Abstract: Embodiments are directed to securing data using attribute-based encryption. In an embodiment, a computer system encrypts a portion of data with an attribute-based encryption, including associating the encrypted portion of data with one or more encryption attributes. The computer system sends the encrypted portion of data and the one or more encryption attributes to a data store, which stores the first portion of data along with the one or more encryption attributes. The computer system also defines one or more access controls for the portion of data that include an identity of at least one user permitted to access the portion of data. The attribute-based encryption allows the encrypted portion of data to be provided by the data store upon request by the identified user when the request includes one or more search attributes that are relevant to the one or more encryption attributes.

Abstract: Embodiments are directed to storing encrypted data in a data store and to securely providing access to the encrypted data according to a predefined policy. A data storage system receives encrypted data. The data is encrypted using a private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption and the policy prevents the storage system from unencrypting the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system decrypting the encrypted data. The data storage system can acknowledge that the received encrypted data has been verified and successfully stored.

Abstract: Embodiments are directed to securing data using attribute-based encryption. In an embodiment, a computer system encrypts a portion of data with an attribute-based encryption, including associating the encrypted portion of data with one or more encryption attributes. The computer system sends the encrypted portion of data and the one or more encryption attributes to a data store, which stores the first portion of data along with the one or more encryption attributes. The computer system also defines one or more access controls for the portion of data that include an identity of at least one user permitted to access the portion of data. The attribute-based encryption allows the encrypted portion of data to be provided by the data store upon request by the identified user when the request includes one or more search attributes that are relevant to the one or more encryption attributes.

Abstract: Embodiments are directed to storing encrypted data in a data store and to securely providing access to the encrypted data according to a predefined policy. A data storage system receives encrypted data. The data is encrypted using a private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption and the policy prevents the storage system from unencrypting the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system decrypting the encrypted data. The data storage system can acknowledge that the received encrypted data has been verified and successfully stored.

Abstract: Embodiments are directed to securing data using attribute-based encryption. In an embodiment, a computer system encrypts a portion of data with an attribute-based encryption, including associating the encrypted portion of data with one or more encryption attributes. The computer system sends the encrypted portion of data and the one or more encryption attributes to a data store, which stores the first portion of data along with the one or more encryption attributes. The computer system also defines one or more access controls for the portion of data that include an identity of at least one user permitted to access the portion of data. The attribute-based encryption allows the encrypted portion of data to be provided by the data store upon request by the identified user when the request includes one or more search attributes that are relevant to the one or more encryption attributes.

Abstract: Embodiments are directed to storing encrypted data in a data store and to securely providing access to the encrypted data according to a predefined policy. A data storage system receives encrypted data. The data is encrypted using a private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption and the policy prevents the storage system from unencrypting the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system decrypting the encrypted data. The data storage system can acknowledge that the received encrypted data has been verified and successfully stored.

Abstract: A digital escrow pattern for data services can include selective access for obscured data at a remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Based on the pattern, a “trustworthy envelope” for any kind of payload enables curtained access through a variety of decorations or seals placed on the envelope that allow for a gamut of trust ranging with guarantees such as, but not limited to, confidentiality, privacy, anonymity, tamper detection, integrity, etc. For instance, XML tags can be applied or augmented to create trust envelopes for structured XML data. Some examples of mathematical transformations or ‘decorations’ that can be applied to the XML data include, but are not limited to, size-preserving encryption, searchable-encryption, or Proof(s) of Application, blind fingerprints, Proof(s) of Retrievability, etc.

Abstract: A method may include, based on a set of capabilities, requesting access to data, metadata or both protected by a composite wrapper comprising a first wrapper and a second wrapper. The wrappers are each defined by different mathematical transformations performed by a component separate from the computing device. Based on an access privilege for the data, the metadata or both determined from the set of capabilities, visibility may be granted through at least one of the first or second wrapper based on independent evaluations of the first and second wrappers relative to the access privilege.

Abstract: A digital escrow pattern and trustworthy platform is provided for data services including mathematical transformation techniques, such as searchable encryption techniques, for obscuring data stored at remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Using the techniques of a trustworthy platform, data (and associated metadata) is decoupled from the containers that hold the data (e.g., file systems, databases, etc.) enabling the data to act as its own custodian through imposition of a shroud of mathematical complexity that is pierced with presented capabilities, such as keys granted by a cryptographic key generator of a trust platform. Sharing of, or access to, the data or a subset of that data is facilitated in a manner that preserves and extends trust without the need for particular containers for enforcement.

