:
- receiving, from a first entity, a first data request associated with a first identity and comprising a search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request'"'"'s search attribute is relevant to the corresponding at least one encryption attribute;
  
  based at least on receiving the first data request;
  
  determining that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;
  
  determining that a first access control defined by the first client grants the first identity access to the first portion of secured data; and
  
  based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypting the first portion of secured data and providing the decrypted first portion of data to the first entity;
  
  receiving, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and
  
  based at least on receiving the second data request;
  
  determining that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;
  
  determining that a second access control defined by the second client grants the second identity access to the second portion of secured data; and
  
  based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypting the second portion of secured data and providing the decrypted the second portion of data to the second entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first data request also comprises the first identity, and wherein the second data request also comprises the second identity.
  - 3. The method of claim 1, wherein the first identity is associated with a first user identifier, and wherein the first access control grants the first user identifier.
  - 4. The method of claim 1, wherein the first identity is associated with a first user type, and wherein the first access control grants the first user type.
  - 5. The method of claim 1, wherein the plurality of portions of secured data are stored in client-specific directories at the data store.
  - 6. The method of claim 1, wherein providing the decrypted first portion of data is also based at least on sending the search attribute to a third party for verification.
  - 7. The method of claim 1, wherein providing the decrypted first portion of data is also based at least on sending the first data request to multiple authorities.
  - 8. The method of claim 1, wherein the first portion of secured data is encrypted by the first client prior to being stored in the data store.
  - 9. The method of claim 1, wherein the data store stores each encryption attribute with its corresponding portion of secured data.
  - 10. The method of claim 1, wherein the first portion of secured data is decrypted based on based on a threshold number of a plurality of search attributes matching a plurality of encryption attributes.

11. A computer system, comprising:
- one or more processors; and
  
  one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors to cause the computer system to decrypt and provide data based on attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following;
  
  receive, from a first entity, a first data request associated with a first identity and comprising at least one search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request'"'"'s search attribute is relevant to the corresponding at least one encryption attribute;
  
  based at least on receiving the first data request;
  
  determine that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;
  
  determine that a first access control defined by the first client grants the first identity access to the first portion of secured data; and
  
  based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypt the first portion of secured data and provide the decrypted first portion of data to the first entity;
  
  receive, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and
  
  based at least on receiving the second data request;
  
  determine that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;
  
  determine that a second access control defined by the second client grants the second identity access to the second portion of secured data; and
  
  based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypt the second portion of secured data and provide the decrypted the second portion of data to the second entity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer system of claim 11, wherein the first data request also comprises the first identity, and wherein the second data request also comprises the second identity.
  - 13. The computer system of claim 11, wherein the first identity is associated with a first user identifier, and wherein the first access control grants the first user identifier.
  - 14. The computer system of claim 11, wherein the first identity is associated with a first user type, and wherein the first access control grants the first user type.
  - 15. The computer system of claim 11, wherein the plurality of portions of secured data are stored in client-specific directories at the data store.
  - 16. The computer system of claim 11, wherein providing the decrypted first portion of data is also based at least on sending the search attribute to a third party for verification.
  - 17. The computer system of claim 11, wherein providing the decrypted first portion of data is also based at least on sending the first data request to multiple authorities.
  - 18. The computer system of claim 11, wherein the first portion of secured data is encrypted by the first client prior to being stored in the data store.
  - 19. The computer system of claim 11, wherein the data store stores each encryption attribute with its corresponding portion of secured data.
  - 20. The computer system of claim 11, wherein the data store comprises an anonymous directory.

21. A computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors to cause a computer system to decrypt and provide data based on attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following:
- receive, from a first entity, a first data request associated with a first identity and comprising at least one search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request'"'"'s search attribute is relevant to the corresponding at least one encryption attribute;
  
  based at least on receiving the first data request;
  
  determine that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;
  
  determine that a first access control defined by the first client grants the first identity access to the first portion of secured data; and
  
  based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypt the first portion of secured data and provide the decrypted first portion of data to the first entity;
  
  receive, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and
  
  based at least on receiving the second data request;
  
  determine that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;
  
  determine that a second access control defined by the second client grants the second identity access to the second portion of secured data; and
  
  based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypt the second portion of secured data and provide the decrypted the second portion of data to the second entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
D'Souza, Roy Peter, Pandey, Omkant
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/367,836
Publication Number

US 20170085554A1
Time in Patent Office

550 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/256   in federated or virtual dat...

G06F 16/27   Replication, distribution o...

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

Cloud key directory for federating data exchanges

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud key directory for federating data exchanges

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links