Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberUS20070180240 A1
Publication typeApplication
Application numberUS 11/603,967
Publication dateAug 2, 2007
Filing dateNov 21, 2006
Priority dateJun 20, 1996
Also published asCN1146178C, CN1222272A, DE69730321D1, DE69730321T2, EP0891661A1, EP0891661B1, EP1477881A2, EP1477881A3, US6321201, US8402281, US20020174352, US20110246788, WO1997049211A1
Publication number11603967, 603967, US 2007/0180240 A1, US 2007/180240 A1, US 20070180240 A1, US 20070180240A1, US 2007180240 A1, US 2007180240A1, US-A1-20070180240, US-A1-2007180240, US2007/0180240A1, US2007/180240A1, US20070180240 A1, US20070180240A1, US2007180240 A1, US2007180240A1
InventorsUlf Dahl
Original AssigneeUlf Dahl
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
Data security system for a database
US 20070180240 A1
Abstract
A method and an apparatus for processing data provides protection for the data. The data is stored as encrypted data element values (DV) in records (P) in a first database (O-DB), each data element value being linked to a corresponding data element type (DT). In a second database (IAM-DB), a data element protection catalogue (DC) is stored, which for each individual data element type (DT) contains one or more protection attributes stating processing rules for data element values (DV), which in the first database (O-DB) are linked to the individual data element type (DT). In each user-initiated measure which aims at processing a given data element value (DV) in the first database (O-DB), a calling is initially sent to the data element protection catalogue for collecting the protection attribute/attributes associated with the corresponding data element types. The user's processing of the given data element value is controlled in conformity with the collected protection attribute/attributes.
Images(5)
Previous page
Next page
Claims(81)
1-8. (canceled)
9. A data processing method comprising:
maintaining a database containing a table of data in row and column format, at least portion of the data being encrypted;
maintaining, separate from the table of data, information for controlling access to a specified proper subset of data in the table; and
controlling access to the specified proper subset of data in the table according to the separately maintained information.
10. The method of claim 9, wherein controlling access comprises controlling access by a specified user or group of users.
11. The method of claim 9, wherein controlling access comprises controlling access by a specified program or group of programs.
12. The method of claim 9, wherein the separately maintained information comprises a separate table inaccessible to a user seeking access to the data.
13. The method of claim 9, wherein the separately maintained information comprises a separate table inaccessible to a program seeking access to the data.
14. The method of claim 9, wherein controlling access to the specified proper subset of the data comprises using a tamper-resistant hardware module.
15. The method of claim 14, wherein the tamper-resistant hardware module is used to perform a cryptographic operation on the data.
16. The method of claim 14, wherein the tamper-resistant hardware module is used to store at least a portion of the separately maintained information.
17. The method of claim 14, wherein the tamper-resistant hardware module comprises a hardware security module.
18. The method of claim 14, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
19. The method of claim 9, wherein the specified proper subset of data comprises a specified column of data.
20. The method of claim 9, wherein the information for controlling access comprises information used in encrypting or decrypting data in the proper subset of data.
21. The method of claim 20, wherein the information used in encrypting or decrypting data comprises information identifying a way of encrypting or decrypting data in the proper subset of data.
22. The method of claim 9, wherein the information for controlling access comprises information identifying an owner of the proper subset of data.
23. The method of claim 9, wherein the information for controlling access comprises encrypted information.
24. The method of claim 9, further comprising:
receiving a request for access to a particular data element in the table, the particular data element containing encrypted data;
obtaining, from the separately maintained data, cryptographic information associated with a proper subset of data in the table, the proper subset containing the particular data element; and
decrypting the data in the particular data element using the cryptographic information.
25. The method of claim 24, wherein decrypting the data is done using a tamper-resistant hardware module.
26. The method of claim 25, wherein the tamper-resistant hardware module comprises a hardware security module.
27. The method of claim 25, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
28. The method of claim 9, further comprising
receiving a request for access to a particular data element in the table, the particular data element containing encrypted data; and
obtaining, from the separately maintained data, information associated with a proper subset of data in the table, the proper subset containing the particular data element; and
providing decrypted data from the particular data element when the information from the separately maintained data indicates that the request for access to the particular data element is an authorized request.
29. The method of claim 28, further comprising decrypting the data from the particular data element using a tamper-resistant hardware module.
30. The method of claim 29, wherein the tamper-resistant hardware module comprises a hardware security module.
31. The method of claim 29, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
32. A method comprising:
providing a database containing a table having at least two columns of data; encrypting data in a first column using first cryptographic information; encrypting data in a second column using second cryptographic information; storing first and second cryptographic information outside of the table;
controlling access to data in the first column using the first cryptographic information stored outside of the table; and
controlling access to data in the second column using the second cryptographic information stored outside of the table.
33. The method of claim 32, further comprising storing the first and second cryptographic information in a separate table inaccessible to a user seeking access to the data.
34. The method of claim 32, further comprising storing the first and second cryptographic information in a separate table inaccessible to a program seeking access to the data.
35. The method of claim 32, wherein the first and second cryptographic information are stored, in encrypted form, outside of the table.
36. The method of claim 32, wherein at least a portion of the data is encrypted using a tamper-resistant hardware module.
37. The method of claim 36, wherein the tamper-resistant hardware module comprises a hardware security module.
38. The method of claim 36, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
39. A database management system comprising:
a database containing a table having at least two columns of data, at least one column of data being encrypted; and
information stored outside of the table for controlling access to at least one column of data, the information including cryptographic information associated with the encrypted column of data.
