Title: Role based encryption without key management system
Abstract: A role based security infrastructure for data encryption that does not require a key management system is provided. For each defined role, a unique key pair is generated. To encrypt a data set, a random encryption key is generated on the fly, and used to encrypt the data. To allow a role access to an encrypted data set, the corresponding encryption key is encrypted with the public key of that role, and stored in association with the encrypted data set. To access an encrypted data set, a private key associated with a role allowed access is used to decrypt the copy of the associated encryption key, which has been encrypted using the corresponding public key and stored in association with the data set. The decrypted encryption key is then used to decrypt the encrypted data set.
Publication number: US8995665(B1) Publication date: 2015.03.31
Application number: US200812195370 Filing date: 2008.08.20
Applicant: Symantec Corporation Inventors: Tsaur Ynn-Pyng “Anker”; Cochran William Troy
Classification: H04L9/08; H04L9/30 Main classification: H04L9/08
Agency: Brill Law Office Agents: Brill Law Office; Brill Jeffrey
Independent claim: 1. A computer implemented method for providing role based encryption within a role based authentication context, without the use of a key management system, the method comprising the steps of: generating, by a computer, a unique key pair for each of a plurality of defined roles within the role based authentication context including generating at least one unique key pair using deterministic random number generation derived from a known secret to generate a consistent unique key pair from the same known secret, each said unique key pair comprising a public key and a corresponding private key, each defined role associated with one or more functions of an entity and one or more users of the entity; and encrypting, by a computer, at least one data set by performing at least the following steps: generating a random encryption key on the fly; encrypting the data set with the generated encryption key; and for at least one role allowed to access the encrypted data set, encrypting the encryption key with the public key associated with that role and storing the encrypted encryption key in association with the encrypted data set.
Address: Mountain View CA US
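The abstract and claim describe an envelope-encryption scheme: a per-role key pair derived deterministically from a known secret, a fresh random data key per data set, the data encrypted under that key, and one copy of the data key wrapped under each allowed role's public key and stored beside the ciphertext. The following is an added illustration written for this record, not code from the patent or from Symantec. It uses only the Python standard library, so several primitives are stand-ins chosen by the editor: RSA with primes derived from the role secret by hashing in counter mode, RSA-KEM to wrap the data key, and an HMAC-SHA256 counter-mode keystream with an HMAC tag in place of AES-GCM. The role secrets and the message are constructed sample values.

```python
import hashlib
import hmac
import math
import secrets

RSA_E = 65537
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; adequate for a demonstration."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _derived_prime(secret: bytes, label: bytes, bits: int) -> int:
    """Deterministic prime: SHA-256 over (secret, label, counter) supplies the
    candidate stream, so the same known secret always yields the same prime."""
    counter = 0
    while True:
        stream = b"".join(
            hashlib.sha256(secret + label + counter.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
            for i in range(-(-bits // 256)))
        cand = int.from_bytes(stream[: bits // 8], "big") | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand
        counter += 1


def generate_role_keypair(role_secret: bytes, bits: int = 1024):
    """Return ((n, e), (n, d)) for a role, derived deterministically from its secret."""
    half = bits // 2
    p = _derived_prime(role_secret, b"p", half)
    attempt = 0
    while True:  # retry only in the rare case that p == q or gcd(e, phi) != 1
        q = _derived_prime(role_secret, b"q" + bytes([attempt]), half)
        phi = (p - 1) * (q - 1)
        if q != p and math.gcd(RSA_E, phi) == 1:
            break
        attempt += 1
    return (p * q, RSA_E), (p * q, pow(RSA_E, -1, phi))


def _subkeys(dek: bytes):
    """Separate encryption and MAC keys derived from the 32-byte data key."""
    return hashlib.sha256(b"enc" + dek).digest(), hashlib.sha256(b"mac" + dek).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def _sym_encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (toy stand-in for an AEAD such as AES-GCM)."""
    enc_key, mac_key = _subkeys(dek)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def _sym_decrypt(dek: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong data key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def wrap_key_for_role(dek: bytes, public_key) -> bytes:
    """RSA-KEM: encapsulate a random r under the role's public key and XOR the
    32-byte data key with SHA-256(r). Output is c || (dek XOR kek)."""
    n, e = public_key
    size = (n.bit_length() + 7) // 8
    r = secrets.randbelow(n - 2) + 2
    kek = hashlib.sha256(r.to_bytes(size, "big")).digest()
    return pow(r, e, n).to_bytes(size, "big") + bytes(a ^ b for a, b in zip(dek, kek))


def unwrap_key_for_role(wrapped: bytes, private_key) -> bytes:
    n, d = private_key
    size = (n.bit_length() + 7) // 8
    r = pow(int.from_bytes(wrapped[:size], "big"), d, n)
    kek = hashlib.sha256(r.to_bytes(size, "big")).digest()
    return bytes(a ^ b for a, b in zip(wrapped[size:], kek))


def encrypt_for_roles(plaintext: bytes, role_public_keys: dict) -> dict:
    """Fresh random data key per data set; one wrapped copy stored per allowed role."""
    dek = secrets.token_bytes(32)
    return {"ciphertext": _sym_encrypt(dek, plaintext),
            "wrapped_keys": {role: wrap_key_for_role(dek, pk) for role, pk in role_public_keys.items()}}


def decrypt_as_role(bundle: dict, role: str, private_key) -> bytes:
    """A role recovers the data key only if a copy was wrapped for that role."""
    if role not in bundle["wrapped_keys"]:
        raise PermissionError(f"role {role!r} was not granted access to this data set")
    dek = unwrap_key_for_role(bundle["wrapped_keys"][role], private_key)
    return _sym_decrypt(dek, bundle["ciphertext"])


if __name__ == "__main__":
    finance_pub, finance_priv = generate_role_keypair(b"finance-role-secret")  # constructed secret
    bundle = encrypt_for_roles(b"Q3 payroll totals", {"finance": finance_pub})  # constructed data
    print(decrypt_as_role(bundle, "finance", finance_priv))
```

Two properties of the claim are visible in the code: re-running generate_role_keypair with the same secret reproduces the same key pair, which is what lets the scheme omit a key store, and a role that was never granted access has no wrapped copy to decrypt, while a role presenting the wrong private key recovers a garbage data key that the authentication tag rejects. The deterministic derivation also makes the role secret the real root of trust: anyone holding it can regenerate the private key, so its handling deserves the same care a stored private key would get.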