SYSTEMS AND METHODS FOR DECRYPTION AS A SERVICE

US 20150271150A1
Filed: 03/19/2015
Published: 09/24/2015
Est. Priority Date: 03/19/2014
Status: Active Grant

First Claim

Patent Images

1. A system for decryption of payloads, the system comprising:

a frontend server operatively connected to a read-only database, the frontend server configured for;

a) receiving a plurality of payloads from one or more third parties, wherein each of the payloads includes at least one encrypted element;

b) retrieving authentication data from the read-only database;

c) comparing the authentication data with each of the plurality of payloads to determine whether one or more of the payloads of the plurality of payloads has been compromised;

d) upon determining that one or more of the payloads of the plurality of payloads has not been compromised, transmitting the one or more payloads of the plurality of payloads to a hardware security module for decryption of the at least one encrypted element;

the read-only database operatively connected to the frontend server and configured for storing read-only authentication data for use in determining whether payloads have been compromised; and

the hardware security module operatively connected to the frontend server, the hardware security module configured for decrypting the one or more payloads of the plurality of encrypted payloads based on an encryption key and transmitting the decrypted one or more payloads to the one or more third parties.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for decryption of payloads are disclosed herein. In various embodiments, systems and methods herein are configured for decrypting thousands of transactions per second. Further, in particular embodiments, the systems and methods herein are scalable, such that many thousands of transactions can be processed per second upon replicating particular architectural components.

52 Citations

View as Search Results

77 Claims

1. A system for decryption of payloads, the system comprising:
- a frontend server operatively connected to a read-only database, the frontend server configured for;
  
  a) receiving a plurality of payloads from one or more third parties, wherein each of the payloads includes at least one encrypted element;
  
  b) retrieving authentication data from the read-only database;
  
  c) comparing the authentication data with each of the plurality of payloads to determine whether one or more of the payloads of the plurality of payloads has been compromised;
  
  d) upon determining that one or more of the payloads of the plurality of payloads has not been compromised, transmitting the one or more payloads of the plurality of payloads to a hardware security module for decryption of the at least one encrypted element;
  
  the read-only database operatively connected to the frontend server and configured for storing read-only authentication data for use in determining whether payloads have been compromised; and
  
  the hardware security module operatively connected to the frontend server, the hardware security module configured for decrypting the one or more payloads of the plurality of encrypted payloads based on an encryption key and transmitting the decrypted one or more payloads to the one or more third parties.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein each payload includes an identifier associated with a source of the payload.
  - 3. The system of claim 2, wherein retrieving authentication data from the read-only database comprises retrieving authentication data from the read-only database for each of the received plurality of payloads by each identifier associated with each of the plurality of payloads.
  - 4. The system of claim 3, wherein the identifier is a serial number or firmware identifier associated with a particular point of interaction device.
  - 5. The system of claim 3, wherein the identifier is an identifier associated with a mobile payments system.
  - 6. The system of claim 3, wherein the identifier is an identifier associated with an electronic health records system.
  - 7. The system of claim 1, wherein:
    - the read-only database is a first read-only database; and
      
      the system further comprises;
      
      a) a second read-only database operatively connected to the frontend server and configured for storing authentication data for use in determining whether a payload has been compromised; and
      
      b) a master read-only database operatively connected to the first and second read-only databases and a read/write backend database, the master read-only database configured for receiving the authentication data from the read/write backend database and refreshing the authentication data at each of the first and second read-only databases.
  - 8. The system of claim 7, wherein:
    - the system further comprises a third read-only database operatively connected to the frontend server and configured for storing authentication data for use in determining whether a payload has been compromised; and
      
      the master read-only database is operatively connected to the first, second, and third read-only databases and the read/write backend database, the master read-only database configured for receiving the authentication data from the read/write backend database and refreshing the authentication data at each of the first, second, and third read-only databases.
  - 9. The system of claim 8, wherein:
    - the hardware security module is a first hardware security module; and
      
      the system further comprises a second hardware security module operatively connected to the frontend server, the second hardware security module configured for decrypting the one or more payloads of the plurality of encrypted payloads based on an encryption key for the one or more payloads and transmitting the decrypted one or more payloads to the one or more third parties.
  - 10. The system of claim 9, wherein the system is configured to process up to about 1600 transactions per second.
  - 11. The system of claim 9, wherein the system is configured to process twice as many transactions by doubling the number of read-only databases and hardware security modules.
  - 12. The system of claim 11, wherein the system is configured to process up to about 3200 transactions per second.

