Method and apparatus for using an external security device to secure data in a database

US 20060288232A1
Filed: 06/16/2005
Published: 12/21/2006
Est. Priority Date: 06/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method for using an external security device to secure data in a database without having to modify database applications, the method comprising:

receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;

in response to the request, passing a wrapped column key to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;

decrypting the wrapped column key in the external security module to retrieve the column key;

returning the column key to the database;

performing an encryption/decryption operation on data in the database using the column key; and

erasing the column key from memory in the database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates using an external security device to secure data in a database without having to modify database applications. The system operates by receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications. In response to the request, the system passes a wrapped (encrypted) column key (a key used to encrypt data within the database) to an external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module. The system then unwraps (decrypts) the wrapped column key in the external security module to retrieve the column key. Next, the system returns the column key to the database. The system then performs an encryption/decryption operation on data in the database using the column key. Finally, the system erases the column key from memory in the database.

109 Citations

30 Claims

1. A method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
- receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
  
  in response to the request, passing a wrapped column key to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
  
  decrypting the wrapped column key in the external security module to retrieve the column key;
  
  returning the column key to the database;
  
  performing an encryption/decryption operation on data in the database using the column key; and
  
  erasing the column key from memory in the database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising generating the master key by:
    - sending a request to the external security module to create a random key with a data key type to be used as the master key;
      
      flagging the master key as non-exportable; and
      
      receiving a handle from the external security module at the database that facilitates referencing the master key during subsequent database transactions.
  - 3. The method of claim 1, further comprising generating the wrapped column key by:
    - generating a random number in the external security module for use as the column key;
      
      encrypting the column key with the master key in the external security module;
      
      flagging the wrapped column key as exportable;
      
      passing the wrapped column key to the database; and
      
      storing the wrapped column key in a column key metadata table.
  - 4. The method of claim 1, further comprising generating the wrapped column key by:
    - generating a random number in the database for use as the column key;
      
      passing the column key to the external security module;
      
      encrypting the column key with the master key in the external security module;
      
      flagging the wrapped column key as exportable;
      
      passing the wrapped column key to the database; and
      
      storing the wrapped column key in a column key metadata table.
  - 5. The method of claim 1, wherein the external security module can be a hardware security module or a software security module.
  - 6. The method of claim 1, further comprising storing data in the external security module.
  - 7. The method of claim 1, wherein the external security module is authenticated to the database via at least one of:
    - a direct attachment to the database;
      
      a username and a password; and
      
      a strong authentication method, including a security token or a smart card.
  - 8. The method of claim 1, wherein the encryption can be either symmetric encryption or asymmetric encryption.

9. A method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
- receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
  
  in response to the request, passing a wrapped column key and data to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
  
  decrypting the wrapped column key within the external security module to retrieve the column key;
  
  performing an encryption/decryption operation on the data within the external security module using the column key; and
  
  returning the encrypted/decrypted data to the database.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising generating the master key by:
    - sending a request to the external security module to create a random key with a wrapper key type to be used as the master key, flagging the master key as non-exportable; and
      
      receiving a handle from the external security module at the database that facilitates referencing the master key during subsequent database transactions.
  - 11. The method of claim 9, further comprising generating the wrapped column key by:
    - generating a random number in the external security module for use as the column key;
      
      encrypting the column key with the master key in the external security module;
      
      flagging the wrapped column key as exportable and sensitive, wherein the wrapped column key is only exportable in an encrypted state;
      
      passing the wrapped column key to the database; and
      
      storing the wrapped column key in a column key metadata table.
  - 12. The method of claim 9, wherein the external security module can be a hardware security module or a software security module.
  - 13. The method of claim 9, further comprising storing data in the external security module.
  - 14. The method of claim 9, wherein the external security module is authenticated to the database via at least one of:
    - a direct attachment to the database;
      
      a username and a password; and
      
      a strong authentication method, including a security token or a smart card.
  - 15. The method of claim 9, wherein the encryption can be either symmetric encryption or asymmetric encryption.

16. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
- receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
  
  in response to the request, passing a wrapped column key to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
  
  decrypting the wrapped column key in the external security module to retrieve the column key;
  
  returning the column key to the database;
  
  performing an encryption/decryption operation on data in the database using the column key; and
  
  erasing the column key from memory in the database.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The computer-readable storage medium of claim 16, wherein the method further comprises generating the master key by:
    - sending a request to the external security module to create a random key with a data key type to be used as the master key;
      
      flagging the master key as non-exportable; and
      
      receiving a handle from the external security module at the database that facilitates referencing the master key during subsequent database transactions.
  - 18. The computer-readable storage medium of claim 16, wherein the method further comprises generating the wrapped column key by:
    - generating a random number in the external security module for use as the column key;
      
      encrypting the column key with the master key in the external security module;
      
      flagging the wrapped column key as exportable;
      
      passing the wrapped column key to the database; and
      
      storing the wrapped column key in a column key metadata table.
  - 19. The computer-readable storage medium of claim 16, wherein the method further comprises generating the wrapped column key by:
    - generating a random number in the database for use as the column key;
      
      passing the column key to the external security module;
      
      encrypting the column key with the master key in the external security module;
      
      flagging the wrapped column key as exportable;
      
      passing the wrapped column key to the database; and
      
      storing the wrapped column key in a column key metadata table.
  - 20. The computer-readable storage medium of claim 16, wherein the external security module can be a hardware security module or a software security module.
  - 21. The computer-readable storage medium of claim 16, wherein the method further comprises storing data in the external security module.
  - 22. The computer-readable storage medium of claim 16, wherein the external security module is authenticated to the database via at least one of:
    - a direct attachment to the database;
      
      a username and a password; and
      
      a strong authentication method, including a security token or a smart card.
  - 23. The computer-readable storage medium of claim 16, wherein the encryption can be either symmetric encryption or asymmetric encryption.

24. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for using an external security device to secure data in a database without having to modify database applications, the method comprising:
- receiving a request at the database to perform an encryption/decryption operation, wherein the encryption/decryption operation is performed with the assistance of the external security module in a manner that is transparent to database applications;
  
  in response to the request, passing a wrapped column key and data to the external security module, wherein the wrapped column key is a column key encrypted with a master key that exists only within the external security module;
  
  decrypting the wrapped column key within the external security module to retrieve the column key;
  
  performing an encryption/decryption operation on the data within the external security module using the column key; and
  
  returning the encrypted/decrypted data to the database.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The computer-readable storage medium of claim 24, wherein the method further comprises generating the master key by:
    - sending a request to the external security module to create a random key with a wrapper key type to be used as the master key;
      
      flagging the master key as non-exportable; and
      
      receiving a handle from the external security module at the database that facilitates referencing the master key during subsequent database transactions.
  - 26. The computer-readable storage medium of claim 24, wherein the method further comprises generating the wrapped column key by:
    - generating a random number in the external security module for use as the column key;
      
      encrypting the column key with the master key in the external security module;
      
      flagging the wrapped column key as exportable and sensitive, wherein the wrapped column key is only exportable in an encrypted state;
      
      passing the wrapped column key to the database; and
      
      storing the wrapped column key in a column key metadata table.
  - 27. The computer-readable storage medium of claim 24, wherein the external security module can be a hardware security module or a software security module.
  - 28. The computer-readable storage medium of claim 24, wherein the method further comprises storing data in the external security module.
  - 29. The computer-readable storage medium of claim 24, wherein the external security module is authenticated to the database via at least one of:
    - a direct attachment to the database;
      
      a username and a password; and
      
      a strong authentication method, including a security token or a smart card.
  - 30. The computer-readable storage medium of claim 24, wherein the encryption can be either symmetric encryption or asymmetric encryption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wong, Daniel ManHung, Ho, Min-Hank, Youn, Paul, Lei, Chon

Granted Patent

US 7,639,819 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2153   Using hardware token as a s...

H04L 9/0822   using key encryption key

H04L 9/0897   involving additional device...

Method and apparatus for using an external security device to secure data in a database

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for using an external security device to secure data in a database

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links