Abstract:
Systems and methods for determining trust when interacting with online resources are described, including requesting a secure connection with an online resource; receiving a certificate from the online resource, wherein the certificate is signed by a chain of at least one certificate authority (CA) with the last CA in the chain being a root CA; determining that the root CA is an entity root CA without determining whether the root CA is a third-party root CA, wherein the entity root CA is associated with an entity certificate issued to an entity and the entity is associated with a score; determining whether the score is equal to or greater than a threshold; and, if the score is equal to or greater than the threshold, establishing the secure connection with the online resource.
Abstract:
This document describes methods and systems by which a data storage service migrates a volume of stored data from an unencrypted format to an encrypted format while still permitting user access to the data. The encryption process uses migration markers to identify records that have undergone the encryption process. When migration is complete, the service removes the migration markers and retains the encrypted data in a data storage facility.
Abstract:
A cloud computing service implements a method of restricting access to customer data to only authorized administrative elements that are part of the cloud computing service. The service defines a set of access policies for the data, such that each access policy includes a permitted action. When the service receives a request to access the customer data, the request may include an access credential and originate from an administrative element within the cloud computing service. The service will verify the access credential and use the access credential to identify one of the access policies. The service will then identify a permitted action that is associated with the identified access policy and return a data access token to the administrative element. The data access token permits the administrative element to perform the identified permitted action on the customer data.
Abstract:
A method and/or system for reliable content recommendations may include receiving, from an electronic device, a request for one or more content recommendations. An indicator associated with the electronic device may be determined. A history of interactions, wherein the interactions may be associated with the indicator, may also be determined. One or more entity root certificates may be determined based on the history of interactions. Based on the one or more entity root certificates, one or more entities may be determined. One or more recommended content items may be determined, where the one or more recommended content items may be associated with the one or more entities. Content recommendation data may be communicated to the electronic device, where the content recommendation data may comprise data related to the one or more recommended content items.
Abstract:
A method includes gathering a plurality of instances of online activity associated with a user, analyzing the plurality of instances of online activity to determine a characteristic that is likely to correspond to a profile attribute of the user and generating a profile enrichment suggestion for the user based on the determined characteristic.
Abstract:
A method of authorizing a transaction may include receiving, by a hosted service from a client device, a request to access an account and determining whether a user of the client device is permitted to access the account. The method may include, in response to determining that the user is permitted to access the account, receiving, from the client device, a request to initiate a transaction, determining whether the transaction is a long-lived transaction, in response to determining that the transaction is a long-lived transaction, creating a transaction credential associated with the long-lived transaction, and determining, based at least in part on the transaction credential, whether the execution of the long-lived transaction is authorized.
Abstract:
A method of controlling access to one or more data resources may include receiving, from a client device by an authentication server device, a request to access a data resource. The request may include a job identifier associated with a job. The method may include transmitting, by the authentication server device to a scheduling server device, the job identifier, receiving, by the authentication server device from the scheduling server device, job information associated with the job, determining, by the authentication server device, whether at least a portion of the job information satisfies an access policy associated with the data resource, and granting the job access to the data resource in response to the at least a portion of the job information satisfying the access policy.
Abstract:
An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.
Abstract:
A storage service receives a binary large object (blob) for storage, and the service creates first and second sets of data chunks from the blob. The chunks in the first set together equal the blob, and the service uses one or more encryption keys to encrypt each of the data chunks in the first set. The chunks in the second set also together equal the blob. The service assigns a message authentication code (MAC) to each data chunk in the second set. The service stores the encrypted data chunks in one or more data stores, and it stores the encryption keys and the MACs as metadata in a metadata memory.