Method and system for securing data
First Claim
1. A method for securing user data, or data, possessed by a data owner, comprising:
a. devising a concealing mechanism;
b. concealing, according to said concealing mechanism, and encrypting, using a data encryption key, said data to generate secure data and metadata, such that said data can be reconstructed by using said secure data, said metadata and said data encryption key in accordance with said concealing mechanism;
c. encrypting said metadata with another encryption key to generate encrypted metadata;
d. saving said secure data and said encrypted metadata to a data store, and associating a unique data identifier with said secure data and said encrypted metadata in said data store, such that said secure data and said encrypted metadata are uniquely identifiable in said data store;
e. generating a data access object, wherein said data access object comprises said data encryption key;
f. obtaining one or more recipient encryption keys;
g. encrypting said data access object by using said one or more recipient encryption keys to generate a data access token;
h. saving said data access token to said data store, and associating said data access token with said unique data identifier.
Abstract
A method and system for securing user data, or data, possessed by a data owner, are disclosed. In one aspect data is concealed and encrypted to ensure data confidentiality, and may also be signed to ensure data integrity and authenticity. In another aspect accesses to data are controlled by the data owner through a distributed access control system. In another aspect the public keys of users are distributed automatically in a distributed manner, and are controlled by the users owning the corresponding public and private key pairs.
17 Claims
Claim 1 is reproduced above under First Claim; claims 2 to 13 depend on it.
14. A system for securing user data or data, possessed by a data owner, comprising:
a data store configured to allow said data owner to store data;
a client computer having at least one processor, a network interface, and a machine-readable medium storing instructions that, when executed by said at least one processor, cause said at least one processor to perform operations, on behalf of said data owner, comprising:
a. generating a data encryption key;
b. concealing, according to a concealing mechanism, and encrypting, using said data encryption key, said data to generate secure data and metadata, such that said data can be reconstructed by using said secure data, said metadata and said data encryption key in accordance with said concealing mechanism;
c. encrypting said metadata with said data encryption key to generate encrypted metadata;
d. generating a unique data identifier;
e. saving said secure data and said encrypted metadata to said data store, and associating said unique data identifier with said secure data and said encrypted metadata in said data store, such that said secure data and said encrypted metadata are uniquely identifiable in said data store;
wherein said client computer further comprising a user interface, and said machine-readable medium storing additional instructions that, when executed by said at least one processor, cause said at least one processor to perform operations, on behalf of said data owner, comprising:
a. selecting, by said data owner using said user interface, one or more recipients, each having a public and private key pair and having made the public key of said key pair accessible to said data owner;
b. retrieving the public keys of said one or more recipients, respectively, and the public key of said data owner, as recipient encryption keys;
c. generating a data access object, comprising said data encryption key, and one or more access permissions corresponding respectively to said one or more recipients, wherein each of said one or more access permissions comprises a permission role assigned by said data owner using said user interface, wherein said permission role comprises a reader role and a writer role, wherein said reader role allows read-only access to data, and said writer role allows read-write access to data;
d. encrypting said data access object by using said recipient encryption keys to generate a data access token;
e. saving said data access token to said data store, and associating said data access token with said unique data identifier.
Claims 15 to 17 depend on claim 14.
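The steps of claim 1, with the DEK-keyed metadata and public-key recipients of claim 14, as an added worked example in Python; this is not code from the patent. AES-256-GCM stands in for the unspecified data encryption, RSA-OAEP for the recipient encryption keys, and the concealing mechanism (a random offset inside random filler, with the offset and length as the metadata) is a constructed one; all function and field names are assumptions, and the `cryptography` package is required.

```python
import os
import struct

from cryptography.exceptions import InvalidTag  # raised by unseal on tampering
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed choices: RSA-OAEP for the recipient encryption keys, AES-256-GCM for the data.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
DATA_STORE = {}  # unique data identifier -> record (claim 1, steps d and h)

def seal(key, plaintext):
    """AES-256-GCM with a fresh 12-byte nonce prefixed to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def unseal(key, ciphertext):
    """Reverse of seal; raises InvalidTag if the ciphertext or nonce was tampered with."""
    return AESGCM(key).decrypt(ciphertext[:12], ciphertext[12:], None)

def secure(data, recipient_public_keys):
    """Claim 1, steps a-h, for one item; returns its unique data identifier. The constructed
    concealing mechanism buries the data at a random offset inside random filler."""
    dek = AESGCM.generate_key(bit_length=256)              # data encryption key
    offset = os.urandom(1)[0]
    filler = bytearray(os.urandom(offset + len(data) + 16))
    filler[offset:offset + len(data)] = data               # conceal: position and length hidden
    metadata = struct.pack(">II", offset, len(data))       # what is needed to dig the data out
    data_id = os.urandom(16).hex()                         # unique data identifier
    DATA_STORE[data_id] = {
        "secure_data": seal(dek, bytes(filler)),           # step b
        "enc_metadata": seal(dek, metadata),               # step c, keyed with the DEK as in claim 14
        # steps e-h: the data access object is the DEK; one token per recipient key
        "tokens": [pub.encrypt(dek, OAEP) for pub in recipient_public_keys],
    }
    return data_id

def recover(data_id, private_key):
    """Recipient side: unwrap the DEK from a token, then undo the concealment."""
    record = DATA_STORE[data_id]
    for token in record["tokens"]:
        try:
            dek = private_key.decrypt(token, OAEP)
        except ValueError:
            continue                                       # token belongs to another recipient
        offset, length = struct.unpack(">II", unseal(dek, record["enc_metadata"]))
        return unseal(dek, record["secure_data"])[offset:offset + length]
    raise PermissionError("no data access token for this private key")
```

Because the secure data and metadata are untouched when a recipient is added, granting access to another public key means appending one more token to the record rather than re-encrypting the data.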
Specification