Patent Grant
11640480
The present application is a National Phase entry of PCT Application No. PCT/EP2019/056886, filed Mar. 19, 2019, which claims priority from EP Patent Application No. 18169177.5, filed Apr. 25, 2018, each of which is hereby fully incorporated herein by reference.
The present disclosure relates to methods of sharing data messages containing sensitive data.
In IT security, Security Information and Event Management (SIEM) systems generate security data concerning threats, vulnerabilities, attacks and the like. SIEM systems generate SIEM data including, for example, network and system log files on which basis security analysis to identify, assess, monitor and respond to threats is undertaken for a computer system. It is increasingly desirable for multiple systems to share SIEM data to provide greater scope of insight of security-related data. For example, a first system may share SIEM data with a second system where the second system provides a SIEM data analysis service that may, for example, identify high-risk threats and opportunities for mitigation.
Challenges arise when sharing SIEM data between computer systems where the systems do not enjoy a trusted relationship because the nature of SIEM data is such that it can include highly sensitive information including names, e-mail addresses, IP addresses, identification of software and/or services executing in a system and the like. The sensitivity of such information is especially acute in view of the EU General Data Protection Regulation (GDPR) which imposes strict controls on the receipt, storage, use and distribution of personal information. The challenge is emphasized where multiple systems communicate and the degree of trust between pairs of systems differs such that data that is anonymized for one system need not be anonymized for another.
Accordingly, it would be beneficial to provide for the benefits of effective sharing of SIEM data while assuring the security of sensitive data.
The present disclosure accordingly provides, in a first aspect, a computer implemented method of sharing a data message containing multiple data fields between a provider computer system and a consumer computer system, wherein the provider and consumer computer systems have mutual mistrust, the method comprising: responsive to an authentication of the provider computer system, receiving a definition of one or more fields in the data message accessible to the consumer computer system, each field having associated a cryptographic key; responsive to an indication from a data storage server that a ciphertext of the data message is requested to be stored in the data storage server including a derivative of an identifier of the provider computer system, confirming the authenticity of the ciphertext by confirming the authenticity of the derivative, wherein each field of the ciphertext is encrypted using a corresponding cryptographic key; responsive to an authentication of the consumer computer system, issuing the consumer computer system with a cryptographic key for each of the fields in the data message accessible to the consumer computer system, such that the consumer computer system is operable to obtain the ciphertext from the data storage server and to decrypt the one or more accessible data fields and such that other data fields being non-accessible to the consumer are encrypted to anonymize such other data fields.
In some embodiments, the derivative of the identifier of the provider computer system is a hash or digest of an identifier of the provider.
In some embodiments, communication with each of the provider and consumer computer systems is encrypted using separate session keys.
In some embodiments, the operation responsive to the authentication of the consumer further comprises communicating a derivative of the data message to the consumer computer system such that the consumer computer system can identify the data message to the data storage server for retrieval thereof.
In some embodiments, the derivative of the data message is a hash or digest of the data message.
In some embodiments, at least some of the data fields in the data message are unencrypted.
The present disclosure accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the method set out above.
The present disclosure accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the method set out above.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:
Embodiments of the present disclosure include a communication protocol and key derivation function for encrypting selective parts of STEM data records using an onion-skin encryption methodology (e.g. nested encrypted elements utilizing multiple keys) for anonymizing parts of the encryption. Keys can be distributed to receiving systems via a novel protocol which uses trusted intermediaries to provide features of: assurance that messages are genuine; protection of sender identity; and assurance of anonymity of a message payload. In this way, STEM data containing sensitive information can be selectively anonymized in a targeted manner (such as by receiver) and communicated reliably to receiver systems without compromising the sensitive information.
An anonymization server 204 is provided has a hardware, software, firmware, physical or wholly or partly virtualized component for providing sharing of data between the provider 200 and the consumer 202. The anonymization server 204 is trusted by each of the provider 200 and the consumer 202 though there is mutual mistrust between the consumer 202 and the provider 200. The anonymization server provides authentication of each of the provider 200 and the consumer 202 and implements a data sharing agreement (DSA) on behalf of the provider 200.
A DSA is determined based on a definition of one or more fields in the data message of the provider 200 accessible to the consumer 202. The DSA can be realized by, for example, a cryptographic key such as a symmetric key for each of one or more fields in the data message such that access to the fields by the consumer 202 can be controlled by provision of selected keys dependent on the determined accessible fields. Thus, fields in the data message can be encrypted using the keys as a mechanism for anonymizing the data and access to the data can be controlled by controlling access to the keys.
