-
Publication number: US10353723B2
Publication date: 2019-07-16
Application number: US15883803
Application date: 2018-01-30
Applicant: salesforce.com, inc.
Inventor: Raghavendran Hanumantharau , Yoram Tal
IPC: G06F9/455 , G06F16/242
Abstract: In some database systems, a user device may query for data records using a procedural language extension to structured query language (PL/SQL) call. However, some databases may not be configured to process PL/SQL code. In these cases, a virtual machine may intercept the PL/SQL call, and may transform the call to a format usable by the database. For example, the virtual machine may deconstruct the PL/SQL call to determine the procedural and query functions that comprise the PL/SQL call. The virtual machine may then search a database for non-PL/SQL code snippets that correspond to these determined functions, and may generate non-PL/SQL code (e.g., Java code) that may perform the same functions as the PL/SQL call. The virtual machine, the database, or a combination of the two may execute the non-PL/SQL code to retrieve the data records from the database, and may return the records to the user device.
-
Publication number: US20190042288A1
Publication date: 2019-02-07
Application number: US15883803
Application date: 2018-01-30
Applicant: salesforce.com, inc.
Inventor: Raghavendran Hanumantharau , Yoram Tal
CPC classification number: G06F9/4552 , G06F9/45558 , G06F16/2448 , G06F16/2452 , G06F2009/45562 , G06F2009/45595
Abstract: In some database systems, a user device may query for data records using a procedural language extension to structured query language (PL/SQL) call. However, some databases may not be configured to process PL/SQL code. In these cases, a virtual machine may intercept the PL/SQL call, and may transform the call to a format usable by the database. For example, the virtual machine may deconstruct the PL/SQL call to determine the procedural and query functions that comprise the PL/SQL call. The virtual machine may then search a database for non-PL/SQL code snippets that correspond to these determined functions, and may generate non-PL/SQL code (e.g., Java code) that may perform the same functions as the PL/SQL call. The virtual machine, the database, or a combination of the two may execute the non-PL/SQL code to retrieve the data records from the database, and may return the records to the user device.
-
Publication number: US20210377020A1
Publication date: 2021-12-02
Application number: US16889285
Application date: 2020-06-01
Applicant: salesforce.com, inc.
Inventor: Dhanashree Kashid , Raghavendran Hanumantharau , Terry Chong , Andrew Stewart Tucker , Vadiraj Govardhan Hosur
Abstract: Disclosed techniques relate to storing a key cache within a secure enclave. In some embodiments, a computing system receives, from an application, a request to access a database, where the request is associated with a particular account. The computing system then accesses, using an identifier associated with the particular account, a key cache stored in a secure enclave of a memory of the computing system to determine at least one private key associated with the request, where the key cache stores private keys of a key management system (KMS) for a plurality of accounts. The computing system performs a cryptographic operation for accessing the database within the secure enclave using the at least one private key. In various embodiments, disclosed techniques may improve the security of cryptographic private keys cached for a plurality of tenants.
-
Publication number: US20200250325A1
Publication date: 2020-08-06
Application number: US16263751
Application date: 2019-01-31
Applicant: salesforce.com, inc.
Inventor: Terry Chong , Jameison Bear Martin , Thomas Fanghaenel , Andrew Tucker , Nathaniel Wyatt , Raghavendran Hanumantharau , Assaf Ben-Gur , William Charles Mortimore, JR.
IPC: G06F21/62 , G06F21/60 , H04L9/08 , G06F16/2455
Abstract: System and methods of the disclosed subject matter provide segregating, at a memory storage coupled to a multitenant database system, first tenant data of a first tenant from at least second tenant data of a second tenant, based on a first tenant identifier. A first encryption key associated with the first tenant may be retrieved from a key cache memory based on the first tenant identifier, to encrypt one or more fragments of the first tenant data. The fragments of the first tenant data may be encrypted based on the retrieved encryption key. Non-encrypted header information may be generated for each of the encrypted fragments of the first tenant data, where the header information may have metadata including the first tenant identifier. The encrypted fragments of the first tenant data and the corresponding non-encrypted header information may be stored in the immutable storage.
-
Publication number: US11841967B2
Publication date: 2023-12-12
Application number: US17562387
Application date: 2021-12-27
Applicant: salesforce.com, inc.
Inventor: Terry Chong , Jameison Bear Martin , Thomas Fanghaenel , Andrew Tucker , Nathaniel Wyatt , Raghavendran Hanumantharau , Assaf Ben Gur , William Charles Mortimore, Jr.
