Method and apparatus for facilitating role-based cryptographic key management for a database

US 20070230706A1
Filed: 01/09/2007
Published: 10/04/2007
Est. Priority Date: 04/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating role-based cryptographic key management, the method comprising:

receiving a request at a database server from a user to perform a cryptographic operation on data on the database server, wherein the user is a member of a role, and wherein the role has been granted permission to perform the cryptographic operation on the data;

receiving from the user at the database server a user key, which is associated with the user;

unwrapping a wrapped role key with the user key to obtain a role key, which is associated with the role;

unwrapping a wrapped data key with the role key to obtain a data key, which is used to encrypt and decrypt the data; and

using the data key to perform the cryptographic operation on the data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates role-based cryptographic key management. The system operates by receiving a request at a database server from a user to perform a cryptographic operation on data on the database server, wherein the user is a member of a role, and wherein the role has been granted permission to perform the cryptographic operation on the data. Next, the system receives from the user at the database server a user key, which is associated with the user. The system then unwraps a wrapped role key with the user key to obtain a role key, which is associated with the role. Next, the system unwraps a wrapped data key with the role key to obtain a data key, which is used to encrypt and decrypt the data. Finally, the system uses the data key to perform the cryptographic operation on the data.

116 Citations

View as Search Results

21 Claims

1. A method for facilitating role-based cryptographic key management, the method comprising:
- receiving a request at a database server from a user to perform a cryptographic operation on data on the database server, wherein the user is a member of a role, and wherein the role has been granted permission to perform the cryptographic operation on the data;
  
  receiving from the user at the database server a user key, which is associated with the user;
  
  unwrapping a wrapped role key with the user key to obtain a role key, which is associated with the role;
  
  unwrapping a wrapped data key with the role key to obtain a data key, which is used to encrypt and decrypt the data; and
  
  using the data key to perform the cryptographic operation on the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising adding a second user to the role by:
    - receiving a second user key at the database server, wherein the second user key is associated with the second user;
      
      receiving a command to add the second user to the role; and
      
      in response to the command, wrapping the role key with the second user key.
  - 3. The method of claim 2, wherein the second user key is an asymmetric key, wherein a public key portion of the second user key is stored on the database server, and wherein the second user is added to the role while the second user is offline by using the public key portion of the second user key.
  - 4. The method of claim 3, wherein the public key portion of the second user key is protected by one of:
    - a certificate;
      
      a digital signature;
      
      a server key;
      
      or an administrator key.
  - 5. The method of claim 1, further comprising granting permission to the role to perform the cryptographic operation on the data by:
    - receiving a command to grant permission to the role to perform the cryptographic operation on the data; and
      
      in response to the command, wrapping the data key with the role key.
  - 6. The method of claim 1, further comprising granting membership in the role to a second role by:
    - receiving a command to grant membership in the role to a second role; and
      
      in response to the command, wrapping the role key with a second role key.
  - 7. The method of claim 1, wherein the role key and the data key are never revealed outside of the database server.
  - 8. The method of claim 1, wherein the data key is a column key, wherein a column key is used to perform cryptographic operations on a column, a row, or a cell, within a database.
  - 9. The method of claim 1, further comprising removing a user from a role by deleting the wrapped role key that is wrapped with the user key associated with the user.
  - 10. The method of claim 1, further comprising revoking a role'"'"'s ability to perform cryptographic operations on the data by deleting the wrapped data key that is wrapped with the role key associated with the role.

11. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating role-based cryptographic key management, the method comprising:
- receiving a request at a database server from a user to perform a cryptographic operation on data on the database server, wherein the user is a member of a role, and wherein the role has been granted permission to perform the cryptographic operation on the data;
  
  receiving from the user at the database server a user key, which is associated with the user;
  
  unwrapping a wrapped role key with the user key to obtain a role key, which is associated with the role;
  
  unwrapping a wrapped data key with the role key to obtain a data key, which is used to encrypt and decrypt the data; and
  
  using the data key to perform the cryptographic operation on the data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer-readable storage medium of claim 11, wherein the method further comprises adding a second user to the role by:
    - receiving a second user key at the database server, wherein the second user key is associated with the second user;
      
      receiving a command to add the second user to the role; and
      
      in response to the command, wrapping the role key with the second user key.
  - 13. The computer-readable storage medium of claim 12, wherein the second user key is an asymmetric key, wherein a public key portion of the second user key is stored on the database server, and wherein the second user is added to the role while the second user is offline by using the public key portion of the second user key.
  - 14. The computer-readable storage medium of claim 13, wherein the public key portion of the second user key is protected by one of:
    - a certificate;
      
      a digital signature;
      
      a server key;
      
      or an administrator key.
  - 15. The computer-readable storage medium of claim 11, wherein the method further comprises granting permission to the role to perform the cryptographic operation on the data by:
    - receiving a command to grant permission to the role to perform the cryptographic operation on the data; and
      
      in response to the command, wrapping the data key with the role key.
  - 16. The computer-readable storage medium of claim 11, wherein the method further comprises granting membership in the role to a second role by:
    - receiving a command to grant membership in the role to a second role; and
      
      in response to the command, wrapping the role key with a second role key.
  - 17. The computer-readable storage medium of claim 11, wherein the role key and the data key are never revealed outside of the database server.
  - 18. The computer-readable storage medium of claim 11, wherein the data key is a column key, wherein a column key is used to perform cryptographic operations on a column, a row, or a cell, within a database.
  - 19. The computer-readable storage medium of claim 11, wherein the method further comprises removing a user from a role by deleting the wrapped role key that is wrapped with the user key associated with the user.
  - 20. The computer-readable storage medium of claim 11, wherein the method further comprises revoking a role'"'"'s ability to perform cryptographic operations on the data by deleting the wrapped data key that is wrapped with the role key associated with the role.

21. An apparatus configured to facilitate role-based cryptographic key management, comprising:
- a database server;
  
  a receiving mechanism configured to receive a request at the database server from a user to perform a cryptographic operation on data on the database server, wherein the user is a member of a role, and wherein the role has been granted permission to perform the cryptographic operation on the data;
  
  wherein the receiving mechanism is further configured to receive from the user at the database server a user key, which is associated with the user;
  
  a cryptographic mechanism configured to unwrap a wrapped role key with the user key to obtain a role key, which is associated with the role;
  
  wherein the cryptographic mechanism is further configured to unwrap a wrapped data key with the role key to obtain a data key, which is used to encrypt and decrypt the data; and
  
  wherein the cryptographic mechanism is further configured to use the data key to perform the cryptographic operation on the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Youn, Paul

Granted Patent

US 8,064,604 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

G06Q 20/3829   involving key management

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

Method and apparatus for facilitating role-based cryptographic key management for a database

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

116 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for facilitating role-based cryptographic key management for a database

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links