Secure generation and inversion of tokens

US 10,410,210 B1
Filed: 04/01/2015
Issued: 09/10/2019
Est. Priority Date: 04/01/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a secure execution environment that comprises;

a processor; and

memory that is operably coupled to the processor, the memory loaded with instructions that, when executed by the processor, cause the processor to perform acts for generating a token that represents a string that conforms to a predefined format, the acts comprising;

receiving a request to generate the token that is representative of the string from a logically separate computing environment, the request comprising an encrypted tokenization function and the string;

decrypting the encrypted tokenization function based upon a decryption algorithm that is securely retained in the secure execution environment;

generating the token by executing the tokenization function over the string;

deleting the tokenization function and the string responsive to the token being generated;

outputting the token to the logically separate computing environment;

subsequent to outputting the token to the logically separate computing environment, receiving the encrypted tokenization function and the token from the logically separate computing environment;

decrypting the encrypted tokenization function based upon the decryption algorithm that is securely retained in the secure execution environment;

inverting the tokenization function;

executing the inverted tokenization function over the token to generate the string;

deleting the inverted tokenization function responsive to the string being generated; and

outputting the string to the logically separate computing environment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are various technologies related to secure generation of tokens and secure inversion of tokens. A tokenization system executes in a secure execution environment, and is configured to receive a string and an encrypted tokenization function. The tokenization system decrypts the encrypted tokenization function, and executes the tokenization function over the string to generate a token. The token is transmitted to a logically separate computing environment, and the tokenization system deletes the tokenization function and the string.

Citations

20 Claims

1. An apparatus, comprising:
- a secure execution environment that comprises;
  
  a processor; and
  
  memory that is operably coupled to the processor, the memory loaded with instructions that, when executed by the processor, cause the processor to perform acts for generating a token that represents a string that conforms to a predefined format, the acts comprising;
  
  receiving a request to generate the token that is representative of the string from a logically separate computing environment, the request comprising an encrypted tokenization function and the string;
  
  decrypting the encrypted tokenization function based upon a decryption algorithm that is securely retained in the secure execution environment;
  
  generating the token by executing the tokenization function over the string;
  
  deleting the tokenization function and the string responsive to the token being generated;
  
  outputting the token to the logically separate computing environment;
  
  subsequent to outputting the token to the logically separate computing environment, receiving the encrypted tokenization function and the token from the logically separate computing environment;
  
  decrypting the encrypted tokenization function based upon the decryption algorithm that is securely retained in the secure execution environment;
  
  inverting the tokenization function;
  
  executing the inverted tokenization function over the token to generate the string;
  
  deleting the inverted tokenization function responsive to the string being generated; and
  
  outputting the string to the logically separate computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the secure execution environment comprises a first virtual machine executing on the apparatus, the processor being a virtual processor and the memory being a virtual memory, and wherein further the logically separate computing environment comprises a second virtual machine executing on the apparatus.
  - 3. The apparatus of claim 1 being coupleable to a computing device that comprises the logically separate computing environment.
  - 4. The apparatus of claim 3 being a Universal Serial Bus stick.
  - 5. The apparatus of claim 1, the secure execution environment being a portion of an application specific integrated circuit.
  - 6. The apparatus of claim 1, the string being a credit card number or a debit card number.
  - 7. The apparatus of claim 1, the string being a number that identifies a person.
  - 8. The apparatus of claim 1, the acts further comprising encrypting the string prior to outputting the string to the logically separate computing environment.
  - 9. The apparatus of claim 1, wherein the string is encrypted, and wherein the acts further comprise decrypting the string prior to executing the tokenization function over the string.
  - 10. The apparatus of claim 1, wherein executing the tokenization function causes the token to have the predefined format.

11. A method for generating a token that represents a string that conforms to a predefined format, wherein the method is performed by a processor in a secure execution environment, the method comprising:
- receiving a request to generate the token that is representative of the string from a computing environment that is logically separate from the secure execution environment, the request comprising an encrypted tokenization function and the string;
  
  decrypting the encrypted tokenization function based upon a decryption algorithm that is securely retained in the secure execution environment;
  
  generating the token by executing the tokenization function over the string;
  
  deleting the tokenization function and the string responsive to the token being generated;
  
  outputting the token to the logically separate computing environment;
  
  subsequent to outputting the token to the logically separate computing environment, receiving the encrypted tokenization function and the token from the logically separate computing environment;
  
  decrypting the encrypted tokenization function based upon the decryption algorithm that is securely retained in the secure execution environment;
  
  inverting the tokenization function;
  
  executing the inverted tokenization function over the token to generate the string;
  
  deleting the inverted tokenization function responsive to the string being generated; and
  
  outputting the string to the logically separate computing environment.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the secure execution environment comprises a first virtual machine executing on an apparatus that comprises the secure execution environment, the processor being a virtual processor and the memory being a virtual memory, and wherein further the logically separate computing environment comprises a second virtual machine executing on the apparatus.
  - 13. The method of claim 11, wherein an apparatus that comprises the secure execution environment is coupleable to a computing device that comprises the computing environment that is logically separate from the secure execution environment.
  - 14. The method of claim 13, wherein the apparatus is a Universal Serial Bus stick.
  - 15. The method of claim 11, the secure execution environment being a portion of an application specific integrated circuit.
  - 16. The method of claim 11, the string being a credit card number or a debit card number.
  - 17. The method of claim 11, the string being a number that identifies a person.
  - 18. The method of claim 11, further comprising encrypting the string prior to outputting the string to the computing environment that is logically separate from the secure execution environment.
  - 19. The method of claim 11, wherein the string is encrypted, and wherein the method further comprises decrypting the string prior to executing the tokenization function over the string.

20. A memory device in a secure execution environment of an apparatus, wherein the memory device comprises instructions for generating a token that represents a string that conforms to a predefined format, wherein the instructions, when executed by a processor in the secure execution environment of the apparatus, cause the processor to perform acts comprising:
- receiving a request to generate the token that is representative of a first the string from a computing environment that is logically separate from the secure execution environment, the request comprising an encrypted tokenization function and the string;
  
  decrypting the encrypted tokenization function based upon a decryption algorithm that is securely retained in the secure execution environment;
  
  generating the token by executing the tokenization function over the string;
  
  deleting the tokenization function and the string responsive to the token being generated;
  
  outputting the token to the logically separate computing environment;
  
  subsequent to outputting the token to the logically separate computing environment, receiving the encrypted tokenization function and the token from the logically separate computing environment;
  
  decrypting the encrypted tokenization function based upon the decryption algorithm that is securely retained in the secure execution environment;
  
  inverting the tokenization function;
  
  executing the inverted tokenization function over the token to generate the string;
  
  deleting the inverted tokenization function responsive to the string being generated; and
  
  outputting the string to the logically separate computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
National Technology & Engineering Solutions Of Sandia LLC (Honeywell International Inc.)
Original Assignee
National Technology & Engineering Solutions Of Sandia LLC (Honeywell International Inc.)
Inventors
Solis, John Hector
Primary Examiner(s)
Kim, Steven S
Assistant Examiner(s)
Sax, Timothy Paul

Application Number

US14/676,637
Time in Patent Office

1,623 Days
Field of Search

None
US Class Current
CPC Class Codes

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/367   involving electronic purses...

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/38215   Use of certificates or encr...

G06Q 2220/00   Business processing using c...

Secure generation and inversion of tokens

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure generation and inversion of tokens

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links