Allowed secure data movement

JP7872113B2Active Publication Date: 2026-06-09INTERNATIONAL BUSINESS MACHINE CORPORATION

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
INTERNATIONAL BUSINESS MACHINE CORPORATION
Filing Date
2022-07-07
Publication Date
2026-06-09

Smart Images

  • Figure 0007872113000001
    Figure 0007872113000001
  • Figure 0007872113000002
    Figure 0007872113000002
  • Figure 0007872113000003
    Figure 0007872113000003
Patent Text Reader

Abstract

The system includes an authenticated encryption layer comprising logic configured to encrypt data received at the authenticated encryption layer from an authorized application at a source node, the data being encrypted using a first key to obtain first encrypted data. The logic is configured to encrypt the first encrypted data using a second key to obtain second encrypted data, and generate a watermark for the first encrypted data or a watermark for the second encrypted data, or both. The logic is configured to generate a watermark token for the first encrypted data or a watermark token for the second encrypted data, or both.
Need to check novelty before this filing date? Find Prior Art

Claims

1. A system having an authenticated encryption layer, wherein the authenticated encryption layer is Encrypting data received by the authenticated encryption layer from an authorized application on the source node, wherein the data is encrypted using a first key to obtain first encrypted data. The first encrypted data is encrypted using a second key to obtain a second encrypted data that is double-encrypted. The act of generating a watermark for the first encrypted data or a watermark for the second encrypted data or both, wherein the watermark for the first encrypted data is a unique identifier generated using a first watermark key associated with the first encrypted data, and the watermark for the second encrypted data is a unique identifier generated using a second watermark key associated with the second encrypted data, Generating a watermark token for the first encrypted data or a watermark token for the second encrypted data, or both, wherein the watermark token for the first encrypted data is a unique identifier generated using a first watermark token key associated with the first encrypted data, and the watermark token for the second encrypted data is a unique identifier generated using a second watermark token key associated with the second encrypted data. A system with logic configured to perform a certain action.

2. The system according to claim 1, comprising a trusted verifier, the trusted verifier being configured to verify a watermark or watermark token or both generated for the first encrypted data, and the trusted verifier being configured to transmit the verification of the watermark generated for the first encrypted data to a transcoder.

3. The system according to claim 1, wherein the authenticated encryption layer comprises logic configured to cause the second encrypted data and the generated watermark to be stored in data storage.

4. The system according to claim 3, wherein the authenticated encryption layer comprises logic configured to cause the generated watermark token to be stored in the data storage.

5. The system according to claim 3, wherein the authenticated encryption layer comprises logic configured to generate the watermark of the second encrypted data, the data storage has access rights to the watermark key associated with the watermark generated for the second encrypted data, the data storage is configured to verify the watermark generated for the second encrypted data using the watermark key associated with the watermark generated for the second encrypted data, and the data storage is configured to store the second encrypted data and the generated watermark only upon successful verification of the watermark generated for the second encrypted data.

6. The transcoder comprises logic configured such that the authenticated encryption layer generates the watermark of the second encrypted data, The aforementioned transcoder, Reading the second encrypted data and the watermark generated for the second encrypted data from the data storage, Verify the watermark generated for the second encrypted data using the watermark key associated with the watermark generated for the second encrypted data. The system according to claim 3, comprising logic configured to perform the following:

7. The system according to claim 3, comprising a transcoder, wherein the authenticated encryption layer comprises logic configured to generate the watermark for the first encrypted data, the transcoder comprises logic configured to read the second encrypted data and the watermark generated for the first encrypted data from the data storage, the transcoder is configured to decrypt the second encrypted data using the second key to obtain the first encrypted data, and the transcoder is configured to verify the watermark generated for the first encrypted data using the watermark key associated with the watermark generated for the first encrypted data.

8. The system includes a transcoder, and the authenticated encryption layer includes logic configured to generate the watermark token for the second encrypted data, The aforementioned transcoder, Reading the second encrypted data and the watermark token generated for the second encrypted data from the data storage, Verify the watermark token generated for the second encrypted data using the watermark token key associated with the watermark token generated for the second encrypted data. The system according to claim 4, comprising logic configured to perform the following:

9. The system according to claim 4, comprising a transcoder, wherein the authenticated cryptographic layer comprises logic configured to generate the watermark token for the first encrypted data, the transcoder comprises logic configured to read the second encrypted data and the watermark token generated for the first encrypted data from the data storage, the transcoder is configured to decrypt the second encrypted data using the second key to obtain the first encrypted data, and the transcoder is configured to verify the watermark token generated for the first encrypted data using the watermark token key associated with the watermark token generated for the first encrypted data.

