-
41.
Publication No.: US20150356314A1
Publication date: 2015-12-10
Application No.: US14320135
Application date: 2014-06-30
Applicant: salesforce.com, inc.
Inventor: Mukul Raj Kumar, Prasad Peddada
CPC classification number: G06F21/6227, G06F17/30011, G06F17/30321, G06F17/30336, G06F17/30477, G06F17/3071, G06F17/30864, G06F21/6209, G06F21/6218, G06F21/6245, G06F21/6254, G06F2221/2107, H04L63/08
Abstract: In accordance with disclosed embodiments, there are provided systems and methods for implementing an encrypted search index. According to a particular embodiment, such a system includes a processor and a memory to execute instructions at the system; a search index stored on disk within the system comprised of a plurality of individual search index files, the search index having customer information stored therein, wherein at least one of the individual search index files constitutes a term dictionary or a term index type file having internal structure which allows a portion of the individual search index file to be updated, encrypted, and/or decrypted without affecting the internal structure of the individual search index file; a file input/output (IO) layer to encrypt the customer information being written into the individual search index file and to decrypt the customer information being read from the individual search index file, wherein the file IO layer encrypts and decrypts only a portion of the individual search index file in reply to an operation without requiring decryption or encryption of the individual search index file in its entirety; and a query interface to execute the operation against the customer information stored in the memory in its decrypted form. Other related embodiments are disclosed.
-
Publication No.: US20230195905A1
Publication date: 2023-06-22
Application No.: US17645251
Application date: 2021-12-20
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Glenn Martin Brunette, JR.
CPC classification number: G06F21/602, G06F21/57, G06F9/45558, G06F2009/45587
Abstract: Methods, systems, apparatuses, devices, and computer program products are described. A virtual machine may receive, from an application associated with a tenant, a request to perform a cryptographic operation for the application at the virtual machine. Based on receiving the request, the virtual machine may determine that the tenant is limited to using a designated set of cryptographic operations in accordance with a cryptographic operation validation policy associated with the tenant. In some examples, the virtual machine may identify a designated version of the cryptographic operation, from the designated set of cryptographic operations, that corresponds to the cryptographic operation indicated by the request in satisfaction of the cryptographic operation validation policy. The virtual machine may execute the designated version of the cryptographic operation and return a result of the execution to the application.
-
Publication No.: US20230032867A1
Publication date: 2023-02-02
Application No.: US17387033
Application date: 2021-07-28
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal, Joseph Salowey
IPC: H04L9/32
Abstract: Methods, systems, and devices supporting data processing are described. In some systems, a first service executing on a datacenter may receive a request to establish a secure connection and a certificate from a second service. The datacenter may be provisioned with an indication of certificates that have been revoked by a certificate authority (CA). The first service may validate a certificate chain for the certificate from the second service based on the certificates that have been revoked by the CA. If a certificate of the certificate chain has been revoked, the first service may not establish the connection with the second service. If the certificates of the certificate chain have not been revoked, the first service may establish a secure connection with the second service. The services may communicate in accordance with validating the certificate chain.
-
Publication No.: US11489828B2
Publication date: 2022-11-01
Application No.: US17112525
Application date: 2020-12-04
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal
Abstract: A service may leverage a mutual transport layer security (mTLS) service to authenticate a client that is configured with a client certificate chain. The client may request access to the service, and the service may transmit a redirection response to the client. The redirection response may indicate an endpoint for the mTLS service that is associated with the tenant. In response to receiving the redirection response, the client may perform a digital handshake with the mTLS service, and the mTLS service may validate the client digital certificate and digitally sign the client digital certificate. The mTLS may transmit a redirection response, which redirects the client to the service where the client presents an indication of the digitally signed digital certificate chain. The service may validate the chain of trust associated with the digitally signed digital certificate chain and issue an indication that the client is authenticated to access the service.
