Secure database

US 10,284,535 B2
Filed: 12/13/2016
Issued: 05/07/2019
Est. Priority Date: 12/13/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a secure hardware unit; and

a database system comprising;

one or more processors; and

a computer-readable medium having stored thereon instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;

receiving, from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;

providing, to the secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit;

decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;

generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and

provides the output data to the database system; and

receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including a system that includes a secure hardware unit; and a database system including one or more processors; and a computer-readable medium having stored instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, where the first encrypted data has been encrypted by a database client using a first encryption key; providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and receiving, from the secure hardware unit, output data representing an output of the one or more data processing operations.

15 Citations

19 Claims

1. A system, comprising:
- a secure hardware unit; and
  
  a database system comprising;
  
  one or more processors; and
  
  a computer-readable medium having stored thereon instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving, from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;
  
  providing, to the secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit;
  
  decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;
  
  generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and
  
  provides the output data to the database system; and
  
  receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the operations further comprise:
    - determining that the database operation requires accessing the one or more database entries in the database; and
      
      obtaining, from the database, the one or more database entries including the second encrypted data that has been encrypted using a second encryption key in response to determining that the database operation requires accessing the one or more database entries in the database.
  - 3. The system of claim 2, wherein the first encryption key and the second encryption key are the same encryption key.
  - 4. The system of claim 2, wherein the first encryption key and the second encryption key are different encryption keys.
  - 5. The system of claim 1, wherein the secure hardware unit includes:
    - a key store that stores multiple encryption keys including the first encryption key; and
      
      circuitry or software to perform operations comprising;
      
      obtaining the first encryption key based on the data identifying the first encryption key.
  - 6. The system of claim 1, wherein the operations further comprise:
    - providing a response including the output data representing the output of the one or more data processing operations to the database client.
  - 7. The system of claim 1, wherein providing, to the secure hardware unit, the system request for performing the one or more data processing operations further comprises:
    - determining that the first encrypted data has been encrypted using the first encryption key; and
      
      in response to determining that the first encrypted data has been encrypted using the first encryption key, providing, to the secure hardware unit, the system request for performing the one or more data processing operations.
  - 8. The system of claim 1, wherein the secure hardware unit is a trusted platform module that is integrated with the one or more processors of the database system on a common board.
  - 9. The system of claim 1, wherein the secure hardware unit is integrated directly alongside a main processor of the database system.

10. A computer-implemented method, comprising:
- receiving, by a database system and from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;
  
  providing, by the database system and to a secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit;
  
  decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;
  
  generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and
  
  provides the output data to the database system; and
  
  receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer-implemented method of claim 10, further comprising:
    - determining that the database operation requires accessing the one or more database entries in the database; and
      
      in response to determining that the database operation requires accessing one or more database entries in the database, obtaining, by the database system and from the database, the one or more database entries including second encrypted data that has been encrypted using a second encryption key.
  - 12. The computer-implemented method of claim 11, wherein the first encryption key and the second encryption key are the same encryption key.
  - 13. The computer-implemented method of claim 11, wherein the first encryption key and the second encryption key are different encryption keys.
  - 14. The computer-implemented method of claim 10, wherein the data identifying the first encryption key identifies a memory location in the secure hardware unit that stores the first encryption key.
  - 15. The computer-implemented method of claim 10, further comprising:
    - performing one or more additional data processing operations on the output data to complete the database operation.
  - 16. The computer-implemented method of claim 10, further comprising:
    - providing, from the database system to the database client, a response indicating a completion of the database operation.
  - 17. The computer-implemented method of claim 10, wherein the output data has been encrypted by the secure hardware unit using the first encryption key.

18. A computer-readable medium having stored thereon instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising:
- receiving, by a database system and from a database client, a client request to perform a database operation using first encrypted data as an encrypted value of a field of a database to be operated on by the database operation, wherein the first encrypted data has been encrypted by the database client using a first encryption key;
  
  providing, by the database system to a secure hardware unit, a system request for performing one or more data processing operations corresponding to the database operation, the system request including (i) the first encrypted data, (ii) data identifying the first encryption key, (iii) one or more database entries including second encrypted data that has been encrypted using a second encryption key, and (iv) data identifying the second encryption key, wherein the secure hardware unit;
  
  decrypts the first encrypted data using the first encryption key to generate first decrypted data and decrypts the second data using the second encryption key to generate second decrypted data;
  
  generates output data by performing the one or more data processing operations on at least one database entry having a decrypted value of the field that matches the first decrypted data; and
  
  provides the output data to the database system; and
  
  receiving, from the secure hardware unit and by the database system, the output data representing an output of the one or more data processing operations.
- View Dependent Claims (19)
- - 19. The computer-readable medium of claim 18, wherein the operations further comprise:
    - determining that the database operation requires accessing the one or more database entries in the database; and
      
      in response to determining that the database operation requires accessing one or more database entries in the database, obtaining, by the database system from the database, the one or more database entries including second encrypted data that has been encrypted using a second encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Chronicle LLC
Original Assignee
Chronicle LLC
Inventors
Nachenberg, Carey Stover
Primary Examiner(s)
Abedin, Shanto

Application Number

US15/376,786
Publication Number

US 20180165470A1
Time in Patent Office

875 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 21/74   operating in dual or compar...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0897   involving additional device...

Secure database

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure database

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links