10. It is equipped with a transcoder, The transcoder comprises logic configured to encrypt the first encrypted data using a third key and create a third encrypted data, The aforementioned transcoder, Generating a watermark of the third encrypted data using a third watermark key associated with the third encrypted data, wherein the watermark of the third encrypted data is a unique identifier generated using the third watermark key, Sending the third encrypted data and any generated watermark to an authorized recipient. The system according to claim 7, configured to perform the following.

11. The authorized recipient verifies the watermark generated for the third encrypted data using the watermark key associated with the third encrypted data, Using the third key, decrypt the third encrypted data and obtain the first encrypted data. Verify the watermark generated for the first encrypted data using the watermark key associated with the watermark generated for the first encrypted data, In response to the successful verification of the watermark generated for the third encrypted data and the watermark generated for the first encrypted data, the first encrypted data is decrypted using the first key and the data is obtained. The system according to claim 10, comprising logic configured to perform the following:

12. Receiving second encrypted data, a watermark, and a first watermark token from data storage in response to a data request from a destination node outside an authorized cryptographic trust zone, wherein the second encrypted data is data that has been encrypted with a first key to create the first encrypted data, and then encrypted with a second key to create the second encrypted data. The watermark includes a first watermark generated for the first encrypted data and a second watermark generated for the second encrypted data, wherein the first watermark is a unique identifier generated using a first watermark key associated with the first encrypted data, and the second watermark is a unique identifier generated using a second watermark key associated with the second encrypted data, and the first watermark token is generated for the first encrypted data, and the receiving Verify the second watermark generated for the second encrypted data, In response to the verification of the second watermark, the second encrypted data is decrypted using the second key and the first encrypted data is obtained. Verify the first watermark generated for the first encrypted data, The transmission of the first encrypted data to a trusted verifier in response to the verification of the first watermark, wherein the trusted verifier is configured to verify the first watermark token generated for the first encrypted data, In response to receiving verification of the first watermark token generated for the first encrypted data from the trusted verifier, the first encrypted data is encrypted using a third key to create the third encrypted data, The act of generating a third watermark or a third watermark token or both of the third encrypted data, wherein the third watermark is a unique identifier generated using a third watermark key associated with the third encrypted data, and the third watermark token is a unique identifier generated using a third watermark token key associated with the third encrypted data. Sending the third encrypted data, the watermark, and the watermark token, including the third watermark or the third watermark token or both, to an authorized recipient. Computer implementation methods, including those mentioned above.

13. The computer implementation method according to claim 12, wherein the trusted verifier is configured to decrypt the first encrypted data using the first key and obtain the data.

14. The computer implementation method according to claim 12, wherein the trusted verifier includes a pre-filter function configured to verify that the data is not encrypted, and the trusted verifier transmits the verification only in response to the success of the verification that the data is not encrypted.

15. The receiving of internally encrypted data by a trusted verifier, at least in part, based on a data request from a destination node outside an authorized cryptographic trust zone, wherein the internally encrypted data is data encrypted with an internal key to create the internally encrypted data, The verification of an internal watermark token generated for the internal encrypted data by the trusted verifier, wherein the internal watermark token is a unique identifier generated using a first watermark internal token key associated with the internal encrypted data, and is generated for the internal encrypted data, In response to the successful verification of the aforementioned internal watermark token, the trusted verifier generates a new internal watermark token and returns the new internal watermark token to the transcoder, wherein the new internal watermark token is a unique identifier generated using a second internal watermark token key associated with the internal encrypted data, and is generated for the new internal encrypted data. Computer implementation methods, including those mentioned above.

16. The aforementioned data request is a data write request, and the method is In response to the successful verification of the internal watermark token, the trusted verifier decrypts the internal encrypted data using the internal key and obtains the data. The aforementioned reliable verifier determines, using a pre-filter function, that the data is not encrypted, In response to the aforementioned reliable verifier's determination that the verification of the inner watermark token was successful and that the data is not encrypted, the verifier returns a first verification message to the transcoder. The computer implementation method according to claim 15, including the method described in claim 15.

17. The computer implementation method according to claim 15, wherein the data request is a data read request.

18. The trusted verifier receives the internal watermark token generated for the internal encrypted data from the transcoder, The trusted verifier verifies the internal watermark token generated for the internal encrypted data, and the trusted verifier returns a second verification message to the transcoder in response to the successful verification of the internal watermark token generated for the internal encrypted data. The computer implementation method according to claim 15, including the method described in claim 15.

19. The trusted verifier returns the internal watermark token generated for the internal encrypted data to the transcoder. The computer implementation method according to claim 16, including the method described in claim 16.

20. A computer program for causing a computer to perform the method described in any one of claims 12 to 14.

21. A computer program for causing a computer to perform the method described in any one of claims 15 to 19.