Vaultless tokenization engine

US 10,389,688 B2
Filed: 08/22/2017
Issued: 08/20/2019
Est. Priority Date: 08/23/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of tokenization comprising the steps of:

receiving a request for tokenization from a user, the request containing a Session token, a token definition logically related to the user, and a received value, wherein the Session token includes a policy identifier logically related to the user and a unique key logically related to the user, and wherein the token definition comprises three or more of the following attributes;

a unique key;

a hashing algorithm;

an iteration count;

a token layout;

a token type;

one or more replacement values;

a token scope;

a token table version;

a masked character;

a force luhn check;

a language;

a mask layout;

a maximum token length;

a minimum token length;

a preserve case;

a preserve value type;

a unique token;

an attribute for whether or not to allow values to be replaced to a same value; and

one or more flags controlling how the resulting token should be formatted;

decoding and validating the Session token;

retrieving the token definition, a token key logically related to the token definition, and a security policy related to the user from a database logically relating the token definition, the token key, and the security policy to the user;

appending the user key and the token key to the received value to create an input value having more than one input value character;

replacing each input value character of the input value with a known character to create a replacement input value, where the known character is related within a lookup table to the input value character according to the token definition;

generating a cryptographically secure hash of the replacement input value to create a derived key;

substituting each character of the replacement input value with a character from one or more lookup tables to create a third input value, the one or more lookup tables being selected based on one or more of the received value, the position of the character being replaced within the replacement input value, and the derived key; and

returning the third input value to the user as a token.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method comprising the steps of receiving a request for tokenization from a user, the request including a Session Token; decoding and validating the Session Token; retrieving a token definition, a token key, and a security policy from a database; appending the user key and the token key to the received value to create an input value; replacing each input value character with a known character to create a replacement input value, where the known character is related within a lookup table; generating a secure hash of the replacement input value to create a derived key; substituting each character of the replacement input value with a character from lookup tables to create a third input value, the lookup tables being selected based on the received value, the position of the character being replaced within the replacement input value, and the derived key; and returning the input value to the user.

44 Citations

View as Search Results

25 Claims

1. A computer-implemented method of tokenization comprising the steps of:
- receiving a request for tokenization from a user, the request containing a Session token, a token definition logically related to the user, and a received value, wherein the Session token includes a policy identifier logically related to the user and a unique key logically related to the user, and wherein the token definition comprises three or more of the following attributes;
  
  a unique key;
  
  a hashing algorithm;
  
  an iteration count;
  
  a token layout;
  
  a token type;
  
  one or more replacement values;
  
  a token scope;
  
  a token table version;
  
  a masked character;
  
  a force luhn check;
  
  a language;
  
  a mask layout;
  
  a maximum token length;
  
  a minimum token length;
  
  a preserve case;
  
  a preserve value type;
  
  a unique token;
  
  an attribute for whether or not to allow values to be replaced to a same value; and
  
  one or more flags controlling how the resulting token should be formatted;
  
  decoding and validating the Session token;
  
  retrieving the token definition, a token key logically related to the token definition, and a security policy related to the user from a database logically relating the token definition, the token key, and the security policy to the user;
  
  appending the user key and the token key to the received value to create an input value having more than one input value character;
  
  replacing each input value character of the input value with a known character to create a replacement input value, where the known character is related within a lookup table to the input value character according to the token definition;
  
  generating a cryptographically secure hash of the replacement input value to create a derived key;
  
  substituting each character of the replacement input value with a character from one or more lookup tables to create a third input value, the one or more lookup tables being selected based on one or more of the received value, the position of the character being replaced within the replacement input value, and the derived key; and
  
  returning the third input value to the user as a token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of tokenization of claim 1 wherein the request for tokenization from a user further contains a user secret.
  - 3. The method of tokenization of claim 1 wherein the method is carried out by one or more tokenization servers and a security provider does not have access to any of the one or more tokenization servers.
  - 4. The method of tokenization of claim 1 wherein a customer manages how data is accessed and who can obtain the full clear text or partially masked data after combining all the “
    - partial-keys”
      
      from the various entities involved using one or more security policies.
  - 5. The method of tokenization of claim 1 wherein the cryptographically secure hash is SHA2.
  - 6. The method of tokenization of claim 1 wherein a security policy is required to be declared before a request for tokenization is made.
  - 7. The method of tokenization of claim 5 wherein a security provider audits and records every user interaction to know when, how and what data is accessed by who.
  - 8. The method of tokenization of claim 1 wherein a customer has an API key and access to a configuration management portal.
  - 9. The method of tokenization in claim 7 wherein the customer changes its service configurations.

