Secure data processing method

Electrical computers and digital processing systems: support – System access control based on user identification by...

Reexamination Certificate

Details

C713S155000, C713S168000, C713S189000, C713S193000, C713S152000, C713S152000

active

06789195

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a method for processing data which are stored, at least partially in encrypted form, in at least one database, where the data can be read by a user who communicates with the database via a communications link and where, if necessary, new data can be stored.
2. Description of the Prior Art
Data to be stored in a database are ever more frequently composed of non-critical parts, whose contents require no special secrecy, and critical data which, if at all, may be accessed only by a limited range of users. In order to store such critical data with protected access, it is known for the data to be stored in encrypted form. Cryptographic methods (for example DES, RSA, IDEA) are used for this purpose and use symmetric or asymmetric keys to encrypt the data. In known methods for secure communication, the data are encrypted only while being transmitted between the client and the server (line encryption); at the central point the data exist in unencrypted form once again and are generally stored in unencrypted form in a central database. With these methods there is a security gap, since anyone who has administrative access to the central database can read all the data. A solution to this problem is known in which the data are encrypted on the central server and are stored in the database in encrypted form. In this case as well, there is still a security gap when accesses are made to the central point: since the data exist on the server in plaintext at one point in time, they can be copied before or during the encryption process. One method of the type mentioned initially can be used, for example, in the area of medicine or by doctors, where, for example, a number of doctors, as users, have access to the patient data stored in a central database.
Sandhu, R. et al., Access control: Principles and practice, IEEE Communications Magazine, September 1994, pages 40-48, describes the access control provided via ACLs. Access Control Lists are used to control who may access objects, and in what role. The rights to do so are stored in databases, and an authorization database must be checked before the user is granted access.
Neumann, C., Security, Payment and Privacy for Network Commerce, IEEE Journal on Selected Areas in Communications, Vol. 13, No. 8, October 1995, pages 1523-1531, describes a protocol, in the description relating to FIG. 1 on page 1525, in which a client would like to communicate with a service provider. To do this, a session key is agreed via a server and is used by the client to gain access to the provider.
SUMMARY OF THE INVENTION
An object of the present invention is to provide a method which can allow secure data transmission and storage in a system in which a number of users have access to a central database.
In order to solve this problem, in a method according to the invention of the type initially described, the data are decrypted and/or encrypted exclusively at the user end, using a key which is stored in a central further database and is transmitted exclusively to the authorized user.
The method according to the invention thus no longer involves the data being encrypted and decrypted at the central server itself, and no longer relies on line encryption; instead, encryption and decryption are performed exclusively at the user end. In this case, the data are available in unencrypted form only at the doctor's end (that is to say at the client), and the data are encrypted at the doctor's end even before they are transmitted to the central database (server). This makes attacks on the central data storage point, which is at risk, very difficult, in particular even attacks by the system administration. Thus, in the method according to the invention, only encrypted data, or only those encrypted data parts which contain critical information and consequently need to be especially protected, are transmitted via the communications link, which can be tapped. Non-critical data may also, of course, be transmitted in unencrypted form. Protection against unauthorized data access is furthermore ensured in that a special key is required for encryption and/or decryption, which key is allocated exclusively to authorized users from a central further database. This key is thus passed only to the users who are authorized for access, for example only to doctors who are authorized for access.
The data may be composed of data parts which identify a person or an object, data parts which describe that person or object, and association data. In this case the identifying data parts are stored in a first database and the descriptive data parts in a second database, each together with an association data item. The data parts stored in the other database can be found using the identically formed association data item, and at least the association data item of the identifying data parts and, if required, the descriptive data parts are encrypted and can be decrypted using the transmitted key. Two separate databases are thus used in this case, and preferably, but not necessarily, they do not communicate with one another. The databases are object-oriented databases which, for example, contain patient data in the form of patient-specific files. At least the critical data are encrypted; non-critical data need not necessarily be stored in encrypted form in the second database. If, for example, the data are medically relevant patient data, then data which either refer to a person or contain other critical information are stored, like the association data item, in encrypted form in the second database which contains the descriptive data parts. Non-critical data, to which, for example, unlimited access may be allowed in the course of epidemiological investigations, are stored in unencrypted form in this database. The demographic patient data, on the other hand, are stored in the first database, and the encrypted association data item is stored there as an encrypted reference.
Since the data which identify the patients are stored in unencrypted form in the first database, it is possible to search for a patient in this database and to determine the encrypted association data item. Access to the second database with the descriptive data, however, is possible only if the association data item can be decrypted, so that it becomes possible to search for the association data item, which is stored in unencrypted form in the second database, and to call up the data. Furthermore, it is possible to provide a further encryption stage, namely when the first and the second database communicate with one another. In such a case, the relevant data can be protected using a method such as that described in PCT Application WO 97/49211 or U.S. Pat. No. 5,606,610.
Furthermore, according to the invention, it is possible to provide for the descriptive data parts to be stored, together with association data, in a group-specific second database which is associated with a specific user group comprising the personnel who may have authorized access to the stored data. User groups are thus formed, with each user group being assigned a group-specific second database. All group members have authorized access to this database. Such a group may be, for example, a group formed by a number of doctors who have a group practice. All of them have access to a common patient list and, since they are authorized to hold the key or can be authorized to be given the key, they can call up the appropriate data without having to obtain the patient's consent. The composition of the respective groups may change and, of course, one doctor may belong to a number of groups, in the same way that one patient may have a file in a number of group databases, for example in a first group involving a number of family doctors and in a second group which comprises, for example, a number of internists. It is likewise also possible, if necessary, to inhibit access by the patie
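The following is an added illustration of the scheme described in the summary above (client-side encryption with a key released only to authorized users, a first database holding plaintext identifying data plus an encrypted association item, and a group-specific second database keyed by the plaintext association item with critical fields encrypted). It is example code written for this page, not code from the patent or its applicant. Everything in it is an assumption for illustration: the class and function names, the use of a random hexadecimal token as the association data item, and the symmetric cipher, which is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so that the example runs on the Python standard library alone; a real deployment would use a standard authenticated cipher such as AES-GCM in its place.

```python
import hashlib
import hmac
import secrets

# --- stand-in symmetric cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC) ---
# Chosen only so this example needs no third-party package; use a standard AEAD
# such as AES-GCM in practice.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the group key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (16 + len(plaintext) + 32 bytes)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a modified blob is rejected rather than decrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- the "central further database": releases a group key only to its members ---
class KeyServer:
    def __init__(self):
        self._group_keys = {}   # group name -> key
        self._members = {}      # group name -> set of authorized user names

    def create_group(self, group: str, members) -> None:
        self._group_keys[group] = secrets.token_bytes(32)
        self._members[group] = set(members)

    def fetch_key(self, user: str, group: str) -> bytes:
        if user not in self._members.get(group, set()):
            raise PermissionError(f"{user} is not authorized for group {group}")
        return self._group_keys[group]

# --- first database: identifying data in plaintext, association item encrypted ---
class IdentifyingDB:
    def __init__(self):
        self.records = []       # each: {"name", "dob", "enc_ref"}

    def find_by_name(self, name: str):
        return [r for r in self.records if r["name"] == name]

# --- group-specific second database: keyed by the plaintext association item;
#     critical fields encrypted, non-critical fields (e.g. region) in plaintext ---
class DescriptiveDB:
    def __init__(self):
        self.records = {}       # assoc_id -> {"enc_diagnosis", "region"}

# --- client side: the only place where key and plaintext ever meet ---
class Client:
    def __init__(self, user, group, key_server, id_db, desc_db):
        self.key = key_server.fetch_key(user, group)   # raises for non-members
        self.id_db, self.desc_db = id_db, desc_db

    def store_patient(self, name, dob, diagnosis, region) -> str:
        assoc_id = secrets.token_hex(16)              # constructed association item
        self.id_db.records.append({"name": name, "dob": dob,
                                   "enc_ref": encrypt(self.key, assoc_id.encode())})
        self.desc_db.records[assoc_id] = {
            "enc_diagnosis": encrypt(self.key, diagnosis.encode()),
            "region": region}                          # non-critical, stored in clear
        return assoc_id

    def lookup(self, name):
        """Search first DB by name, decrypt the reference, then read the second DB."""
        out = []
        for rec in self.id_db.find_by_name(name):
            assoc_id = decrypt(self.key, rec["enc_ref"]).decode()
            desc = self.desc_db.records[assoc_id]
            out.append((rec["dob"], decrypt(self.key, desc["enc_diagnosis"]).decode(),
                        desc["region"]))
        return out

def server_side_view(desc_db: DescriptiveDB):
    """What an administrator with full access to the second database can read."""
    return [(aid, r["region"], r["enc_diagnosis"].hex()) for aid, r in desc_db.records.items()]
```

Running `Client("dr_meier", ...)` for a user listed in the group shows the full round trip, while constructing a `Client` for a user who is not in the group fails at `fetch_key` before any data is touched; `server_side_view` shows that a database administrator sees the association item and the non-critical region field but only ciphertext for the diagnosis, which is the gap the method closes relative to server-side encryption.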