Patents by Inventor Christian Cachin
Christian Cachin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11194921Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.Type: GrantFiled: November 25, 2019Date of Patent: December 7, 2021Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
-
Patent number: 10754970Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.Type: GrantFiled: January 27, 2017Date of Patent: August 25, 2020Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
-
Patent number: 10740484Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.Type: GrantFiled: November 1, 2017Date of Patent: August 11, 2020Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
-
Publication number: 20200089903Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.Type: ApplicationFiled: November 25, 2019Publication date: March 19, 2020Inventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
-
Publication number: 20180218166Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.Type: ApplicationFiled: November 1, 2017Publication date: August 2, 2018Inventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
-
Publication number: 20180218164Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.Type: ApplicationFiled: January 27, 2017Publication date: August 2, 2018Inventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
-
Patent number: 9589153Abstract: A method for providing integrity and consistency of a cloud storage service to a group of mutually trusted clients may be provided. The cloud storage service may offer a set of operations, such as read, write, update, delete in respect to stored data to the clients, whereby each client only executes its own client operations when consuming one of the set of operations of the cloud storage service, and wherein each client detects data correctness of the cloud storage service based on a protocol providing fork-linearizablity.Type: GrantFiled: July 2, 2015Date of Patent: March 7, 2017Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Marcus Brandenburger, Christian Cachin, Nikola Knezevic
-
Publication number: 20160048703Abstract: A method for providing integrity and consistency of a cloud storage service to a group of mutually trusted clients may be provided. The cloud storage service may offer a set of operations, such as read, write, update, delete in respect to stored data to the clients, whereby each client only executes its own client operations when consuming one of the set of operations of the cloud storage service, and wherein each client detects data correctness of the cloud storage service based on a protocol providing fork-linearizablity.Type: ApplicationFiled: July 2, 2015Publication date: February 18, 2016Inventors: Marcus Brandenburger, Christian Cachin, Nikola Knezevic
-
Patent number: 9141813Abstract: A computer-implemented method for storing an object includes providing an object, an ordering vector of the object, the ordering vector being associated to a lexicographic order having at least one dimension, and base keys associated to each dimension of the lexicographic order; deriving a key by retrieving the base key associated to the first dimension of the lexicographic order for which the ordering vector has a value different from the smallest value, and applying a one-way function a number of times corresponding to the value of the ordering vector for the last dimension of the lexicographic order; encrypting the object with the key; and storing the object as encrypted.Type: GrantFiled: June 7, 2013Date of Patent: September 22, 2015Assignee: International Business Machines CorporationInventors: Christian Cachin, Robert Haas, Anil Kurmus, Alessandro Sorniotti
-
Publication number: 20140359309Abstract: The invention notably relates to a computerized system (301) comprising a storage system (302, 308) storing objects and attribute values associated to the objects. The attribute values are organized according to a set of N attribute types, N?1, such that, for each of said attribute types, an object can be associated with an attribute value. Each of said attribute types is associated to a respective graph. Each node of the respective graph is associated to a key. Said key is wrapped with a key associated to a parent node of said each node except for a root node. Also, said key is associated to one attribute value for the attribute type associated to the respective graph. Each of the objects is stored encrypted based on one or more keys. Each of said one or more keys is associated to one attribute value that is associated with said each of the objects. Such a system improves the deletion of objects stored on a storage system of a computerized system.Type: ApplicationFiled: November 16, 2012Publication date: December 4, 2014Inventors: Christian Cachin, Robert Haas, Alexis Hafner, Anil Kurmus, Alessandro Sorniotti
-
Patent number: 8681990Abstract: A system, method apparatus, and computer readable medium for managing renewal of a dynamic set of data items. Each data item has an associated renewal deadline, in a data item management system. A renewal schedule allocates to each data item a renewal interval for renewal of the data item. On addition of a new data item, if a potential renewal interval having a duration required for renewal of the data item, and having an ending at the renewal deadline for that item does not overlap a time period in the schedule during which the system is busy, the renewal schedule is automatically updated by allocating the potential renewal interval to the new data item. If the potential renewal interval does overlap a busy period, the renewal schedule is automatically updated by selecting an earlier renewal interval for at least one data item in the set.Type: GrantFiled: March 26, 2009Date of Patent: March 25, 2014Assignee: International Business Machines CorporationInventors: Christian Cachin, Patrick Droz, Robert Haas, Xiao-Yu Hu, Ilias Iliadis, René A. Pawlitzek
-
Patent number: 8655919Abstract: A system and method is provided for updating a hash tree in a protected environment. An integrity protection controller is provided for observing one or more system parameters of a storage system and one or more hash tree parameters of the hash trees, and for updating a hash tree in dependence on the storage system parameter and the hash tree parameter.Type: GrantFiled: July 11, 2008Date of Patent: February 18, 2014Assignee: International Business Machines CorporationInventors: Christian Cachin, Paul T. Hurley, Jan Kunigk, Roman A. Pletka
-