Notably, the anonymization server 204 does not store the data message having fields encrypted by the provider 200. Rather, a secure storage server 206 is provided, the storage server 206 storing data messages (including their encrypted data fields) while having no access to keys required for access thereto. Thus, the secure storage server 206 maintains no relationship with the provider 200 or the consumer 202. Most preferably, the provider 200 and the consumer 202 also do not identify themselves to the secure storage server 206 such that the secure storage server 206 is unable to monitor or track entities storing and/or accessing data therein. For example, the provider 200 can communicate a derivative of its identifier (such as a hash or digest of an identifier of the provider 200) to the storage server 206 as an anonymized identification of the provider 200. The storage server 206 is adapted to confirm an authenticity of data messages requested for storage therein by confirming such derivative of an identity of the provider 200 is verifiable by the anonymization server 204. In this way, there is no coupling between the provider 200, the consumer 202 and the storage server 206.
Thus, in use, the provider 200 authenticates with the anonymization server 204 and defines a DSA for storage therein. The provider 200 further requests storage of a data message including one or more encrypted data fields in the storage server 206, which authenticates the provider 200 by a derivative of an identifier of the provider 200 with reference to the anonymization server 204. Subsequently, the consumer 202 can request (or be informed of) information on data message(s) available for it at the secure storage server 206 by authenticating with the anonymization server 204. The anonymization server 204 can identify individual messages by a derivative thereof, such as a digest or hash provided by the provider 200. The anonymization server 204 further issues the consumer 202 with cryptographic keys for access to authorized fields in a data message in accordance with the DSA. Subsequently, the authenticated consumer 202 requests a data message from the storage server 206 based on the derivative of the message (such as a hash or digest) provided by the anonymization server 204.
In this way, there need be no trust between the consumer 202 and the provider 200 and the secure storage server 206 need have no knowledge of either entity. The mutually trusted anonymization server 204 provides for the enforcement of granular access control to data fields of the data message based on the DSA provided by the provider 200 and using cryptographic keys to control field access by the consumer 202. Thus, data messages including sensitive information can be shared between providers and consumers without compromising the security of the sensitive information.
The method of
Considering the method of
Each data field identified for anonymization and protection against access except by authorized consumers are associated with a cryptographic key protecting the field.
Thus, it is possible to specify which parts of a data message are to be anonymized, what to anonymize and for who. The encryption of data fields that may be nested can use a multi-layer encryption technique by in applying encryption several times to a data field, first at one original layer, then upon another layer and so on, defining a hierarchy, using different keys for different components and layers.
Notably, in a multi-layered encryption scheme, multiple keys may be required to access a data field, such as nested fields with each level of nesting being encrypted by using different keys. In such arrangements, while a consumer may have access to a key for a nested field, if it does not also have access to a key for a nesting field then it may not be possible to decrypt the nested field.
Insofar as embodiments of the disclosure described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present disclosure. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilizes the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present disclosure.
It will be understood by those skilled in the art that, although the present disclosure has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention. The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.