40. The system of claim 39, wherein the information is stored in a separate table inaccessible to a user seeking access to the data.
41. The system of claim 39, wherein the information is stored in a separate table inaccessible to a program seeking access to the data.
42. The system of claim 39, wherein the information is stored in encrypted form.
43. The system of claim 39, further comprising a tamper-resistant hardware module for performing cryptographic operations on the encrypted column of data.
44. The system of claim 43, wherein the tamper-resistant hardware module comprises a hardware security module.
45. The system of claim 43, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
46. A data processing method comprising:
maintaining a first set of data as a collection of records having fields, at least a portion of the data being encrypted;
maintaining, separate from the first set of data, information for controlling access to a specified proper subset of the first data; and
controlling access to the specified proper subset of the first set of data according to the separately maintained information.
47. The method of claim 46, wherein controlling access comprises controlling access by a specified user or group of users.
48. The method of claim 46, wherein controlling access comprises controlling access by a specified program or group of programs.
49. The method of claim 46, wherein the separately maintained information comprises information that is inaccessible to a user seeking access to the data.
50. The method of claim 46, wherein the separately maintained information comprises information that is inaccessible to a program seeking access to the data.
51. The method of claim 46, wherein controlling access to the specified proper subset of the data comprising using a tamper-resistant hardware module.
52. The method of claim 51, wherein the tamper-resistant hardware module is used to perform a cryptographic operation on the data.
53. The method of claim 51, wherein the tamper-resistant hardware module is used to store at least a portion of the separately maintained information.
54. The method of claim 51, wherein the tamper-resistant hardware module comprises a hardware security module.
55. The method of claims 51, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
56. The method of claim 46, wherein the specified proper subset of data comprises a specified field of data.
57. The method of claim 46, wherein the information for controlling access comprises information used in encrypting or decrypting data in the proper subset of data.
58. The method of claim 46, wherein the information for controlling access comprises information identifying an owner of the proper subset of data.
59. The method of claim 46, wherein the information for controlling access comprises encrypted information.
60. The method of claim 46, further comprising:
receiving a request for access to a particular data element in the first set of data, the particular data element containing encrypted data;
obtaining, from the separately maintained data, cryptographic information associated with a proper subset of the first set of data, the proper subset containing the particular data element; and
decrypting the data in the particular data element using the cryptographic information.
61. The method of claim 60, wherein decrypting the data is done using a tamper-resistant hardware module.
62. The method of claim 61, wherein the tamper-resistant hardware module comprises a hardware security module.
63. The method of claim 61, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
64. The method of claim 60, wherein the proper subset comprises data in one or more specified fields.
65. The method of claim 46, further comprising
receiving a request for access to a particular data element in the first set of data, the particular data element containing encrypted data; and
obtaining, from the separately maintained data, information associated with a proper subset of data in the first set of data, the proper subset containing the particular data element; and
providing decrypted data from the particular data element when the information from the separately maintained data indicates that the request for access to the particular data element is an authorized request.
66. The method of claim 65, further comprising decrypting the data from the particular data element using a tamper-resistant hardware module.
67. The method of claim 66, wherein the tamper-resistant hardware module comprises a hardware security module.
68. The method of claim 66, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
69. A method comprising:
providing a database containing at least two columns of data;
encrypting data in a first column using first cryptographic information;
encrypting data in a second column using second cryptographic information;
storing the first and second cryptographic information apart from the two columns of data;
controlling access to data in the first column using the first cryptographic information; and
controlling access to data in the second column using the second cryptographic information.
70. The method of claim 69, further comprising storing the first and second cryptographic information in a location that is inaccessible to a user seeking access to the data.
71. The method of claim 69, further comprising storing the first and second cryptographic information in a location that is inaccessible to a program seeking access to the data.
72. The method of claim 69, wherein the first and second cryptographic information are stored, in encrypted form, outside of the first and second column.
73. The method of claim 69, wherein at least a portion of the data is encrypted using a tamper-resistant hardware module.
74. The method of claim 73, wherein the tamper-resistant hardware module comprises a hardware security module.
75. The method of claim 73, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
76. A database management system comprising:
a database containing at least two columns of data, a first column of data being encrypted; and
information stored outside of the first column of data for controlling access to the first column of data, the information including cryptographic information associated with the first column of data.
77. The system of claim 76, where in the information is stored in a location that is inaccessible to a user seeking access to the first column of data.
78. The system of claim 76, where in the information is stored in a location that is inaccessible to a program seeking access to the first column of data.
79. The system of claim 76, wherein the information is stored in encrypted form.
80. The system of claim 76, further comprising a tamper-resistant hardware module for performing cryptographic operations on the first column of data.
81. The system of claim 80, wherein the tamper-resistant hardware module comprises a hardware security module.
82. The system of claim 80, wherein the tamper-resistant hardware module is selected from the group consisting of a hardware security appliance and a cryptographic card.
83. The method of claim 9, further comprising revealing an unauthorized access to the data.
84. The method of claim 32, wherein controlling access to data in the first column comprises revealing unauthorized access to the data.
85. The method of claim 46, wherein controlling access comprising revealing unauthorized access to the first set of data.
86. The method of claim 69, wherein controlling access to data in the first columns comprises revealing unauthorized access to the data.
87. The system of claim 39, wherein the information stored outside of the table comprises information for revealing unauthorized access to the database.
88. The system of claim 76, wherein the information stored outside of the table comprises information for revealing unauthorized access to the database.