IPC: G06F21/62 , G06F16/2455 , G06F21/60 , H04L9/08
CPC classification number: G06F21/6218 , G06F16/24552 , G06F21/604 , H04L9/08
Abstract: System and methods of the disclosed subject matter provide segregating, at a memory storage coupled to a multitenant database system, first tenant data of a first tenant from at least second tenant data of a second tenant, based on a first tenant identifier. A first encryption key associated with the first tenant may be retrieved from a key cache memory based on the first tenant identifier, to encrypt one or more fragments of the first tenant data. The fragments of the first tenant data may be encrypted based on the retrieved encryption key. Non-encrypted header information may be generated for each of the encrypted fragments of the first tenant data, where the header information may have metadata including the first tenant identifier. The encrypted fragments of the first tenant data and the corresponding non-encrypted header information may be stored in the immutable storage.
-
Publication number: US11374748B2
Publication date: 2022-06-28
Application number: US16849401
Application date: 2020-04-15
Applicant: salesforce.com, inc.
Inventor: Vadiraj Govardhan Hosur , Andrew Tucker , Terry Chong , Raghavendran Hanumantharau , Dhanashree Kashid , Scott Daniel Wisniewski , Prithviraj Vasanth , Pranesh Radhakrishnan
Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.
-
Publication number: US11238174B2
Publication date: 2022-02-01
Application number: US16263751
Application date: 2019-01-31
Applicant: salesforce.com, inc.
Inventor: Terry Chong , Jameison Bear Martin , Thomas Fanghaenel , Andrew Tucker , Nathaniel Wyatt , Raghavendran Hanumantharau , Assaf Ben-Gur , William Charles Mortimore, Jr.
IPC: G06F21/62 , G06F16/2455 , G06F21/60 , H04L9/08
Abstract: System and methods of the disclosed subject matter provide segregating, at a memory storage coupled to a multitenant database system, first tenant data of a first tenant from at least second tenant data of a second tenant, based on a first tenant identifier. A first encryption key associated with the first tenant may be retrieved from a key cache memory based on the first tenant identifier, to encrypt one or more fragments of the first tenant data. The fragments of the first tenant data may be encrypted based on the retrieved encryption key. Non-encrypted header information may be generated for each of the encrypted fragments of the first tenant data, where the header information may have metadata including the first tenant identifier. The encrypted fragments of the first tenant data and the corresponding non-encrypted header information may be stored in the immutable storage.
-
Publication number: US11483150B2
Publication date: 2022-10-25
Application number: US16889285
Application date: 2020-06-01
Applicant: salesforce.com, inc.
Inventor: Dhanashree Kashid , Raghavendran Hanumantharau , Terry Chong , Andrew Stewart Tucker , Vadiraj Govardhan Hosur
Abstract: Disclosed techniques relate to storing a key cache within a secure enclave. In some embodiments, a computing system receives, from an application, a request to access a database, where the request is associated with a particular account. The computing system then accesses, using an identifier associated with the particular account, a key cache stored in a secure enclave of a memory of the computing system to determine at least one private key associated with the request, where the key cache stores private keys of a key management system (KMS) for a plurality of accounts. The computing system performs a cryptographic operation for accessing the database within the secure enclave using the at least one private key. In various embodiments, disclosed techniques may improve the security of cryptographic private keys cached for a plurality of tenants.
-
Publication number: US20220121766A1
Publication date: 2022-04-21
Application number: US17562387
Application date: 2021-12-27
Applicant: salesforce.com, inc.
Inventor: Terry Chong , Jameison Bear Martin , Thomas Fanghaenel , Andrew Tucker , Nathaniel Wyatt , Raghavendran Hanumantharau , Assaf Ben Gur , William Charles Mortimore, JR.
IPC: G06F21/62 , G06F16/2455 , G06F21/60 , H04L9/08
Abstract: System and methods of the disclosed subject matter provide segregating, at a memory storage coupled to a multitenant database system, first tenant data of a first tenant from at least second tenant data of a second tenant, based on a first tenant identifier. A first encryption key associated with the first tenant may be retrieved from a key cache memory based on the first tenant identifier, to encrypt one or more fragments of the first tenant data. The fragments of the first tenant data may be encrypted based on the retrieved encryption key. Non-encrypted header information may be generated for each of the encrypted fragments of the first tenant data, where the header information may have metadata including the first tenant identifier. The encrypted fragments of the first tenant data and the corresponding non-encrypted header information may be stored in the immutable storage.
-
Publication number: US20210328789A1
Publication date: 2021-10-21
Application number: US16849401
Application date: 2020-04-15
Applicant: salesforce.com, inc.
Inventor: Vadiraj Govardhan Hosur , Andrew Tucker , Terry Chong , Raghavendran Hanumantharau , Dhanashree Kashid , Scott Daniel Wisniewski , Prithviraj Vasanth , Pranesh Radhakrishnan
Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.