| Number | Date | Country | Kind |
|---|---|---|---|
| 18169177 | Apr 2018 | EP | regional |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2019/056886 | 3/19/2019 | WO |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2019/206524 | 10/31/2019 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 8214584 | Johnson | Jul 2012 | B2 |
| 8572410 | Tkacik et al. | Oct 2013 | B1 |
| 9141303 | Kishi et al. | Sep 2015 | B2 |
| 9189609 | Antony | Nov 2015 | B1 |
| 9608810 | Ghetti et al. | Mar 2017 | B1 |
| 10038557 | Dimitrakos et al. | Jul 2018 | B2 |
| 10091183 | Stumpf et al. | Oct 2018 | B2 |
| 10341118 | Yang et al. | Jul 2019 | B2 |
| 10389709 | Potlapally et al. | Aug 2019 | B2 |
| 10420879 | Heck et al. | Sep 2019 | B2 |
| 10505721 | Dimitrakos et al. | Dec 2019 | B2 |
| 10541811 | Peddada et al. | Jan 2020 | B2 |
| 10607018 | Amidi | Mar 2020 | B2 |
| 10972263 | Gryb et al. | Apr 2021 | B2 |
| 11025429 | Enke et al. | Jun 2021 | B2 |
| 20040039925 | McMillan et al. | Feb 2004 | A1 |
| 20050235143 | Kelly | Oct 2005 | A1 |
| 20080022385 | Crowell et al. | Jan 2008 | A1 |
| 20080263372 | Sako et al. | Oct 2008 | A1 |
| 20090222631 | Sugiura | Sep 2009 | A1 |
| 20090323967 | Peirce et al. | Dec 2009 | A1 |
| 20110231671 | Locker et al. | Sep 2011 | A1 |
| 20110271073 | Ikeda et al. | Nov 2011 | A1 |
| 20110296197 | Konetski et al. | Dec 2011 | A1 |
| 20120036370 | Lim et al. | Feb 2012 | A1 |
| 20120117381 | Lo et al. | May 2012 | A1 |
| 20120297189 | Hayton et al. | Nov 2012 | A1 |
| 20130097421 | Lim | Apr 2013 | A1 |
| 20130191648 | Bursell | Jul 2013 | A1 |
| 20130243197 | Sherwood et al. | Sep 2013 | A1 |
| 20140012916 | van Ham | Jan 2014 | A1 |
| 20140149666 | Nakagawa et al. | May 2014 | A1 |
| 20140208111 | Brandwine et al. | Jul 2014 | A1 |
| 20140282539 | Sonnek | Sep 2014 | A1 |
| 20140380035 | Marinelli et al. | Dec 2014 | A1 |
| 20150222606 | Yan | Aug 2015 | A1 |
| 20150312759 | Kim | Oct 2015 | A1 |
| 20160261408 | Peddada et al. | Sep 2016 | A1 |
| 20160342394 | Tsirkin | Nov 2016 | A1 |
| 20160344724 | Shoshan | Nov 2016 | A1 |
| 20160352516 | Oberheide et al. | Dec 2016 | A1 |
| 20170048061 | Bohdan et al. | Feb 2017 | A1 |
| 20170052907 | Price, Jr. et al. | Feb 2017 | A1 |
| 20170063853 | Lim | Mar 2017 | A1 |
| 20170286695 | Shetty et al. | Oct 2017 | A1 |
| 20170286696 | Shetty et al. | Oct 2017 | A1 |
| 20170286698 | Shetty et al. | Oct 2017 | A1 |
| 20170288863 | Dimitrakos et al. | Oct 2017 | A1 |
| 20170288871 | Dimitrakos et al. | Oct 2017 | A1 |
| 20180323967 | Courtney | Nov 2018 | A1 |
| 20180332011 | Gray | Nov 2018 | A1 |
| 20190034218 | El-Moussa et al. | Jan 2019 | A1 |
| 20190034645 | El-Moussa et al. | Jan 2019 | A1 |
| 20190050247 | El-Moussa et al. | Feb 2019 | A1 |
| 20190052613 | Karlsen | Feb 2019 | A1 |
| 20210203495 | Daniel et al. | Jul 2021 | A1 |
| 20210218564 | Daniel et al. | Jul 2021 | A1 |
| Number | Date | Country |
|---|---|---|
| 2991785 | Feb 2017 | CA |
| 2645618 | Oct 2013 | EP |
| 2472491 | Feb 2011 | GB |
| 2015061267 | Mar 2015 | JP |
| WO-2008141167 | Nov 2008 | WO |
| WO-2013091221 | Jun 2013 | WO |
| WO-2017116260 | Jul 2017 | WO |
| WO-2017129657 | Aug 2017 | WO |
| Entry |
|---|
| “Cloud Discovery Data Anonymization,” Anonymize user data in Cloud App Security, Microsoft Docs, Apr. 20, 2020, Retrieved From the Internet: https://docs.microsoft.com/en-us/cloud-app-security/cloud-discovery-anonymizer , 8 pages. |
| Extended Search Report for European Application No. EP18169177.5, dated Oct. 9, 2018, 10 pages. |
| GB Combined Search and Examination Report for GB Application No. GB1806724.9 dated Nov. 13, 2018, 10 pages. |
| International Search Report and Written Opinion for Application No. PCT/EP2019/056886, dated Apr. 9, 2019, 12 pages. |
