-
Publication No.: US20200320213A1
Publication Date: 2020-10-08
Application No.: US16373066
Filing Date: 2019-04-02
Applicant: SAP SE
Inventor: Benny Fuhry, Jayanth Jain Hassan Ajith Kumar, Florian Kerschbaum
IPC: G06F21/62, G06F16/2455, G06F16/248
Abstract: Embodiments offer database security utilizing dictionary encoding, with certain functionality being implemented inside a secure environment, e.g., a Trusted Execution Environment (TEE). In particular, the secure environment receives a secret key from a data owner, and receives an encrypted query range and a dictionary reference from a query engine. Based upon the query range decrypted using the secret key, and also the dictionary loaded from a database, the secure environment searches the dictionary to produce a list of value identifiers corresponding to the query range. The value identifiers are communicated outside the secure environment to the query engine for further processing (e.g., to generate RecordIDs), ultimately producing a query result for a user. Particular embodiments may leverage the processing power of an in-memory database engine in order to perform the role of the query engine that interacts with the secure environment.
-
Publication No.: US09830470B2
Publication Date: 2017-11-28
Application No.: US14880095
Filing Date: 2015-10-09
Applicant: SAP SE
Inventor: Florian Kerschbaum, Benny Fuhry, Wei Xu, Josef Köeble, Walter Tighzert
CPC classification number: G06F21/6227, H04L9/008, H04L9/0819, H04L63/0281, H04L63/0478, H04L2209/76
Abstract: Methods, systems, and computer-readable storage media for processing queries in analytical web applications over encrypted data. Implementations include actions of receiving, by a database driver executed on a server-side computing device and from a client-side proxy, a query and one or more encryption keys, the one or more encryption keys having been selected by the client-side proxy based on operations required to perform the query, performing at least one operation of the query to provide a query result including encrypted data, and transmitting, by the database driver, the encrypted data to the client-side proxy, the client-side proxy processing the encrypted data to provide plaintext data to an end user.
-
Publication No.: US20210266329A1
Publication Date: 2021-08-26
Application No.: US16791761
Filing Date: 2020-02-14
Applicant: SAP SE
Inventor: Benny Fuhry, Lina Hirschoff, Florian Kerschbaum
Abstract: Aspects of the current subject matter are directed to secure group file sharing. An architecture for end-to-end encrypted, group-based file sharing using a trusted execution environment (TEE) is provided to protect confidentiality and integrity of data and management of files, enforce immediate permission and membership revocations, support deduplication, and mitigate rollback attacks.
-
Publication No.: US20210248253A1
Publication Date: 2021-08-12
Application No.: US16787787
Filing Date: 2020-02-11
Applicant: SAP SE
Inventor: Benny Fuhry, Jonas Boehler
Abstract: Aspects of the current subject matter are directed to performing privacy-preserving analytics over sensitive data without sharing plaintext data and without requiring a trusted third party. Implementations provide for utilizing a trusted execution environment within a server to compute the privacy-preserving result. Data owners via user devices send their encrypted data directly to an enclave managed by a trusted execution environment, without the server and the cloud service provider for the server seeing the plaintext data. The enclave computes the analytics directly on the data and releases the privacy-preserving result that can be ensured by code analysis and remote attestation from all parties.
-
Publication No.: US20170103227A1
Publication Date: 2017-04-13
Application No.: US14880095
Filing Date: 2015-10-09
Applicant: SAP SE
Inventor: Florian Kerschbaum, Benny Fuhry, Wei Xu, Josef Köeble, Walter Tighzert
CPC classification number: G06F21/6227, H04L9/008, H04L9/0819, H04L63/0281, H04L63/0478, H04L2209/76
Abstract: Methods, systems, and computer-readable storage media for processing queries in analytical web applications over encrypted data. Implementations include actions of receiving, by a database driver executed on a server-side computing device and from a client-side proxy, a query and one or more encryption keys, the one or more encryption keys having been selected by the client-side proxy based on operations required to perform the query, performing at least one operation of the query to provide a query result including encrypted data, and transmitting, by the database driver, the encrypted data to the client-side proxy, the client-side proxy processing the encrypted data to provide plaintext data to an end user.