Description
    CROSS-REFERENCE TO RELATED CASES
  • [0001]
    This is a continuation of U.S. patent application Ser. No. 09/840,188, filed on Apr. 24, 2001, which is a continuation of U.S. patent application Ser. No. 09/027,585, filed on Feb. 23, 1998, now U.S. Pat. No. 6,321,201, which is a national phase filing of International Application No. PCT/SE97/01089, filed on Jun. 18, 1997. The entire contents of each of these is incorporated by reference herein.
  • TECHNICAL FIELD
  • [0002]
    The present invention relates to the technical field of computer-aided information management, and concerns more specifically a method and an apparatus for data processing for accomplishing increased protection against unauthorized processing of data
  • BACKGROUND ART
  • [0003]
    In the field of computer-aided information management, it is strongly required that the protection against unauthorized access of data registers be increased, especially against violation of the individual's personal registers, i.e. registers containing information on individuals. In particular, there are regulations restricting and prohibiting the linking and matching of personal registers. Also in other fields, such as industry, defense, banking, insurance, etc, improved protection is desired against unauthorized access to the tools, databases, applications etc. that are used for administration and storing of sensitive information.
  • [0004]
    WO95/15628, which has the same owner as the present application, discloses a method for storing data, which results in increased possibilities of linking and matching with no risk of reduced integrity. The method, which is illustrated schematically in FIGS. 1 and 2 on the enclosed drawing sheets, concerns storing of information comprising on the one hand an identifying piece of information or original identity OID, for instance personal code numbers Pcn and, on the other hand, descriptive information DI. The information OID+DI is stored as records P in a database O-DB according to the following principle:
  • [0005]
    Step 1 OID (Pcn) is encrypted by means of a first, preferably non-reversible algorithm ALG1 to an update identity UID;
  • [0006]
    Step 2 UID is encrypted by means of a second, reversible algorithm ALG2 to a storage identity SID;
  • [0007]
    Step 3 SID and DI are stored as a record P in the database O-DB, SID serving as a record identifier;
  • [0008]
    Step 4 At predetermined times, an alteration of SID in all or selected records P is accomplished by SID of these records being decrypted by means of a decrypting algorithm ALG3 to UID, whereupon UID is encrypted by means of a modified second, reversible algorithm or ALG2′ to a new storage identity SID′, which is introduced as a new record identifier in the associated record P as replacement for previous SID. This results in a security-enhancing “floating” alteration of SID of the records.
  • [0009]
    For a closer description of the details and advantages of this encrypting and storing method, reference is made to WO95/15628, which is to be considered to constitute part of the present description. The storing principle according to steps 1-4 above is herein referred to as PTY, which is an abbreviation of the principal of PROTEGRITY which stands for “Protection and Integrity”.
  • [0010]
    A detailed technical description of PTY is also supplied in the document “PROTEGRITY (ASIS) Study 2”, Ver. 1.2, 1 Mar. 1996, by Leif Jonson. Also this document is to be considered to constitute part of the present description.
  • [0011]
    In the technical field at issue, so-called shell protections are today the predominant method of protection. Shell protection comprises on the one hand the external security (premises) and, on the other hand, an authorization check system ACS with user's passwords for controlling the access. ACS is used as shell protection for main frames, client/server systems and PC, but it does not give full protection and the information at issue can often relatively easily be subjected to unauthorized access. This protection has been found more “sensitive” information is be stored, which must permit managing via distribution, storing and processing in dynamically changing environments, especially local distribution to personal computers. Concurrently with this development, the limits of the system will be more and more indistinct and the effect afforded by a shell protection deteriorates.
  • SUMMARY OF THE INVENTION
  • [0012]
    In view of that stated above, the object of the present invention is to provide an improved method for processing information, by means of which it is possible to increase the protection against unauthorized access to sensitive information.
  • [0013]
    A special object of the invention is to provide a technique for data processing or managing, which makes it possible for the person responsible for the system, the management of the organization etc. to easily establish and continuously adapt the user's possibility of processing stored information that is to be protected.
  • [0014]
    A further object of the invention is to provide a technique for data processing which offers protection against attempts at unauthorized data processing by means of non-accepted software.
  • [0015]
    One more object of the invention is to provide a technique for data processing according to the above-mentioned objects, which can be used in combination with the above-described PTY principle, for providing a safety system with an extremely high level of protection.
  • [0016]
    Thus, the invention provides a method for processing of data that is to be protected, comprising the measure of storing the data as encrypted data element values of records in a first database (O-DB), each data element value being linked to a corresponding data element type.
  • [0017]
    The inventive method is characterised by the following further measures:
  • [0018]
    storing in a second database (IAM-DB) a data element protection catalogue, which for each individual data element type contains one or more protection attributes stating processing rules for data element values, which in the first database are linked to the individual data element type,
  • [0019]
    in each user-initiated measure aiming at processing of a given data element value in the first database, initially producing a compelling calling to the data element protection catalogue for collecting the protection attribute/attributes associated with the corresponding data element type, and compellingly controlling the processing of the given data element value in conformity with the collected protection attribute/attributes.
  • [0020]
    In the present application the following definitions are used:
      • “Processing” may include all kinds of measures which mean any form of reading, printing, altering, coding, moving, copying etc. of data that is to be protected by the inventive method.
      • “Data element type” identifies a specific category of data. For example, identification information (name and address) could be particular data element type. Whereas, some descriptive information (social allowance) could be a different data element type, and other descriptive information could be yet another different data element type”.
      • “Data element value” concerns a value which in a given record specifies a data element type.