10. A computer-implemented method of tokenization comprising the steps of:
- receiving a request for tokenization from a user, the request containing a Session token, a token definition logically related to the user, and a received value, wherein the Session token includes a policy identifier logically related to the user and a unique key logically related to the user, and wherein a customer has an API key and access to a configuration management portal;
  
  decoding and validating the Session token;
  
  retrieving the token definition, a token key logically related to the token definition, and one or more security policies related to the user from a database logically relating the token definition, the token key, and the security policy to the user, wherein a customer manages how data is accessed and who can obtain the full clear text or partially masked data after combining all the “
  
  partial-keys”
  
  from the various entities involved using one or more security policies;
  
  appending the user key and the token key to the received value to create an input value having more than one input value character;
  
  replacing each input value character of the input value with a known character to create a replacement input value, where the known character is related within a lookup table to the input value character according to the token definition;
  
  generating a cryptographically secure hash of the replacement input value to create a derived key;
  
  substituting each character of the replacement input value with a character from one or more lookup tables to create a third input value, the one or more lookup tables being selected based on one or more of the received value, the position of the character being replaced within the replacement input value, and the derived key; and
  
  returning the third input value to the user as a token.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of tokenization of claim 10 wherein the request for tokenization from a user further contains a user secret.
  - 12. The method of tokenization of claim 10 wherein the method is carried out by one or more tokenization servers and a security provider does not have access to any of the one or more tokenization servers.
  - 13. The method of tokenization of claim 10 wherein the cryptographically secure hash is SHA2.
  - 14. The method of tokenization of claim 10 wherein a security policy is required to be declared before a request for tokenization is made.
  - 15. The method of tokenization of claim 13 wherein a security provider audits and records every user interaction to know when, how and what data is accessed by who.
  - 16. The method of tokenization of claim 10 wherein the token definition comprises one or more of the following attributes:
    - a unique key;
      
      a hashing algorithm;
      
      an iteration count;
      
      a token layout;
      
      a token type;
      
      one or more replacement values;
      
      a token scope;
      
      a token table version;
      
      a masked character;
      
      a force luhn check;
      
      a language;
      
      a mask layout;
      
      a maximum token length;
      
      a minimum token length;
      
      a preserve case;
      
      a preserve value type;
      
      a unique token;
      
      an attribute for whether or not to allow values to be replaced to a same value; and
      
      one or more flags controlling how the resulting token should be formatted.
  - 17. The method of tokenization in claim 15 wherein the customer changes its service configurations.

18. A method of tokenization carried out by one or more tokenization servers comprising the steps of:
- receiving a request for tokenization from a user, the request containing a Session token, a token definition logically related to the user, a user secret, and a received value, wherein the Session token includes a policy identifier logically related to the user and a unique key logically related to the user, and a security provider does not have access to any of the one or more tokenization servers;
  
  decoding and validating the Session token;
  
  retrieving the token definition, a token key logically related to the token definition, and a security policy related to the user from a database logically relating the token definition, the token key, and the security policy to the user;
  
  appending the user key and the token key to the received value to create an input value having more than one input value character;
  
  replacing each input value character of the input value with a known character to create a replacement input value, where the known character is related within a lookup table to the input value character according to the token definition;
  
  generating a cryptographically secure hash of the replacement input value to create a derived key;
  
  substituting each character of the replacement input value with a character from one or more lookup tables to create a third input value, the one or more lookup tables being selected based on one or more of the received value, the position of the character being replaced within the replacement input value, and the derived key; and
  
  returning the third input value to the user as a token.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method of tokenization of claim 18 wherein a customer manages how data is accessed and who can obtain the full clear text or partially masked data after combining all the “
    - partial-keys”
      
      from the various entities involved using one or more security policies.
  - 20. The method of tokenization of claim 18 wherein the cryptographically secure hash is SHA2.
  - 21. The method of tokenization of claim 18 wherein a security policy is required to be declared before a request for tokenization is made.
  - 22. The method of tokenization of claim 20 wherein a security provider audits and records every user interaction to know when, how and what data is accessed by who.
  - 23. The method of tokenization of claim 18 wherein a customer has an API key and access to a configuration management portal.
  - 24. The method of tokenization of claim 18 wherein the token definition comprises one or more of the following attributes:
    - a unique key;
      
      a hashing algorithm;
      
      an iteration count;
      
      a token layout;
      
      a token type;
      
      one or more replacement values;
      
      a token scope;
      
      a token table version;
      
      a masked character;
      
      a force luhn check;
      
      a language;
      
      a mask layout;
      
      a maximum token length;
      
      a minimum token length;
      
      a preserve case;
      
      a preserve value type;
      
      a unique token;
      
      an attribute for whether or not to allow values to be replaced to a same value; and
      
      one or more flags controlling how the resulting token should be formatted.
  - 25. The method of tokenization in claim 22 wherein the customer changes its service configurations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PB Analytics, Inc.
Original Assignee
Nxt-Security, LLC
Inventors
Hatcher, Justin
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/682,651
Publication Number

US 20180062832A1
Time in Patent Office

728 Days
Field of Search

380 28
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 67/146   Markers for unambiguous ide...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Vaultless tokenization engine

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Vaultless tokenization engine

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links