-
Publication No.: US11487900B2
Publication Date: 2022-11-01
Application No.: US16530937
Filing Date: 2019-08-02
Applicant: salesforce.com, inc.
Inventor: Olumayokun Obembe, Gregory Lapouchnian, Vijayanth Devadhar, Jason Woods, Karthikeyan Govindarajan, Ashwini Bijwe, Prasad Peddada
Abstract: Within one or more instances of a computing environment where an instance is a self-contained architecture to provide at least one database with corresponding search and file system. User information from the one or more instances of the computing environment is organized as zones. A zone is based on one or more characteristics of corresponding user information that are different than the instance to which the user information belongs. User information is selectively obfuscated prior to transmitting blocks of data including the obfuscated user information. The selective obfuscation is based on zone information for one or more zones to which the user information belongs.
-
Publication No.: US11368292B2
Publication Date: 2022-06-21
Application No.: US16931210
Filing Date: 2020-07-16
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal, Aaron Johnson, Ryan Guest
Abstract: Methods and systems for securing customer data in a multi-tenant database environment are described. A key identifier received from a security server may be stored by an application server. The key identifier may be associated with a private key that is accessible by the security server and not accessible by the application server. A request to derive a symmetric key may be transmitted from the application server to the security server, the request including a public key generated by the application server, a salt value, and the key identifier. The symmetric key may then be derived based on the transmitted public key and the private key using a key derivation function. The application server may then receive and store the symmetric key in an in-memory cache, and be used to securely encrypt data received by the application server from client devices.
-
Publication No.: US11303449B2
Publication Date: 2022-04-12
Application No.: US16015768
Filing Date: 2018-06-22
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada
IPC: H04L29/06, H04L9/32, H04L67/141, H04L9/08, G06F16/27
Abstract: Methods, systems, and devices for validation at an application server are described. The application server may validate a user device utilizing a public-private key pair, and may refrain from establishing a database connection until the user device is validated. For example, the application server may transmit a private key and a public key identifier to the user device. When the application server receives a session establishment message that is based on a private key and that contains the public key identifier, the application server may determine the public key of the public-private key pair based on the identifier. The application server may validate that the session establishment message is received from the user device based on the private key and the determined public key. Based on this validation procedure, the application server may establish a database connection with a database, granting the validated user device access to requested data.
-
Publication No.: US11258617B1
Publication Date: 2022-02-22
Application No.: US17111972
Filing Date: 2020-12-04
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal
Abstract: A client device may be provisioned with a digital certificate to support various operations. The client may transmit a certificate request to a server. The server may initiate a key agreement process using a short-lived private key generated at the server and a public key of the device to derive a symmetric key. The symmetric key may be used to encrypt a payload that includes the digital certificate and an associated private key. Further, the server initiates a key agreement process using the partial private key that was generated for the client and the short-lived public key. A partial key agreement result, and the encrypted payload may be transmitted to the client. The client may complete the key agreement process using the partial key agreement result and a respective portion of the private key. The client may derive the encryption key and decrypt the payload to access the digital certificate.
-
Publication No.: US11095634B2
Publication Date: 2021-08-17
Application No.: US16263871
Filing Date: 2019-01-31
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal
Abstract: Techniques are disclosed relating to user authentication using multi-party computation and public key cryptography. In some embodiments, a client system may receive, from a server system, an authentication challenge that includes a first partial signature value. The client system may access key-pair information that includes, for a server key-pair, a server public key and a second component of a server private key, where the server system has access to a first component of the server private key. The client system may then generate a second partial signature value using the second component of the server private key but not an entirety of the server private key, and may generate a final signature value based on the first and second partial signature values. Using the final signature value, the client system may then determine whether the authentication challenge was sent by the server system.
-
Publication No.: US10541811B2
Publication Date: 2020-01-21
Application No.: US14635265
Filing Date: 2015-03-02
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Jeremy Horwitz, Taher Elgamal, Matthew Steele, Ryan Guest
IPC: H04L9/08
Abstract: Embodiments include an apparatus for securing customer data and include a processor, and one or more stored sequences of instructions which, when executed, cause the processor to store an encrypted first key fragment in a first storage area, store an encrypted second key fragment in a separate second storage area, wherein access to the first storage area and to the second storage area is mutually exclusive. The instructions further cause the processor to decrypt the encrypted first key fragment and the encrypted second key fragment using a key set and keys associated with a hardware security module based on receiving a request to derive a master key. The master key is derived using the decrypted first key fragment and the decrypted second key fragment and stored in an in-memory cache. The master key is used to encrypt or to decrypt encrypted customer data.