  • [0024]
    “Record” concerns a number of data element values which belong together and which are linked to the respective data element types, optionally also including a record identifier, by means of which the record can be identified. Example:
    DATA ELEMENT TYPE
    RECORD ID SOCIAL ALLOWANCE CAR
    XXXX XXXXX encrypted data encrypted data
    element value element value
    YYYY YYYYY encrypted data encrypted data
    element value element value
      • “Protection attribute indicating rules of processing” may concern:
        • data stored in the data element protection catalogue and providing complete information on the rule or rules applying to the processing of the corresponding data element, and/or
        • data stored in the data element protection catalogue and requiring additional callings to information stored in some other place, which, optionally in combination with the protection attributes, states the processing rules involved.
      • “Collection of protection attributes” may concern:
        • collection of the protection attributes in the form as stored in the data element protection catalogue, and/or
        • collection of data recovered from the protection attributes, for instance by decryption thereof.
      • “Encryption” may concern any form of encryption, tricryption, conversion of coding of plain-text data to non-interpretable (encrypted) data, and is especially to concern also methods of conversion including hashing.
  • [0032]
    The inventive method offers a new type of protection, which differs essentially from the prior-art shell protection and which works on the cell or data element level. Each data element type used in the records in the first database is thus associated with one or more protection attributes, which are stored in a separate data element protection catalogue and which protection attributes state rules of how to process the corresponding data element values. It should be particularly noted that the calling to the data element protection catalogue is required, or in other words compelling. This means that in a system, in which the method according to the invention is implemented, a user, who for instance wants to read a certain data element value in a given record in the first database, by his attempt to access to the element value automatically produces a system calling to the data element protection catalogue in the second database for collecting the protection attributes associated with the corresponding data element types. The continued processing procedure (reading of data element value) of the system is also controlled compellingly in accordance with the collected protection attribute/attributes applying to the corresponding data element types.
  • [0033]
    The term “data element protection catalogue” and the use thereof according to the invention must not be confused with the known term “active dictionary”, which means that, in addition to an operative database, there is a special table indicating different definitions or choices for data element values in the operative database, for instance that a data element value “yellow” in terms of definition means a color code which is within a numeric interval stated in such a reference table.
  • [0034]
    Preferably, the processing rules stated by the protection attributes are inaccessible to the user, and the read or collected protection attributes are preferably used merely internally by the system for controlling the processing. A given user, who, for instance, wants to read information stored in the database regarding a certain individual, thus need not at all be aware of the fact that certain protection attributes have been activated and resulted in certain, sensitive information for this individual being excluded from the information that is made available on e.g. a display. Each user-initiated measure aiming at processing of data element values thus involves on the one hand a compelling calling to the data element protection catalogue and, on the other hand, a continued processing which is compellingly subjected to those processing rules that are stated by the protection attributes, and this may thus be accomplished without the user obtaining information on what rules control the processing at issue, and especially without the user having any possibility of having access to the rules.
  • [0035]
    By altering, adding and removing protection attributes in the data element protection catalogue, the person responsible for the system or an equivalent person may easily determine, for each individual data element type, the processing rules applying to data element values associated with the individual data element type and thus easily maintain a high and clear safety quality in the system.
  • [0036]
    According to the invention, it is thus the individual data element (date element type) and not the entire register that becomes the controlling unit for the way in which the organization, operator etc. responsible for the system has determined the level of quality, responsibility and safety regarding the management of information.
  • [0037]
    To obtain a high level of protection, the data element protection catalogue is preferably encrypted so as to prevent unauthorized access thereto.
  • [0038]
    As preferred protection attributes, the present invention provides the following possibilities, which, however, are to be considered an incomplete, exemplifying list:
  • [0039]
    1. Statement of what “strength” or “level” (for instance none, 1, 2 . . . ) of encryption is to be used for storing the corresponding data element values in the database. Different data element values within one and the same record may thus be encrypted with mutually different strength.
  • [0040]
    2. Statement of what “strength” or “level” (for in-stance none, 1, 2, . . . ) of encryption is to be used for the corresponding data element values if these are to be transmitted on a net.
  • [0041]
    3. Statement of program and/or versions of program that are authorised to be used for processing the corresponding data element values.
  • [0042]
    4. Statement of “owner” of the data element type. Different data element values within one and the same record can thus have different owners.
  • [0043]
    5. Statement of sorting-out rules for the corresponding data element values, for instance, statement of method and time for automatic removal of the corresponding data element values from the database.
  • [0044]
    6. Statement whether automatic logging is to be made when processing the corresponding data element values.
  • [0045]
    According to a specially preferred embodiment of the invention, the above-described PTY storing method is used for encryption of all data that is to be encrypted in both the database (i.e. the data element values) and the data element protection catalogue (i.e. the protection attributes). In the normal case where each record has a record identifier (corresponding to SID) above), preferably also the record identifier is protected by means of PTY. Specifically, a floating alteration of the record identifiers in both the operative database and the data element protection catalogue can be made at desired intervals and at randomly selected times, in accordance with the above-described PTY principle. In the preferred embodiment, especially the encapsulated processor which is used for the PTY encryption can also be used for implementation of the callings to the data element protection catalogue and the procedure for processing according to the collected protection attributes.
  • [0046]
    The invention will now be explained in more detail with reference to the accompanying drawings, which schematically illustrate the inventive principle implemented in an exemplifying data system.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • [0047]
    FIG. 1 (prior art) schematically shows the principle of storing of data information according to the PTY principle in WO95/15628.
  • [0048]
    FIG. 2 (prior art) schematically shows the principle of producing floating storing identities according to the PTY principle in WO95/15628.