-
Publication No.: US11463544B1
Publication date: 2022-10-04
Application No.: US17537240
Application date: 2021-11-29
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Sriram Shankarlal, Giridharan Sridharan, Nirav K. Butala
Abstract: A cloud infrastructure is configured and deployed for managing services executed on a cloud platform. The cloud infrastructure includes a control datacenter configured to communicate with one or more service datacenters. The service datacenter deploys one or more application programming interfaces (API's) associated with a service. The service datacenter also deploys an administration agent. The control datacenter hosts an engine that receives requests from users to perform administration operations by invoking the administration API's. In this manner, the control datacenter functions as a centralized control mechanism that effectively distributes administration operation requests as they are received from users to service datacenters that can service the requests. The cloud infrastructure provides an auditable, compliant and secure management system for administering services for distributed systems running in the cloud.
-
Publication No.: US20220247554A1
Publication date: 2022-08-04
Application No.: US17162766
Application date: 2021-01-29
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal
Abstract: Methods and systems for securing customer data in a multi-tenant database environment are described. A security module running on a database server may generate a private key-public key pair in response to receiving a request to store client data in a database. The security module may then transmit a request to derive a symmetric key to a key server, the request including the generated public key. The key server may derive a symmetric key, using key agreement and a key derivation function, based on the received public key and a private key managed by the key server. The security module may then receive the symmetric key from the key server and encrypt the client data. To facilitate decryption, the public key used to generate the symmetric key and an identifier for the private key managed by the key server may be stored in metadata associated with the client data.
-
Publication No.: US20220131688A1
Publication date: 2022-04-28
Application No.: US17646823
Application date: 2022-01-03
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal
Abstract: A client may transmit an authentication request to a server. The server may initiate a key agreement process using a short-lived private key generated at the server and a public key of the device, generate a shared secret, and derive a symmetric key. The symmetric key may be used to encrypt a random challenge. Further, the server initiates a key agreement process for the client using the partial private key that was generated for the client and the short-lived public key generated at the server. A partial key agreement result and the encrypted random challenge may be transmitted to the client. The client may complete the key agreement process using the partial key agreement result and a respective portion of the private key. The client may derive the encryption key and decrypt the random challenge. An indication of the random challenge may be transmitted to the server, which authenticates the client.
-
Publication No.: US20220029796A1
Publication date: 2022-01-27
Application No.: US16938632
Application date: 2020-07-24
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal
Abstract: A client may transmit an authentication request to a server. The server may initiate a key agreement process using a short-lived private key generated at the server and a public key of the device, generate a shared secret, and derive a symmetric key. The symmetric key may be used to encrypt a random challenge. Further, the server initiates a key agreement process for the client using the partial private key that was generated for the client and the short-lived public key generated at the server. A partial key agreement result and the encrypted random challenge may be transmitted to the client. The client may complete the key agreement process using the partial key agreement result and a respective portion of the private key. The client may derive the encryption key and decrypt the random challenge. An indication of the random challenge may be transmitted to the server, which authenticates the client.
-
Publication No.: US20220021524A1
Publication date: 2022-01-20
Application No.: US16931210
Application date: 2020-07-16
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal, Aaron Johnson, Ryan Guest
Abstract: Methods and systems for securing customer data in a multi-tenant database environment are described. A key identifier received from a security server may be stored by an application server. The key identifier may be associated with a private key that is accessible by the security server and not accessible by the application server. A request to derive a symmetric key may be transmitted from the application server to the security server, the request including a public key generated by the application server, a salt value, and the key identifier. The symmetric key may then be derived based on the transmitted public key and the private key using a key derivation function. The application server may then receive and store the symmetric key in an in-memory cache, and be used to securely encrypt data received by the application server from client devices.
-
Publication No.: US11190344B2
Publication date: 2021-11-30
Application No.: US16425729
Application date: 2019-05-29
Applicant: salesforce.com, inc.
Inventor: Prasad Peddada, Taher Elgamal
Abstract: A method is disclosed. The method includes, in a client device, acquiring first and second asymmetric cryptographic key pairs for a user, where each key pair includes a public key and a corresponding private key, securing the private key of the second key pair in a cryptographic processor, and splitting the private key of the first key pair into plural private key fragments, so that a sum of the plural private key fragments equals the private key of the first key pair. The method further includes storing at least one of the plural private key fragments on the client device, and registering the user with an identity service not hosted on the client device. Registering the user includes providing to the identity service, for use in securely authenticating the user, the public keys of the first and second key pairs, and the plural private key fragment(s) excluding the at least one private key fragment secured on the client device.