Secure Database

US 20180165470A1
Filed: 12/13/2016
Published: 06/14/2018
Est. Priority Date: 12/13/2016
Status: Active Application

First Claim

Patent Images

1. A system, comprising:

a secure hardware unit; and

a database system comprising;

one or more processors; and

a computer-readable medium having stored thereon instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;

receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, wherein the first encrypted data has been encrypted by a database client using a first encryption key;

providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and

receiving, from the secure hardware unit and by the database system, output data representing an output of the one or more data processing operations.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including a system that includes a secure hardware unit; and a database system including one or more processors; and a computer-readable medium having stored instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, where the first encrypted data has been encrypted by a database client using a first encryption key; providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and receiving, from the secure hardware unit, output data representing an output of the one or more data processing operations.

6 Citations

20 Claims

1. A system, comprising:
- a secure hardware unit; and
  
  a database system comprising;
  
  one or more processors; and
  
  a computer-readable medium having stored thereon instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, wherein the first encrypted data has been encrypted by a database client using a first encryption key;
  
  providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and
  
  receiving, from the secure hardware unit and by the database system, output data representing an output of the one or more data processing operations.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 10)
- - 2. The system of claim 1, wherein the operations further comprise:
    - determining that the database operation requires accessing one or more database entries in a database; and
      
      obtaining, from the database, a database entry including second encrypted data that has been encrypted using a second encryption key,wherein the system request further includes (iii) the second encrypted data and (iv) data identifying the second encryption key.
  - 3. The system of claim 2, wherein the first encryption key and the second encryption key are the same encryption key.
  - 4. The system of claim 2, wherein the first encryption key and the second encryption key are different encryption keys.
  - 5. The system of claim 1, wherein the secure hardware unit includes:
    - a key store that stores multiple encryption keys including the first encryption key; and
      
      circuitry or software to perform operations comprising;
      
      obtaining the first encryption key based on the data identifying the first encryption key;
      
      decrypting the first encrypted data using the first encryption key to generate first decrypted data; and
      
      performing the one or more data processing operations using the first decrypted data to generate the output of the one or more data processing operations.
  - 6. The system of claim 5, wherein the circuitry or software of the secure hardware unit performs operations further comprising:
    - encrypting, using the first encryption key, the output of the one or more data processing operations to generate the output data; and
      
      providing the output data to the database system. The system of claim 1, wherein the operations further comprise;
      
      providing a response including the output data representing the output of the one or more data processing operations to the database client.
  - 8. The system of claim 1, wherein providing, to the secure hardware unit, the system request for performing the one or more data processing operations further comprises:
    - determining that the first encrypted data has been encrypted using the first encryption key; and
      
      in response to determining that the first encrypted data has been encrypted using the first encryption key, providing, to the secure hardware unit, the system request for performing the one or more data processing operations.
  - 9. The system of claim 1, wherein the secure hardware unit is a trusted platform module that is integrated with the one or more processors of the database system on a common board.
  - 10. The system of claim 1, wherein the secure hardware unit is integrated directly alongside a main processor of the database system.

11. A computer-implemented method, comprising:
- receiving, by a database system, a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, wherein the first encrypted data has been encrypted by a database client using a first encryption key;
  
  providing, by the database system and to a secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and
  
  receiving, from the secure hardware unit and by the database system, output data representing an output of the one or more data processing operations.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer-implemented method of claim 11, further comprising:
    - determining that the database operation requires accessing one or more database entries in a database; and
      
      in response to determining that the database operation requires accessing one or more database entries in the database, obtaining, by the database system and from a database, a database entry including second encrypted data that has been encrypted using a second encryption key,wherein the system request further includes (iii) the second encrypted data and (iv) data identifying the second encryption key.
  - 13. The computer-implemented method of claim 12, wherein the first encryption key and the second encryption key are the same encryption key.
  - 14. The computer-implemented method of claim 12, wherein the first encryption key and the second encryption key are different encryption keys.
  - 15. The computer-implemented method of claim 11, wherein the data identifying the first encryption key identifies a memory location in the secure hardware unit that stores the first encryption key.
  - 16. The computer-implemented method of claim 11, further comprising:
    - performing one or more additional data processing operations on the output data to complete the database operation.
  - 17. The computer-implemented method of claim 11, further comprising:
    - providing, from the database system to the database client, a response indicating a completion of the database operation.
  - 18. The computer-implemented method of claim 11, wherein the output data has been encrypted by the secure hardware unit using the first encryption key.

19. A computer-readable medium having stored thereon instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising:
- receiving, by a database system, a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, wherein the first encrypted data has been encrypted by a database client using a first encryption key;
  
  providing, by the database system to a secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and
  
  receiving, from the secure hardware unit and by the database system, output data representing an output of the one or more data processing operations.
- View Dependent Claims (20)
- - 20. The computer-readable medium of claim 19, wherein the operations further comprise:
    - determining that the database operation requires accessing one or more database entries in a database; and
      
      in response to determining that the database operation requires accessing one or more database entries in the database, obtaining, by the database system from a database, a database entry including second encrypted data that has been encrypted using a second encryption key,wherein the system request further includes (iii) the second encrypted data and (iv) data identifying the second encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Chronicle LLC
Original Assignee
X Development LLC (Alphabet Inc.)
Inventors
Nachenberg, Carey Stover

Granted Patent

US 10,284,535 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 21/74   operating in dual or compar...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0897   involving additional device...

Secure Database

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Database

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links