公开(公告)号：US11849026B2

公开(公告)日：2023-12-19

申请号：US17228986

申请日：2021-04-13

Applicant: SAP SE

Inventor： Martin Schindewolf ,  Meinolf Block ,  Christoph Hohner ,  Sascha Zorn

IPC: H04L9/08 ,  G06F21/62 ,  H04L9/14

CPC classification number: H04L9/0822 ,  G06F21/6218 ,  H04L9/14

Abstract: The present disclosure involves systems, software, and computer implemented methods for database integration with an external key management system. One example method includes receiving, by a database system, a key encryption key from an external key management system external to the database system that is used to encrypt a data encryption key used to encrypt database data. The data encryption key is obtained, by the database system, using the key encryption key. Encrypted database data is decrypted, by the database system and using the data encryption key, to obtain decrypted database data before performing an operation on the decrypted database data. The database system determines that the external key management system has performed an operation on the key encryption key. In response to determining that the external key management system has performed the operation on the key encryption key, the database system modifies operation of the database system.

公开(公告)号：US20220329413A1

公开(公告)日：2022-10-13

申请号：US17228986

申请日：2021-04-13

Applicant: SAP SE

Inventor： Martin Schindewolf ,  Meinolf Block ,  Christoph Hohner ,  Sascha Zorn

IPC: H04L9/08 ,  H04L9/14 ,  G06F21/62

Abstract: The present disclosure involves systems, software, and computer implemented methods for database integration with an external key management system. One example method includes receiving, by a database system, a key encryption key from an external key management system external to the database system that is used to encrypt a data encryption key used to encrypt database data. The data encryption key is obtained, by the database system, using the key encryption key. Encrypted database data is decrypted, by the database system and using the data encryption key, to obtain decrypted database data before performing an operation on the decrypted database data. The database system determines that the external key management system has performed an operation on the key encryption key. In response to determining that the external key management system has performed the operation on the key encryption key, the database system modifies operation of the database system.

公开(公告)号：US20210099289A1

公开(公告)日：2021-04-01

申请号：US16590047

申请日：2019-10-01

Applicant: SAP SE

Inventor： Christoph Hohner ,  Sascha Zorn ,  Meinolf Block ,  Martin Schindewolf

IPC: H04L9/08 ,  H04L9/14

Abstract: A method, a system, and a computer program product for performing key management configurations. One or more encryption keys for encrypting one or more data payloads for accessing one or more databases are received. The received encryption keys are compared to a plurality of encryption keys associated with the databases. Based on the comparison, a configuration of at least one database is changed using the received encryption keys. The changed configuration is stored.

公开(公告)号：US10235531B2

公开(公告)日：2019-03-19

申请号：US15202498

申请日：2016-07-05

Applicant: SAP SE

Inventor： Meinolf Block ,  Christoph Hohner ,  Martin Schindewolf ,  Sascha Zorn

IPC: G06F17/30 ,  G06F7/00 ,  G06F21/60 ,  G06F21/62 ,  G06F21/00

Abstract: Methods, systems, and apparatus, including computer program products, are provided for configuring access controls to a database. In one aspect there is provided a method. The method may include receiving, from a first user, a table declaration for creating a database table in a database; generating, based on the table declaration, the database table; receiving, from the first user, a specification of one or more access mechanisms that have a privilege to access the database table; receiving a designation of at least one column in the database table as a protected column and one or more users who have a privilege to access the content of the protected column; and providing control over access to the content of the protected column based at least in part on the specification of the one or more access mechanisms and the designation of the at least one column and the second user.

公开(公告)号：US20180131517A1

公开(公告)日：2018-05-10

申请号：US15347431

申请日：2016-11-09

Applicant: SAP SE

Inventor： Meinolf Block ,  Christoph Hohner ,  Martin Schindewolf ,  Sascha Zorn

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/14 ,  G06F17/30

CPC classification number: H04L9/0894 ,  G06F21/6227 ,  H04L9/0891 ,  H04L9/3226 ,  H04L9/3236

Abstract: Embodiments manage access to cryptography keys for database data, within a secure key store of a local key server owned by a new (security) operating system (OS) user separate from an original default OS user. Existing principles governing distinct OS user access privileges engrained within the OS itself, are leveraged to preclude the default OS user from accessing files of the new security OS user. Embodiments thus segregate the right to read secure cryptography keys of a secure key store, from the right to administer database installation on the OS level. While the original default OS user retains access to the encrypted data, the new security OS user now owns the cryptography key necessary to decrypt that database data. Thus, the default OS user is denied enough information to unlock the database data, enhancing its security. Embodiments are particularly useful for promoting data security in cloud setups and multi-tenant databases.

