RIV-1014
Riverbed Technology v. Silver Peak Systems
IPR2014-00245

Patent Application Publication
Sep. 12, 2002
US 2002/0129260 A1
[FIG. 1 (drawing not reproduced): computer systems connected by a network, with one system expanded to show its processor 13, the database management system (RDBMS) 15 and a client application]
METHOD AND SYSTEM FOR INTEGRATING ENCRYPTION FUNCTIONALITY INTO A DATABASE SYSTEM

FIELD OF THE INVENTION

[0001] The present invention relates to database systems, and more particularly to confidential data encryption in database systems.
BACKGROUND OF THE INVENTION

[0002] Just as computers have become more and more prevalent in everyday life, networks of linked computers have become important in distributing information amongst computer users. Many computer systems are organized according to a client/server metaphor. Generally, in client/server computing, end users are each provided with a desktop computer or terminal known as a "client." The clients are connected using a network to another computer known as a "server", because its general function is to serve or fulfill requests submitted by clients. Application programs running on the clients prepare requests and transmit them to the server over the network. A "network" of computers can be any number of computers that are able to exchange information with one another. The computers may be arranged in any configuration and may be located in the same room or in different countries, so long as there is some way to connect them together (for example, by telephone lines or other communication systems) so they can exchange information. Just as computers may be connected together to make up a network, networks may also be connected together through tools known as bridges and gateways. These tools allow a computer in one network to exchange information with a computer in another network.
`
`[0003] Of particular interest in today’s computing envi-
`ronment are relational database applications. Relational
`DataBase Management System (RDBMS) software using a
`Structured Query Language (SQL) interface is well known
`in the art. The SQL interface has evolved into a standard
`language for RDBMS software and has been adopted as
`such by both the American Nationals Standard Organization
`(ANSI) and the International Standards Organization (ISO).

[0004] In RDBMS software, all data is externally structured into tables. The SQL interface allows users to formulate relational operations on the tables either interactively, in batch files, or embedded in host languages such as C, COBOL, etc. Operators are provided in SQL that allow the user to manipulate the data, wherein each operator operates on either one or two tables and produces a new table as a result. The power of SQL lies in its ability to link information from multiple tables or views together to perform complex sets of procedures with a single statement.

[0005] The power of being able to gather, store, and relate information in database systems and then operate on that information through SQL allows for an almost limitless range of applications for such technology. Together with computer networks, including the Internet, incredible opportunities exist for people and businesses to communicate and to conduct commerce. Concerns arise with these opportunities, particularly with regard to ensuring confidentiality of personal information, sensitive communications, and financial data.

[0006] For example, users sometimes are required to input personal information, such as credit card information, for processing within a website. While security techniques may be used during the transmission of the data, within the database receiving and storing the information, the information remains accessible to the database administrator (DBA). A DBA refers to an individual who is responsible for the design, development, operation, safeguarding, maintenance, and use of a database. Unfortunately, the accessibility of the confidential, personal information of a user creates an opportunity for intruders/malicious DBAs to misuse the information.

[0007] Accordingly, a need exists for a technique that provides users with a straightforward and flexible manner of protecting confidential information within a database. The present invention addresses such a need.

SUMMARY OF THE INVENTION

[0008] The present invention provides aspects for integrating encryption functionality into a database system. The aspects include providing at least two functions to support data encryption in a database system. The at least two functions are utilized within structured query language statements to preserve confidentiality of user-specified data in the database system.

[0009] Through the aspects of the present invention, users have better assurance that data private to a database application remains inaccessible to others, such as database administrators. Further, the provision of the encryption functionality of the present invention in an integrated manner with SQL creates a substantially unlimited range of database environments within which the present invention may be used. These and other advantages of the aspects of the present invention will be more fully understood in conjunction with the following detailed description and accompanying drawings.
`
BRIEF DESCRIPTION OF THE DRAWINGS

[0010] FIG. 1 illustrates an overall block diagram of a computer system network in accordance with the present invention.

[0011] FIG. 2 illustrates a diagram representation of a database system environment in accordance with the present invention.

[0012] FIG. 3 illustrates a block flow diagram for achieving the protection of confidential data in accordance with the present invention.
`
DETAILED DESCRIPTION OF THE INVENTION

[0013] The present invention relates to protection of confidential data within a database by a user. The following description is presented to enable one of ordinary skill in the art to make and use the invention and is provided in the context of a patent application and its requirements. Thus, the present invention is not intended to be limited to the embodiment shown, but is to be accorded the widest scope consistent with the principles and features described herein.

[0014] As shown in FIG. 1, a plurality of computer systems 1a, 1b, 1c are interconnected via a network 2 (which could be the public Internet or a private intra-corporate Intranet or wide area network). It should be appreciated that although FIG. 1 illustrates a network of computer systems, this is meant as exemplary and not restrictive of the type of environment suitable for the aspects of the present invention. Thus, the aspects may also be provided within a single computing system environment. Accordingly, one (1c) of the computer systems is shown expanded for further illustration.
`
[0015] Computer system 1c has a processor 13 for controlling the overall operation of the computer system 1c, a high speed cache memory 12, a long-term storage device 14 (e.g., hard disk drive), and a database management system 15, e.g., an RDBMS system, such as DB2.
`
[0016] In accordance with the present invention, functions are provided that achieve privacy and user control of access to data in the database system 15, so that only users with the proper access and password can view the data. These functions are integrated into the database system 15 to allow access via SQL statements executed in the database system 15. The integration of the functionality into the database system 15 with the present invention occurs through a straightforward approach that can be utilized as desired with any client application of the database, as described in more detail hereinbelow.
`
[0017] Referring to the diagrams of FIG. 2 and FIG. 3, functions, including encrypt function 20 and decrypt function 22, achieve the protection of confidential data in the database system 15. The functions 20 and 22 are suitably provided as user-defined functions in the database system 15 (step 30). A user-defined function (UDF) generally refers to a function that is defined to the database management system and can be referenced thereafter in SQL queries. Alternatively, the functions 20 and 22 may be defined through standard techniques as built-in functions within a database system. The functions 20 and 22 can then be utilized via SQL to ensure data confidentiality in the database system 15 (step 32), i.e., the encrypt function 20 is processed by SQL processing 24 to generate the encrypted form of data as the data is inserted or updated from a client application 26 in the database system 15, while SQL processing 24 of the decrypt function 22 generates the decrypted form of the data during selects from the database system 15 by the client application 26. Thus, each item of data can be uniquely encrypted. Alternatively, a single key/password can be used to encrypt an entire column of data in the database system 15.
`
[0018] By way of example, suppose a table exists for social security numbers (SSN) of employees (EMP) of a company in the database system 15. The following example SQL statements illustrate the use of the encrypt and decrypt functions and encryption password in accordance with the present invention to ensure confidentiality with such a table.

    INSERT INTO EMP (SSN) VALUES ENCRYPT ('289-46-8832', 'GEORGE');
    SELECT DECRYPT (SSN, 'GEORGE') FROM EMP;

In this example, the SELECT statement returns the value "289-46-8832."
`
[0019] In a further embodiment, the encrypt function 20 may encrypt a password hint, as well. A password hint refers to a phrase that assists data owners in remembering their passwords. With the ability to encapsulate password hints, another function, GETHINT, can be defined that returns an encapsulated password hint.

[0020] When the inclusion of a hint for the password is desired, such as the use of the hint "WASHINGTON" for remembering the password of "GEORGE", the insert statement for the example becomes:

[0021] INSERT INTO EMP (SSN) VALUES ENCRYPT ('289-46-8832', 'GEORGE', 'WASHINGTON');

[0022] A select statement to get the hint:

[0023] SELECT GETHINT (SSN) FROM EMP;

[0024] returns the value "WASHINGTON."
`
[0025] As demonstrated by the example, the encrypt function 20 and decrypt function 22 preferably follow the basic formats:

[0026] ENCRYPT (data-string-expression, password-string-expression) returns varchar

[0027] DECRYPT (data-string-expression, password-string-expression) returns varchar or

[0028] ENCRYPT (data-string-expression (clob), password-string-expression) returns clob

[0029] DECRYPT (data-string-expression (clob), password-string-expression) returns clob.

[0030] The format for the encrypt function 20 with a password hint preferably follows the format:

[0031] ENCRYPT (data-string-expression, password-string-expression, hint-string-expression) returns varchar or

[0032] ENCRYPT (data-string-expression (clob), password-string-expression, hint-string-expression) returns clob

[0033] And, for the GETHINT function:

[0034] GETHINT (data-string-expression) returns varchar or

[0035] GETHINT (data-string-expression (clob)) returns varchar
`
[0036] In the foregoing formats, varchar suitably refers to variable-length character data with a length of 'n' characters, and clob refers to character large object, i.e., a sequence of characters (single-byte, multi-byte, or both) where the length can be up to 2 gigabytes that can be used to store large text objects, as is well understood in the art. In an exemplary embodiment, the password valid length is 6 to 128 and the hint valid length is 0 to 32. The provision of the password may be done explicitly, or in an alternate embodiment, for systems utilizing a login context that requires a user to enter a password, the password entered could be utilized as an implicit provision of the encryption key password for the encrypt functions.
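The following Python program is an added illustration, not code from the patent or from any DB2 implementation, of the procedure described in [0017] through [0036]: ENCRYPT, DECRYPT and GETHINT are defined to the database as user-defined functions (step 30) and then referenced from ordinary SQL statements (step 32), using the statements of [0018] and [0021] to [0024] and the length limits of [0036]. SQLite via the standard sqlite3 module stands in for the RDBMS; the stored value layout, the PBKDF2 plus HMAC-SHA256 counter-mode construction (used instead of a block cipher so the example needs only the standard library), the iteration count and the EMP table are all assumptions of this example. The VALUES clause is parenthesized as standard SQL requires.

```python
import hashlib
import hmac
import os
import sqlite3

PASSWORD_LEN = (6, 128)  # valid password length in the exemplary embodiment ([0036])
HINT_LEN = (0, 32)       # valid hint length ([0036])
_SALT, _NONCE, _TAG = 16, 16, 32
_ITERATIONS = 100_000    # assumption: PBKDF2 cost, not specified by the patent


def _derive_keys(password: str, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA256 turns the user's password into an encryption key
    and a separate MAC key (the patent only says the password is the key)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed over data. A stand-in
    for AES-CTR chosen so the example runs on the standard library alone."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_value(data: str, password: str, hint: str = "") -> str:
    """ENCRYPT(data, password[, hint]) -> varchar (hex text).
    Assumed layout: salt | nonce | hint length | hint | ciphertext | tag.
    The hint is stored in the clear because GETHINT takes no password,
    but the tag covers it, so it cannot be altered unnoticed."""
    if not PASSWORD_LEN[0] <= len(password) <= PASSWORD_LEN[1]:
        raise ValueError("password length must be 6 to 128")
    hint_b = hint.encode()
    if not HINT_LEN[0] <= len(hint_b) <= HINT_LEN[1]:
        raise ValueError("hint length must be 0 to 32")
    salt, nonce = os.urandom(_SALT), os.urandom(_NONCE)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor_stream(enc_key, nonce, data.encode())
    body = salt + nonce + bytes([len(hint_b)]) + hint_b + ct
    tag = hmac.new(mac_key, body, "sha256").digest()
    return (body + tag).hex()


def _split(blob: str) -> tuple:
    """Parse the hex layout written by encrypt_value."""
    raw = bytes.fromhex(blob)
    body, tag = raw[:-_TAG], raw[-_TAG:]
    salt, nonce = body[:_SALT], body[_SALT:_SALT + _NONCE]
    hint_start = _SALT + _NONCE + 1
    hint_end = hint_start + body[_SALT + _NONCE]
    return body, tag, salt, nonce, body[hint_start:hint_end], body[hint_end:]


def decrypt_value(blob: str, password: str):
    """DECRYPT(data, password) -> varchar, or NULL (None) when the tag does
    not verify: a wrong password or a tampered value never yields garbage."""
    body, tag, salt, nonce, _hint, ct = _split(blob)
    enc_key, mac_key = _derive_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, "sha256").digest()):
        return None
    return _xor_stream(enc_key, nonce, ct).decode()


def get_hint(blob: str) -> str:
    """GETHINT(data) -> varchar; needs no password, as in [0023] to [0024]."""
    return _split(blob)[4].decode()


def open_db() -> sqlite3.Connection:
    """Define the functions to the database so SQL can reference them (step 30)."""
    con = sqlite3.connect(":memory:")
    con.create_function("ENCRYPT", -1, encrypt_value)  # 2- or 3-argument form
    con.create_function("DECRYPT", 2, decrypt_value)
    con.create_function("GETHINT", 1, get_hint)
    con.execute("CREATE TABLE EMP (SSN TEXT)")  # assumed table, as in [0018]
    return con


def demo() -> tuple:
    """Run the patent's statements (step 32); return (stored, decrypted, hint, wrong)."""
    con = open_db()
    con.execute("INSERT INTO EMP (SSN) VALUES (ENCRYPT('289-46-8832', 'GEORGE', 'WASHINGTON'))")
    stored = con.execute("SELECT SSN FROM EMP").fetchone()[0]
    clear = con.execute("SELECT DECRYPT(SSN, 'GEORGE') FROM EMP").fetchone()[0]
    hint = con.execute("SELECT GETHINT(SSN) FROM EMP").fetchone()[0]
    wrong = con.execute("SELECT DECRYPT(SSN, 'MARTHA1') FROM EMP").fetchone()[0]
    return stored, clear, hint, wrong


if __name__ == "__main__":
    print(demo())
```

Each call to ENCRYPT draws a fresh salt and nonce, so the same SSN under the same password stores as a different value each time, which is what [0017] means by each item of data being uniquely encrypted. Because the password is a literal inside the statement text, anything that records statement text (query logs, traces) sees it; the implicit password of [0036], taken from the login context, is the variant that keeps it out of the SQL.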
`
[0037] With the encryption techniques using a password as an encryption key, the present invention provides a straightforward and flexible technique to protect confidential data in a database in a manner that allows integration with well-established, non-proprietary SQL techniques. Accordingly, users have better assurance that data private to a database application remains inaccessible to others, such as database administrators. Further, the provision of the encryption functionality of the present invention in an integrated manner with SQL creates a substantially unlimited range of database environments within which the present invention may be used.
`
[0038] Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations to the embodiments and those variations would be within the spirit and scope of the present invention. Accordingly, many modifications may be made by one of ordinary skill in the art without departing from the spirit and scope of the appended claims.

What is claimed is:
`
1. A method for integrating encryption functionality into a database system, the method comprising:

(a) providing at least two functions to support data encryption in a database system; and

(b) utilizing the at least two functions within structured query language statements.

2. The method of claim 1 wherein step (a) further comprises (a1) adding the at least two functions as user-defined functions in the database system.
3. The method of claim 2 wherein the user-defined functions further comprise a first function to encrypt the user-specified data when inserted or updated in the database system.

4. The method of claim 3 wherein the user-defined functions further comprise a second function to decrypt the user-specified data when selected from the database system.

5. The method of claim 3 wherein the first function further encrypts the user-specified data with a user-specified password.

6. The method of claim 5 wherein the first function further encrypts with a password hint.

7. The method of claim 6 wherein the user-defined functions further comprise a third function to get the password hint.
`
8. A system for integrating encryption functionality into a database system, the system comprising:

at least one computer processing device; and

a database management system installed on the at least one computer processing device, the database management system supporting utilization of at least two functions for data encryption via structured query language.

9. The system of claim 8 wherein the at least two functions further comprise user-defined functions in the database management system.

10. The system of claim 9 wherein the user-defined functions further comprise a first function to encrypt the user-specified data when inserted or updated in the database management system.

11. The system of claim 10 wherein the user-defined functions further comprise a second function to decrypt the user-specified data when selected from the database management system.

12. The system of claim 10 wherein the first function further encrypts the user-specified data with a user-specified password.

13. The system of claim 12 wherein the first function further encrypts with a password hint.

14. The system of claim 13 wherein the user-defined functions further comprise a third function to get the password hint.
`
15. A computer readable medium containing program instructions for integrating encryption functionality into a database system, the program instructions comprising:

(a) providing at least two functions to support data encryption in a database system; and

(b) utilizing the at least two functions within structured query language statements.

16. The program instructions of claim 15 wherein step (a) further comprises (a1) adding the at least two functions as user-defined functions in the database system.

17. The program instructions of claim 16 wherein the user-defined functions further comprise a first function to encrypt the user-specified data when inserted or updated in the database system, and a second function to decrypt the user-specified data when selected from the database system.

18. The program instructions of claim 17 wherein the first function further encrypts the user-specified data with a user-specified password.

19. The program instructions of claim 18 wherein the first function further encrypts with a password hint.

20. The program instructions of claim 19 wherein the user-defined functions further comprise a third function to get the password hint.
`
* * * * *