WO2006006931A1 - Storing of metadata - Google Patents
- Publication number
- WO2006006931A1 (PCT/SE2005/001141)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- information
- metadata
- encryption
- encryption key
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04K—SECRET COMMUNICATION; JAMMING OF COMMUNICATION
- H04K1/00—Secret communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
Definitions
- the present invention relates to a method and a database for decrypting stored encrypted information in the form of computer records in the database.
- each computer record in the stored information is coupled with a record database, in a database other than the database in which the information that it is intended to protect is stored, in which processing rules for the protected information are described.
- the encryption key is considered to be an attribute in the record database, whereby the stored information is represented by one entry in the record database.
- the present invention concerns decryption of stored encrypted information in the form of records in a database.
- the solution according to the invention is based on processing rules for computer records being stored together with the stored information.
- the invention comprises the identification of a key by a "key token", which is subsequently translated into an active key by looking it up in a key dictionary.
- the stored information according to the present invention is represented by a protected object that has authorisation links to the key via metadata, which determines whether a user may use the key or not.
- a method for at least one of decryption and encryption of stored encrypted information in the form of computer records in a database is specified. Metadata is stored together with the information content of a computer record, whereby the metadata controls processing of information in the computer record in that the information is limited by access rules defined by protected objects that are intended for decryption, whereby the protected objects are linked to the metadata.
- metadata comprises a key token, which is used for access to a cryptographic algorithm and an encryption key in an encryption key dictionary for storage of the same.
- a second embodiment comprises the use of the key token for translation to the cryptographic algorithm and an encryption key on the occasion on which processing of the data is carried out.
- a further embodiment specifies that access to the encryption key is limited by at least one protected object that is linked to the symbolic key and to the user of the encrypted information in the computer record.
- a processing of protected information that is initiated by a user and which activates metadata; a request is sent to an encryption key dictionary with the symbolic key as identification; the encryption key in the encryption key dictionary is linked to at least one protected object; access rights to the protected object are checked for the user of the encrypted content of the computer record; if the user has the right of access, the symbolic key in the metadata is replaced by the encryption algorithm and encryption key; and that the encryption process is carried out with the content of the metadata as controlling parameters.
- the encryption key dictionary is a table/dictionary comprising key symbols of metadata constituting the symbolic key.
- unprotected information is stored together with encrypted information.
- name and address for personal information is unprotected in a further embodiment, while civil registration numbers are encrypted according to the present invention.
- the present invention specifies a database with stored encrypted information in the form of computer records. Metadata is stored together with the information content in a computer record, whereby metadata controls the processing of information in the computer record through information being limited by access rules that are defined by the protected object intended to be decrypted, whereby the protected object is linked with the metadata.
- the database according to the present invention also allows the storage of information according to the embodiments of the methods described above through the attached dependent claims.
- Figure 1 illustrates in one embodiment how a group of users and an individual person obtain access to encrypted information stored in a database according to the present invention.
- each record in the stored information is linked to a record database in another database that describes processing rules.
- the present invention is built upon the storage of the processing rules together with the stored information.
- the key is regarded as an attribute in the record database.
- the stored information is represented by an entry in the record database.
- the stored information is represented by a protected object that has authorisation links via metadata to the key. This determines whether a person is authorised to use the key or not.
- Figure 1 illustrates in one embodiment how a group of users 12 and an individual person 14 obtain access to encrypted information stored in a database with respect to a computer record 20 stored in a database
- the database 10 comprises in one embodiment at least one protected object 16, which in itself comprises a set of confidential objects 1 and 2; a key look-up dictionary 18 and computer records 20 concerning some form of confidential information.
- the protected object 16 and the key dictionary may in a second embodiment exist outside of the database 10.
- a computer record constitutes according to the present invention something that has a known significance, for example a car registration, name, address, civic registration number and other items with a known significance.
- the computer record contains metadata and the encrypted original value ABCDF ..., see Figure 1.
- the protected object 16 constitutes a link between the key token and users.
- Several protected objects 16 may be present in the database 10, there may for example be one protected object for a personnel administration system and a second for a customer list.
- the area of application determines the protected objects 16 to which a user 12, 14 has access.
- Confidential objects are present in the protected object 16 in the database 10 with respect to access authorisation to computer records 20 for the users in the form of the personnel 12 and the individual user 14.
- Empty boxes in the protected object 16 specify that there is no pre-determined limit to the number of confidential objects in the protected object 16.
- the security object may contain, for example, confidential objects for several users/personnel 12 and individual persons 14.
- the confidential objects 1 and 2 contain principally information about limitations on their use, for example, that a confidential object may only be used during the daytime, between 8:00 and 17:00, Monday to Friday.
- access to the information in a computer record 20 is controlled through the confidentiality objects in the protected object 16, through, for example, the user 12, 14 of the information being allowed all or any one of read/write/delete (R/W/D), execution, and other known processing methods for information in the computer record 20.
- the term "access control" is here used to denote the granting of authorisation to the user 12, 14 to use an encryption key/an active key for a certain purpose, such as, for example, using it to decrypt or encrypt information in computer records 20, whereby access control results in the key being granted or in the generation of an error message.
- access control is exercised in an organisation over personnel 12 that use the database 10 and over an individual person 14, such as, for example, the superior of the personnel 12, for processing of information in the computer records 20.
- the personnel 12 and the individual person 14 may have different log-in authorisation for R/W/D, for execution, or for other known data processing methods for the information in the records 20 in the form of confidential objects 1 and 2.
- the individual person 14, as superior, has in one embodiment other access rules than those of the personnel 12, which allow access to confidential information.
- when a member of the personnel 12 seeks access to confidential information following successful identity confirmation via the protected object 16, this member still cannot automatically read the information in the computer record 20 that stores, for example, confidential information about a person.
- Metadata is stored in the computer record in its main field, which precedes the actual confidential information ABCDF ... to which the personnel 12 or the individual person 14 seek access for processing.
- the metadata is used by the user when he or she has gained access to the encryption algorithm, such as, for example, AES (Advanced Encryption Standard) or other known encryption algorithm, and the encryption key.
- the metadata controls the processing in such a manner that it consists of, among other functions:
- the protected object 16 acts as a link between the encryption key that is comprised within a key token 100 in a key dictionary 18 according to the present invention and users 12, 14.
- the key token 100 is included in the metadata of the computer record 20, which key token thus has information concerning the location in the database 10, or storage units connected to it, from which the encryption key is to be retrieved.
- Access to information ABCDF ... is specified in one embodiment according to the present invention in the following manner through a method and a database 10.
- the method according to the present invention concerns those operations that are generated in order to ensure encryption of information stored in databases 10.
- the method is built upon metadata, encryption parameters and key tokens being stored together with the information content and where the metadata controls the processing of the information in the computer record 20.
- the user 12, 14 of the stored information is limited by access rules defined by protected objects 16 linked to the metadata.
- Metadata is at least one of data and information about other data or about other information.
- the method comprises the addition of metadata to every computer record 20 that is to be protected by encryption, which metadata controls the processing of the protected contents of the computer record 20.
- the key may not be stored together with the encrypted value for reasons of security.
- the key is instead represented by a symbolic key that is used to translate into an encryption algorithm and an encryption key on the occasion of the actual processing. Access to the key is limited by one or several protected objects 16 that are linked to the symbolic key and to the user 12, 14 of the protected contents of the computer record
- the encryption key (12Ae45GUYTb) in the key dictionary is linked to one or several protected objects 16. Access rights to the protected object 16 are checked for the user of the protected contents of the computer record 20.
- Encryption processing is carried out with the contents of the metadata as controlling parameters.
- the fields of the computer record 20 with the symbolic key 100 in the metadata are coupled with the key token 100 in the key dictionary 18, whereby the confidential objects 1 and 2 find the key token 100 in the key dictionary with the aid of the following procedure.
- the user 12, 14 requests access to information 20 with the aid of the identity of a confidential object 16.
- the computer record 20 is read, whereby the key token that is included in the metadata is retrieved.
- the symbolic key is sent together with the identity of the confidential object to the key dictionary 18. Processing in the key dictionary is carried out in two steps:
- the user of information 20 has through access to the encryption algorithm and encryption key now achieved the possibility of decrypting the information 20.
- Means in the present invention may consist of software or hardware or a combination of the same, known to one skilled in the arts in the technical area. Furthermore, it is the attached claims that specify the scope of protection for one skilled in the arts.
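
The key-token lookup described above, as an added Python sketch that is not code from the patent. The class names, the token `KT-100`, the users, the protected object names and the key bytes are constructed for illustration, and the order of the checks inside the key dictionary is an assumption, since the page does not list the two steps.

```python
from dataclasses import dataclass
from datetime import datetime, time


class AccessDenied(Exception):
    """Raised instead of releasing a key (the 'error message' outcome)."""


@dataclass(frozen=True)
class ConfidentialObject:
    """Usage limits for one user: allowed operations and a time window."""
    user: str
    operations: frozenset                      # subset of {"R", "W", "D"}
    weekdays: frozenset = frozenset(range(5))  # Monday=0 .. Friday=4
    start: time = time(8, 0)
    end: time = time(17, 0)

    def permits(self, user, operation, when):
        return (user == self.user and operation in self.operations
                and when.weekday() in self.weekdays
                and self.start <= when.time() < self.end)


@dataclass
class ProtectedObject:
    """Link between key tokens and users, e.g. one per application area."""
    name: str
    confidential_objects: list

    def allows(self, user, operation, when):
        return any(c.permits(user, operation, when)
                   for c in self.confidential_objects)


@dataclass
class KeyEntry:
    algorithm: str
    key: bytes
    protected_objects: frozenset  # names of protected objects linked to the key


class KeyDictionary:
    """Translates a key token into (algorithm, key) after an access check."""

    def __init__(self, entries, protected_objects):
        self._entries = entries
        self._protected = {p.name: p for p in protected_objects}

    def resolve(self, key_token, protected_object, user, operation, when):
        entry = self._entries.get(key_token)
        po = self._protected.get(protected_object)
        # Assumed first check: the key must be linked to the named protected object.
        if entry is None or po is None or po.name not in entry.protected_objects:
            raise AccessDenied("key not available")
        # Assumed second check: the user's rights in that protected object.
        if not po.allows(user, operation, when):
            raise AccessDenied("key not available")
        return entry.algorithm, entry.key


def request_key(record, key_dictionary, protected_object, user, operation, when):
    """Read the key token from the record's metadata and resolve it."""
    token = record["metadata"]["key_token"]
    return key_dictionary.resolve(token, protected_object, user, operation, when)


# Constructed sample data: the record stores only the token, never the key.
SAMPLE_KEY = bytes(range(16))
RECORD = {"metadata": {"key_token": "KT-100"}, "value": b"ABCDF..."}
HR = ProtectedObject("personnel-admin", [
    ConfidentialObject("staff", frozenset({"R"})),
    ConfidentialObject("superior", frozenset({"R", "W", "D"})),
])
CUSTOMERS = ProtectedObject("customer-list",
                            [ConfidentialObject("staff", frozenset({"R"}))])
KEY_DICT = KeyDictionary(
    {"KT-100": KeyEntry("AES", SAMPLE_KEY, frozenset({"personnel-admin"}))},
    [HR, CUSTOMERS])
```

Returning the same error for an unknown token, an unlinked protected object and a failed rights check keeps the key dictionary from revealing which tokens exist.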
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE0401841A SE527925C2 (en) | 2004-07-09 | 2004-07-09 | Procedure for decryption and database of encrypted data information |
SE0401841-2 | 2004-07-09 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006006931A1 (en) | 2006-01-19 |
Family
ID=32867226
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SE2005/001141 WO2006006931A1 (en) | 2004-07-09 | 2005-07-08 | Storing of metadata |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN101057433A (en) |
SE (1) | SE527925C2 (en) |
WO (1) | WO2006006931A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008037605A1 (en) * | 2006-09-27 | 2008-04-03 | International Business Machines Corporation | Encrypting and decrypting database records |
CN101587479B (en) * | 2008-06-26 | 2011-04-13 | 北京人大金仓信息技术股份有限公司 | Database management system kernel oriented data encryption/decryption system and method thereof |
US8340297B2 (en) * | 2006-05-12 | 2012-12-25 | Samsung Electronics Co., Ltd. | Method and apparatus for efficiently providing location of contents encryption key |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5661799A (en) * | 1994-02-18 | 1997-08-26 | Infosafe Systems, Inc. | Apparatus and storage medium for decrypting information |
SE506853C2 (en) * | 1996-06-20 | 1998-02-16 | Anonymity Prot In Sweden Ab | Method of data processing |
US5757908A (en) * | 1994-04-25 | 1998-05-26 | International Business Machines Corporation | Method and apparatus for enabling trial period use of software products: method and apparatus for utilizing an encryption header |
-
2004
- 2004-07-09 SE SE0401841A patent/SE527925C2/en not_active IP Right Cessation
-
2005
- 2005-07-08 WO PCT/SE2005/001141 patent/WO2006006931A1/en active Application Filing
- 2005-07-08 CN CN 200580030086 patent/CN101057433A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5661799A (en) * | 1994-02-18 | 1997-08-26 | Infosafe Systems, Inc. | Apparatus and storage medium for decrypting information |
US5757908A (en) * | 1994-04-25 | 1998-05-26 | International Business Machines Corporation | Method and apparatus for enabling trial period use of software products: method and apparatus for utilizing an encryption header |
SE506853C2 (en) * | 1996-06-20 | 1998-02-16 | Anonymity Prot In Sweden Ab | Method of data processing |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8340297B2 (en) * | 2006-05-12 | 2012-12-25 | Samsung Electronics Co., Ltd. | Method and apparatus for efficiently providing location of contents encryption key |
KR101352513B1 (en) | 2006-05-12 | 2014-01-20 | 삼성전자주식회사 | Method and apparatus for providing efficiently the location of contents encryption key |
WO2008037605A1 (en) * | 2006-09-27 | 2008-04-03 | International Business Machines Corporation | Encrypting and decrypting database records |
US7904732B2 (en) | 2006-09-27 | 2011-03-08 | Rocket Software, Inc. | Encrypting and decrypting database records |
CN101587479B (en) * | 2008-06-26 | 2011-04-13 | 北京人大金仓信息技术股份有限公司 | Database management system kernel oriented data encryption/decryption system and method thereof |
Also Published As
Publication number | Publication date |
---|---|
SE527925C2 (en) | 2006-07-11 |
SE0401841D0 (en) | 2004-07-09 |
CN101057433A (en) | 2007-10-17 |
SE0401841L (en) | 2006-01-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
TWI388183B (en) | System and method for dis-identifying sensitive information and associated records | |
EP0885417B1 (en) | Access control/crypto system | |
US7111005B1 (en) | Method and apparatus for automatic database encryption | |
JP4167300B2 (en) | Data processing method and apparatus | |
KR100269527B1 (en) | Method and system for the secure transmission and storage of protectable information | |
CA2287871C (en) | Secure document management system | |
EP0636259B1 (en) | Cryptographic data security in a secured computer system | |
US7587608B2 (en) | Method and apparatus for storing data on the application layer in mobile devices | |
US7487366B2 (en) | Data protection program and data protection method | |
KR101296195B1 (en) | A method for controlling access to file systems, related system, SIM card and computer program product for use therein | |
USRE41546E1 (en) | Method and system for managing security tiers | |
US20050004924A1 (en) | Control of access to databases | |
US20090240956A1 (en) | Transparent encryption using secure encryption device | |
US8286001B2 (en) | Method and central processing unit for processing encrypted software | |
JPH09510305A (en) | Data storage device and method | |
AU2002213436A1 (en) | Method and apparatus for automatic database encryption | |
US20070180259A1 (en) | Secure Personal Medical Process | |
EP2027553A1 (en) | Method, system and computer program for securely storing data | |
US20050005128A1 (en) | System for controlling access to stored data | |
WO2006006931A1 (en) | Storing of metadata | |
JPH1124997A (en) | Security method for recording computer generated file and computer readable recording medium to store security program | |
US20040221164A1 (en) | Method for the encryption and decryption of data by various users | |
JP4338185B2 (en) | How to encrypt / decrypt files | |
JPH10340232A (en) | File copy preventing device, and file reader | |
US9152636B2 (en) | Content protection system in storage media and method of the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DPEN | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101) | ||
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 200580030086.1 Country of ref document: CN |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSANT TO RULE 69(1) EPC OF 05-06-2007 |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 05756944 Country of ref document: EP Kind code of ref document: A1 |