CA2153497A1 - Apparatus and method for storing data - Google Patents
Apparatus and method for storing data
- Publication number: CA2153497A1
- Authority: CA (Canada)
- Prior art keywords: sid, storage, identities, identity, uid
- Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols; H04L9/08 Key distribution or management)
- H04L9/0897: Escrow, recovery or storing of secret information involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
- H04K1/00: Secret communication (H04K Secret communication; jamming of communication)
- G06F12/1408: Protection against unauthorised use of memory or access to memory by using cryptography (G06F12/00 Accessing, addressing or allocating within memory systems or architectures)
- G06F16/10: File systems; file servers (G06F16/00 Information retrieval; database structures therefor; file system structures therefor)
- G06F21/16: Program or content traceability, e.g. by watermarking (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; digital rights management [DRM])
- G06F21/602: Providing cryptographic facilities or services (G06F21/60 Protecting data)
- G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries (G06F21/62, G06F21/6218)
- G06F21/6254: Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification (G06F21/6245)
- G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information (G06F21/70)
- G06F21/72: Protecting specific internal or peripheral components to assure secure computing or processing of information in cryptographic circuits
- G06F21/78: Protecting specific internal or peripheral components to assure secure storage of data
- G06F21/86: Secure or tamper-resistant housings
- G06F2221/2101: Auditing as a secondary aspect (G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements)
- G06F2221/2153: Using hardware token as a secondary aspect
- Y10S707/99939: Privileged access (Y10S707/00 Data processing: database and file management or data structures; Y10S707/99931 Database or file accessing; Y10S Technical subjects covered by former USPC cross-reference art collections [XRACs] and digests)
Abstract
A method and an apparatus for storing data comprising an original identity (OID) and associated descriptive information (DI) are disclosed. By means of a first algorithm (ALG1), the original identity (OID) is encrypted to an update identity (UID) which, by means of a reversible algorithm (ALG2), is encrypted to a storage identity (SID) which is stored as a record (P) on a storage medium along with associated descriptive information (DI). At the times when the storage identities (SID) of selected records (P) are to be replaced with new storage identities (SID'), the storage identities (SID) are decrypted in order to recreate the corresponding update identities (UID), which then are encrypted, by means of a new and altered reversible algorithm (ALG2'), to new storage identities (SID') intended to replace the previous storage identities (SID).
Description
WO95/15628 PCT/SE94/00882
APPARATUS AND METHOD FOR STORING DATA
This invention relates to an apparatus and a method for storing data, more specifically data comprising identifying information, such as personal code numbers, as well as associated descriptive information.
In computer-aided information management, it is imperative that the individual's personal integrity be protected against violation when setting up and keeping personal registers, i.e. registers containing information on individuals. Also in industry, banking and defence, as well as many other sectors where computer-aided information management is used, it is essential that stored data be protected against unauthorised access. In particular, there are regulations restricting or prohibiting the linking and matching of personal registers, since this often results in one or more new personal registers containing sensitive information that can be directly linked to individuals.
There is, however, a great need of being able to link and match different personal registers without posing a threat to the personal integrity of the individual.
Within this technical field, there are different cryptographic storage methods in which, for security reasons, the information to be stored is first encrypted and then stored on a storage medium. However, these prior-art encrypting methods are often sensitive to tracking, since every registration in or update of a database involves an alteration which, by means of tracking tools, can be linked to the corresponding non-encrypted original information bearing a one-to-one relation to the encrypted information. After a number of trackings, all the encrypted information can be converted to plain text.
This invention aims at solving the above problem of the prior art and to this end provides an apparatus as set forth in appended claim 1, as well as a method as set forth in appended claim 7.
According to the invention, the information to be stored comprises an original identity OID and associated descriptive information DI. Examples of the original identity are personal code number, drawing number, document identity, and registration number for vehicles. The associated descriptive information is such information as does not reveal the original identity, i.e. that cannot be linked directly thereto. A distinctive feature of the invention is that the original identity OID is completely separated from the descriptive information DI, which is achieved by initially having the original identity OID undergo a first encryption by means of a first algorithm ALG1, resulting in an update identity UID. Then, the update identity UID undergoes a second encryption by means of a reversible algorithm ALG2, resulting in a storage identity SID. The thus-created storage identity SID is, along with associated descriptive information DI, stored as a record on a storage medium. Thus, the original identity is completely separated from the associated descriptive information. If the original identity consists of a personal code number or the like, the resulting records may be regarded as pure information records in contrast to personal records.
In order to prevent the descriptive information DI from ever being relinked to the original identity OID, the first algorithm ALG1 preferably is a non-reversible algorithm, i.e. an algorithm giving each original identity a unique update identity and providing a great number of identities when decrypting efforts are made.
Furthermore, the invention is distinguished by the fact that the original identity OID is encrypted in two separate steps when generating the storage identity SID, and that the second encrypting step is performed by means of a reversible algorithm ALG2. These distinctive features of the invention enable the creation of "floating"
storage identities of the records in order to prevent all unauthorised tracking. According to the invention, the storage identities SID of selected records, preferably all the records, stored on the storage medium are, at certain times, replaced with new storage identities SID'.
As a result, the information obtained by tracking, if any, is perfectly useless as soon as the storage identities according to the invention have been replaced with new ones. The storage identities SID of the stored records are, according to the invention, altered by first decrypting the storage identities SID of the selected records by means of a third algorithm ALG3, recreating the corresponding update identities UID. It will be appreciated that the third algorithm ALG3 for decryption is directly related to the reversible algorithm ALG2 which, at a previous time, was used for creating the storage identities SID from the update identities UID.
Then, the reversible algorithm ALG2 is altered to a new reversible algorithm ALG2', whereupon the recreated update identities UID are encrypted to new storage identities SID' by means of the altered, new reversible algorithm ALG2'.
The times when the storage identities are replaced with new ones may be controlled completely at random, occur at set intervals, depend on the number of updates, and so forth.
In a preferred embodiment of the invention, the selected records are, when given new storage identities, also moved to new physical locations on the storage medium. In combination with "floating" storage identities, this effectively prevents all attempts at unauthorised tracking.
The invention enables efficient retrieval of stored data for operative as well as strategic purposes, as well as so-called longitudinal update of strategic data.
When retrieving data for operative purposes, the descriptive information stored for a given original identity is retrieved for reading, update, alteration, printout, and so forth. According to the invention, this is possible by first encrypting such a given original identity to a storage identity in two steps by means of the above two algorithms. All stored records containing the thus-obtained storage identity can be expediently located and the corresponding descriptive information be retrieved. In particular, such retrieval of operative data associated with a given original identity does not require any decryption of the corresponding storage identity, nor any storage of the given original identity, which prevents all unwanted linking between the original identity and the associated descriptive information.
In order to retrieve data for strategic purposes, the storage identity can be put to effective use when putting together data that have the same storage identity. Retrieving data for strategic purposes differs from retrieving data for operative purposes in that one does not wish or need to know to which original identity a certain item of descriptive information belongs, but one nevertheless has to be absolutely certain that all the descriptive information retrieved belongs to the same original identity. Obviously, this is of great importance when, and this is a case of particular interest, the original identity corresponds to a specific individual, since the invention makes it possible to put together, for strategic purposes, descriptive information relating to different individuals, without any risk of their identities being revealed. It is to be understood that the invention enables so-called longitudinal update of strategic information, which among other things means that a given individual is observed for some time and that, at different times, new descriptive information is stored in such a manner that it can be linked to information previously stored for the same individual, without there being any risk of revealing the identity of the individual.
It should be emphasised that the storage of new descriptive information associated with a certain original identity does not necessarily require the creation of a new record containing the storage identity and the descriptive information. The new descriptive information may instead be stored in an existing record whose storage identity corresponds to the original identity at issue.
These and other distinctive features, properties and advantages of the invention are stated in the appended claims and also appear from the following description of one mode of implementation of the invention. In the drawings,
Fig. 1 is a block diagram illustrating how the invention can be implemented in a computer system,
Fig. 2 illustrates different encrypting steps used when storing information in accordance with the invention, and
Fig. 3 illustrates encrypting and decrypting steps used when altering the storage identities in accordance with the invention.
Reference is now made to Fig. 1, which illustrates a computer system comprising an authorisation check system ACS, which may be of any known type; a number of user tools or applications, of which one is designated APPL 1; a database manager DBM; a database 10, which here includes a public register 20 for storing public information, an operative register 30 for storing operative data, and a strategic register 40 for storing strategic data; a hardware component 50; and a program module 60.
The invention is chiefly implemented in the hardware component 50 and the program module 60.
The hardware component 50 has an encapsulation that renders it tamper-proof in order to prevent monitoring by tracking tools or compilation. The hardware component 50 acts as a distributed processor, which in particular has the functions of
- creating reversible and non-reversible encrypting algorithms,
- supplying randomly-produced variables for encrypting and decrypting algorithms,
- initiating, e.g. at times chosen at random, an alteration of the storage identities of stored records,
- storing the encrypting and decrypting algorithms last used,
- storing information on user authorisations, if several users are to be authorised to have access to an operative record, and
- linking an original identity (e.g. a personal code number) to the right record in a database.
Thus, the hardware component 50 may comprise a microprocessor, a microcode-programmed PROM storage, required I/O units, encrypting and decrypting units, and storage units for storing information on the algorithms employed as well as the user authorisations. The construction of the hardware component 50 may vary with different applications and is easily implemented by those skilled in the art with the aid of the present description, for which reason the construction of this component will not be described in more detail here.
The program module 60 primarily serves to handle the dialogue between the hardware component 50 and the user application at issue. The program module 60 also handles the dialogue between the hardware component 50 and the authorisation check system ACS, and the sorting out or removal of stored data, events log, and so forth. The program module 60 may also transfer records from operative registers to strategic registers when records are being sorted out from the former.
In the following description of the system of Fig. 1, the designations given below will be used for describing the encrypting and decrypting algorithms employed. Generally speaking, the encrypting and decrypting algorithms can be described as follows:
FType(Random number, Input data) = Results
wherein F designates a function and Type indicates the type of function (in this embodiment, the following types are used:
FKIR = non-reversible encrypting algorithm,
FKR = reversible encrypting algorithm,
FDKR = decrypting algorithm),
Random number represents one or more constants and/or variables included in the function F, Input data are the data to be encrypted or decrypted, and Results indicate a unique function value for a given function.
The process for storing information in the database 10 will now be described with reference to Figs 1 and 2 in conjunction. It is a condition that the information to be stored can be divided into identifying information and associated descriptive information. The following information on a specific individual is given as an example.
INFORMATION TO BE STORED
| Identifying information | Descriptive information |
| PERSONAL CODE NUMBER (PCN), NAME, ADDRESS | DI |
In the first step of the process, the information is divided into identifying information and descriptive information.
In a second step (illustrated in Fig. 2), the identifying information (PCN, NAME, ADDRESS) is stored in the public register 20, optionally in the form of plain text, since this information is of the type that is generally accessible.
In a third step, an original identity OID is selected from the identifying information. In this example, OID = personal code number PCN. The original identity OID is encrypted by means of a non-reversible algorithm ALG1, which is produced at random by the hardware component 50. This non-reversible encryption results in an update identity UID as follows:
ALG1: FKIR(Random number, OID) = UID
The encrypting algorithm ALG1 is such that attempts at decryption of the update identity UID to the original identity OID result in a great number of identities, which makes it impossible to link a specific UID to the corresponding OID.
In a fourth step, the update identity UID is encrypted by means of a reversible algorithm ALG2, which also is produced at random by the hardware component 50. This reversible encryption results in a storage identity SID as follows:
ALG2: FKR(Random number, UID) = SID
The encrypting algorithm ALG2 is such that there exists a corresponding decrypting algorithm ALG3 by means of which the storage identity SID can be decrypted in order to recreate the update identity UID.
In a fifth step, the obtained storage identity SID is stored along with the descriptive information DI as an information record P on the storage medium, which is designated M in Fig. 2. In this example, the record P is stored in the operative database 30 as well as in the strategic database 40.
Preferably, all alterations in the databases are performed in randomly time-controlled batches, such that every alteration in one register normally involves simultaneous alteration or addition of a plurality of records, which is intended to prevent tracking. To this end, data can be stored temporarily in a buffer store, optionally in encrypted form.
As appears from the foregoing, a stored information record P has the following general appearance:
| Storage identity (SID) | Descriptive information (DI) |
Since the original identity OID is encrypted in two steps, of which the first is non-reversible and the second is reversible, it is possible to store the descriptive information DI along with a storage identity SID that never can be linked to the original identity OID, as well as to create "floating" (i.e. changing over time) storage identities SID while retaining the possibility of locating, for a specific original identity OID, the associated descriptive information DI stored.
The process for creating "floating" storage identities will now be described in more detail with reference to Fig. 3.
As mentioned above, the storage identities SID are changed over time in order to prevent, or at least make much more difficult, all attempts at tracking, i.e. unauthorised attempts at locating, when a register is updated, where and in which form given original information is stored on the storage medium.
The times when the storage identities SID are to be replaced with new storage identities SID' can be controlled at random by the hardware component 50. Alternatively, these times can be controlled by other factors, such as the number of alterations in or updates of the database.
At every time, one decrypts the storage identities SID of all the records P whose storage identities are to "float" or be altered. The hardware component 50 has an internal storage, in which is stored information on the reversible algorithm ALG2 last used, which makes it possible, at each time, to produce in the hardware component 50 a corresponding decrypting algorithm ALG3, by means of which the storage identities SID can be decrypted in order to recreate the corresponding update identities UID.
ALG3: FDKR(Random number, SID) = UID
Thus, the following relationship applies:
FDKR(Random number, FKR(Random number, UID)) = UID
Thereafter, the hardware component 50 produces, by means of new random numbers (Random number') a new and altered reversible algorithm ALG2', by means of which the recreated update identities UID are reversibly encrypted to new and altered storage identities SID' to be stored along with the associated descriptive information in the selected records.
ALG2': FKR(Random number', UID) = SID'
As described in the foregoing in connection with general storage of information, the alteration of the storage identities on the storage medium preferably takes place in a batch.
When the storage identities SID of the records P are thus to be replaced with the new storage identities SID', one may, as a further matter of precaution, move the records P to new physical locations on the storage medium.
In a preferred embodiment of the invention, such an alteration of the storage identities is produced every time the content of the databases is to be altered or updated.
Operative data is retrieved from the operative register 30 in Fig. 1 in the following manner. To begin with, the user inputs the current original identity OID, i.e. PCN, to the program application APPL 1 along with a statement concerning the requested information. APPL 1 stores the PCN and the statement on the requested information, i.e. the statement on the register or database where the information is to be searched for, and then transmits the PCN and the database statement to the database manager DBM which is to retrieve the requested information. The database manager notes that the records of the current database are protected by the inventive system, and therefore transmits the PCN along with the database name to the program module 60 and the hardware component 50. The database name indicated is used for producing, from tabular information stored in the hardware component 50, correct algorithms ALG1 and ALG2 by means of which the PCN is converted via the update identity UID to the storage identity SID. The thus-produced storage identity SID is transmitted to the database manager DBM, which then searches in the database at issue (here the operative register 30) for descriptive information DI whose storage identities correspond to the storage identity SID produced. The database manager DBM returns the descriptive information DI to the application APPL 1, which links the thus-produced descriptive information DI to the personal code number PCN. It should here be emphasised that the personal code number is stored in APPL 1 only, i.e. in the working storage of the computer, and the identity of the individual thus remains perfectly safe.
Data are retrieved from the strategic database 40 without resorting to the use of any original identity 215349~
OID. The search is based directly on the descriptive information, and since descriptive information associated with one and the same individual is stored along with the same storage identity SID, all descriptive information associated with a single individual is easily put toget-her without in any way threatening the anonymity of the individual.
Different encrypting algorithms can be used in the operative register 30 and the strategic register 40. How-ever, the non-reversible algorithm ALG1 may be the same.
Furthermore, it will be appreciated that the tabular algorithm information stored in the hardware component 50 may comprise many more registers than are shown in Fig. 1.
The inventive embodiment described above can be modified in many ways within the scope of the invention as defined in the appended claims. The term "encryption"
is meant to encompass the term '~hAch;~g~ throughout.
In one modification of the inventive method that is of particular interest, each information record P in the operative database 30 is supplemented with a user iden-tity UI as follows.
Storage User Descriptive identity identity information (SID) (UI) (DI) Thus, it becomes possible to link records to individual users in the operative database. When a user attempts at retrieving the information in a record, it is checked whether he is authorised to have access to the record in question. In particular, it becomes possible for differ-ent users to store descriptive information about one andthe same individual without enabling unauthorised users to gain access to the information stored. The user iden-tity UI in stored records can be changed without affect-ing the storage identity SID or the descriptive informa-tion DI. If a user is to have access to records contain-WO95/15628 2 1~ 3 4 9 7 PCT/SE94/00882 ing other user identities UI than his own, the hardwarecomponent 50 can be supplemented with a table contAin;ng stored information that controls such authorisation.
Another conceivable modification of the embodiment described provides the possibility of using a reversible algorithm in the first encrypting step ALGl, which does not, however, involve the same degree of security as the use of a non-reversible algorithm.
Finally, it should be mentioned that, if need be, also the descriptive information can be encrypted before storage by means of a reversible algorithm in order to ~n~AnCP security even further.
As a result, the information obtained by tracking, if any, is perfectly useless as soon as the storage identities according to the invention have been replaced with new ones. The storage identities SID of the stored records are, according to the invention, altered by first decrypting the storage identities SID of the selected records by means of a third algorithm ALG3, recreating the corresponding update identities UID. It will be appreciated that the third algorithm ALG3 for decryption is directly related to the reversible algorithm ALG2 which, at a previous time, was used for creating the storage identities SID from the update identities UID.
Then, the reversible algorithm ALG2 is altered to a new reversible algorithm ALG2', whereupon the recreated update identities UID are encrypted to new storage identities SID' by means of the altered, new reversible algorithm ALG2'.
The times when the storage identities are replaced with new ones may be controlled completely at random, occur at set intervals, depend on the number of updates, and so forth.
In a preferred embodiment of the invention, the selected records are, when given new storage identities, also moved to new physical locations on the storage medium. In combination with "floating" storage identities, this effectively prevents all attempts at unauthorised tracking.
The invention enables efficient retrieval of stored data for operative as well as strategic purposes, as well as so-called longitudinal update of strategic data.
When retrieving data for operative purposes, the descriptive information stored for a given original identity is retrieved for reading, update, alteration, print-out, and so forth. According to the invention, this is possible by first encrypting such a given original identity to a storage identity in two steps by means of the above two algorithms. All stored records containing the thus-obtained storage identity can be expediently located and the corresponding descriptive information be retrieved. In particular, such retrieval of operative data associated with a given original identity does not require any decryption of the corresponding storage identity, nor any storage of the given original identity, which prevents all unwanted linking between the original identity and the associated descriptive information.
In order to retrieve data for strategic purposes, the storage identity can be put to effective use when putting together data that have the same storage identity. Retrieving data for strategic purposes differs from retrieving data for operative purposes in that one does not wish or need to know to which original identity a certain item of descriptive information belongs, but one nevertheless has to be absolutely certain that all the descriptive information retrieved belongs to the same original identity. Obviously, this is of great importance when, and this is a case of particular interest, the original identity corresponds to a specific individual, since the invention makes it possible to put together, for strategic purposes, descriptive information relating to different individuals, without any risk of their identities being revealed. It is to be understood that the invention enables so-called longitudinal update of strategic information, which among other things means that a given individual is observed for some time and that, at different times, new descriptive information is stored in such a manner that it can be linked to information previously stored for the same individual, without there being any risk of revealing the identity of the individual.
It should be emphasised that the storage of new descriptive information associated with a certain original identity does not necessarily require the creation of a new record containing the storage identity and the descriptive information. The new descriptive information may instead be stored in an existing record whose storage identity corresponds to the original identity at issue.
These and other distinctive features, properties and advantages of the invention are stated in the appended claims and also appear from the following description of one mode of implementation of the invention. In the drawings, Fig. 1 is a block diagram illustrating how the invention can be implemented in a computer system, Fig. 2 illustrates different encrypting steps used when storing information in accordance with the invention, and Fig. 3 illustrates encrypting and decrypting steps used when altering the storage identities in accordance with the invention.
Reference is now made to Fig. 1, which illustrates a computer system comprising an authorisation check system ACS, which may be of any known type; a number of user tools or applications, of which one is designated APPL 1; a database manager DBM; a database 10, which here includes a public register 20 for storing public information, an operative register 30 for storing operative data, and a strategic register 40 for storing strategic data; a hardware component 50; and a program module 60. The invention is chiefly implemented in the hardware component 50 and the program module 60.
The hardware component 50 has an encapsulation that renders it tamper-proof in order to prevent monitoring by tracking tools or compilation. The hardware component 50 acts as a distributed processor, which in particular has the functions of
- creating reversible and non-reversible encrypting algorithms,
- supplying randomly-produced variables for encrypting and decrypting algorithms,
- initiating, e.g. at times chosen at random, an alteration of the storage identities of stored records,
- storing the encrypting and decrypting algorithms last used,
- storing information on user authorisations, if several users are to be authorised to have access to an operative record, and
- linking an original identity (e.g. a personal code number) to the right record in a database.
Thus, the hardware component 50 may comprise a microprocessor, a microcode-programmed PROM storage, required I/O units, encrypting and decrypting units, and storage units for storing information on the algorithms employed as well as the user authorisations. The construction of the hardware component 50 may vary with different applications and is easily implemented by those skilled in the art with the aid of the present description, for which reason the construction of this component will not be described in more detail here.
The program module 60 primarily serves to handle the dialogue between the hardware component 50 and the user application at issue. The program module 60 also handles the dialogue between the hardware component 50 and the authorisation check system ACS, and the sorting out or removal of stored data, events log, and so forth. The program module 60 may also transfer records from operative registers to strategic registers when records are being sorted out from the former.
In the following description of the system of Fig. 1, the designations given below will be used for describing the encrypting and decrypting algorithms employed. Generally speaking, the encrypting and decrypting algorithms can be described as follows:
FType(Random number, Input data) = Results
wherein F designates a function, Type indicates the type of function (in this embodiment, the following types are used:
FKIR = non-reversible encrypting algorithm
FKR = reversible encrypting algorithm
FDKR = decrypting algorithm),
Random number represents one or more constants and/or variables included in the function F, Input data are the data to be encrypted or decrypted, and Results indicate a unique function value for a given function.
The process for storing information in the database 10 will now be described with reference to Figs 1 and 2 in conjunction. It is a condition that the information to be stored can be divided into identifying information and associated descriptive information. The following information on a specific individual is given as an example.
INFORMATION TO BE STORED
| Identifying information | Descriptive information |
| Personal code number (PCN), name, address | DI |
In the first step of the process, the information is divided into identifying information and descriptive information.
In a second step (illustrated in Fig. 2), the identifying information (PCN, NAME, ADDRESS) is stored in the public register 20, optionally in the form of plain text, since this information is of the type that is generally accessible.
In a third step, an original identity OID is selected from the identifying information. In this example, OID = personal code number PCN. The original identity OID is encrypted by means of a non-reversible algorithm ALG1, which is produced at random by the hardware component 50. This non-reversible encryption results in an update identity UID as follows:
ALG1: FKIR(Random number, OID) = UID
The encrypting algorithm ALG1 is such that any attempt at decrypting the update identity UID back to the original identity OID yields a great number of candidate identities, which makes it impossible to link a specific UID to the corresponding OID.
In a fourth step, the update identity UID is encrypted by means of a reversible algorithm ALG2, which also is produced at random by the hardware component 50.
This reversible encryption results in a storage identity SID as follows:
ALG2: FKR(Random number, UID) = SID
The encrypting algorithm ALG2 is such that there exists a corresponding decrypting algorithm ALG3 by means of which the storage identity SID can be decrypted in order to recreate the update identity UID.
In a fifth step, the obtained storage identity SID is stored along with the descriptive information DI as an information record P on the storage medium, which is designated M in Fig. 2. In this example, the record P is stored in the operative database 30 as well as in the strategic database 40.
Preferably, all alterations in the databases are performed in randomly time-controlled batches, such that every alteration in one register normally involves simultaneous alteration or addition of a plurality of records, which is intended to prevent tracking. To this end, data can be stored temporarily in a buffer store, optionally in encrypted form.
As appears from the foregoing, a stored information record P has the following general appearance:
| Storage identity (SID) | Descriptive information (DI) |
Since the original identity OID is encrypted in two steps, of which the first is non-reversible and the second is reversible, it is possible to store the descriptive information DI along with a storage identity SID that never can be linked to the original identity OID, as well as to create "floating" (i.e. which change over time) storage identities SID while retaining the possibility of locating, for a specific original identity OID, the associated descriptive information DI stored.
The process for creating "floating" storage identities will now be described in more detail with reference to Fig. 3.
As mentioned above, the storage identities SID are changed over time in order to prevent, or at least make much more difficult, all attempts at tracking, i.e. unauthorised attempts at locating, when a register is updated, where and in which form given original information is stored on the storage medium.
The times when the storage identities SID are to be replaced with new storage identities SID' can be controlled at random by the hardware component 50. Alternatively, these times can be controlled by other factors, such as the number of alterations in or updates of the database.
At every such time, one decrypts the storage identities SID of all the records P whose storage identities are to "float" or be altered. The hardware component 50 has an internal storage, in which is stored information on the reversible algorithm ALG2 last used, which makes it possible, at each time, to produce in the hardware component 50 a corresponding decrypting algorithm ALG3, by means of which the storage identities SID can be decrypted in order to recreate the corresponding update identities UID.
ALG3: FDKR(Random number, SID) = UID
Thus, the following relationship applies:
FDKR(Random number, FKR(Random number, UID)) = UID
Thereafter, the hardware component 50 produces, by means of new random numbers (Random number'), a new and altered reversible algorithm ALG2', by means of which the recreated update identities UID are reversibly encrypted to new and altered storage identities SID' to be stored along with the associated descriptive information in the selected records.
ALG2': FKR(Random number', UID) = SID'
As described in the foregoing in connection with general storage of information, the alteration of the storage identities on the storage medium preferably takes place in a batch. When the storage identities SID of the records P are thus to be replaced with the new storage identities SID', one may, as a further matter of precaution, move the records P to new physical locations on the storage medium.
In a preferred embodiment of the invention, such an alteration of the storage identities is produced every time the content of the databases is to be altered or updated.
Operative data is retrieved from the operative register 30 in Fig. 1 in the following manner. To begin with, the user inputs the current original identity OID, i.e. PCN, to the program application APPL 1 along with a statement concerning the requested information. APPL 1 stores the PCN and the statement on the requested information, i.e. the statement on the register or database where the information is to be searched for, and then transmits the PCN and the database statement to the database manager DBM which is to retrieve the requested information. The database manager notes that the records of the current database are protected by the inventive system, and therefore transmits the PCN along with the database name to the program module 60 and the hardware component 50. The database name indicated is used for producing, from tabular information stored in the hardware component 50, the correct algorithms ALG1 and ALG2 by means of which the PCN is converted via the update identity UID to the storage identity SID. The thus-produced storage identity SID is transmitted to the database manager DBM, which then searches in the database at issue (here the operative register 30) for descriptive information DI whose storage identities correspond to the storage identity SID produced. The database manager DBM returns the descriptive information DI to the application APPL 1, which links the thus-produced descriptive information DI to the personal code number PCN. It should here be emphasised that the personal code number is stored in APPL 1 only, i.e. in the working storage of the computer, and the identity of the individual thus remains perfectly safe.
Data are retrieved from the strategic database 40 without resorting to the use of any original identity OID. The search is based directly on the descriptive information, and since descriptive information associated with one and the same individual is stored along with the same storage identity SID, all descriptive information associated with a single individual is easily put together without in any way threatening the anonymity of the individual.
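The storage, operative retrieval, strategic grouping and "floating" re-encryption steps described above, as an added worked model in Python (example code, not the patent's own implementation, which gives no code). Assumptions: ALG1/FKIR is modelled as HMAC-SHA256 under a secret k1; ALG2/FKR and its inverse ALG3/FDKR are modelled as a keyed 4-round Feistel permutation built from HMAC (a stand-in for a real block cipher so the example needs only the standard library); k1 and k2 stand in for the patent's "random numbers"; the hardware component, register and sample records are constructed for the example. The names HardwareComponent, Register, float_identities and the PCNs are hypothetical.

```python
import hashlib
import hmac
import random
import secrets
from typing import Dict, List, Optional

HALF = 16  # UID and SID are 32 bytes (HMAC-SHA256 output); the Feistel halves are 16 bytes


def alg1_fkir(k1: bytes, oid: str) -> bytes:
    """ALG1 / FKIR: non-reversible, keyed. Modelled as HMAC-SHA256 (assumption).

    k1 stands in for the patent's secret "random number" and must never leave the
    hardware component: the PCN space is small and enumerable, so with an unkeyed
    hash anyone could recompute every UID and link records back to individuals.
    """
    return hmac.new(k1, oid.encode("utf-8"), hashlib.sha256).digest()


def _round_function(k2: bytes, i: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC over (round index || half), truncated.
    return hmac.new(k2, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def alg2_fkr(k2: bytes, uid: bytes, rounds: int = 4) -> bytes:
    """ALG2 / FKR: reversible, keyed and deterministic (same UID -> same SID, so a
    lookup only needs to recompute the SID). Modelled as a 4-round Feistel network
    over the 32-byte UID (assumption); production code would use a block cipher."""
    left, right = uid[:HALF], uid[HALF:]
    for i in range(rounds):
        left, right = right, _xor(left, _round_function(k2, i, right))
    return left + right


def alg3_fdkr(k2: bytes, sid: bytes, rounds: int = 4) -> bytes:
    """ALG3 / FDKR: the decryption matching ALG2 under the same k2 (rounds reversed)."""
    left, right = sid[:HALF], sid[HALF:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round_function(k2, i, left)), left
    return left + right


class HardwareComponent:
    """Models component 50: holds the secret 'random numbers', derives the algorithms
    and remembers the ALG2 key last used so that ALG3 can be produced for rotation."""

    def __init__(self, k1: Optional[bytes] = None, k2: Optional[bytes] = None) -> None:
        self.k1 = k1 if k1 is not None else secrets.token_bytes(32)  # fixed: ALG1 never changes
        self.k2 = k2 if k2 is not None else secrets.token_bytes(32)  # replaced at every rotation

    def oid_to_sid(self, oid: str) -> bytes:
        # OID -> UID -> SID, the two-step encryption of Fig. 2.
        return alg2_fkr(self.k2, alg1_fkir(self.k1, oid))

    def float_identities(self, records: List[Dict[str, object]], new_k2: Optional[bytes] = None) -> None:
        """Fig. 3: SID -> UID with ALG3 (old key), UID -> SID' with ALG2' (new key),
        done for the whole batch; records are then shuffled to new 'physical locations'."""
        new_k2 = new_k2 if new_k2 is not None else secrets.token_bytes(32)
        for rec in records:
            uid = alg3_fdkr(self.k2, rec["sid"])
            rec["sid"] = alg2_fkr(new_k2, uid)
        random.SystemRandom().shuffle(records)
        self.k2 = new_k2


class Register:
    """An operative or strategic register: rows of (SID, DI). The OID is never stored."""

    def __init__(self, hw: HardwareComponent) -> None:
        self.hw = hw
        self.records: List[Dict[str, object]] = []

    def store(self, oid: str, di: str) -> None:
        self.records.append({"sid": self.hw.oid_to_sid(oid), "di": di})

    def retrieve_operative(self, oid: str) -> List[str]:
        # Operative retrieval: recompute the SID from the OID; no decryption involved.
        sid = self.hw.oid_to_sid(oid)
        return [rec["di"] for rec in self.records if rec["sid"] == sid]

    def retrieve_strategic(self) -> Dict[bytes, List[str]]:
        # Strategic retrieval: group by SID only; the OID is neither known nor needed.
        grouped: Dict[bytes, List[str]] = {}
        for rec in self.records:
            grouped.setdefault(rec["sid"], []).append(rec["di"])
        return grouped

    def rotate(self, new_k2: Optional[bytes] = None) -> None:
        self.hw.float_identities(self.records, new_k2)


if __name__ == "__main__":
    hw = HardwareComponent(k1=b"\x01" * 32, k2=b"\x02" * 32)  # fixed keys for a reproducible run
    reg = Register(hw)
    # Constructed sample records (hypothetical PCNs and descriptive information).
    reg.store("19750101-1234", "visit 2024-01-05: blood pressure 130/85")
    reg.store("19750101-1234", "visit 2024-03-09: prescription renewed")
    reg.store("19820404-5678", "visit 2024-02-01: vaccination")
    print("before rotation:", [r["sid"].hex()[:12] for r in reg.records])
    reg.rotate()
    print("after rotation: ", [r["sid"].hex()[:12] for r in reg.records])
    print("still retrievable:", reg.retrieve_operative("19750101-1234"))
```

Two properties of the design are visible in the model. First, the SID must be deterministic for a given OID, otherwise operative lookup by recomputation would fail; there is therefore no per-record salt, and whoever can run OID-to-SID can link records, which is exactly why the patent confines ALG1 and ALG2 to the tamper-proof hardware component behind the authorisation check system. Second, rotation touches every selected record in one batch and only the reversible half of the pipeline: k1 (ALG1) is never changed, so a SID taken from an old copy of the register is useless against the current one once k2 has been replaced.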
Different encrypting algorithms can be used in the operative register 30 and the strategic register 40. However, the non-reversible algorithm ALG1 may be the same.
Furthermore, it will be appreciated that the tabular algorithm information stored in the hardware component 50 may comprise many more registers than are shown in Fig. 1.
The inventive embodiment described above can be modified in many ways within the scope of the invention as defined in the appended claims. The term "encryption" is meant to encompass the term "hashing" throughout.
In one modification of the inventive method that is of particular interest, each information record P in the operative database 30 is supplemented with a user identity UI as follows.
| Storage identity (SID) | User identity (UI) | Descriptive information (DI) |
Thus, it becomes possible to link records to individual users in the operative database. When a user attempts to retrieve the information in a record, it is checked whether he is authorised to have access to the record in question. In particular, it becomes possible for different users to store descriptive information about one and the same individual without enabling unauthorised users to gain access to the information stored. The user identity UI in stored records can be changed without affecting the storage identity SID or the descriptive information DI. If a user is to have access to records containing other user identities UI than his own, the hardware component 50 can be supplemented with a table containing stored information that controls such authorisation.
Another conceivable modification of the embodiment described provides the possibility of using a reversible algorithm in the first encrypting step ALG1, which does not, however, involve the same degree of security as the use of a non-reversible algorithm.
Finally, it should be mentioned that, if need be, also the descriptive information can be encrypted before storage by means of a reversible algorithm in order to enhance security even further.
Claims (11)
1. An apparatus for storing data comprising an original identity (OID) and associated descriptive information (DI), characterised by
a first encrypting means (50) which is arranged, by means of a first algorithm (ALG1), to encrypt the original identity (OID) to an update identity (UID),
a second encrypting means (50) which is arranged, by means of a reversible algorithm (ALG2), to encrypt the update identity (UID) to a storage identity (SID), which is to be stored along with associated descriptive information (DI) as a record (P) on a storage medium (30, 40), and
a decrypting means (50) which is arranged, at times when the storage identities (SID) of selected stored records (P) are to be replaced with new storage identities (SID'), to decrypt these storage identities (SID) in order to recreate the corresponding update identities (UID),
the second encrypting means (50) being arranged, at said times and by means of an altered reversible algorithm (ALG2'), to encrypt the recreated update identities (UID) to new storage identities (SID'), which are to replace the previous storage identities (SID).
2. An apparatus as set forth in claim 1, characterised by a means arranged to randomly establish said times when the storage identities (SID) of the selected records (P) are to be replaced with new storage identities (SID').
3. An apparatus as set forth in any one of the preceding claims, characterised by the first algorithm (ALG1) for creating the update identity (UID) being a non-reversible algorithm.
4. An apparatus as set forth in any one of the preceding claims, characterised by the first and the second encrypting means and the decrypting means being implemented as a hardware component (50).
5. An apparatus as set forth in claim 4, characterised by the hardware component (50) comprising a processor of its own, which is adapted to act as a distributed processor in a computer.
6. An apparatus as set forth in claim 4 or 5, characterised by the hardware component (50) being adapted to create variable algorithms and comprising a means for storing the algorithms last created.
7. A method for storing data comprising an original identity (OID) and associated descriptive information (DI), characterised by the steps of
encrypting the original identity (OID) to an update identity (UID) by means of a first algorithm (ALG1),
encrypting the update identity (UID) to a storage identity (SID) by means of a reversible algorithm (ALG2),
storing the storage identity (SID) and the descriptive information (DI) as a record (P) on a storage medium (30, 40), and
performing the following substeps at times when the storage identities (SID) of selected stored records (P) are to be replaced with new storage identities (SID'):
- decrypting the storage identities (SID) of the selected records (P) in order to recreate the corresponding update identities (UID),
- altering the reversible algorithm (ALG2) and encrypting, by means of the altered reversible algorithm (ALG2'), the recreated update identities (UID) to new storage identities (SID'), and
- replacing the storage identities (SID) of the selected records (P) with the new storage identities (SID').
8. A method as set forth in claim 7, characterised by the step of selecting, as said selected records (P), all the records (P) stored on the storage medium (30, 40).
9. A method as set forth in claim 7 or 8, characterised in that the step of replacing the storage identities (SID) of the selected records (P) with the new storage identities (SID') is carried out in a batch, so that the storage identities (SID) of the selected records (P) are altered essentially simultaneously on the storage medium (30, 40).
10. A method as set forth in any one of claims 7-9, characterised in that the step of replacing the storage identities (SID) of the selected records (P) with new storage identities (SID') also comprises moving the selected records (P) to new physical locations on the storage medium (30, 40).
11. A method as set forth in any one of claims 7-10, characterised by the step of encrypting also the descriptive information (DI) before this is stored on the storage medium in the respective records (P).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE9303984-0 | 1993-11-30 | ||
SE9303984A SE501128C2 (en) | 1993-11-30 | 1993-11-30 | Device and method for storing data information |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2153497A1 true CA2153497A1 (en) | 1995-06-08 |
Family
ID=20391947
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002153497A Abandoned CA2153497A1 (en) | 1993-11-30 | 1994-09-23 | Apparatus and method for storing data |
Country Status (13)
Country | Link |
---|---|
US (1) | US5606610A (en) |
EP (1) | EP0732014B1 (en) |
JP (1) | JP3678746B2 (en) |
KR (1) | KR100366271B1 (en) |
AT (1) | ATE241878T1 (en) |
AU (1) | AU671049B2 (en) |
BR (1) | BR9406073A (en) |
CA (1) | CA2153497A1 (en) |
DE (1) | DE69432754D1 (en) |
FI (1) | FI953564A (en) |
NO (1) | NO309960B1 (en) |
SE (1) | SE501128C2 (en) |
WO (1) | WO1995015628A1 (en) |
Families Citing this family (60)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5699428A (en) * | 1996-01-16 | 1997-12-16 | Symantec Corporation | System for automatic decryption of file data on a per-use basis and automatic re-encryption within context of multi-threaded operating system under which applications run in real-time |
SE9600955L (en) * | 1996-03-13 | 1997-09-14 | Analysity Ab | Device and procedure for automated needs analysis and performance monitoring in personal management operations |
SE506853C2 (en) | 1996-06-20 | 1998-02-16 | Anonymity Prot In Sweden Ab | Method of data processing |
SE9602834L (en) * | 1996-07-22 | 1998-01-23 | Analysity Ab | Apparatus and method for multidimensional pattern analysis |
GB9712459D0 (en) * | 1997-06-14 | 1997-08-20 | Int Computers Ltd | Secure database system |
JP3272283B2 (en) * | 1997-11-14 | 2002-04-08 | 富士通株式会社 | Electronic data storage device |
US6148342A (en) * | 1998-01-27 | 2000-11-14 | Ho; Andrew P. | Secure database management system for confidential records using separately encrypted identifier and access request |
US20010044901A1 (en) * | 1998-03-24 | 2001-11-22 | Symantec Corporation | Bubble-protected system for automatic decryption of file data on a per-use basis and automatic re-encryption |
EP1026603A3 (en) * | 1999-02-02 | 2002-01-30 | SmithKline Beecham Corporation | Apparatus and method for depersonalizing information |
US6857076B1 (en) * | 1999-03-26 | 2005-02-15 | Micron Technology, Inc. | Data security for digital data storage |
US7096370B1 (en) * | 1999-03-26 | 2006-08-22 | Micron Technology, Inc. | Data security for digital data storage |
DE19925910B4 (en) | 1999-06-07 | 2005-04-28 | Siemens Ag | Method for processing or processing data |
US6938022B1 (en) * | 1999-06-12 | 2005-08-30 | Tara C. Singhal | Method and apparatus for facilitating an anonymous information system and anonymous service transactions |
GB9920644D0 (en) * | 1999-09-02 | 1999-11-03 | Medical Data Service Gmbh | Novel method |
US6732113B1 (en) | 1999-09-20 | 2004-05-04 | Verispan, L.L.C. | System and method for generating de-identified health care data |
US8473452B1 (en) | 1999-09-20 | 2013-06-25 | Ims Health Incorporated | System and method for analyzing de-identified health care data |
US7093137B1 (en) * | 1999-09-30 | 2006-08-15 | Casio Computer Co., Ltd. | Database management apparatus and encrypting/decrypting system |
US6449621B1 (en) * | 1999-11-03 | 2002-09-10 | Ford Global Technologies, Inc. | Privacy data escrow system and method |
US6397224B1 (en) * | 1999-12-10 | 2002-05-28 | Gordon W. Romney | Anonymously linking a plurality of data records |
GB2366051B (en) * | 2000-05-02 | 2005-01-05 | Ibm | Method, system and program product for private data access or use based on related public data |
US7178035B1 (en) * | 2000-11-02 | 2007-02-13 | Ati International, Srl | Write once system and method for facilitating digital encrypted transmissions |
US7958376B2 (en) * | 2000-11-02 | 2011-06-07 | Ati Technologies Ulc | Write once system and method for facilitating digital encrypted transmissions |
US20020066038A1 (en) * | 2000-11-29 | 2002-05-30 | Ulf Mattsson | Method and a system for preventing impersonation of a database user |
US7454796B2 (en) * | 2000-12-22 | 2008-11-18 | Canon Kabushiki Kaisha | Obtaining temporary exclusive control of a printing device |
US7526795B2 (en) * | 2001-03-27 | 2009-04-28 | Micron Technology, Inc. | Data security for digital data storage |
US7266699B2 (en) * | 2001-08-30 | 2007-09-04 | Application Security, Inc. | Cryptographic infrastructure for encrypting a database |
JP2003083243A (en) * | 2001-09-05 | 2003-03-19 | Toyota Industries Corp | Displacement control device for variable displacement compressor |
DE60130902T2 (en) | 2001-11-23 | 2008-07-17 | Protegrity Research & Development | Method for detecting intrusion into a database system |
JP3941513B2 (en) * | 2002-01-11 | 2007-07-04 | ソニー株式会社 | Recording method, recording apparatus, reproducing method, and reproducing apparatus |
FI20020808A (en) * | 2002-04-29 | 2003-10-30 | Mediweb Oy | Saving sensitive data |
US20040078238A1 (en) * | 2002-05-31 | 2004-04-22 | Carson Thomas | Anonymizing tool for medical data |
GB0222896D0 (en) * | 2002-10-03 | 2002-11-13 | Avoca Systems Ltd | Method of and apparatus for transferring data |
JP2006523995A (en) * | 2003-03-21 | 2006-10-19 | Koninklijke Philips Electronics N.V. | Privacy of user identity in authorization certificate |
FI116170B (en) * | 2003-04-11 | 2005-09-30 | Jouko Kronholm | Method of conveying return information from a feedback system, as well as data transmission system |
US20050203921A1 (en) * | 2004-03-11 | 2005-09-15 | Newman Aaron C. | System for protecting database applications from unauthorized activity |
AU2004201058B1 (en) * | 2004-03-15 | 2004-09-09 | Lockstep Consulting Pty Ltd | Means and method of issuing Anonymous Public Key Certificates for indexing electronic record systems |
CA2564313A1 (en) * | 2004-05-05 | 2005-11-17 | Ims Health Incorporated | Data encryption applications for multi-source longitudinal patient-level data integration |
JP2008503798A (en) * | 2004-05-05 | 2008-02-07 | IMS Software Services Ltd. | Mediated data encryption for long-term patient-level databases |
WO2005109294A2 (en) * | 2004-05-05 | 2005-11-17 | Ims Health Incorporated | Multi-source longitudinal patient-level data encryption process |
US7743069B2 (en) * | 2004-09-03 | 2010-06-22 | Sybase, Inc. | Database system providing SQL extensions for automated encryption and decryption of column data |
US7797342B2 (en) * | 2004-09-03 | 2010-09-14 | Sybase, Inc. | Database system providing encrypted column support for applications |
FR2881248A1 (en) * | 2005-01-26 | 2006-07-28 | France Telecom | Personal medical data management system for insured patient, has computing subsystem with units to generate common key from identification data of person, and another subsystem with database associating sensitive personal data to key |
US20080022136A1 (en) * | 2005-02-18 | 2008-01-24 | Protegrity Corporation | Encryption load balancing and distributed policy enforcement |
US20070174271A1 (en) * | 2005-02-18 | 2007-07-26 | Ulf Mattsson | Database system with second preprocessor and method for accessing a database |
SE0500541L (en) * | 2005-03-08 | 2006-09-09 | Inator Kb | Authorization system and method |
US7522751B2 (en) * | 2005-04-22 | 2009-04-21 | Daon Holdings Limited | System and method for protecting the privacy and security of stored biometric data |
DE602005018548D1 (en) | 2005-04-22 | 2010-02-04 | Daon Holdings Ltd | SYSTEM AND PROCEDURE FOR PRIVACY PROTECTION U |
WO2007096890A2 (en) * | 2006-02-27 | 2007-08-30 | Sentrigo Inc. | Device, system and method of database security |
KR100697613B1 (en) * | 2006-06-22 | 2007-03-22 | LGS Co., Ltd. | Optical film and planar lighting source apparatus using the same |
US9355273B2 (en) * | 2006-12-18 | 2016-05-31 | Bank Of America, N.A., As Collateral Agent | System and method for the protection and de-identification of health care data |
US20100031321A1 (en) | 2007-06-11 | 2010-02-04 | Protegrity Corporation | Method and system for preventing impersonation of computer system user |
US9158933B2 (en) * | 2007-08-17 | 2015-10-13 | Sybase, Inc. | Protection of encryption keys in a database |
JP4640410B2 (en) * | 2007-12-25 | 2011-03-02 | Casio Computer Co., Ltd. | Database management apparatus and recording medium |
US8225106B2 (en) * | 2008-04-02 | 2012-07-17 | Protegrity Corporation | Differential encryption utilizing trust modes |
US20100114607A1 (en) * | 2008-11-04 | 2010-05-06 | Sdi Health Llc | Method and system for providing reports and segmentation of physician activities |
US9141758B2 (en) * | 2009-02-20 | 2015-09-22 | Ims Health Incorporated | System and method for encrypting provider identifiers on medical service claim transactions |
US20110071994A1 (en) * | 2009-09-22 | 2011-03-24 | Appsimple, Ltd | Method and system to securely store data |
US20110162074A1 (en) * | 2009-12-31 | 2011-06-30 | Sap Portals Israel Ltd | Apparatus and method for remote processing while securing classified data |
US8862902B2 (en) * | 2011-04-29 | 2014-10-14 | Seagate Technology Llc | Cascaded data encryption dependent on attributes of physical memory |
EP3256981B1 (en) | 2015-01-14 | 2021-03-03 | Hewlett-Packard Enterprise Development LP | System, apparatus and method for anonymizing data prior to threat detection analysis |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
IL100238A (en) * | 1991-12-04 | 1995-01-24 | Labaton Isaac J | Device and method for credit accounts charging |
US5392357A (en) * | 1991-12-09 | 1995-02-21 | At&T Corp. | Secure telecommunications |
US5343527A (en) * | 1993-10-27 | 1994-08-30 | International Business Machines Corporation | Hybrid encryption method and system for protecting reusable software components |
- 1993
  - 1993-11-30 SE SE9303984A patent/SE501128C2/en not_active IP Right Cessation
- 1994
  - 1994-09-23 BR BR9406073A patent/BR9406073A/en not_active IP Right Cessation
  - 1994-09-23 AT AT95900329T patent/ATE241878T1/en not_active IP Right Cessation
  - 1994-09-23 CA CA002153497A patent/CA2153497A1/en not_active Abandoned
  - 1994-09-23 KR KR1019950703151A patent/KR100366271B1/en not_active IP Right Cessation
  - 1994-09-23 EP EP95900329A patent/EP0732014B1/en not_active Expired - Lifetime
  - 1994-09-23 US US08/464,891 patent/US5606610A/en not_active Expired - Lifetime
  - 1994-09-23 DE DE69432754T patent/DE69432754D1/en not_active Expired - Lifetime
  - 1994-09-23 AU AU81183/94A patent/AU671049B2/en not_active Ceased
  - 1994-09-23 JP JP51554595A patent/JP3678746B2/en not_active Expired - Lifetime
  - 1994-09-23 WO PCT/SE1994/000882 patent/WO1995015628A1/en active IP Right Grant
- 1995
  - 1995-06-26 NO NO952546A patent/NO309960B1/en unknown
  - 1995-07-26 FI FI953564A patent/FI953564A/en unknown
Also Published As
Publication number | Publication date |
---|---|
JP3678746B2 (en) | 2005-08-03 |
BR9406073A (en) | 1995-12-12 |
AU8118394A (en) | 1995-06-19 |
ATE241878T1 (en) | 2003-06-15 |
SE9303984L (en) | 1994-11-21 |
DE69432754D1 (en) | 2003-07-03 |
EP0732014B1 (en) | 2003-05-28 |
FI953564A0 (en) | 1995-07-26 |
KR960703295A (en) | 1996-06-19 |
AU671049B2 (en) | 1996-08-08 |
SE9303984D0 (en) | 1993-11-30 |
NO952546D0 (en) | 1995-06-26 |
NO309960B1 (en) | 2001-04-23 |
FI953564A (en) | 1995-07-26 |
SE501128C2 (en) | 1994-11-21 |
EP0732014A1 (en) | 1996-09-18 |
US5606610A (en) | 1997-02-25 |
WO1995015628A1 (en) | 1995-06-08 |
JPH09510305A (en) | 1997-10-14 |
KR100366271B1 (en) | 2003-04-11 |
NO952546L (en) | 1995-07-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US5606610A (en) | Apparatus and method for storing data | |
EP0891661B1 (en) | Method and apparatus for data protection allowing for multiple encryption levels applicable on a data element type level | |
EP0885417B1 (en) | Access control/crypto system | |
US9460298B1 (en) | Sensitive data aliasing | |
US20090138944A1 (en) | Method and apparatus for camouflaging of data, information and functional transformations | |
CN101002417A (en) | System and method for dis-identifying sensitive information and associated records | |
JPH11143780A (en) | Method and device for managing secret information in database | |
JPH11272681A (en) | Recording method for individual information and record medium thereof | |
US7508938B1 (en) | Method and apparatus for generating and using a tamper-resistant encryption key | |
US7330851B2 (en) | Data security through dissembly of data elements or connections between elements | |
EP1207443A2 (en) | Encryption of databases based on a combination of hardware and software | |
CA2257975C (en) | Method and apparatus for data processing | |
Toubba | Employing Encryption to Secure Consumer Data | |
KOCHANSKI et al. | SECURITY BULLETIN | |
Piano | There are two aspects to the issue of protection of data. We will try to cope with both of them in this chapter. The first, and commonly understood, aspect is that we wish to deny access to data to those people who do not have a right to access these data. This is also commonly referred as the protection of privacy for personal data and maintenance | |
WO2001001222A1 (en) | Securing databases using mutual consent access | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| EEER | Examination request | |
| FZDE | Discontinued | |