Publication number: 20140006802Abstract: A computer-implemented method for storing an object includes providing an object, an ordering vector of the object, the ordering vector being associated to a lexicographic order having at least one dimension, and base keys associated to each dimension of the lexicographic order; deriving a key by retrieving the base key associated to the first dimension of the lexicographic order for which the ordering vector has a value different from the smallest value, and applying a one-way function a number of times corresponding to the value of the ordering vector for the last dimension of the lexicographic order; encrypting the object with the key; and storing the object as encrypted.Type: ApplicationFiled: June 7, 2013Publication date: January 2, 2014Inventors: Christian Cachin, Robert Haas, Anil Kurmus, Alessandro Sorniotti
-
Patent number: 8422686Abstract: A method for automated validation and execution of cryptographic key and certificate deployment and distribution includes providing one or more keys; providing one or more key deployment points; and distributing the one or more keys to the one or more key deployment points in an automated manner based on a matrix or pattern mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.Type: GrantFiled: June 19, 2008Date of Patent: April 16, 2013Assignee: International Business Machines CorporationInventors: Christian Cachin, Robert Haas, Timothy J. Hahn, Xiaoyu Hu, Ilias Iliadis, Rene Pawlitzek, John T. Peck
-
Publication number: 20120323851Abstract: Methods and systems for reading from and writing to a distributed, asynchronous and fault-tolerant storage system. The storage system includes storage nodes communicating with clients. The method includes a first client writing an object to the storage system and a second client reading the object from the storage system. For the first client, previous transient metadata relating to a previously written version of the object is retrieved and a new version of the object together with new transient metadata is stored. For the second client, a set of transient metadata from a third set of nodes amongst storage nodes is retrieved, a specific version of the object as stored on the storage system is determined, and a specific version of the corresponding object from a fourth set of nodes amongst storage nodes is retrieved. Two sets of nodes amongst all sets have at least one node in common.Type: ApplicationFiled: August 28, 2012Publication date: December 20, 2012Applicant: International Business Machines CorporationInventors: Cristina Basescu, Christian Cachin, Ittay Eyal, Robert Haas, Marko Vukolic
-
Publication number: 20120284231Abstract: Methods and systems for reading from and writing to a distributed, asynchronous and fault-tolerant storage system. The storage system includes storage nodes communicating with clients. The method includes a first client writing an object to the storage system and a second client reading the object from the storage system. For the first client, previous transient metadata relating to a previously written version of the object is retrieved and a new version of the object together with new transient metadata is stored. For the second client, a set of transient metadata from a third set of nodes amongst storage nodes is retrieved, a specific version of the object as stored on the storage system is determined, and a specific version of the corresponding object from a fourth set of nodes amongst storage nodes is retrieved. Two sets of nodes amongst all sets have at least one node in common.Type: ApplicationFiled: May 4, 2012Publication date: November 8, 2012Applicant: International Business Machines CorporationInventors: Cristina Basescu, Christian Cachin, Ittay Eyal, Robert Haas, Marko Vukolic
-
Patent number: 7853015Abstract: A method for generating a session key on demand in a network among participating network devices, including choosing a private and public key according to a public key encryption scheme, and broadcasting the public key to each other participating network device; choosing a local contribution value from a multiplicative group of size q; encrypting the local contribution value under the received public key to an encrypted contribution value and sending the encrypted contribution value; receiving encrypted contribution values and deriving decrypted contribution values by applying the private key; deriving a blinded session key from the decrypted contribution values and the local contribution value; agreeing on one of the blinded session keys by using an agreement protocol; and deriving the session key from the agreed-on blinded session key by applying one of the decrypted contribution values and the contribution value A corresponding computer program element, computer program product, and computer device.Type: GrantFiled: August 14, 2008Date of Patent: December 14, 2010Assignee: International Business Machines CorporationInventors: Reto Strobl, Christian Cachin
-
Patent number: 7844496Abstract: The invention provides methods, apparatus and systems for securely processing an originator request of a customer. This originator request can be sent to at least one first entity.Type: GrantFiled: May 5, 2003Date of Patent: November 30, 2010Assignee: International Business Machines CorporationInventors: Joy Algesheimer, Christian Cachin, Jan Camenisch, Guenter Karjoth
-
Patent number: 7802102Abstract: The present invention provides a method for transferring encrypted information from one storage area to other storage area wherein cryptographic data protection scheme having protection attributes are applied on the data. A crypto container having cryptographic properties represents cryptographically protected data. The attributes that have been attached to the container at the time when data is added or removed from the container determine the scheme of data protection being applied. Crypto container can be converted or serialized for storage or transmission, here the conversion spread only to the protected data parts which possibly includes crypto containers in protected form but may not the attached crypto attributes. These attributes must be stored or transmitted in another form.Type: GrantFiled: October 24, 2006Date of Patent: September 21, 2010Assignee: International Business Machines CorporationInventors: Roman A. Pletka, Patrick Droz, Christian Cachin
-
Publication number: 20090316907Abstract: A method for automated validation and execution of cryptographic key and certificate deployment and distribution includes providing one or more keys; providing one or more key deployment points; and distributing the one or more keys to the one or more key deployment points in an automated manner based on a matrix or pattern mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.Type: ApplicationFiled: June 19, 2008Publication date: December 24, 2009Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Christian Cachin, Timothy J. Hahn, Robert Haas, Xiaoyu Hu, Ilias Iliadis, Rene Pawlitzek, John T. Peck