  • [0049]
    FIG. 3 schematically shows a computer system for implementing the method according to the invention.
  • [0050]
    FIG. 4 schematically shows the principle of data processing according to the invention with compelling callings to a data element protection catalogue.
  • [0051]
    FIG. 5 shows an example of a display image for determining of protection attributes in the data element protection catalogue.
  • DESCRIPTION OF THE PREFERRED EMBODIMENT
  • [0052]
    In the following, the designation IAM (which stands for Information Assets Manager) will be used for the components and applications which in the embodiment are essential to the implementation of the invention.
  • [0053]
    Reference is first made to FIG. 3, which schematically illustrates a data managing system, in which the present invention is implemented and in which the following databases are included for storing information, in this example person-related information:
      • An open database P-DB which contains generally accessible data, such as personal name, article name, address etc. with the personal code number Pcn as plain text as record identifier;
      • An operative database O-DB, which contains data that is to be protected. Encrypted identification, in this case an encrypted personal code number, is used as record identifier (=storage identity SID). O-DB is used by authorised users for processing of individual records, such as reading and update;
      • An archive-database A-DB, which contains data transferred (sorted out) from the operative database O-DB and which is used for statistic questions, but not for questions directed to individual records. The transfer from O-DB to A-DB may take place in batches.
      • A database IAM-DB, which is a database essential to the implementation of the invention. This database contains a data element protection catalogue with protection attributes for such data element types as are associated with data element values in records—in the operative database O-DB. This database IAM-DB is preferably physically separated from the other O-DB and is inaccessible to the user. However, two or more sets of the data element protection catalogue may be available: on the one hand an original version to which only an authorised IAM operator has access and, on the other hand, a copy version which imports the data element protection catalogue from the original version and which may optionally be stored on the same file storage as the operative database O-DB. The two versions may be remote from each other, for instance be located in two different cities.
  • [0058]
    The data system in FIG. 3 further comprises a hardware component 10, a control module 20 (IAM-API), and a program module 30 (PTY-API). The function of these three components will now be described in more detail.
  • [0000]
    Hardware Component 10
  • [0059]
    The hardware component 10 acts as a distributed processor of its own in a computer. It has an encapsulation that makes it completely tamper-proof, which means that monitoring by so-called trace tools will not be possible.
  • [0060]
    The hardware component 10 can as an independent unit perform at least the following functions:
  • [0061]
    Creating variable, reversible and non-reversible encrypting algorithms for the PTY encryption and providing the algorithms with the necessary variables;
  • [0062]
    Initiating alterations of storage identities (SID) in stored data according to PTY, on the one hand data in O-DB and, on the other hand, data in the data element protection catalogue of IAM-DB;
  • [0063]
    Storing user authorizations having access to records in O-DB; and
  • [0064]
    Linking original identities OID to the correct record in O-DB.
  • [0000]
    Control Module 20 (IAM-API)
  • [0065]
    The control module 20 controls the handling of the types of data protection that the system can supply.
  • [0066]
    The control module carries out the processing requested via API (Application Program Interface) programming interface.
  • [0000]
    Program Module 30 (PTY-API) 30
  • [0067]
    The program module (PTY-API) 30 handles the dialogue between the application 40 involved (including ACS) and the hardware component 10. This module may further log events and control sorting out/removal of data from the operative database O-DB.
  • [0068]
    Reference is now made to FIG. 4, which illustrates the same four databases (P-DB, O-DB, A-DB, IAM-DB) as in FIG. 3 and which schematically illustrates how the processing of individual data elements are, according to the invention, controlled according to the rules that are stated by protection attributes in the data element protection catalogue, which is stored in the database IAM-DB.
  • [0069]
    The data that is to be stored concerns in this example a certain individual and contains: (1) generally accessible data such as name and address, (2) identifying information, such as personal code number (Pcn), and (3) descriptive information (DI). The generally accessible data name and address is stored together with personal code number (Pcn) in the open database P-DB, said storage being performable as plain text since this information is of the type that is generally accessible.
  • [0070]
    For storing the identifying information in combination with the descriptive information DI, the following steps will, however, be made, in which the following designations are used to describe encrypting and decrypting algorithms. Generally speaking, the encrypting and decrypting algorithms can be described as follows:
    F Type(Random number, Input data)=Results wherein:
  • [0071]
    F designates a function.
  • [0072]
    Type indicates the type of function as follows:
      • FKIR=Non-reversible encrypting algorithm
      • FKR=Reversible encrypting algorithm
      • FDKR=Decrypting algorithm
  • [0076]
    Random number
      • represents one or more constants and/or
      • variables included in the function F.
  • [0079]
    Input data
      • are the data to be encrypted or decrypted, and
  • [0081]
    Results indicate a unique function value for a given function
  • [0082]
    Step 1 Division of the information
      • Identifying information is separated from descriptive information;
  • [0084]
    Step 2 Preparation of storage identity SID:
      • An original identity OID is selected based on the identifying information. OID is here selected to be equal to the personal code number Pcn of the individual. OID is encrypted by means of a non-reversible encrypting algorithm ALG1, pre-pared randomly by the hardware component 10, to an update identity UID as follows:
        ALG1: F KIR(Random number, OID)=UID
      • ALG1 is such that attempts at decryption of UID to OID result in a great number of identities, which makes it impossible to link a specific UID to the corresponding OID.
      • Then UID is encrypted by means of a reversible algorithm ALG2, which is also produced at random by the hardware component 10, for generating a storage identity SID as follows:
        ALG2: F KR R(Random number, UID)=SID
      • ALG2 is such that there exists a corresponding decrypting algorithm ALG3, by means of which SID can be decrypted in order to recreate UID.