-
Publication No.: US10374794B1
Publication Date: 2019-08-06
Application No.: US15638920
Filing Date: 2017-06-30
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher ElGamal
Abstract: System and methods for secure transmission are described and include receiving, by a first computing system, an encrypted token generated using a public key of an asymmetric key pair; receiving, by the first computing system, a first partially decrypted token generated by applying a first private key fragment of a private key of the asymmetric key pair to the encrypted token; applying, by the first computing system, a second private key fragment of the private key to the encrypted token to generate a second partially decrypted token; applying, by the first computing system, a third private key fragment of the private key to the encrypted token to generate a third partially decrypted token; and combining the first partially decrypted token, the second partially decrypted token and the third partially decrypted token to generate a decrypted token.
-
Publication No.: US20190229908A1
Publication Date: 2019-07-25
Application No.: US15879265
Filing Date: 2018-01-24
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher ElGamal
Abstract: Methods, systems, and devices for encryption key storage are described. An application server may store an encryption key in volatile memory and access the key directly from the volatile memory when performing an encryption process. In some cases, a user may supply the encryption key to the application server on demand. Accordingly, when the application server is restarted, the encryption key may be purged from the memory. In some cases, the encryption key may be wrapped in a public key, and the application server may derive a private key to decrypt the public key-encrypted information to access the encryption key and store it in the volatile memory. Additionally or alternatively, the user may supply a first fragment of the encryption key, and the application server may derive the encryption key from the first fragment and a second fragment of the encryption key retrieved from a database.
-
Publication No.: US20170366470A1
Publication Date: 2017-12-21
Application No.: US15690631
Filing Date: 2017-08-30
Applicant: salesforce.com, inc.
Inventor: Nathan Jensen-Horne, Dileep Burki, Walter Sims Harley, Matthew Small, Kenneth Douglas Scott, David Andrew Brooks, Prasad Peddada, Hemang Patel, Gaurav Chawla, Theresa Vietvu, Shriman Gurram
IPC: H04L12/911, G06F9/50, H04L12/24, H04L29/08
CPC classification number: H04L47/70, G06F9/5061, H04L41/5054, H04L47/783, H04L67/10
Abstract: Disclosed herein are techniques for identifying computing resources specified by a representation of a computing service. In some implementations, a request to analyze a computing service provided via a computing environment may be received. The computing service may have an activated state in which the computing service is available for use and a deactivated state in which the computing service is not available for use. The computing environment may comprise a plurality of computing resources each defining a variable unit of computing functionality within the computing environment. Each computing resource may be associated with a respective parameter corresponding with a respective parameter value that specifies a level of the variable unit of computing functionality defined by the computing resource. The computing service may be represented by a metadata model comprising a plurality of nodes, at least some of which specify a respective one or more of the parameter values.
-
Publication No.: US20170053134A1
Publication Date: 2017-02-23
Application No.: US15344353
Filing Date: 2016-11-04
Applicant: salesforce.com, inc.
Inventor: Mukul Raj Kumar, Prasad Peddada
CPC classification number: G06F21/6227, G06F17/30011, G06F17/30321, G06F17/30336, G06F17/30477, G06F17/3071, G06F17/30864, G06F21/6209, G06F21/6218, G06F21/6245, G06F21/6254, G06F2221/2107, H04L63/08
Abstract: In accordance with disclosed embodiments, there are provided systems and methods for implementing an encrypted search index. According to a particular embodiment such a system a processor and a memory to execute instructions at the system; a search index stored on disk within the system comprised of a plurality of individual search index files, the search index having customer information stored therein, wherein at least one of the individual search index files constitutes a term dictionary or a term index type file having internal structure which allows a portion of the individual search index file to be updated, encrypted, and/or decrypted without affecting the internal structure of the individual search index file; a file input/output (IO) layer to encrypt the customer information being written into the individual search index file and to decrypt the customer information being read from the individual search index file, wherein the file IO layer encrypts and decrypts only a portion of the individual search index file in reply to an operation without requiring decryption or encryption of the individual search index file in its entirety; and a query interface to execute the operation against the customer information stored in the memory in its decrypted form. Other related embodiments are disclosed.