公开(公告)号：US12147558B2

公开(公告)日：2024-11-19

申请号：US17968136

申请日：2022-10-18

Applicant: SAP SE

Inventor： Patrick Voelker ,  Holger Mack ,  Meinolf Block ,  Thorsten Glebe ,  Mihnea Andrei ,  Yong Sik Kwon ,  Dirk Thomsen ,  Martin Schindewolf ,  Martin Kittel ,  Myung Sun Park ,  Beomsoo Kim ,  Martin Heidel ,  Christian Bensberg ,  Fabian Garagnon ,  Michael Muehle ,  Sergej Hardock ,  Johannes Beigel ,  Sascha Zorn ,  Christoph Hohner ,  Andreas Hartel

IPC: G06F21/00 ,  G06F21/62 ,  H04L9/08

Abstract: A database system includes a persistent storage system, a memory storing metadata defining a tenant object and a plurality of database artifacts, a first instance of the tenant object, the first instance associated with a first plurality of the database artifacts including first data associated with the first instance of the tenant object, and a second instance of the tenant object, the second instance associated with a second plurality of the database artifacts including second data associated with the second instance of the tenant object. A processing unit is to execute program code of a database instance to cause the database system to encrypt the first data associated with the first instance of the tenant object using a first public encryption key and store the encrypted first data in the persistent storage system, and encrypt the second data associated with the second instance of the tenant object using a second public encryption key and store the encrypted second data in the persistent storage system.

公开(公告)号：US10142100B2

公开(公告)日：2018-11-27

申请号：US15203663

申请日：2016-07-06

Applicant: SAP SE

Inventor： Meinolf Block ,  Christoph Hohner ,  Martin Schindewolf ,  Sascha Zorn

IPC: G06F21/62 ,  H04L9/30 ,  H04L9/08 ,  H04L9/32 ,  G06F17/30

Abstract: A system for managing user-controlled security keys in cloud-based scenarios is provided. In some implementations, the system performs operations comprising receiving an information request from a user device via a network, and generating a database query based at least in part upon the information request. The operations can comprise generating a request for a secret key for decrypting encrypted data when the database query requests the encrypted data and/or generating a request for a secret key for encrypting data when the database query requests to encrypt data. The operations can also comprise providing the request to a security key management entity via a network, receiving secret key information from the security key management entity via the network, and using the secret key information to form decrypted data or encrypted data. Related systems, methods, and articles of manufacture are also described.

公开(公告)号：US20230412374A1

公开(公告)日：2023-12-21

申请号：US17818750

申请日：2022-08-10

Applicant: SAP SE

Inventor： Christoph Hohner ,  Martin Schindewolf ,  Sascha Zorn ,  Meinolf Block

IPC: H04L9/08 ,  G06F16/27 ,  G06F16/23

CPC classification number: H04L9/0894 ,  G06F16/2379 ,  G06F16/27

Abstract: The present disclosure relates to computer-implemented methods, software, and systems for the replication of secret keys between server nodes. Keys for encryption and decryption are persisted in a log file on a first database hosted on a primary server. The log file comprises data for executed database transactions at the first database and key management operations at a first key store. In response to triggering a synchronization between the primary server and a secondary server, a set of sequential entries of the log file are replayed at the secondary server from the first database. An execution of a transaction is replicated at a secondary database at the secondary server based on data for an entry at the log file and a key management operation associated with a key at the first key store that is persisted in another entry of the log file is replicated.

公开(公告)号：US11533168B2

公开(公告)日：2022-12-20

申请号：US16723466

申请日：2019-12-20

Applicant: SAP SE

Inventor： Martin Schindewolf ,  Meinolf Block ,  Christoph Höhner ,  Sascha Zorn

IPC: H04L9/08 ,  G06F16/27 ,  G06F16/25 ,  G06F21/62

Abstract: The system described herein provides for storing the databases and encryption keys for decrypting the data in the databases into two separate partitions. In an embodiment, the first partition includes the databases while the second partition includes a configuration database and a payload database. The payload database stores a data encryption key for decrypting the data stored in the databases. The payload database is encrypted and may be decrypted using a body encryption key. The body encryption key itself is encrypted twice. In the first instance a key encryption key is generated and in the second instance a second access key is generated. The key encryption key or the second access key may be used to decrypt the body encryption key. The second access key is stored in a secure location, to be retrieved in situations when the key encryption key is inaccessible.

公开(公告)号：US11296870B2

公开(公告)日：2022-04-05

申请号：US16590047

申请日：2019-10-01

Applicant: SAP SE

Inventor： Christoph Hohner ,  Sascha Zorn ,  Meinolf Block ,  Martin Schindewolf

IPC: H04L9/08 ,  H04L9/14

Abstract: A method, a system, and a computer program product for performing key management configurations. One or more encryption keys for encrypting one or more data payloads for accessing one or more databases are received. The received encryption keys are compared to a plurality of encryption keys associated with the databases. Based on the comparison, a configuration of at least one database is changed using the received encryption keys. The changed configuration is stored.