      • The storage identity SID is used, as described in step 4 above, as encrypted record identifier when storing encrypted data element values DV in the operative database O-DB.
  • [0090]
    Step 3 Production of encrypted data element values DV: The descriptive information DI associated with the original identity OID is converted into one or more encrypted data element values DV linked to a data element type DT each.
  • [0091]
     The encryption takes place as described below with a reversible encryption function FKR, which like the algorithms ALG1 and ALG2 above is also produced at random by the hardware component 10. The invention is distinguished by a compelling calling here being sent to the data element protection catalogue in the database IAM-DB for automatic collection of the protection attribute which is linked to the data element type at issue and which indicates “strength” or degree with which the encryption of the descriptive data is to be performed so as to generate the data element value DV.
  • [0092]
     The table, which in FIG. 4 is shown below the database IAMDB, symbolizes an exemplifying content of the data element protection catalogue, here designated DPC. As an example, it may here be assumed that the protection function Funcl corresponds to “degree of encryption”. If the descriptive information DI at issue is to be stored as a data element value DV associated with the specific data element type DT1 in the data element protection catalogue, the protection attribute “5” registered in the data element protection catalogue is collected automatically in this case. The descriptive information DI at issue will thus, automatically and compellingly, be encrypted with the strength “5” for generating an encrypted data element value DV as follows:
    F KR(Random number, DI)=encrypted data element value DV
      • For storing a less sensitive data element, for instance a data element of the data element type DT3, the compelling calling to the data element protection catalogue in IAM-DB would instead have resulted in the protection attribute “no” being collected, in which case no encryption would have been made on the descriptive data at issue, which then could be stored as plain text in the operative database ODE.
  • [0094]
    Step 4 Storing of records in the operative database O-DB: The encrypted storage identity SID according to step 2 in combination with the corresponding encrypted data element value or data element values DV according step 3 are stored as a record in the operative database O-DB.
  • [0095]
    As appears from the foregoing, a stored information record P has the following general appearance:
    Descript. information in the form
    of encrypted data element values
    Storage identity (SID) DV1 DV2 DV3 DV4
  • [0096]
    The original identity OID is encrypted according to the PTY principle in two steps, of which the first is non-reversible and the second is reversible. Thus, it is impossible to store the descriptive information DI along with a storage identity SID that never can be linked to the original identity OID, as well as to create “floating”, i.e. which change over time, storage identities SID while retaining the possibility of locating, for a specific original identity OID, the associated descriptive information DI stored.
  • [0097]
    The descriptive data DI is stored in accordance with protection attributes linked to each individual data element. This results in a still higher level of protection and a high degree of flexibility as to the setting up of rules, and continuous adaptation thereof, of how sensitive data is allowed to be used and can be used, down to the data element level.
  • [0098]
    To increase the level of protection still more, the data element protection catalogue DPC is preferably stored in IAM-DB in encrypted form in accordance with the PTY principle, in which case for instance the data element types correspond to the above storage identity and the protection attributes correspond to the descriptive information or data element values above, as schematically illustrated in FIG. 4. This efficiently prevents every attempt at circumventing the data element protection by unauthorized access and interpretation of the content of the data element protection catalogue.
  • [0099]
    In the illustrated embodiment, PTY can thus have the following functions:
  • [0100]
    Protecting the original identity OID in encrypted form (SID) on the operative database O-DB (as is known from said WO95/15628),
  • [0101]
    Protecting information in IAM-DB, particularly the protection attributes of the data element protection catalogue and the associated record identifier, and
  • [0102]
    Protecting descriptive information DI in the form of encrypted data element values DV for the data element types that have the corresponding protection activated in the data element protection catalogue, and in accordance with the corresponding protection attributes.
  • [0000]
    Functionality Protection
  • [0103]
    In the above embodiment of the procedure for inputting data in the operative database O-DB, only “degree of encryption” has so far been discussed as data element protection attribute in the data element protection catalogue DC. However, this is only one example among a number of possible protection attributes in the data element protection catalogue, which normally offers a plurality of protection attitudes for each data element. Preferred protection attributes have been indicated above in the general description.
  • [0104]
    A particularly interesting protection attribute is “protected programs”. The use of this data element protection attribute means that the data system may offer a new type of protection, which is here called “functionality protection and which means that only accepted or certified programs are allowed to be used and can be used in the system in the processing of data. It should be noted that this type of protection is still, according to the invention, on the data element level.
  • [0105]
    Now assume for the purpose of illustration that Func2 in the data element protection catalogue DPC in FIG. 4 corresponds to this protection attribute and that data elements of the data element type DTI and DT2, respectively, are only allowed to be processed with the accepted applications or programs P1 and P2, respectively. Unauthorized handling of the corresponding data elements by means of, for instance, a different program P3, or a modified version P1′ of P1, should be prevented. As protection attribute in the data element protection catalogue, data identifying PI and P2 is therefore stored. In a preferred example, an encryptographic check sum P1* and P2*, respectively, is created, in a manner known per se, based on every accepted program P1 and P2, respectively. These check sums may be considered to constitute a unique fingerprint of the respective accepted programs, and these fingerprints can be stored as protection catalogue as illustrated schematically in FIG. 4. It should however be noted that such check sums for accepted programs can optionally be stored in a data element protection attributes in the data element protection catalogue of their own for registering of accepted programs, separately from the data element protection catalogue with protection attributes for encryption strength.