| Neuman B.C., et al., “Kerberos: An Authentication Service for Computer Networks,” ISI Research Report, ISI/RS-94-399, Sep. 1994, 8 pages. |
| Bragg R., “The Encrypting File System,” How EFS Works, Jun. 29, 2009, retrieved from: https://technet.microsoft.com/enus/library/cc700811.aspx#mainSection on Jul. 26, 2018, 14 pages. |
| Bremer J., “Intercepting System Calls on x86_64 Windows,” May 15, 2012, Development & Security, retrieved from: http://jbremer.org/intercepting-system-calls-onx8664-windows/ on Jul. 26, 2018, pp. 1-9. |
| Extended European Search for EP Application No. 18174203.2, dated Jul. 5, 2018, 10 pages. |
| GB Combined Search and Examination Report for GB Application No. GB1808602.5 dated Nov. 26, 2018, 5 pages. |
| GB Combined Search and Examination Report for GB Application No. GB1808601.7 dated Nov. 26, 2018, 5 pages. |
| Hunt G., et al., “Detours: Binary Interception of Win32 Functions,” Proceedings ofthe 3rd USENIX Windows NT Symposium, Jul. 1999, retrieved from: http://research.microsoft.com/sn/detours, pp. 1-9. |
| International Preliminary Report on Patentability for Application No. PCT/EP2015/071773, dated Apr. 6, 2017, 7 pages. |
| International Preliminary Report on Patentability for Application No. PCT/EP2015/072000, dated Apr. 6, 2017, 9 pages. |
| International Search Report and Written Opinion for Application No. PCT/EP2015/071773, dated Oct. 26, 2015, 8 pages. |
| International Search Report and Written Opinion for PCT Application No. PCT/EP2019/061237 dated May 27, 2019, 15 pages. |
| International Search Report and Written Opinion for Application No. PCT/EP2015/072000, dated Nov. 4, 2015, 10 pages. |
| International Search Report and Written Opinion for PCT Application No. PCT/EP2017/051339 dated Mar. 31, 2017, 10 pages. |
| International Search Report and Written Opinion for PCT Application No. PCT/EP2017/051610 dated Mar. 31, 2017, 8 pages. |
| International Search Report and Written Opinion for PCT Application No. PCT/EP2017/051613 dated Apr. 20, 2017, 10 pages. |
| International Search Report and Written Opinion for PCT Application No. PCT/EP2017/051614 dated Mar. 31, 2017, 8 pages. |
| International Search Report and Written Opinion for PCT Application No. PCT/EP2019/061236 dated Jun. 3, 2019, 17 pages. |
| Kim S.W., “Intercepting System API Calls,” Intel® Software, Mar. 7, 2012, 13 pages. |
| “Luna HSM”, anonymous, XP055488416, Aug. 10, 2013, retrieved from http://www.cc.com.pl/pl/prods/safenet/pdf/SafeNet_Product_Brief_Luna_SA.pdf, 2 pages. |
| Muller T, et al., “TreVisor: OS-Independent Software-Based Full Disk Encryption Secure against Main Memory Attacks,” ACNS 2012, Jun. 26, 2012, pp. 66-83. |
| Myers D.S et al., “Intercepting Arbitrary Functions on Windows, UNIX, and Macintosh OS X Platforms,” CS-TR-4585, UMIACS-TR-2004-28, Jan. 2004, 9 pages. |
| Popek G.J., et al., “Formal Requirement for Virtualizable Third Generation Architectures,” Communications ofthe AMC, Jul. 1974, vol. 17 (7), pp. 412-421. |
| Saboonchi N., “Hardware Security Module Performance Optimization by Using a “Key Pool”,” XP055487989, Dec. 25, 2014, Retrieved from the Internet: https://people.kth.se/˜maguire/DEGREE-PROJECT-REPORTS/141225-Nima_Saboonchi-with-cover.pdf [retrieved on Jun. 26, 2018], 71 pages. |
| Search Report for European Application No. EP18174202 dated Jul. 10, 2018, 11 pages. |
| VMWARE. Inc, “vSphere Storage—Update 1,” Modified Jul. 12, 2018, VMware vSphere 6.0, VMware ESXi 6.0, vCenter Server 6.0, 315 pages. |
| Zhang F., et al., “CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization,” SOSP'11, Oct. 23, 2011, pp. 203-216. |
| Communication pursuant to Article 94(3) EPC for European Application No. 19711103.2, dated Jul. 5, 2022, 7 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20210248266 A1 | Aug 2021 | US |
