1. Field of the Invention
The present invention relates to a method for the processing of data which are stored in at least one database in at least partially encrypted form, in which case the data can be read by a user communicating with the database via a communications link and in which, if necessary, new data can be stored.
2. Description of the Prior Art
Data to be stored in a database are ever more frequently composed of non-critical parts, whose contents require no special secrecy, and critical data which, if at all, may be accessed only by a limited range of users. In order to store such critical data with protected access, it is known for the data to be stored in encrypted form. Cryptographic methods (for example DES, RSA, IDEA) are used for this purpose, and use symmetrical or asymmetrical keys in order to encrypt the data. In known methods for secure communication, the data are encrypted while being transmitted (line encryption) between the client and the server; the data then exist in unencrypted form once again at the central point, and are generally stored in unencrypted form in a central database. With these methods there is a security gap, since anyone who has administrative access to the central database can read all the data. A solution to this problem is known, in which the data are encrypted on the central server and are stored in the database in encrypted form. In this case as well, there is still a security gap when accesses are made to the central point: since the data exist on the server in plaintext at one point in time, they can be copied before or during the encryption process. A method of the type mentioned initially can be used, for example, in the area of medicine or by doctors, where a number of doctors, as users, have access to the patient data stored in a central database.
Sandhu, R. et al., Access control: Principles and practice, IEEE Communications Magazine, September 1994, pages 40-48, describes the access control provided via ACLs. Access Control Lists are used to control who may access objects, and in what role. The rights to do so are stored in databases, and an authorization database must be checked before the user is granted access.
Neumann, C., Security, Payment and Privacy for Network Commerce, IEEE Journal on Selected Areas in Communications, Vol. 13, No. 8, October 1995, pages 1523-1531, describes a protocol, in the description relating to FIG. 1 on page 1525, in which a client would like to communicate with a service provider. To do this, a session key is agreed via a server, and is used by the client to gain access to the provider.
An object of the present invention is to provide a method which can allow secure data transmission and storage in a system in which a number of users have access to a central database.
In order to solve this problem, in a method according to the invention of the type initially described, the data are decrypted and/or encrypted exclusively at the user end using a key which is stored in a central further database and can be transmitted exclusively to the authorized user.
The method according to the invention thus no longer involves the data being encrypted and decrypted at the central server end itself, and no longer uses line encryption; instead, it provides for this to be done exclusively at the user end. In this case, the data are available in unencrypted form only at the doctor's end (that is to say at the client), and the data are encrypted at the doctor's end even before they are transmitted to the central database (server). This makes attacks on the central data storage point, which is the point at risk, very difficult, in particular even attacks by the system administration. Thus, in the method according to the invention, only encrypted data, or only those encrypted data parts which contain critical information and, as a consequence, need to be especially protected, are transmitted via the communications link, which can be tapped. Non-critical data may also be transmitted, of course, in unencrypted form. Protection against unauthorized data access is furthermore ensured in that a special key is required for encryption and/or decryption, which key is allocated exclusively to authorized users from a central further database. This key is thus passed only to the users who are authorized for access, for example only to doctors who are authorized for access.
The data may be composed of data parts which identify a person or an object, data parts which describe that person or object, and association data. In this case the identifying data parts are stored in a first database and the descriptive data parts are stored in a second database, in each case together with an association data item; the data parts stored in the other database can be found using the identically formed association data. At least the association data item of the identifying data parts and, if required, the descriptive data parts are encrypted, and can be decrypted using the transmitted key. Two separate databases are thus used in this case and preferably, but not necessarily, do not communicate with one another. The databases are object-oriented databases which, for example, contain patient data in the form of patient-specific files. At least the critical data are encrypted; non-critical data need not necessarily be stored in encrypted form in the second database. If, for example, the data are medically relevant patient data, then data which either refer to a person or contain other critical information are stored, like the association data item, in encrypted form in the second database which contains the descriptive data parts. Non-critical data, to which, for example, unlimited access may be allowed in the course of epidemiological investigations, are stored in unencrypted form in this database. The demographic patient data, on the other hand, are stored in the first database, and the encrypted association data item is stored there as an encrypted reference.
Since the data which identify the patients are stored in unencrypted form in the first database, it is possible to search for a patient in this database and to determine the encrypted association data item. Access to the second database with the descriptive data, however, is possible only if the association data item can be decrypted, so that the association data item, which is stored in unencrypted form in the second database, can be searched for and the data called up. Furthermore, it is possible to provide a further encryption stage, namely when the first and the second database communicate with one another. In a case such as this, the relevant data can be protected using a method such as that described in PCT Application WO 97/49211 or U.S. Pat. No. 5,606,610.
Furthermore, according to the invention, it is possible to provide for the descriptive data parts to be stored together with association data in a group-specific second database, which is associated with a specific user group, which includes personnel who may have authorized access to the stored data. User groups are thus formed, with each user group being assigned a group-specific second database. All group members have authorized access to this database. Such a group may be, for example, a group formed by a number of doctors who have a group practice. All of them have access to a common patient list and, since they are authorized to have the key or can be authorized to be given the key, they can call up the appropriate data without having to obtain the patient's consent. The composition of the respective groups may change and, of course, it is also possible for one doctor to belong to a number of groups, in the same way that it is also possible, of course, for one patient to have a file in a number of group databases, for example in a first group involving a number of family doctors, and in a second group which comprises, for example, a number of internists. It is likewise also possible, if necessary, to inhibit access by the patient to his data for a specific group, and to enable it if required.
The identifying data parts together with the association data may, according to the invention, be stored in a first database which is common to all users, or to all users in a group. This represents an information database which each user has to be able to select in order to obtain the relevant association data at all. This is an easy way to create the capability to check the authorization of the requesting user. Authorization data which are used to authorize access by the user to the data in the first database may thus specifically be checked in a further database which contains authorization data and is effectively connected upstream of the first database, in which case access to data in the first database is enabled or inhibited depending on the result of the check.
The key transmitted to the user may be transmitted to him or her only once, and it is then permanently kept by the authorized user. However, it has been found to be expedient for the relevant key to be transmitted with each request to the user since, of course, the key may also change over the course of time. In order to ensure that the key is not read without authorization in the course of this transmission process, which would mean that an unauthorized third party could access the data, in an embodiment of the invention the key which is transmitted to the user is encrypted using a user-related public key (IndPubKey), and is decrypted by the user using a user-related private key (IndPrivKey). This means that each authorized user, that is to say the doctor in a group practice for example, has a private key. The key required for encryption and decryption is sent to him or her in encrypted form, and the asymmetric public key is used for encryption. The doctor can now decrypt this using his or her private key, and call up the relevant data using the key which then exists in unencrypted form.
According to the invention, the key which is transmitted to the user is a private group key (DomPrivKey) which is assigned to a specific user group. The association data item and, if required, further data parts are encrypted for storage using the matching public group key (DomPubKey), and are decrypted using the private group key. The transmitted key is thus also an asymmetric private key, by means of which data encrypted using the matching public key can be opened. Thus, in this case, two different asymmetric key pairs are used.
As an alternative to this, it is possible to provide for the association data item to be encrypted using a public file key (FilePubKey) and for the encrypted association data item to be assigned a private file key (FilePrivKey), by means of which the association data item encrypted using the public file key can be decrypted. The private file key is itself encrypted and decrypted using the group key pair, the encryption being carried out using the public group key (DomPubKey). Thus, in this case, an asymmetric file key pair is also provided, by means of which the data are encrypted and decrypted, with the private file key once again being encrypted using the public group key, which the doctor can open by decryption using the private group key that he possesses. Thus, in this variant of the method, three asymmetric key pairs are used. Alternatively, the association data item may also be encrypted using a symmetrical file key (FileSymKey) which, for its part, is encrypted using the public group key (DomPubKey) and decrypted using the private group key.
In order in addition to allow the person whose data are stored to have access to this data, the invention can provide for this person as well to have the private file key (FilePrivKey) by means of which, as described, the association data item and, if required, further data parts are encrypted, so this person can access the personal data and, if required, can edit the data and can store it in encrypted form. This is expedient, for example, if such a person receives medically relevant data at home which, in this way, can then be entered in the personal data file. Such data may be, for example, blood pressure values or the insulin content or the like, i.e., data which the patient can receive at home. This avoids a tedious visit to the doctor.
According to the invention, the encrypted data parts to be stored in the second database are encrypted using the public group key (DomPubKey) or the public file key (FilePubKey). The decryption process takes place using the respective asymmetric private key. This can result in a problem if the data which identify somebody are encrypted using a public key and such data are also stored in the second database, since this public key is known. If an unauthorized third party is searching for data relating to a specific person, he can now encrypt the identification data known to him, for example the surname and the first name of the person, using the known public key, and can search for the patient in the second database using the string which results from this process. The same access possibility exists in the opposite direction if the association data stored in unencrypted form in the second database are systematically encrypted using the public keys, and the first database is then searched for the encrypted association data. In order to overcome this, an expedient development of the invention provides that the data parts and/or association data to be encrypted are expanded by having random data added to them before encryption, and the expanded data are encrypted using the public group key (DomPubKey) or the public file key (FilePubKey). Since the unauthorized third party does not know what random data have been attached, the third party cannot produce a string which will allow searching in whichever database it might be. This further improves the security of the method. During reading, the attached random data are automatically identified as such, and are ignored.
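The following toy model, added here as an illustration and not taken from the patent, shows why random expansion is needed: a deterministic public-key encryption of a surname can be reproduced by anyone holding the public key, while the expanded block cannot, and the reader strips the random part after decryption. It assumes textbook RSA on a small constructed modulus standing in for the group key pair (DomPubKey/DomPrivKey); the key sizes, block layout and the 0x01 marker byte are assumptions of this example, not details given in the text.

```python
import os
from math import gcd

# Toy RSA key pair standing in for DomPubKey/DomPrivKey. The primes are fixed
# Mersenne primes so the example runs offline; a 150-bit modulus is far too
# small for real use. (Constructed for this example, not from the patent.)
P, Q = 2**89 - 1, 2**61 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # modular inverse, Python 3.8+
DOM_PUB_KEY, DOM_PRIV_KEY = (N, E), (N, D)

RANDOM_LEN = 4                 # bytes of random data appended before encryption
MAX_DATA_LEN = 12              # keeps every block below the toy modulus

def rsa_encrypt(pub, block: bytes) -> int:
    """Textbook RSA on one block; deterministic by construction."""
    n, e = pub
    m = int.from_bytes(block, "big")
    if m >= n:
        raise ValueError("block too large for the modulus")
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> bytes:
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def encrypt_plain(pub, data: bytes) -> int:
    """Encrypt a data part as-is: equal inputs always give equal ciphertexts."""
    return rsa_encrypt(pub, b"\x01" + data)

def encrypt_expanded(pub, data: bytes) -> int:
    """Expand the data part with random bytes before encryption.
    Block layout: 0x01 | data | random | length-of-random, so the reader can
    identify and strip the random part after decryption."""
    if not 0 < len(data) <= MAX_DATA_LEN:
        raise ValueError("data part length out of range")
    rnd = os.urandom(RANDOM_LEN)
    return rsa_encrypt(pub, b"\x01" + data + rnd + bytes([RANDOM_LEN]))

def decrypt_expanded(priv, c: int) -> bytes:
    """Decrypt and drop the attached random data."""
    block = rsa_decrypt(priv, c)
    if block[0] != 1:
        raise ValueError("bad block marker")
    rnd_len = block[-1]
    return block[1:-1 - rnd_len]

def searchable_check(surname: bytes = b"Smith"):
    """Store the surname once each way, then test whether a fresh encryption
    under the public key alone matches the stored ciphertext."""
    stored_plain = [encrypt_plain(DOM_PUB_KEY, surname)]
    stored_expanded = [encrypt_expanded(DOM_PUB_KEY, surname)]
    plain_hit = encrypt_plain(DOM_PUB_KEY, surname) in stored_plain
    expanded_hit = encrypt_expanded(DOM_PUB_KEY, surname) in stored_expanded
    return plain_hit, expanded_hit    # (True, False)
```

The random part is identified by its trailing length byte, mirroring the text's statement that attached random data are recognised and ignored on reading.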
As described, it may also be necessary to encrypt descriptive data parts. Since this may occasionally involve large quantities of data, encryption of such data using an asymmetric key has been found to be very time-consuming. In order to overcome this, the invention provides that at least those data parts which are to be encrypted and, if required, expanded are initially encrypted using a symmetrical data key (DatSymKey), which is itself encrypted using the public group key (DomPubKey) or the public file key (FilePubKey). This encrypted symmetrical data key is stored together with the data parts and can be decrypted in a corresponding manner. The encryption process with a symmetric key takes place about 2000 times faster than the encryption process using an asymmetric key.
According to the invention, the keys may be produced by a central production point, if required a group's own central production point. For example, this may be a trust center or, if the group has its own central production point, a group member may be defined as the "production point", and he or she is given the appropriate authorization for key production and has the appropriate production machines installed in his or her area. As an alternative to this, the keys can be produced by the user himself or herself.
According to the invention, those data parts which are to be stored in the second database and are to be encrypted may be assigned further data, which define an encryption machine used for encryption and are encrypted together with them. Various encryption machines, which each operate with specific key lengths or encrypt only specific parts of the data, can be installed in the user's area. By means of the associated further data, information relating to this is stored, so that the algorithm which carries out the user-end data processing can identify the encryption machine which it must access, at least for decryption.
According to the invention, each person or each object within a user group may be assigned only one association data item. In order to record changes within the stored data and to make them traceable, according to the invention the already existing data are stored as a data item version whenever new data are being stored, so that version definition is carried out whenever a storage process takes place. In order furthermore to make it clear who has carried out any change or has called up data, according to the invention an identification data item for the calling or storing user is attached to each data item which is called up and/or newly stored, i.e., a user signature is attached.
It has been found to be expedient to use an encryption table in the course of the encryption process, this encryption table being provided at the user end and containing information about those data sections which are to be encrypted, the data changes or data expansions that need to be carried out in order to maintain the data integrity, and the encryption itself. Such an encryption table, which, for example, applies to a specific user group, defines what parts of the patient data must be encrypted, for example the surname or the first name, with which algorithms and which key lengths the data must be encrypted, and with which precise keys the data parts and association data must be encrypted. Furthermore, this determines what dummy information must be entered in the data so that the data integrity is ensured in accordance with the predetermined data model, a suitable example of which is an HL7 model. To do this, a cryptohash table, which is known, can be used. The use of the encryption table makes the work simple, while any changes in the encryption mode can equally be carried out in a simple way, by editing the table. Changes in the algorithm, in the key length and the like can thus be carried out without any problems. Since each group preferably has its own encryption table, different encryption concepts are also possible between different groups.
According to a further version of the invention, the encryption table is stored in the first database and is transmitted to the user when an authorized access is made to the data in the first database, which allows any changes to be carried out centrally on the first database. Alternatively, the encryption table can also be produced at the user end.