-
Publication No.: US12164658B2
Publication Date: 2024-12-10
Application No.: US17819292
Filing Date: 2022-08-11
Applicant: SAP SE
Inventor: Benny Fuhry, Jonas Boehler
Abstract: Aspects of the current subject matter are directed to performing privacy-preserving analytics over sensitive data without sharing plaintext data and without requiring a trusted third party. Implementations provide for utilizing a trusted execution environment within a server to compute the privacy-preserving result. Data owners via user devices send their encrypted data directly to an enclave managed by a trusted execution environment, without the server and the cloud service provider for the server seeing the plaintext data. The enclave computes the analytics directly on the data and releases the privacy-preserving result that can be ensured by code analysis and remote attestation from all parties.
-
Publication No.: US11546341B2
Publication Date: 2023-01-03
Application No.: US16791761
Filing Date: 2020-02-14
Applicant: SAP SE
Inventor: Benny Fuhry, Lina Hirschoff, Florian Kerschbaum
Abstract: Aspects of the current subject matter are directed to secure group file sharing. An architecture for end-to-end encrypted, group-based file sharing using a trusted execution environment (TEE) is provided to protect confidentiality and integrity of data and management of files, enforce immediate permission and membership revocations, support deduplication, and mitigate rollback attacks.
-
Publication No.: US20220391526A1
Publication Date: 2022-12-08
Application No.: US17819292
Filing Date: 2022-08-11
Applicant: SAP SE
Inventor: Benny Fuhry, Jonas Boehler
Abstract: Aspects of the current subject matter are directed to performing privacy-preserving analytics over sensitive data without sharing plaintext data and without requiring a trusted third party. Implementations provide for utilizing a trusted execution environment within a server to compute the privacy-preserving result. Data owners via user devices send their encrypted data directly to an enclave managed by a trusted execution environment, without the server and the cloud service provider for the server seeing the plaintext data. The enclave computes the analytics directly on the data and releases the privacy-preserving result that can be ensured by code analysis and remote attestation from all parties.
-
Publication No.: US11449624B2
Publication Date: 2022-09-20
Application No.: US16787787
Filing Date: 2020-02-11
Applicant: SAP SE
Inventor: Benny Fuhry, Jonas Boehler
Abstract: Aspects of the current subject matter are directed to performing privacy-preserving analytics over sensitive data without sharing plaintext data and without requiring a trusted third party. Implementations provide for utilizing a trusted execution environment within a server to compute the privacy-preserving result. Data owners via user devices send their encrypted data directly to an enclave managed by a trusted execution environment, without the server and the cloud service provider for the server seeing the plaintext data. The enclave computes the analytics directly on the data and releases the privacy-preserving result that can be ensured by code analysis and remote attestation from all parties.
-
Publication No.: US11048816B2
Publication Date: 2021-06-29
Application No.: US16373066
Filing Date: 2019-04-02
Applicant: SAP SE
Inventor: Benny Fuhry, Jayanth Jain Hassan Ajith Kumar, Florian Kerschbaum
IPC: G06F12/14, G06F11/30, G06F21/62, G06F16/2455, G06F16/248
Abstract: Embodiments offer database security utilizing dictionary encoding, with certain functionality being implemented inside a secure environment, e.g., a Trusted Execution Environment (TEE). In particular, the secure environment receives a secret key from a data owner, and receives an encrypted query range and a dictionary reference from a query engine. Based upon the query range decrypted using the secret key, and also the dictionary loaded from a database, the secure environment searches the dictionary to produce a list of value identifiers corresponding to the query range. The value identifiers are communicated outside the secure environment to the query engine for further processing (e.g., to generate RecordIDs), ultimately producing a query result for a user. Particular embodiments may leverage the processing power of an in-memory database engine in order to perform the role of the query engine that interacts with the secure environment.