Increasing search ability of private, encrypted data

US 10,114,955 B2
Filed: 02/11/2016
Issued: 10/30/2018
Est. Priority Date: 02/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method for searching a database to obtain data, comprising:

receiving, by a computer database system, a request for data comprising a search string;

determining a search column of a first table indicated in relation to the search string, the first table storing plaintext data of a particular type of personally identifiable information (PII) within the search column;

searching the search column of the first table of the computer database system using the search string to identify a matching string, wherein the first table includes an encrypted foreign key for each field, and the matching string is identified from the plaintext data;

obtaining at least one encrypted foreign key corresponding to the matching string identified using the search string;

sending the at least one encrypted foreign key to a decryption engine executing on one or more processors of the computer database system;

receiving from the decryption engine, at least one decrypted foreign key corresponding to the at least one encrypted foreign key, wherein the decrypted foreign key is generated by the decryption engine using a decryption key unique to the first table;

searching a second table of the computer database system using the at least one decrypted foreign key to obtain encrypted data, wherein the encrypted data comprises a different second type of PII;

sending the encrypted data to the decryption engine to decrypt the encrypted data; and

receiving, from the decryption engine, decrypted data resulting from decryption of the encrypted data, wherein the decrypted data comprises the requested data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided to allow full search for encrypted data within a database. In some embodiments, searchable data may be separated into different searchable tables in a database in such a way that encrypted data is stored as plaintext but has no usable link to other data within the source database. In some embodiments, performing a query on a particular user data may result in the retrieval of an encrypted identifier, which may then be decrypted via an encryption module. A second search based on the decrypted identifier may produce a set of relevant search results from a source table.

36 Citations

View as Search Results

16 Claims

1. A method for searching a database to obtain data, comprising:
- receiving, by a computer database system, a request for data comprising a search string;
  
  determining a search column of a first table indicated in relation to the search string, the first table storing plaintext data of a particular type of personally identifiable information (PII) within the search column;
  
  searching the search column of the first table of the computer database system using the search string to identify a matching string, wherein the first table includes an encrypted foreign key for each field, and the matching string is identified from the plaintext data;
  
  obtaining at least one encrypted foreign key corresponding to the matching string identified using the search string;
  
  sending the at least one encrypted foreign key to a decryption engine executing on one or more processors of the computer database system;
  
  receiving from the decryption engine, at least one decrypted foreign key corresponding to the at least one encrypted foreign key, wherein the decrypted foreign key is generated by the decryption engine using a decryption key unique to the first table;
  
  searching a second table of the computer database system using the at least one decrypted foreign key to obtain encrypted data, wherein the encrypted data comprises a different second type of PII;
  
  sending the encrypted data to the decryption engine to decrypt the encrypted data; and
  
  receiving, from the decryption engine, decrypted data resulting from decryption of the encrypted data, wherein the decrypted data comprises the requested data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the decryption engine is a hardware security module (HSM).
  - 3. The method of claim 1, wherein the search string is received via a request for the decrypted data and includes a wildcard.
  - 4. The method of claim 1, further comprising:
    - searching the second table of the computer database system using the foreign key to obtain plaintext data;
      
      appending the obtained plaintext data to the decrypted data; and
      
      returning the appended decrypted data to a requestor device from which the search string was received.
  - 5. The method of claim 1, further comprising:
    - receiving a request to update the decrypted data with new data;
      
      sending the new data to an encryption engine;
      
      receiving, from the encryption engine, an encrypted new data; and
      
      replacing the encrypted data with the encrypted new data.
  - 6. The method of claim 1, further comprising:
    - searching at least one third table of the computer database system using at least one second search string to identify at least one second matching string, wherein the at least one third table includes a second encrypted foreign key for each field;
      
      obtaining at least one second encrypted foreign key corresponding to the matching string identified using the second search string;
      
      sending the at least one second encrypted foreign key to the decryption engine; and
      
      receiving, from the decryption engine, at least one second decrypted foreign key corresponding to the at least one second encrypted foreign key, wherein searching a second table of the computer database system comprises identifying encrypted data for which the at least one decrypted foreign key matches the at least one second decrypted foreign key.
  - 7. The method of claim 1, wherein the first table of the computer database system comprises a first column of encrypted foreign keys and a second column of plaintext data, wherein searching the first table of the computer database system using the search string to identify the matching string comprises searching the column of plaintext data for one or more values that match the search string, and wherein the at least one encrypted foreign key includes an encrypted foreign key for each of the one or more values that match the search string.

