Field level data protection for cloud services using asymmetric cryptography

US9965645B2 · US · B2

Patent metadata

Field               Value
Publication number  US-9965645-B2
Application number  US-201615153439-A
Country             US
Kind code           B2
Filing date         May 12, 2016
Priority date       Sep 18, 2013
Publication date    May 8, 2018
Grant date          May 8, 2018

Abstract

Official abstract text for this publication.

Systems, apparatuses, and methods for providing data security for data that is stored in a cloud-level platform. In one embodiment, each session is associated with specific session “keys” for use in encrypting and decrypting data. The session specific keys are generated by a client application and the client public key of a public/private key pair is provided to the cloud platform as part of a user authentication process. If the user is properly authenticated, then the platform creates its own set of keys and sends the server public key of a public/private key pair to the client. When the client requests a data record or document, the platform can determine if the user is authorized to have access to the entire data record or document or only to certain fields or portions of the record or document. Based on that determination, the platform may selectively encrypt certain fields or portions of the record or document with the client public key.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for improving the performance of a computing platform, the method comprising: receiving a first electronic communication from a remote computing device requesting access to a data record having a plurality of elements stored in a data storage element of the platform, the first electronic communication including authentication data corresponding to a user of the remote computing device, wherein the authentication data comprises a key for the remote computing device, the key being: (i) specific to a communication session related to the first electronic communication, and (ii) different from a subsequent key for the remote computing device included in the authentication data corresponding to the user as part of a different communication session; analyzing the key to determine that the user is authorized to access some but not all of the plurality of elements of the data record requested as part of the first electronic communication; generating a second electronic communication to the remote computing device that includes an encrypted version of the requested data record, wherein the encrypted version includes: (i) a first portion of the plurality of elements included in the data record requested by the remote computing device that is encrypted using the key for the remote computing device to enable the remote computing device to decrypt the first portion of the plurality of the elements, and (ii) a second portion of the plurality of elements included in the data record requested by the remote computing device that is encrypted differently than the first portion to prevent the remote computing device from decrypting the second portion of the plurality of elements.

2. The method of claim 1, further comprising: accessing the data record from the data storage element; and decrypting the first portion of the plurality of elements of the data record prior to generating the second electronic communication.

3. The method of claim 1, wherein analyzing the authentication data further comprises: verifying the authentication data against a database of users' authentication data; and identifying the first portion of the plurality of elements in the requested data record that the user is authorized to access.

4. The method of claim 1, wherein analyzing the authentication data further comprises: determining a user's role in an organization based on the authentication data; and determining the first portion of the plurality of elements in the requested data record that the user is authorized to access based on the user's role.

5. The method of claim 1, wherein the key received as part of the authentication data is a first public key that is part of a first public/private key pair; and the second portion of the plurality of elements in the requested data record is encrypted using a second public key of a second public/private key pair.

6. The method of claim 1, wherein the first portion of the plurality of elements comprises data contained in a data field of the data record.

7. A multi-tenant computing service platform, comprising: an electronic processor programmed to execute a set of instructions; a data storage element in which the set of instructions are stored and in which data records are stored, wherein when executed by the processor the set of instructions cause the platform to be configured to receive a first electronic communication from a remote computing device requesting access to a data record having a plurality of elements stored in the data storage element, the first electronic communication including authentication data corresponding to a user of the remote computing device, wherein the authentication data comprises a key for the remote computing device, the key being: (i) specific to a communication session related to the first electronic communication, and (ii) different from a subsequent key for the remote computing device included in the authentication data corresponding to the user as part of a different communication session; analyze the key to determine that the user is authorized to access some but not all of the plurality of elements of the data record requested as part of the first electronic communication; generate a second electronic communication to the remote computing device that includes an encrypted version of the requested data record wherein the encrypted version includes: (i) a first portion of the plurality of elements included in the data record requested by the remote computing device that is encrypted using the key for the remote computing device to enable the remote computing device to decrypt the first portion of the plurality of the elements, and (ii) a second portion of the plurality of elements included in the data record requested by the remote computing device that is encrypted differently than the first portion to prevent the remote computing device from decrypting the second portion of the plurality of elements.

8. The multi-tenant computing service platform of claim 7, wherein the multi-tenant computing service platform is further configured to: access the data record from the data storage element; and decrypt the first portion of the plurality of elements of the data record prior to generating the second electronic communication.

9. The multi-tenant computing service platform of claim 7, wherein the data storage element comprises a database.

10. The multi-tenant computing service platform of claim 7, further configured to: receive the key as part of the authentication data as a first public key that is part of a first public/private key pair for the remote computing device; and encrypt the second portion of the plurality of elements in the requested data record using a second public key of a second public/private key pair.

11. The multi-tenant computing service platform of claim 7, wherein the first portion of the plurality of elements comprises data contained in a data field of the data record.

12. A method comprising: sending a first electronic communication from a client computing device to a remote multi-tenant computing platform requesting access to a data record having a plurality of elements stored in a data storage of a multi-tenant computing platform, the first electronic communication including authentication data corresponding to a user of the client computing device, wherein the authentication data comprises a key for the client computing device, the key being: (i) specific to a communication session related to the first electronic communication, and (ii) different from a subsequent key for the client computing device included in the authentication data corresponding to the user as part of a different communication session; receiving at the client computing device a second electronic communication from the multi-tenant computing platform that includes an encrypted version of the requested data record, wherein the encrypted version includes: (i) a first portion of the plurality of elements that is encrypted using the key for the client computing device to enable the client computing device to decrypt the first portion of the plurality of elements, and (ii) a second portion of the plurality of elements that is encrypted differently than the first portion to prevent the client computing device from decrypting the second portion of the plurality of elements; and decrypting the first portion of the plurality of elements.

13. The method of claim 12, wherein: the key is a public key of a public/private encryption key pair that is sent to the multi-tenant computing platform; and the first portion of the plurality of elements is decrypted using a private key
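The flow the abstract and claims above describe, carried through end to end as an added worked example in Go. This code is written for this page; it is not Netsuite's implementation and nothing in it comes from the patent's description. The choice of RSA-OAEP for each field, the role policy, the user directory, the sample record and the user names are all constructed assumptions. It covers the per-session client key presented during authentication (claim 1), the platform's own key pair whose public half is returned to the client (abstract, claims 5 and 10), role-based selection of the readable fields (claim 4), and the "encrypted differently" second portion, realized here by encrypting withheld fields under the platform's own public key so that the client's attempt to decrypt them fails.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// rolePolicy is a constructed sample policy: the fields each role may read.
var rolePolicy = map[string]map[string]bool{
	"clerk":   {"customer": true, "order_total": true},
	"auditor": {"customer": true, "order_total": true, "ssn": true},
}

// Platform is the cloud side: user directory, record store, server key pair and each user's session key.
type Platform struct {
	serverKey *rsa.PrivateKey
	roles     map[string]string // user -> role (constructed directory)
	sessions  map[string]*rsa.PublicKey
	store     map[string]map[string]string
}

func mustKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func NewPlatform() *Platform {
	return &Platform{
		serverKey: mustKey(),
		roles:     map[string]string{"alice": "clerk", "bob": "auditor"},
		sessions:  map[string]*rsa.PublicKey{},
		store: map[string]map[string]string{"order-1": { // constructed sample record
			"customer": "Ada Lovelace", "order_total": "42.00", "ssn": "000-00-0000"}},
	}
}

// Authenticate binds the client's session public key to a known user and returns the server's public key.
func (p *Platform) Authenticate(user string, clientPub *rsa.PublicKey) (*rsa.PublicKey, error) {
	if _, ok := p.roles[user]; !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	p.sessions[user] = clientPub
	return &p.serverKey.PublicKey, nil
}

// Fetch (claim 1): readable fields go under the client's session key, the rest under the server's key.
func (p *Platform) Fetch(user, recordID string) (map[string][]byte, error) {
	clientPub, ok := p.sessions[user]
	rec, found := p.store[recordID]
	if !ok || !found {
		return nil, fmt.Errorf("no session for %q or no record %q", user, recordID)
	}
	allowed, out := rolePolicy[p.roles[user]], map[string][]byte{}
	for name, value := range rec {
		pub := &p.serverKey.PublicKey
		if allowed[name] {
			pub = clientPub
		}
		// RSA-OAEP with the field name as label ties each ciphertext to its field.
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(value), []byte(name))
		if err != nil {
			return nil, err
		}
		out[name] = ct
	}
	return out, nil
}

// Client holds one session's key pair; a new Client per session gives the per-session key of claim 1.
type Client struct{ key *rsa.PrivateKey }

func NewClient() *Client { return &Client{key: mustKey()} }

// Decrypt returns the readable fields and marks the withheld ones, whose OAEP decryption fails.
func (c *Client) Decrypt(enc map[string][]byte) (map[string]string, map[string]bool) {
	readable, withheld := map[string]string{}, map[string]bool{}
	for name, ct := range enc {
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.key, ct, []byte(name))
		if err != nil {
			withheld[name] = true
			continue
		}
		readable[name] = string(pt)
	}
	return readable, withheld
}

func main() {
	p, c := NewPlatform(), NewClient()
	p.Authenticate("alice", &c.key.PublicKey) // alice is a constructed clerk
	enc, err := p.Fetch("alice", "order-1")
	if err != nil {
		panic(err)
	}
	fmt.Println(c.Decrypt(enc)) // map[customer:Ada Lovelace order_total:42.00] map[ssn:true]
}
```

Two points a practitioner would check. The authorization decision is made entirely on the platform side from the user directory and the role policy; the client's key only determines who can read the released portion, and nothing the client sends is trusted as a statement of its own rights. The client still receives the field names and ciphertext lengths of the withheld portion, which can themselves be sensitive in real data. The example encrypts each short field value directly with RSA-OAEP for brevity; the patent's primary CPC class (H04L63/045) is hybrid encryption, and for fields of arbitrary length a real implementation would encrypt each field with a fresh symmetric key and wrap only that key under the session public key.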

Assignees

Netsuite Inc

Inventors

Classifications

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30) · CPC title

  • Entity profiles · CPC title

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title

  • H04L63/045 (primary)

    wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption (cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms H04L9/14) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Netsuite Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/045. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 8, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).