US2021185026A1PendingUtilityA1
System and method for hierarchy manipulation in an encryption key management system
Est. expiryFeb 26, 2036(~9.6 yrs left)· nominal 20-yr term from priority
G06F 21/602G06F 2212/1052G06F 12/128G06F 21/604G06F 2212/621H04L 63/0853H04L 63/061H04L 63/062G06F 12/1408
56
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Examples described herein relate to manipulation of a structure of a policy hierarchy, while reformulating policies associated with the manipulated nodes, or other nodes effected by the manipulation, of the hierarchy. In some examples, a node may be created, moved, and/or deleted, and the manipulated node (and other nodes effected by the manipulation of the node) may reformulate their respective policies based on their new positions within the policy hierarchy. In some examples, nodes indirectly effected by the hierarchy manipulation may be moved within the hierarchy as a result.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . Non-transitory computer-readable media comprising computer-readable instructions such that, when executed, causes one or more processors to:
restructure a policy hierarchy comprising a plurality of nodes by switching a child node of the plurality of nodes from being a child of a first parent node of the plurality of nodes to being a child of a second parent node of the plurality of nodes, each of the plurality of nodes is associated with one or more policies, wherein each of the one or more policies are used to evaluate whether one or more cryptographic attributes of a security object used to encrypt data is secure; after restructuring the policy hierarchy, determine a set of policies by including the one or more policies associated with the second parent node and the one or more policies associated with the child node; and determine an acceptability of the security object based on the set of policies.
2 . The non-transitory computer-readable media of claim 1 , wherein the set of policies further comprises the one or more policies associated with any parent node of the child node.
3 . The non-transitory computer-readable media of claim 1 , wherein the one or more processors are further configured to:
build a policy cache comprising the one or more policies associated with the first parent node and the one or more policies associated with the child node; and in response to restructuring the policy hierarchy, rebuild the policy cache to comprise the set of policies.
4 . The non-transitory computer-readable media of claim 1 , wherein restructuring the policy hierarchy comprises deleting the first parent node.
5 . The non-transitory computer-readable media of claim 1 , wherein restructuring the policy hierarchy comprises moving the first parent node away from being a parent of the child node.
6 . The non-transitory computer-readable media of claim 1 , wherein restructuring the policy hierarchy comprises inserting the second parent node as a parent of the child node.
7 . The non-transitory computer-readable media of claim 1 , wherein restructuring the policy hierarchy comprises moving the child node away from being a child of the first parent node to being a child of the second parent node.
8 . The non-transitory computer-readable media of claim 1 , wherein the security object is allowed to encrypt the data in response to determining the acceptability of the security object based on the set of policies.
9 . The non-transitory computer-readable media of claim 1 , wherein one of the set of policies is used to evaluated a size of the security object or a string length of the security object.
10 . The non-transitory computer-readable media of claim 1 , one or more processors are further configured to:
determine that a first policy of the set of policies is in conflict with a second policy of the set of policies, wherein the first policy is associated with the child node, and the second policy is associated with the second parent node; and removing both the first policy and the second policy from the set of policies.
11 . A method, comprising:
restructuring a policy hierarchy comprising a plurality of nodes by switching a child node of the plurality of nodes from being a child of a first parent node of the plurality of nodes to being a child of a second parent node of the plurality of nodes, each of the plurality of nodes is associated with one or more policies, wherein each of the one or more policies are used to evaluate whether one or more cryptographic attributes of a security object used to encrypt data is secure; after restructuring the policy hierarchy, determining a set of policies by including the one or more policies associated with the second parent node and the one or more policies associated with the child node; and determining an acceptability of the security object based on the set of policies.
12 . The method of claim 11 , wherein the set of policies further comprises the one or more policies associated with any parent node of the child node.
13 . The method of claim 11 , further comprising:
building a policy cache comprising the one or more policies associated with the first parent node and the one or more policies associated with the child node; and in response to restructuring the policy hierarchy, rebuilding the policy cache to comprise the set of policies.
14 . The method of claim 11 , wherein the security object is allowed to encrypt the data in response to determining the acceptability of the security object based on the set of policies.
15 . The method of claim 11 , further comprising:
determining that a first policy of the set of policies is in conflict with a second policy of the set of policies, wherein the first policy is associated with the child node, and the second policy is associated with the second parent node; and removing both the first policy and the second policy from the set of policies.
16 . A system, comprising:
a memory; and a processor configured to:
restructure a policy hierarchy comprising a plurality of nodes by switching a child node of the plurality of nodes from being a child of a first parent node of the plurality of nodes to being a child of a second parent node of the plurality of nodes, each of the plurality of nodes is associated with one or more policies, wherein each of the one or more policies are used to evaluate whether one or more cryptographic attributes of a security object used to encrypt data is secure;
after restructuring the policy hierarchy, determine a set of policies by including the one or more policies associated with the second parent node and the one or more policies associated with the child node; and
determine an acceptability of the security object based on the set of policies.
17 . The system of claim 16 , wherein the set of policies further comprises the one or more policies associated with any parent node of the child node.
18 . The system of claim 16 , wherein the processor is further configured to:
build a policy cache comprising the one or more policies associated with the first parent node and the one or more policies associated with the child node; and in response to restructuring the policy hierarchy, rebuild the policy cache to comprise the set of policies.
19 . The system of claim 16 , wherein the security object is allowed to encrypt the data in response to determining the acceptability of the security object based on the set of policies.
20 . The system of claim 16 , wherein the processor is further configured to:
determine that a first policy of the set of policies is in conflict with a second policy of the set of policies, wherein the first policy is associated with the child node, and the second policy is associated with the second parent node; and removing both the first policy and the second policy from the set of policies.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.