US2021185026A1PendingUtilityA1

System and method for hierarchy manipulation in an encryption key management system

56
Assignee: FORNETIX LLCPriority: Feb 26, 2016Filed: Jan 29, 2021Published: Jun 17, 2021
Est. expiryFeb 26, 2036(~9.6 yrs left)· nominal 20-yr term from priority
G06F 21/602G06F 2212/1052G06F 12/128G06F 21/604G06F 2212/621H04L 63/0853H04L 63/061H04L 63/062G06F 12/1408
56
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Examples described herein relate to manipulation of a structure of a policy hierarchy, while reformulating policies associated with the manipulated nodes, or other nodes effected by the manipulation, of the hierarchy. In some examples, a node may be created, moved, and/or deleted, and the manipulated node (and other nodes effected by the manipulation of the node) may reformulate their respective policies based on their new positions within the policy hierarchy. In some examples, nodes indirectly effected by the hierarchy manipulation may be moved within the hierarchy as a result.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . Non-transitory computer-readable media comprising computer-readable instructions such that, when executed, causes one or more processors to:
 restructure a policy hierarchy comprising a plurality of nodes by switching a child node of the plurality of nodes from being a child of a first parent node of the plurality of nodes to being a child of a second parent node of the plurality of nodes, each of the plurality of nodes is associated with one or more policies, wherein each of the one or more policies are used to evaluate whether one or more cryptographic attributes of a security object used to encrypt data is secure;   after restructuring the policy hierarchy, determine a set of policies by including the one or more policies associated with the second parent node and the one or more policies associated with the child node; and   determine an acceptability of the security object based on the set of policies.   
     
     
         2 . The non-transitory computer-readable media of  claim 1 , wherein the set of policies further comprises the one or more policies associated with any parent node of the child node. 
     
     
         3 . The non-transitory computer-readable media of  claim 1 , wherein the one or more processors are further configured to:
 build a policy cache comprising the one or more policies associated with the first parent node and the one or more policies associated with the child node; and   in response to restructuring the policy hierarchy, rebuild the policy cache to comprise the set of policies.   
     
     
         4 . The non-transitory computer-readable media of  claim 1 , wherein restructuring the policy hierarchy comprises deleting the first parent node. 
     
     
         5 . The non-transitory computer-readable media of  claim 1 , wherein restructuring the policy hierarchy comprises moving the first parent node away from being a parent of the child node. 
     
     
         6 . The non-transitory computer-readable media of  claim 1 , wherein restructuring the policy hierarchy comprises inserting the second parent node as a parent of the child node. 
     
     
         7 . The non-transitory computer-readable media of  claim 1 , wherein restructuring the policy hierarchy comprises moving the child node away from being a child of the first parent node to being a child of the second parent node. 
     
     
         8 . The non-transitory computer-readable media of  claim 1 , wherein the security object is allowed to encrypt the data in response to determining the acceptability of the security object based on the set of policies. 
     
     
         9 . The non-transitory computer-readable media of  claim 1 , wherein one of the set of policies is used to evaluated a size of the security object or a string length of the security object. 
     
     
         10 . The non-transitory computer-readable media of  claim 1 , one or more processors are further configured to:
 determine that a first policy of the set of policies is in conflict with a second policy of the set of policies, wherein the first policy is associated with the child node, and the second policy is associated with the second parent node; and   removing both the first policy and the second policy from the set of policies.   
     
     
         11 . A method, comprising:
 restructuring a policy hierarchy comprising a plurality of nodes by switching a child node of the plurality of nodes from being a child of a first parent node of the plurality of nodes to being a child of a second parent node of the plurality of nodes, each of the plurality of nodes is associated with one or more policies, wherein each of the one or more policies are used to evaluate whether one or more cryptographic attributes of a security object used to encrypt data is secure;   after restructuring the policy hierarchy, determining a set of policies by including the one or more policies associated with the second parent node and the one or more policies associated with the child node; and   determining an acceptability of the security object based on the set of policies.   
     
     
         12 . The method of  claim 11 , wherein the set of policies further comprises the one or more policies associated with any parent node of the child node. 
     
     
         13 . The method of  claim 11 , further comprising:
 building a policy cache comprising the one or more policies associated with the first parent node and the one or more policies associated with the child node; and   in response to restructuring the policy hierarchy, rebuilding the policy cache to comprise the set of policies.   
     
     
         14 . The method of  claim 11 , wherein the security object is allowed to encrypt the data in response to determining the acceptability of the security object based on the set of policies. 
     
     
         15 . The method of  claim 11 , further comprising:
 determining that a first policy of the set of policies is in conflict with a second policy of the set of policies, wherein the first policy is associated with the child node, and the second policy is associated with the second parent node; and   removing both the first policy and the second policy from the set of policies.   
     
     
         16 . A system, comprising:
 a memory; and   a processor configured to:
 restructure a policy hierarchy comprising a plurality of nodes by switching a child node of the plurality of nodes from being a child of a first parent node of the plurality of nodes to being a child of a second parent node of the plurality of nodes, each of the plurality of nodes is associated with one or more policies, wherein each of the one or more policies are used to evaluate whether one or more cryptographic attributes of a security object used to encrypt data is secure; 
 after restructuring the policy hierarchy, determine a set of policies by including the one or more policies associated with the second parent node and the one or more policies associated with the child node; and 
 determine an acceptability of the security object based on the set of policies. 
   
     
     
         17 . The system of  claim 16 , wherein the set of policies further comprises the one or more policies associated with any parent node of the child node. 
     
     
         18 . The system of  claim 16 , wherein the processor is further configured to:
 build a policy cache comprising the one or more policies associated with the first parent node and the one or more policies associated with the child node; and   in response to restructuring the policy hierarchy, rebuild the policy cache to comprise the set of policies.   
     
     
         19 . The system of  claim 16 , wherein the security object is allowed to encrypt the data in response to determining the acceptability of the security object based on the set of policies. 
     
     
         20 . The system of  claim 16 , wherein the processor is further configured to:
 determine that a first policy of the set of policies is in conflict with a second policy of the set of policies, wherein the first policy is associated with the child node, and the second policy is associated with the second parent node; and   removing both the first policy and the second policy from the set of policies.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.