Protection of encryption keys in a database
First Claim
1. A method for protecting encryption keys in a database, comprising:
- receiving a first password at a database server from a first individual entity, wherein said database server is associated with said database;
receiving a second password at said database server from a second individual entity;
generating, by at least one microprocessor, a first key, wherein said first key is protected using said first password;
generating a second key, wherein said second key is protected using said second password;
encrypting a third key using said second key to generate an encrypted third key, said third key being included in said encryption keys of said database; and
encrypting said encrypted third key using said first key, wherein use of said third key requires said first password to be provided to said database server by said first individual entity and said second password to be provided to said database server by said second individual entity, said first password being received at said database server separately and independently of said second password, said first individual entity being different and independent from said second individual entity, and said database server enforcing ownership of said first key by said first individual entity and enforcing ownership of said second key by said second individual entity.
1 Assignment
0 Petitions
Accused Products
Abstract
System, method, computer program product embodiments and combinations and sub-combinations thereof for protection of encryption keys in a database are described herein. An embodiment includes a master key and a dual master key, both of which are used to encrypt encryption keys in a database. To access encrypted data, the master key and dual master key must be supplied to a database server by two separate entities, thus requiring dual control of the master and dual master keys. Furthermore, passwords for the master and dual master keys must be supplied separately and independently, thus requiring split knowledge to access the master and dual master keys. In another embodiment, a master key and a key encryption key derived from a user password is used for dual control. An embodiment also includes supplying the secrets for the master key and dual master key through server-private files.
65 Citations
24 Claims
-
1. A method for protecting encryption keys in a database, comprising:
-
receiving a first password at a database server from a first individual entity, wherein said database server is associated with said database; receiving a second password at said database server from a second individual entity; generating, by at least one microprocessor, a first key, wherein said first key is protected using said first password; generating a second key, wherein said second key is protected using said second password; encrypting a third key using said second key to generate an encrypted third key, said third key being included in said encryption keys of said database; and encrypting said encrypted third key using said first key, wherein use of said third key requires said first password to be provided to said database server by said first individual entity and said second password to be provided to said database server by said second individual entity, said first password being received at said database server separately and independently of said second password, said first individual entity being different and independent from said second individual entity, and said database server enforcing ownership of said first key by said first individual entity and enforcing ownership of said second key by said second individual entity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A database server configured to protect encryption keys in a database, comprising:
-
a microprocessor; and a memory in communication with said microprocessor, said memory storing a plurality of processing instructions, wherein said plurality of instructions direct said microprocessor to; receive a first password at said database server from a first individual entity; receive a second password at said database server from a second individual entity; generate a first key, wherein said first key is protected using said first password; generate a second key, wherein said second key is protected using said second password; encrypt a third key using said second key to generate an encrypted third key, said third key being included in said encryption keys of said database; and encrypt said encrypted third key using said first key, wherein use of said third key requires said first password to be provided to said database server by said first individual entity and said second password to be provided to said database server by said second individual entity, said first password being received at said database server separately and independently of said second password, said first individual entity being different and independent from said second individual entity, and said database server enforcing ownership of said first key by said first individual entity and enforcing ownership of said second key by said second individual entity. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A non-transitory computer program product having control logic stored therein, said control logic enabling a microprocessor to protect encryption keys in a database according to a method, said method comprising:
-
receiving a first password at a database server from a first individual entity, wherein said database server is associated with said database; receiving a second password at said database server from a second individual entity; generating a first key, wherein said first key is protected using said first password; generating a second key, wherein said second key is protected using said second password; encrypting a third key using said second key to generate an encrypted third key, said third key being included in said encryption keys of said database; and encrypting said encrypted third key using said first key, wherein use of said third key requires said first password to be provided to said database server by said first individual entity and said second password to be provided to said database server by said second individual entity, said first password being received at said database server separately and independently of said second password, said first individual entity being different and independent from said second individual entity, and said database server enforcing ownership of said first key by said first individual entity and enforcing ownership of said second key by said second individual entity.
-
Specification