Computer program products and systems for transparent data encryption and decryption

US 7,743,403 B2
Filed: 05/23/2008
Issued: 06/22/2010
Est. Priority Date: 04/24/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product embodied in a tangible medium of expression comprising programming instructions, operable by a directory service that provides a central repository for information about system resources and users available in a data processing system, for:

receiving a directory message requesting data that is maintained by the directory service;

determining if the requested data is stored in encrypted form in a database maintained by the directory service, wherein the database comprises a directory and the requested data comprises an attribute value corresponding to an attribute of a directory object maintained in the directory;

determining if, in response to a policy corresponding to the requested data, a receiver is a trusted client, wherein the policy corresponding to the requested data specifies (i) whether the attribute may be accessed and (ii) a manner of accessing the attribute;

delivering the requested data in unencrypted form if the client is trusted; and

delivering the requested data in encrypted form if the client is untrusted.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for transparently encrypting (and decrypting) sensitive data stored in a directory (or other database) is provided. Sensitive data, a password for example, may be required by a client in a distributed data processing environment. When the database entry is created, the sensitive data received from a user, or more generally, a client, may be encrypted, and saved in the directory entry in encrypted form. Encryption of sensitive data may be performed in accordance with a predetermined set of policies. When the sensitive information is needed, it may be selectively delivered in encrypted or unencrypted form based on a policy in the set. Policies may include criteria external to the database, and interfaced to the database via a policy engine.

227 Citations

11 Claims

1. A computer program product embodied in a tangible medium of expression comprising programming instructions, operable by a directory service that provides a central repository for information about system resources and users available in a data processing system, for:
- receiving a directory message requesting data that is maintained by the directory service;
  
  determining if the requested data is stored in encrypted form in a database maintained by the directory service, wherein the database comprises a directory and the requested data comprises an attribute value corresponding to an attribute of a directory object maintained in the directory;
  
  determining if, in response to a policy corresponding to the requested data, a receiver is a trusted client, wherein the policy corresponding to the requested data specifies (i) whether the attribute may be accessed and (ii) a manner of accessing the attribute;
  
  delivering the requested data in unencrypted form if the client is trusted; and
  
  delivering the requested data in encrypted form if the client is untrusted.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer program product of claim 1 wherein the data is encrypted using a client-specific key as specified by the policy corresponding to the requested data.
  - 3. The computer program product of claim 2 further comprising programming instructions for:
    - retrieving the client-specific key from a keystore, if the client is a trusted client; and
      
      decrypting the requested data stored in encrypted form.
  - 4. The computer program product of claim 1 further comprising programming instructions for:
    - receiving data for storage in the database;
      
      determining, in response to a policy corresponding to the received data, one of an encrypted and unencrypted form of storage of the received data; and
      
      if the form of storage of the received data is determined to be the encrypted form, encrypting the received data in response to an encryption key based on the policy corresponding to the received data.
  - 5. The computer program product of claim 4 wherein the database further comprises a schema that defines (i) types of the objects entries that can be stored in the database and (ii) a list of attribute types of each object type, and wherein each of the object entries is associated with an object class and each of the object entries are an instantiation of an object class as defined by the schema.
  - 6. The computer program product of claim 4 wherein at least one of the policy corresponding to the received data and the policy corresponding to the requested data comprises criteria external to the database, the criteria external to the database including a network address that is usable to identify whether a network is trusted.

7. A data processing system comprising:
- protocol engine circuitry operable for receiving data for storage in a database, the database comprising a plurality of object entries representing users, systems and system resources, wherein each object entry of the plurality of object entries comprises an associated attribute value pertaining to the object entity, and the received data is one such attribute value that pertains to one of the object entries;
  
  data access circuitry, coupled to the protocol engine circuitry, and operable for determining, as determined by a policy engine coupled to the data access circuitry and based on a policy corresponding to the received data, one of an encrypted and unencrypted form of storage of the received data;
  
  encrypting circuitry operable for, if the form of storage of the received data is the encrypted form, encrypting the received data using an encryption key that is based on the policy corresponding to the received data;
  
  receiving circuitry for receiving a request for the data;
  
  circuitry operable for determining if the requested data is stored in encrypted form in the database;
  
  circuitry operable for determining if, in response to a policy corresponding to the requested data, a receiver is a trusted client;
  
  circuitry operable for delivering the requested data in unencrypted form if the client is trusted; and
  
  circuitry operable for delivering the requested data in encrypted form if the client is untrusted.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The data processing system of claim 7 wherein the data is encrypted using a client-specific key, and further comprising:
    - circuitry for determining if a network coupling the receiver to the database is trusted;
      
      circuitry, responsive to the determination that both the network is trusted and the client is trusted, for (i) retrieving the client-specific key from a keystore, (ii) decrypting the requested data stored in encrypted form using the client-specific key, and (iii) delivering the requested data in unencrypted form.
  - 9. The data processing system of claim 7 wherein the database further comprises a schema that defines (i) types of the objects entries that can be stored in the database and (ii) a list of attribute types of each object type, and wherein each of the object entries is associated with an object class and each of the object entries are an instantiation of an object class as defined by the schema.
  - 10. The data processing system of claim 9 wherein the database comprises a directory and the received data comprises an attribute value corresponding to an attribute of a directory object.
  - 11. The data processing system of claim 9 wherein at least one of the policy corresponding to the received data and the policy corresponding to the requested data comprises criteria external to the database, the criteria external to the database including a network address that is usable to identify whether a network is trusted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
McCarty, Richard James
Primary Examiner(s)
Hoffman; Brandon S

Application Number

US12/126,420
Publication Number

US 20080235759A1
Time in Patent Office

760 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/10 Protecting distributed prog...

Computer program products and systems for transparent data encryption and decryption

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

227 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Computer program products and systems for transparent data encryption and decryption

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links