Secure database
First Claim
1. A system, comprising:
a secure hardware unit; and
a database system comprising:
one or more processors; and
a computer-readable medium having stored thereon instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
receiving, from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;
providing, to the secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit:
decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;
generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and
provides the output data to the database system; and
receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.
Abstract
Methods, systems, and apparatus, including a system that includes a secure hardware unit; and a database system including one or more processors; and a computer-readable medium having stored instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, where the first encrypted data has been encrypted by a database client using a first encryption key; providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and receiving, from the secure hardware unit, output data representing an output of the one or more data processing operations.
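An added illustration of the request flow recited in the first claim (not code from the patent): the client encrypts the field value under one key, the database system forwards ciphertext and key identifiers only, and the secure hardware unit decrypts both sides and matches. The cipher is a standard-library stand-in (SHA-256 keystream with an HMAC tag) for a real authenticated cipher such as AES-GCM; the key identifiers, the table layout, and the choice of matching entry ids as the output data are assumptions.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream (stand-in for a real cipher).
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, data):
    # Separate MAC key derived from the same secret.
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), data, hashlib.sha256).digest()

def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh nonce: equal plaintexts give different ciphertexts
    body = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + _tag(key, nonce + body)

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + body)):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body))))

class SecureHardwareUnit:
    """Holds the keys; the database host only ever names them by identifier."""
    def __init__(self, keys):
        self._keys = dict(keys)

    def process(self, enc_value, value_key_id, entries, entry_key_id, field):
        wanted = decrypt(self._keys[value_key_id], enc_value)  # first decrypted data
        entry_key = self._keys[entry_key_id]
        # Output data (assumed form): ids of entries whose decrypted field matches.
        return [rid for rid, row in entries
                if hmac.compare_digest(decrypt(entry_key, row[field]), wanted)]

def database_select(shu, table, entry_key_id, field, enc_value, client_key_id):
    """Database system: forwards ciphertext and key ids, never handles plaintext."""
    return shu.process(enc_value, client_key_id, list(table.items()), entry_key_id, field)

def demo():
    k1, k2 = os.urandom(32), os.urandom(32)    # constructed client key and storage key
    shu = SecureHardwareUnit({"client-key": k1, "storage-key": k2})
    table = {rid: {"name": encrypt(k2, name)}  # constructed rows, stored under key 2
             for rid, name in enumerate([b"alice", b"bob", b"alice"])}
    query = encrypt(k1, b"alice")              # client encrypts the field value under key 1
    return database_select(shu, table, "storage-key", "name", query, "client-key")
```

Because encryption is randomized, the database host cannot find the matching rows by comparing ciphertexts itself; only the unit holding both keys can.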
15 Citations
19 Claims
1. A system, comprising:
a secure hardware unit; and
a database system comprising:
one or more processors; and
a computer-readable medium having stored thereon instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
receiving, from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;
providing, to the secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit:
decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;
generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and
provides the output data to the database system; and
receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer-implemented method, comprising:
receiving, by a database system and from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;
providing, by the database system and to a secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit:
decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;
generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and
provides the output data to the database system; and
receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.
Dependent claims: 11, 12, 13, 14, 15, 16, 17
18. A computer-readable medium having stored thereon instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising:
receiving, by a database system and from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;
providing, by the database system to a secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit:
decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;
generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and
provides the output data to the database system; and
receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.
Dependent claims: 19
Specification