  • [0106]
    If the last-mentioned type of protection “protected programs” is used, it should also be noted that the system, in connection with a user-initiated measure aiming at processing of a given data element, for instance in-putting a new data element value in a certain record, need not, carry out a complete examination of all programs accepted in the system. If, for instance, the user tries to use a program P3 for inputting in the operative database O-DB a new data element value, a compelling calling is sent to the data element protection catalogue in connection with the corresponding data element type, for instance DTI. The associated protection attribute P1* is then collected from the data element protection catalogue, which means that such a data element value is only allowed to be stored by means of the program P1. The attempt at registering the data element value by means of the program P3 would therefore fail.
  • [0107]
    By periodic use of the above-described functionality protection, it is possible to reveal and/or prevent that an unauthorized person (for instance a “hacker”) breaks into the system by means of a non-accepted program and modifies and/or adds descriptive data in such a manner that the descriptive data will then be identifying for the record. The data element values are thus not allowed to become identifying in the operative database O-DB.
  • [0000]
    Traceability/Logging
  • [0108]
    “Logging” or “traceability” is another type of protection which according to the invention can be linked to a data element type in the data element protection catalogue. If this protection is activated for a certain data element type, each processing of the corresponding data element values in the operative database O-DB will automatically and compellingly result in relevant information on the processing (“user”, “date”, “record”, “user pro-gram” etc.) being logged in a suitable manner, so that based on the log, it is possible to investigate after-wards who has processed the data element values at issue, when, by means of which program etc.
  • [0000]
    Reading of Data from the Operative Database O-DB
  • [0109]
    In connection with a user-initiated measure aiming at reading/altering data element values in the stored records in the operative database O-DB, the following steps are carried out, which specifically also comprise a compelling calling to the data element protection catalogue and “unpacking” of the data which is controlled automatically and compellingly by collected protection attributes.
  • [0110]
    Step 1 The record is identified by producing the storage identity SID at issue based on the original identity OID, (Pcn) that is associated with the data element value DV which is to be read, as follows
    F KR(F KIR(OID))=SID
  • [0111]
    Step 2 When the record has been found by means of SID, the encrypted data element value DV (i.e. the encrypted descriptive data that is to be read) is decrypted as follows by means of a decrypting algorithm FDKR:
    F DKR(DV)=descriptive data (plain text)
  • [0112]
     The carrying out of this decryption of the data element value, however, requires that the encryption-controlling protection attribute of the data element is first collected by the system from the data element protection catalogue DC, i.e. the attribute indicating with which strength or at which level the data element value DV stored in O-DB has been encrypted. Like in the above procedure for inputting of data in O-DB, also when reading, a compelling calling thus is sent to the data element protection catalogue DC for collecting information which is necessary for carrying out the processing, in this case the unpacking.
  • [0113]
     It will be appreciated that such a compelling calling to the data element protection catalogue DPC, when making an attempt at reading, may result in the attempt failing, wholly or partly, for several reasons, depending on the protection attribute at issue, which is linked to the data element value/values that is/are to be read. For instance, the attempt at reading may be interrupted owing to the user trying to use a non-accepted program and/or not being authorized to read the term involved.
  • [0114]
    If the data element protection catalogue is encrypted, the decoding key can be stored in a storage position separate from the first and the second database.
  • [0115]
    FIG. 5 shows an example of a user interface in the form of a dialogue box, by means of which a person responsible for IAM, i.e. a person responsible for security, may read and/or alter the protection attributes stated in the data element protection catalogue. In the Example in FIG. 5, the data element types “Housing allowance” and “Social allowance” have both been provided with protection attributes concerning encryption, sorting out, logging and owner. Moreover, registration of authorized users and protected programs linked to the data element type “Social allowance” has taken place in submenus.
Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US4218582 *Oct 6, 1977Aug 19, 1980The Board Of Trustees Of The Leland Stanford Junior UniversityPublic key cryptographic apparatus and method
US4375579 *Jan 30, 1980Mar 1, 1983Wisconsin Alumni Research FoundationDatabase encryption and decryption circuit and method using subkeys
US4405829 *Dec 14, 1977Sep 20, 1983Massachusetts Institute Of TechnologyCryptographic communications system and method
US4417338 *Apr 13, 1981Nov 22, 1983Wisconsin Alumni Research FoundationCryptographic key sharing circuit and method using code correction
US4424414 *May 1, 1978Jan 3, 1984Board Of Trustees Of The Leland Stanford Junior UniversityExponentiation cryptographic apparatus and method
US4649233 *Apr 11, 1985Mar 10, 1987International Business Machines CorporationMethod for establishing user authenication with composite session keys among cryptographically communicating nodes
US4757534 *Feb 3, 1987Jul 12, 1988International Business Machines CorporationCode protection using cryptography