8. A system comprising:
- one or more processors and a memory including instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive a request for data comprising a search string;
  
  determine a search column of a first table indicated in relation to the search string, the first table storing plaintext data of a particular type of personally identifiable information (PII) within the search column;
  
  search the search column of the first table of the computer database system using the search string to identify a matching string, wherein the first table includes an encrypted foreign key for each field, and the matching string is identified from the plaintext data;
  
  obtain at least one encrypted foreign key corresponding to the matching string identified using the search string;
  
  send the at least one encrypted foreign key to a decryption engine executing on one or more processors of the computer database system;
  
  receive from the decryption engine, at least one decrypted foreign key corresponding to the at least one encrypted foreign key, wherein the decrypted foreign key is generated by the decryption engine using a decryption key unique to the first table;
  
  search a second table of the computer database system using the at least one decrypted foreign key to obtain encrypted data, wherein the encrypted data comprises a different second type of PII;
  
  send the encrypted data to the decryption engine to decrypt the encrypted data; and
  
  receive, from the decryption engine, decrypted data resulting from decryption of the encrypted data, wherein the decrypted data comprises the requested data.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8, wherein the at least one encrypted foreign key is decrypted using a decryption key associated with the first table.
  - 10. The system of claim 8, wherein the query is included in an update request that includes new data, and wherein the instructions further cause the one or more processors to:
    - update the decrypted set of source data to include the new data;
      
      encrypt the updated set of source data; and
      
      replace the set of encrypted source data with the encrypted updated set of source data in the second table.
  - 11. The system of claim 10, wherein the instructions further cause the one or more processors to update the first table to reflect the encrypted updated set of source data.

12. A non-transitory computer readable medium storing specific computer-executable instructions that, when executed by a processor, cause a computer system to at least:
- receive a request for data comprising a search string;
  
  determine a search column of a first table indicated in relation to the search string, the first table storing plaintext data of a particular type of personally identifiable information (PII) within the search column;
  
  search the search column of the first table of the computer database system using the search string to identify a matching string, wherein the first table includes an encrypted foreign key for each field, and the matching string is identified from the plaintext data;
  
  obtain at least one encrypted foreign key corresponding to the matching string identified using the search string;
  
  send the at least one encrypted foreign key to a decryption engine executing on one or more processors of the computer database system;
  
  receive from the decryption engine, at least one decrypted foreign key corresponding to the at least one encrypted foreign key, wherein the decrypted foreign key is generated by the decryption engine using a decryption key unique to the first table;
  
  search a second table of the computer database system using the at least one decrypted foreign key to obtain encrypted data, wherein the encrypted data comprises a different second type of PII;
  
  send the encrypted data to the decryption engine to decrypt the encrypted data; and
  
  receive, from the decryption engine, decrypted data resulting from decryption of the encrypted data, wherein the decrypted data comprises the requested data.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer readable medium of claim 12, wherein the encrypted data is decrypted to determine information related to the search string.
  - 14. The computer readable medium of claim 12, wherein the second table comprises a column of plaintext identifiers and multiple columns of encrypted data.
  - 15. The computer readable medium of claim 12, wherein the first table comprises a column of encrypted foreign keys corresponding to the search column including plaintext.
  - 16. The computer readable medium of claim 15, wherein at least one row relevant to the search string is identified as a row containing the matching string in the search column, and wherein the encrypted foreign key corresponding to the matching string is identified by virtue of being in the at least one row.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Conway, Adam
Primary Examiner(s)
Lynch, Sharon S

Application Number

US15/041,783
Publication Number

US 20160232362A1
Time in Patent Office

992 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2455   Query execution

G06F 16/2458   Special types of queries, e...

G06F 16/2468   Fuzzy queries

G06F 16/90   Details of database functio...

G06F 21/602   Providing cryptographic fac...

G06F 21/6227   where protection concerns t...

Increasing search ability of private, encrypted data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Increasing search ability of private, encrypted data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links