Cloud key directory for federating data exchanges
First Claim
1. A method, implemented at a computer system that includes one or more processors, for decrypting and providing data based on attribute-based encryption, the method comprising:
receiving, from a first entity, a first data request associated with a first identity and comprising a search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request's search attribute is relevant to the corresponding at least one encryption attribute;
based at least on receiving the first data request;
determining that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;
determining that a first access control defined by the first client grants the first identity access to the first portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypting the first portion of secured data and providing the decrypted first portion of data to the first entity;
receiving, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and
based at least on receiving the second data request;
determining that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;
determining that a second access control defined by the second client grants the second identity access to the second portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypting the second portion of secured data and providing the decrypted the second portion of data to the second entity.
Abstract
A data store provides access to portions of secured data. Each portion is associated with a client-defined access control and is encrypted with attribute-based encryption. This encryption associates each portion with an encryption attribute, and enables the portion to be provided, based on a request, in accordance with its client-defined access control and when the request's search attribute is relevant to its encryption attribute. First and second portions are provided in response to first and second requests. Each request includes the same search attribute, and the first and second portions are associated with the same encryption attribute. The first portion is provided based on a first access control granting access to a first identity and the search attribute being relevant to the encryption attribute. The second portion is provided based on a second access control granting access to a second identity and the search attribute being relevant to the encryption attribute.
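The request flow the abstract describes, as an added Python sketch that is not taken from the patent: two clients tag portions with the same encryption attribute, and each request must pass both the attribute match and that client's own access control before anything is decrypted. Assumptions: HMAC-derived per-attribute keys stand in for real attribute-based encryption, "relevant" is reduced to exact string equality, and `DataStore`, `seal`, `unseal` and all sample values are constructed for illustration.

```python
import hashlib, hmac, os

MASTER = os.urandom(32)  # constructed master secret held by the data store (assumption)

def _keys(attribute):
    # Stand-in for attribute-based encryption: per-attribute subkeys, not real ABE.
    root = hmac.new(MASTER, attribute.encode(), hashlib.sha256).digest()
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _xor(key, nonce, data):
    # Toy HMAC-based keystream; XOR is its own inverse, so this encrypts and decrypts.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(attribute, plaintext):
    enc, mac = _keys(attribute)
    nonce = os.urandom(16)
    ct = _xor(enc, nonce, plaintext)
    return nonce, ct, hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(attribute, blob):
    enc, mac = _keys(attribute)
    nonce, ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("attribute does not match this portion")
    return _xor(enc, nonce, ct)

class DataStore:
    def __init__(self):
        self.portions = []  # (client, encryption attribute, ACL, sealed blob)

    def put(self, client, attribute, acl, plaintext):
        self.portions.append((client, attribute, frozenset(acl), seal(attribute, plaintext)))

    def request(self, identity, search_attribute):
        out = []
        for client, attribute, acl, blob in self.portions:
            if attribute != search_attribute:  # gate 1: search attribute matches
                continue
            if identity not in acl:            # gate 2: that client's own access control
                continue
            out.append((client, unseal(search_attribute, blob)))
        return out

def demo_store():
    # Constructed sample data: two clients tag portions with the same attribute.
    store = DataStore()
    store.put("client-1", "project:apollo", {"id-1"}, b"portion one")
    store.put("client-2", "project:apollo", {"id-2"}, b"portion two")
    return store
```

In this stand-in the store holds the keys and enforces both gates in code; a real attribute-based scheme binds the attribute check to the ciphertext itself.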
21 Claims
1. A method, implemented at a computer system that includes one or more processors, for decrypting and providing data based on attribute-based encryption, the method comprising:
receiving, from a first entity, a first data request associated with a first identity and comprising a search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request's search attribute is relevant to the corresponding at least one encryption attribute;
based at least on receiving the first data request;
determining that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;
determining that a first access control defined by the first client grants the first identity access to the first portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypting the first portion of secured data and providing the decrypted first portion of data to the first entity;
receiving, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and
based at least on receiving the second data request;
determining that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;
determining that a second access control defined by the second client grants the second identity access to the second portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypting the second portion of secured data and providing the decrypted the second portion of data to the second entity.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A computer system, comprising:
one or more processors; and
one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors to cause the computer system to decrypt and provide data based on attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following;
receive, from a first entity, a first data request associated with a first identity and comprising at least one search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request's search attribute is relevant to the corresponding at least one encryption attribute;
based at least on receiving the first data request;
determine that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;
determine that a first access control defined by the first client grants the first identity access to the first portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypt the first portion of secured data and provide the decrypted first portion of data to the first entity;
receive, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and
based at least on receiving the second data request;
determine that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;
determine that a second access control defined by the second client grants the second identity access to the second portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypt the second portion of secured data and provide the decrypted the second portion of data to the second entity.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors to cause a computer system to decrypt and provide data based on attribute-based encryption, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following:
receive, from a first entity, a first data request associated with a first identity and comprising at least one search attribute describing data to be found in a data store that provides access to a plurality of portions of secured data of a plurality of clients, each portion of secured data being associated with a corresponding client-defined access control and being encrypted with an attribute-based encryption that associates each portion of secured data with at least one corresponding encryption attribute, the attribute-based encryption enabling each portion of secured data to be decrypted in response to a data request in accordance with the corresponding client-defined access control when the data request's search attribute is relevant to the corresponding at least one encryption attribute;
based at least on receiving the first data request;
determine that the search attribute matches a particular encryption attribute, which is associated with a first portion of secured data of a first client;
determine that a first access control defined by the first client grants the first identity access to the first portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on first access control granting the first identity access to the first portion of secured data, decrypt the first portion of secured data and provide the decrypted first portion of data to the first entity;
receive, from a second entity, a second data request associated with a second identity and also comprising the search attribute; and
based at least on receiving the second data request;
determine that the search attribute matches to the particular encryption attribute, which is also associated with a second portion of secured data of a second client;
determine that a second access control defined by the second client grants the second identity access to the second portion of secured data; and
based on the search attribute matching the particular encryption attribute, and based on second access control granting the second identity access to the second portion of secured data, decrypt the second portion of secured data and provide the decrypted the second portion of data to the second entity.
Specification