Abstract: A data store provides access to portions of secured data. Each portion is associated with a client-defined access control and is encrypted with attribute-based encryption. This encryption associates each portion with an encryption attribute, and enables the portion to be provided, based on a request, in accordance its client-defined access control and when the request's search attribute is relevant its encryption attribute. First and second portions are provided in response to first and second requests. Each request includes the same search attribute, and the first and second portions are associated with the same encryption attribute. The first portion is provided based on a first access control granting access to a first identity access and the search attribute being relevant to the encryption attribute. The second portion is provided based on a second access control granting access to a second identity and the search attribute being relevant to the encryption attribute.

Abstract: Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.

Abstract: Embodiments are directed to securing data in the cloud, securely encrypting data that is to be stored in the cloud and to securely decrypting data accessed from the cloud. In one scenario, an instantiated trust service receives information indicating that a trust server is to be instantiated. The trust service instantiates the trust server, which is configured to store key references and encrypted keys. The trust service receives the public key portion of a digital certificate for each publisher and subscriber that is to have access to various specified portions of encrypted data. A data access policy is then defined that specifies which encrypted data portions can be accessed by which subscribers.

Abstract: Embodiments are directed to storing encrypted data in a data store and to securely providing access to the encrypted data according to a predefined policy. A data storage system receives encrypted data. The data is encrypted using a private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption and the policy prevents the storage system from unencrypting the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system decrypting the encrypted data. The data storage system can acknowledge that the received encrypted data has been verified and successfully stored.

Abstract: Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.

Abstract: A method may include, based on a set of capabilities, requesting access to data, metadata or both protected by a composite wrapper comprising a first wrapper and a second wrapper. The wrappers are each defined by different mathematical transformations performed by a component separate from the computing device. Based on an access privilege for the data, the metadata or both determined from the set of capabilities, visibility may be granted through at least one of the first or second wrapper based on independent evaluations of the first and second wrappers relative to the access privilege.

Abstract: Embodiments are directed to securing data using attribute-based encryption. In an embodiment, a computer system encrypts a portion of data with an attribute-based encryption, including associating the encrypted portion of data with one or more encryption attributes. The computer system sends the encrypted portion of data and the one or more encryption attributes to a data store, which stores the first portion of data along with the one or more encryption attributes. The computer system also defines one or more access controls for the portion of data that include an identity of at least one user permitted to access the portion of data. The attribute-based encryption allows the encrypted portion of data to be provided by the data store upon request by the identified user when the request includes one or more search attributes that are relevant to the one or more encryption attributes.

Abstract: A data store provides access to portions of secured data. Each portion is associated with a client-defined access control and is encrypted with attribute-based encryption. This encryption associates each portion with an encryption attribute, and enables the portion to be provided, based on a request, in accordance its client-defined access control and when the request's search attribute is relevant its encryption attribute. First and second portions are provided in response to first and second requests. Each request includes the same search attribute, and the first and second portions are associated with the same encryption attribute. The first portion is provided based on a first access control granting access to a first identity access and the search attribute being relevant to the encryption attribute. The second portion is provided based on a second access control granting access to a second identity and the search attribute being relevant to the encryption attribute.

Abstract: Embodiments are directed to providing attribute-based data access. In an embodiment, a data request specifies one or more search data attributes describing requested data that is to be found in a data store. The data store is configured to provide access to secured data according to access controls defined by one or more clients. The secured data includes data that is associated with a particular client and that is encrypted using attribute-based encryption, which associates the data with one or more encryption data attributes and that enables the data to be provided if conditions in the corresponding access controls are met. The particular portion of data is provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes is determined to be relevant to at least one of the encryption data attributes.

Abstract: A digital escrow pattern for data services can include selective access for obscured data at a remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. Based on the pattern, a “trustworthy envelope” for any kind of payload enables curtained access through a variety of decorations or seals placed on the envelope that allow for a gamut of trust ranging with guarantees such as, but not limited to, confidentiality, privacy, anonymity, tamper detection, integrity, etc. Verifiable trust is provided through families of techniques that are referred to as wrapper composition. Multiple concentric and/or lateral transform wrappers or layers can wholly or partially transform data, metadata or both to mathematical transform (e.g., encrypt, distribute across storage, obscure) or otherwise introduce lack of visibility to some or all of the data, metadata or both.

Abstract: Embodiments are directed to providing attribute-based data access. In an embodiment, a data request specifies one or more search data attributes describing requested data that is to be found in an anonymous directory. The anonymous directory is configured to provide access to secured data according to access controls defined one or more clients. The secured data includes data that is associated with a particular client and that is encrypted using multi-authority attribute-based encryption, which associates the data with one or more encryption data attributes and that enables the data to be provided if conditions in the corresponding access controls are met. The particular portion of data is provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes is determined to be relevant to at least one of the encryption data attributes.