US4850017 *May 29, 1987Jul 18, 1989International Business Machines Corp.Controlled use of cryptographic keys via generating station established control values
US4876716 *Aug 24, 1987Oct 24, 1989Nec CorporationKey distribution method
US4935961 *Jul 27, 1988Jun 19, 1990Gargiulo Joseph LMethod and apparatus for the generation and synchronization of cryptographic keys
US4955082 *Jan 11, 1989Sep 4, 1990The Tokyo Electric Power Company Ltd.Mobile communication system
US4956769 *May 16, 1988Sep 11, 1990Sysmith, Inc.Occurence and value based security system for computer databases
US5136642 *May 31, 1991Aug 4, 1992Kabushiki Kaisha ToshibaCryptographic communication method and cryptographic communication device
US5148481 *Jul 1, 1991Sep 15, 1992International Business Machines CorporationTransaction system security method and apparatus
US5150411 *Jan 16, 1991Sep 22, 1992OmnisecCryptographic system allowing encrypted communication between users with a secure mutual cipher key determined without user interaction
US5265221 *Dec 2, 1992Nov 23, 1993Tandem ComputersAccess restriction facility method and apparatus
US5271007 *Sep 23, 1991Dec 14, 1993Fuji Xerox Co., Ltd.Network system having controlled access to available resources
US5283830 *Sep 30, 1992Feb 1, 1994International Computers LimitedSecurity mechanism for a computer system
US5369702 *Oct 18, 1993Nov 29, 1994Tecsec IncorporatedDistributed cryptographic object method
US5375169 *May 28, 1993Dec 20, 1994Tecsec, IncorporatedCryptographic key management method and apparatus
US5438508 *Sep 12, 1994Aug 1, 1995Digital Equipment CorporationLicense document interchange format for license management system
US5446903 *May 4, 1993Aug 29, 1995International Business Machines CorporationMethod and apparatus for controlling access to data elements in a data processing system based on status of an industrial process by mapping user's security categories and industrial process steps
US5459860 *Oct 5, 1992Oct 17, 1995International Business Machines CorporationComputerized system and process for managing a distributed database system
US5493668 *Mar 30, 1992Feb 20, 1996International Business Machines CorporationMultiple processor system having software for selecting shared cache entries of an associated castout class for transfer to a DASD with one I/O operation
US5504814 *Jan 24, 1994Apr 2, 1996Hughes Aircraft CompanyEfficient security kernel for the 80960 extended architecture
US5606610 *Sep 23, 1994Feb 25, 1997Anonymity Protection In Sweden AbApparatus and method for storing data
US5659614 *Nov 28, 1994Aug 19, 1997Bailey, Iii; John E.Method and system for creating and storing a backup copy of file data stored on a computer
US5661799 *Feb 18, 1994Aug 26, 1997Infosafe Systems, Inc.Apparatus and storage medium for decrypting information
US5680452 *Feb 24, 1995Oct 21, 1997Tecsec Inc.Distributed cryptographic object method
US5699428 *Jan 16, 1996Dec 16, 1997Symantec CorporationSystem for automatic decryption of file data on a per-use basis and automatic re-encryption within context of multi-threaded operating system under which applications run in real-time
US5717755 *Sep 13, 1994Feb 10, 1998Tecsec,Inc.Distributed cryptographic object method
US5751949 *May 23, 1995May 12, 1998Mci CorporationData security system and method
US5757908 *Sep 4, 1996May 26, 1998International Business Machines CorporationMethod and apparatus for enabling trial period use of software products: method and apparatus for utilizing an encryption header
US5768276 *Jun 7, 1995Jun 16, 1998Telefonaktiebolaget Lm EricssonDigital control channels having logical channels supporting broadcast SMS
US5898781 *Sep 10, 1997Apr 27, 1999Tecsec IncorporatedDistributed cryptographic object method
US5915017 *Jan 14, 1998Jun 22, 1999Altera CorporationMethod and apparatus for securing programming data of programmable logic device
US5915025 *Jan 15, 1997Jun 22, 1999Fuji Xerox Co., Ltd.Data processing apparatus with software protecting functions
US5917915 *Jun 20, 1995Jun 29, 1999Sony CorporationScramble/descramble method and apparatus for data broadcasting
US5933498 *Nov 5, 1997Aug 3, 1999Mrj, Inc.System for controlling access and distribution of digital property
US5940507 *Jan 28, 1998Aug 17, 1999Connected CorporationSecure file archive through encryption key management
US5963642 *Dec 30, 1996Oct 5, 1999Goldstein; Benjamin D.Method and apparatus for secure storage of data
US6098172 *Sep 12, 1997Aug 1, 2000Lucent Technologies Inc.Methods and apparatus for a computer network firewall with proxy reflection
US6172664 *Dec 6, 1994Jan 9, 2001Sharp Kabushiki KaishaElectronic apparatuses capable of scrambling confidential data for display
US6199582 *Jul 8, 1999Mar 13, 2001Advance Denki Kougyou KabushikiFlow control valve
US6321201 *Feb 23, 1998Nov 20, 2001Anonymity Protection In Sweden AbData security system for a database having multiple encryption levels applicable on a data element value level
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US7836046 *Jan 21, 2008Nov 16, 2010Oracle Financial Services Software LimitedMethod and system for facilitating verification of an entity based on business requirements
US9524345Aug 26, 2010Dec 20, 2016Richard VanderDriftEnhancing content using linked context
US9639707Jan 10, 2011May 2, 2017Richard W. VanderDriftSecure data storage and communication for network computing
US20090187553 *Jan 21, 2008Jul 23, 2009Suman Kumar SarkarMethod and system for facilitating verification of an entity based on business requirements
Classifications
U.S. Classification713/165, 726/28, 713/167, 726/27, 713/193, 726/29, 714/E11.207
International ClassificationG06F1/00, G09C1/00, G06F12/14, G06F21/62, H04K1/00, G06K9/00, H04L9/00, G06F17/30, G06F11/30, H04L9/32, H03M1/68, G06F7/04, H04N7/16
Cooperative ClassificationY10S707/99939, G06F21/6227, H04L9/0894, G06F2221/2141, G06F21/6245, G06F21/6218, G06F2221/2149, H04L9/088, G06F2211/007
European ClassificationG06F21/62B, G06F21/62B1, G06F21/62B5