WO2006006931A1 - Storing of metadata - Google Patents

Publication number
WO2006006931A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
information
metadata
encryption
encryption key
Prior art date
Application number
PCT/SE2005/001141
Other languages
French (fr)
Inventor
Kent SÖDERSTRÖM
Original Assignee
Infinisec Holding Ab
Priority date
Filing date
Publication date
Application filed by Infinisec Holding Ab

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K1/00 Secret communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution

Abstract

The invention concerns a method for the decryption of encrypted information stored in the form of computer records (20) in a database (10). Metadata is stored together with the information content of a computer record, whereby metadata controls the processing of information in the computer records (20) through information being limited by access rules that are defined by protected objects (16) intended for decryption, whereby the protected objects (16) are linked to metadata.

Description

Title
Storing of metadata
Technical Area
The present invention relates to a method and a database for decrypting stored encrypted information in the form of computer records in the database.
The Prior Art
As is specified in prior art technology through the Swedish patent with publication number SE-C2-506 853, there is a need for increased protection against unauthorised intrusion into such items as computer databases for the protection of the integrity of individuals when personal databases, for example, are created. The Government has introduced restrictions against the correlation of personal databases in order to prevent uncontrolled registration of personal information. There is for this reason a requirement within business, the armed forces, the banking system, the insurance system, the police authorities, and other institutions and organisations that deal with sensitive personal information and other information that is subject to confidentiality restrictions, for protection against intrusion of databases used for such purposes.
In the patent that has the publication number SE-C2-506 853, each computer record in the stored information is coupled with a record database, in a database other than the database in which the information that it is intended to protect is stored, in which processing rules for the protected information are described. The encryption key is considered to be an attribute in the record database, whereby the stored information is represented by one entry in the record database.
There is a requirement to be able to store information and key for at least one of encryption and decryption in a manner that is both more compact and easier to manage, for example, together with the information, without it being possible to obtain the key directly through a record in the database.
Summary of the Invention
The present invention concerns decryption of stored encrypted information in the form of records in a database. The solution according to the invention is based on processing rules for computer records being stored together with the stored information.
Thus, the invention comprises the identification of a key by a "key token", which is subsequently translated into an active key by looking it up in a key dictionary. The stored information according to the present invention is represented by a protected object that has authorisation links to the key via metadata, which determines whether a user may use the key or not. In order to solve the existing problem and to achieve the intended purpose with the present invention, a method for at least one of decryption and encryption of stored encrypted information in the form of computer records in a database is specified. Metadata is stored together with the information content of a computer record, whereby the metadata controls processing of information in the computer record in that the information is limited by access rules defined by protected objects that are intended for decryption, whereby the protected objects are linked to the metadata.
In one embodiment of the method according to the present invention, metadata comprises a key token, which is used for access to a cryptographic algorithm and an encryption key in an encryption key dictionary for storage of the same.
A second embodiment comprises the use of the key token for translation to the cryptographic algorithm and an encryption key on the occasion on which processing of the data is carried out.
A further embodiment specifies that access to the encryption key is limited by at least one protected object that is linked to the symbolic key and to the user of the encrypted information in the computer record.
The following steps are carried out in a further embodiment: a processing of protected information that is initiated by a user and which activates metadata; a request is sent to an encryption key dictionary with the symbolic key as identification; the encryption key in the encryption key dictionary is linked to at least one protected object; access rights to the protected object are checked for the user of the encrypted content of the computer record; if the user has the right of access, the symbolic key in the metadata is replaced by the encryption algorithm and encryption key; and that the encryption process is carried out with the content of the metadata as controlling parameters. One embodiment comprises the case in which the encryption key dictionary is a table/dictionary comprising key symbols of metadata constituting the symbolic key.
In another embodiment, unprotected information is stored together with encrypted information. In addition, the name and address for personal information is unprotected in a further embodiment, while civil registration numbers are encrypted according to the present invention.
Furthermore, the present invention specifies a database with stored encrypted information in the form of computer records. Metadata is stored together with the information content in a computer record, whereby metadata controls the processing of information in the computer record through information being limited by access rules that are defined by the protected object intended to be decrypted, whereby the protected object is linked with the metadata. The database according to the present invention also allows the storage of information according to the embodiments of the methods described above through the attached dependent claims.
Brief Description of the Drawing
The current invention will be described with reference to the attached drawing for a better understanding of the embodiments and examples given of the invention, whereby the only drawing:
Figure 1 illustrates in one embodiment how a group of users and an individual person obtain access to encrypted information stored in a database according to the present invention.
Detailed Description of Preferred Embodiments
As has here been previously described with respect to the Swedish patent with publication number SE-C2-506 853, the following differences exist between SE-C2-506 853 and the present invention:
• In SE-C2-506 853, each record in the stored information is linked to a record database in another database that describes processing rules. The present invention is built upon the storage of the processing rules together with the stored information.
• In SE-C2-506 853, the key is regarded as an attribute in the record database. According to the solution presented by the present invention, this means that the key is identified by a "key token", which is subsequently translated into an active key by look-up in a key dictionary.
• In SE-C2-506 853, the stored information is represented by an entry in the record database. In the solution according to the present invention, the stored information is represented by a protected object that has authorisation links via metadata to the key. This determines whether a person is authorised to use the key or not.
The only attached drawing in the present description, Figure 1, illustrates in one embodiment how a group of users 12 and an individual person 14 obtain access to encrypted information stored in a database with respect to a computer record 20 stored in a database 10 according to the present invention. The database 10 comprises in one embodiment at least one protected object 16, which in itself comprises a set of confidential objects 1 and 2; a key look-up dictionary 18 and computer records 20 concerning some form of confidential information. The protected object 16 and the key dictionary may in a second embodiment exist outside of the database 10.
A computer record constitutes according to the present invention something that has a known significance, for example a car registration, name, address, civic registration number and other items with a known significance. The computer record contains metadata and the encrypted original value ABCDF ..., see Figure 1.
With respect to the protected objects, these contain a number of confidential objects. The protected object 16 constitutes a link between the key token and users. Several protected objects 16 may be present in the database 10; there may, for example, be one protected object for a personnel administration system and a second for a customer list. The area of application determines the protected objects 16 to which a user 12, 14 has access.
Confidential objects are present in the protected object 16 in the database 10 with respect to access authorisation to computer records 20 for the users in the form of the personnel 12 and the individual user 14. In order to give a clear overview, these are, as an example only, stored in two records in the form of confidential objects 1 and 2. Empty boxes in the protected object 16 specify that there is no pre-determined limit to the number of confidential objects in the protected object 16. The security object may contain, for example, confidential objects for several users/personnel 12 and individual persons 14. The confidential objects 1 and 2 contain principally information about limitations on their use, for example, that a confidential object may only be used during the daytime, between 8:00 and 17:00, Monday to Friday.
For logging in and processing of the information, here denoted as ABCDF ..., in the computer record 20, access to the information in a computer record 20 is controlled through the confidentiality objects in the protected object 16, through, for example, the user 12, 14 of the information being allowed all or any one of read/write/delete (R/W/D), execution, and other known processing methods for information in the computer record 20. The term "access control" is here used to denote the granting of authorisation to the user 12, 14 to use an encryption key/an active key for a certain purpose, such as, for example, using it to decrypt or encrypt information in computer records 20, whereby access control results in the key being granted or in the generation of an error message.
Here, in the example according to Figure 1, access control is exercised in an organisation over personnel 12 that use the database 10 and over an individual person 14, such as, for example, the superior of the personnel 12, for processing of information in the computer records 20. The personnel 12 and the individual person 14 may have different log-in authorisation for R/W/D, for execution, or for other known data processing methods for the information in the records 20 in the form of confidential objects 1 and 2. The individual person 14, as superior, has in one embodiment other access rules than those of the personnel 12, which allow access to confidential information. When a member of the personnel 12 seeks access to confidential information following successful identity confirmation, via the protected object 16, this member can still not automatically read the information in the computer record 20 that stores, for example, confidential information about a person. There is, in contrast, metadata stored in the computer record in its main field that precedes the actual confidential information ABCDF ... to which the personnel 12 or the individual person 14 seek access for processing. The metadata is used by the user when he or she has gained access to the encryption algorithm, such as, for example, AES (Advanced Encryption Standard) or other known encryption algorithm, and the encryption key. The metadata controls the processing in such a manner that it consists of, among other functions:
1. describing the data format under which the protected records are stored
2. denoting whether an initial vector (IV) is used
3. denoting whether the information has been compressed
4. denoting whether an integrity check is to be carried out on the encrypted contents.
The protected object 16 acts as a link between the encryption key that is comprised within a key token 100 in a key dictionary 18 according to the present invention and users 12, 14. The key token 100 is included in the metadata of the computer record 20, which key token thus has information concerning the location in the database 10, or storage units connected to it, from which the encryption key is to be retrieved.
Access to information ABCDF ... is specified in one embodiment according to the present invention in the following manner through a method and a database 10. The method according to the present invention concerns those operations that are generated in order to ensure encryption of information stored in databases 10. The method is built upon metadata, encryption parameters and key tokens being stored together with the information content and where the metadata controls the processing of the information in the computer record 20. The user 12, 14 of the stored information is limited by access rules defined by protected objects 16 linked to the metadata. Metadata is at least one of data and information about other data or about other information.
The method comprises the addition of metadata to every computer record 20 that is to be protected by encryption, which metadata controls the processing of the protected contents of the computer record 20. The key may not be stored together with the encrypted value for reasons of security. The key is instead represented by a symbolic key that is used to translate into an encryption algorithm and an encryption key on the occasion of the actual processing. Access to the key is limited by one or several protected objects 16 that are linked to the symbolic key and to the user 12, 14 of the protected contents of the computer record 20.
The processing is carried out in one embodiment according to the following steps:
1. A processing of protected information ABCDF ... initiated by a user 12, 14, which in turn activates metadata.
2. An enquiry is made to a key dictionary 18 with the symbolic key 100 as identification.
3. The encryption key (12Ae45GUYTb ...) in the key dictionary is linked to one or several protected objects 16. Access rights to the protected object 16 are checked for the user of the protected contents of the computer record 20.
4. If right of access has been granted, the symbolic key in the metadata is replaced by the encryption algorithm and encryption key.
5. Encryption processing is carried out with the contents of the metadata as controlling parameters.
The fields of the computer record 20 with the symbolic key 100 in the metadata are coupled with the key token 100 in the key dictionary 18, whereby the confidential objects 1 and 2 find the key token 100 in the key dictionary with the aid of the following procedure. The user 12, 14 requests access to information 20 with the aid of the identity of a confidential object 16. The computer record 20 is read, whereby the key token that is included in the metadata is retrieved. The symbolic key is sent together with the identity of the confidential object to the key dictionary 18. Processing in the key dictionary is carried out in two steps:
1. A check that the user has the right to use the confidential object for this operation and that the key token has a link to the confidential object.
2. Translation of the key token to an encryption algorithm and encryption key.
The user of information 20 has through access to the encryption algorithm and encryption key now achieved the possibility of decrypting the information 20.
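The processing steps and the two-step key dictionary check described above, modelled as an added Python example (it is not code from the patent). The class and field names, the users, the identifiers `co-1`, `co-2`, `token-100` and `token-200`, and the placeholder keys are assumptions made for illustration; the result handed back is the algorithm, key and metadata parameters that the cipher step would consume.

```python
"""Key-token resolution gated by confidential-object rules (illustrative model)."""
from dataclasses import dataclass
from datetime import datetime, time


class AccessDenied(Exception):
    """Raised instead of returning a key; every failure looks the same to the caller."""


@dataclass(frozen=True)
class Metadata:
    key_token: str         # symbolic key stored with the record, never the key itself
    data_format: str       # format under which the protected value is stored
    uses_iv: bool          # whether an initial vector is used
    compressed: bool       # whether the value was compressed
    integrity_check: bool  # whether an integrity check is to be carried out


@dataclass(frozen=True)
class ComputerRecord:
    metadata: Metadata
    ciphertext: bytes


@dataclass(frozen=True)
class ConfidentialObject:
    object_id: str
    users: frozenset
    operations: frozenset                      # subset of {"R", "W", "D"}
    weekdays: frozenset = frozenset(range(5))  # Monday=0 .. Friday=4
    start: time = time(8, 0)
    end: time = time(17, 0)

    def permits(self, user, operation, when):
        """True if this user may perform this operation at this moment."""
        return (user in self.users
                and operation in self.operations
                and when.weekday() in self.weekdays
                and self.start <= when.time() < self.end)


@dataclass
class KeyDictionary:
    keys: dict     # key token -> (algorithm name, key bytes)
    links: dict    # key token -> ids of confidential objects linked to it
    objects: dict  # confidential object id -> ConfidentialObject

    def resolve(self, key_token, object_id, user, operation, when):
        obj = self.objects.get(object_id)
        # Step 1: the user may use the confidential object for this operation,
        # and the key token has a link to that confidential object.
        if obj is None or not obj.permits(user, operation, when):
            raise AccessDenied("access denied")
        if object_id not in self.links.get(key_token, frozenset()):
            raise AccessDenied("access denied")
        if key_token not in self.keys:
            raise AccessDenied("access denied")
        # Step 2: translate the key token into algorithm and key.
        return self.keys[key_token]


def open_record(record, key_dictionary, object_id, user, operation, when):
    """Read the token from the record's metadata and swap it for the active key."""
    meta = record.metadata
    algorithm, key = key_dictionary.resolve(
        meta.key_token, object_id, user, operation, when)
    return {
        "algorithm": algorithm,
        "key": key,
        "data_format": meta.data_format,
        "uses_iv": meta.uses_iv,
        "compressed": meta.compressed,
        "integrity_check": meta.integrity_check,
    }


# Constructed sample data (not from the patent).
SAMPLE_KEY = bytes(range(32))        # placeholder 256-bit key
OTHER_KEY = bytes(range(32, 64))     # placeholder 256-bit key
STAFF = ConfidentialObject("co-1", frozenset({"alice", "bob"}), frozenset({"R"}))
SUPERIOR = ConfidentialObject("co-2", frozenset({"carol"}), frozenset({"R", "W", "D"}))
KEY_DICTIONARY = KeyDictionary(
    keys={"token-100": ("AES", SAMPLE_KEY), "token-200": ("AES", OTHER_KEY)},
    links={"token-100": frozenset({"co-1", "co-2"}),
           "token-200": frozenset({"co-2"})},
    objects={"co-1": STAFF, "co-2": SUPERIOR},
)
RECORD = ComputerRecord(
    Metadata("token-100", "text", True, False, True), b"<encrypted value>")
RECORD_200 = ComputerRecord(
    Metadata("token-200", "text", True, False, True), b"<encrypted value>")

if __name__ == "__main__":
    wednesday = datetime(2024, 3, 6, 10, 0)
    params = open_record(RECORD, KEY_DICTIONARY, "co-1", "alice", "R", wednesday)
    print(params["algorithm"], len(params["key"]) * 8, "bit key granted")
```

A database dump in this model yields only the token and the ciphertext; the key leaves the dictionary only after both checks in `resolve` pass.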
Means in the present invention may consist of software or hardware or a combination of the same, known to one skilled in the arts in the technical area. Furthermore, it is the attached claims that specify the scope of protection for one skilled in the arts.

Claims

1. A method for at least one of decrypting and encrypting encrypted information stored in the form of computer records (20) in a database (10), characterised in that metadata is stored (100) ["(100)" wrongly placed] in the form of a key token together with the information content in a computer record (20), whereby the said metadata (100) controls processing of information in the computer record (20) through the information being limited by access rules defined by protected objects (16) intended for at least one of decryption and encryption, whereby the protected objects (16) are linked to the said metadata.
2. A method according to claim 1, characterised in that the said metadata comprises a key token (100), which is used for access to an encryption algorithm (AES) and an encryption key in an encryption key dictionary (18) for storage of the same.
3. A method according to claim 2, characterised in that the key token (100) is used for the translation to the said encryption algorithm and encryption key on the occasion on which processing of the information is carried out.
4. A method according to either claim 2 or 3, characterised in that access to the encryption key is limited by at least one protected object (16) that is linked to the key token (100) and to the user (12) of the encrypted information in the computer record (20).
5. A method according to any one of claims 2-4, characterised by the following steps: a processing of protected information that is initiated by a user and which activates metadata; a request is sent to an encryption key dictionary with the symbolic key as identification; the encryption key in the encryption key dictionary is linked to at least one protected object; access rights to the protected object are checked for the user of the encrypted content of the computer record; if the user has the right of access, the symbolic key in the metadata is replaced by the said encryption algorithm and encryption key; and that the encryption process is carried out with the content of the metadata as controlling parameters.
6. A method according to either claim 2 or 5, characterised in that the encryption key dictionary is a table comprising key symbols of metadata constituting the said symbolic key.
7. A method according to any one of claims 1-6, characterised in that unprotected information is stored together with encrypted information.
8. A method according to claim 7, characterised in that names and addresses of personal information are unprotected, while civic registration numbers are encrypted.
9. A database (10) with stored encrypted information in the form of computer records (20), characterised in that metadata is stored (100) together with the information content in a computer record (20), whereby the said metadata controls processing of information in the computer record (20) through the information being limited by access rules defined by protected objects (16) intended for decryption, whereby the protected objects (16) are linked to the said metadata.
10. A database according to claim 9, characterised in that the said metadata comprises a key token, which is used for access to an encryption algorithm and an encryption key in a key dictionary (18) for storage of the same.
11. A database according to claim 10, characterised in that the key token is used for the translation to the said encryption algorithm and encryption key on the occasion on which processing of the information is carried out.
12. A database according to either claim 10 or 11, characterised in that access to the encryption key is limited by at least one protected object that is linked to the symbolic key and to the user of the encrypted information in the computer record.
13. A database according to any one of claims 10-12, characterised in that it comprises: means that allow a processing of protected information that is initiated by a user and which activates metadata; means that send a request to an encryption key dictionary with the symbolic key as identification; that the encryption key in the encryption key dictionary is linked to at least one protected object; means for checking access rights to the protected object for the user of the encrypted content of the computer record; means for replacing, if the user has the right of access, the symbolic key in the metadata by the said encryption algorithm and encryption key; and means that carry out the encryption process with the content of the metadata as controlling parameters.
14. A database according to either claim 10 or 13, characterised in that the encryption key dictionary is a table comprising key symbols of metadata constituting the said symbolic key.
15. A database according to any one of claims 9-13, characterised in that unprotected information is stored together with encrypted information.
16. A database according to claim 15, characterised in that names and addresses of personal information are unprotected, while civic registration numbers are encrypted.
PCT/SE2005/001141 2004-07-09 2005-07-08 Storing of metadata WO2006006931A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0401841A SE527925C2 (en) 2004-07-09 2004-07-09 Procedure for decryption and database of encrypted data information
SE0401841-2 2004-07-09

Publications (1)

Publication Number Publication Date
WO2006006931A1 true WO2006006931A1 (en) 2006-01-19

Family

ID=32867226

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2005/001141 WO2006006931A1 (en) 2004-07-09 2005-07-08 Storing of metadata

Country Status (3)

Country Link
CN (1) CN101057433A (en)
SE (1) SE527925C2 (en)
WO (1) WO2006006931A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5661799A (en) * 1994-02-18 1997-08-26 Infosafe Systems, Inc. Apparatus and storage medium for decrypting information
SE506853C2 (en) * 1996-06-20 1998-02-16 Anonymity Prot In Sweden Ab Method of data processing
US5757908A (en) * 1994-04-25 1998-05-26 International Business Machines Corporation Method and apparatus for enabling trial period use of software products: method and apparatus for utilizing an encryption header

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8340297B2 (en) * 2006-05-12 2012-12-25 Samsung Electronics Co., Ltd. Method and apparatus for efficiently providing location of contents encryption key
KR101352513B1 (en) 2006-05-12 2014-01-20 삼성전자주식회사 Method and apparatus for providing efficiently the location of contents encryption key
WO2008037605A1 (en) * 2006-09-27 2008-04-03 International Business Machines Corporation Encrypting and decrypting database records
US7904732B2 (en) 2006-09-27 2011-03-08 Rocket Software, Inc. Encrypting and decrypting database records
CN101587479B (en) * 2008-06-26 2011-04-13 北京人大金仓信息技术股份有限公司 Database management system kernel oriented data encryption/decryption system and method thereof

Also Published As

Publication number Publication date
SE527925C2 (en) 2006-07-11
SE0401841D0 (en) 2004-07-09
CN101057433A (en) 2007-10-17
SE0401841L (en) 2006-01-10

Similar Documents

Publication Publication Date Title
TWI388183B (en) System and method for dis-identifying sensitive information and associated records
EP0885417B1 (en) Access control/crypto system
US7111005B1 (en) Method and apparatus for automatic database encryption
JP4167300B2 (en) Data processing method and apparatus
KR100269527B1 (en) Method and system for the secure transmission and storage of protectable information
CA2287871C (en) Secure document management system
EP0636259B1 (en) Cryptographic data security in a secured computer system
US7587608B2 (en) Method and apparatus for storing data on the application layer in mobile devices
US7487366B2 (en) Data protection program and data protection method
KR101296195B1 (en) A method for controlling access to file systems, related system, SIM card and computer program product for use therein
USRE41546E1 (en) Method and system for managing security tiers
US20050004924A1 (en) Control of access to databases
US20090240956A1 (en) Transparent encryption using secure encryption device
US8286001B2 (en) Method and central processing unit for processing encrypted software
JPH09510305A (en) Data storage device and method
AU2002213436A1 (en) Method and apparatus for automatic database encryption
US20070180259A1 (en) Secure Personal Medical Process
EP2027553A1 (en) Method, system and computer program for securely storing data
US20050005128A1 (en) System for controlling access to stored data
WO2006006931A1 (en) Storing of metadata
JPH1124997A (en) Security method for recording computer generated file and computer readable recording medium to store security program
US20040221164A1 (en) Method for the encryption and decryption of data by various users
JP4338185B2 (en) How to encrypt / decrypt files
JPH10340232A (en) File copy preventing device, and file reader
US9152636B2 (en) Content protection system in storage media and method of the same

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

WWE Wipo information: entry into national phase

Ref document number: 200580030086.1

Country of ref document: CN

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSANT TO RULE 69(1) EPC OF 05-06-2007

122 Ep: pct application non-entry in european phase

Ref document number: 05756944

Country of ref document: EP

Kind code of ref document: A1