13. A computer-implemented method for decryption of payloads, the method comprising:
- providing a frontend server operatively connected to a read-only database, the frontend server configured for;
  
  a) receiving a plurality of payloads from one or more third parties, wherein each of the payloads includes at least one encrypted element;
  
  b) retrieving authentication data from the read-only database;
  
  c) comparing the authentication data with each of the plurality of payloads to determine whether one or more of the payloads of the plurality of payloads has been compromised;
  
  d) upon determining that one or more of the payloads of the plurality of payloads has not been compromised, transmitting the one or more payloads of the plurality of payloads to a hardware security module for decryption of the at least one encrypted element;
  
  providing the read-only database operatively connected to the frontend server and configured for storing read-only authentication data for use in determining whether payloads have been compromised; and
  
  providing the hardware security module operatively connected to the frontend server, the hardware security module configured for decrypting the one or more payloads of the plurality of encrypted payloads based on an encryption key and transmitting the decrypted one or more payloads to the one or more third parties.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The computer-implemented method of claim 13, wherein each payload includes an identifier associated with a source of the payload.
  - 15. The computer-implemented method of claim 14, wherein retrieving authentication data from the read-only database comprises retrieving authentication data from the read-only database for each of the received plurality of payloads by each identifier associated with each of the plurality of payloads.
  - 16. The computer-implemented method of claim 15, wherein the identifier is a serial number or firmware identifier associated with a particular point of interaction device.
  - 17. The computer-implemented method of claim 15, wherein the identifier is an identifier associated with a mobile payments system.
  - 18. The computer-implemented method of claim 15, wherein the identifier is an identifier associated with an electronic health records system.
  - 19. The computer-implemented method of claim 13, wherein:
    - the read-only database is a first read-only database; and
      
      the computer-implemented method further comprises;
      
      a) providing a second read-only database operatively connected to the frontend server and configured for storing authentication data for use in determining whether a payload has been compromised; and
      
      b) providing a master read-only database operatively connected to the first and second read-only databases and a read/write backend database, the master read-only database configured for receiving the authentication data from the read/write backend database and refreshing the authentication data at each of the first and second read-only databases.
  - 20. The computer-implemented method of claim 19, wherein:
    - the computer-implemented method further comprises providing a third read-only database operatively connected to the frontend server and configured for storing authentication data for use in determining whether a payload has been compromised; and
      
      the master read-only database is operatively connected to the first, second, and third read-only databases and the read/write backend database, the master read-only database configured for receiving the authentication data from the read/write backend database and refreshing the authentication data at each of the first, second, and third read-only databases.
  - 21. The computer-implemented method of claim 20, wherein:
    - the hardware security module is a first hardware security module; and
      
      the computer-implemented method further comprises providing a second hardware security module operatively connected to the frontend server, the second hardware security module configured for decrypting the one or more payloads of the plurality of encrypted payloads based on an encryption key for the one or more payloads and transmitting the decrypted one or more payloads to the one or more third parties.
  - 22. The computer-implemented method of claim 21, wherein the computer-implemented method enables processing of up to about 1600 transactions per second.
  - 23. The computer-implemented method of claim 21, wherein the computer-implemented method enables processing twice as many transactions by providing twice as many read-only databases and hardware security modules.
  - 24. The computer-implemented method of claim 23, wherein the computer-implemented method enables processing of up to about 3200 transactions per second.

25. A scalable system for fast decryption of payloads, the system comprising:
- at least one hardware security module operatively connected to one or more frontend servers and configured for decrypting encrypted elements of payloads;
  
  the one or more frontend servers configured to receive and authenticate payloads based at least in part upon retrieving authentication data from a particular read-only database of one or more read-only databases;
  
  the one or more read-only databases operatively connected to the one or more frontend servers, wherein the one or more read-only databases comprise the authentication data for authenticating payloads;
  
  a read-only master database operatively connected to the one or more read-only databases, the read-only master database configured to refresh the authentication data stored at the one or more read-only databases; and
  
  a backend read/write database for logging decryptions and authentications, the backend read-write database operatively connected to the at least one hardware security module and the read-only master database.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 26. The system of claim 25, wherein the system comprises a particular number of one or more frontend servers and a specific number of one or more read-only databases based on a ratio of read-only databases and frontend servers to a number of hardware security modules.
  - 27. The system of claim 26, wherein the system comprises three read-only databases for every two hardware security modules.
  - 28. The system of claim 25, wherein:
    - the at least one hardware security module is configured to decrypt encrypted elements of payloads at a particular number of payloads per second; and
      
      the system comprises a number of read-only databases such that the read-only databases can authenticate the particular number of payloads per second.
  - 29. The system of claim 28, wherein the system comprises two hardware security modules and is configured to decrypt up to 3200 payloads per second.
  - 30. The system of claim 29, wherein the system comprises three read-only databases and is configured to authenticate up to 3200 payloads per second.
  - 31. The system of claim 28, wherein the system comprises four hardware security modules and is configured to decrypt up to 6400 payloads per second.
  - 32. The system of claim 31, wherein the system comprises six read-only databases and is configured to authenticate up to 6400 payloads per second.
  - 33. The system of claim 25 wherein the at least one hardware security module is configured to decrypt encrypted data in a 3DES format.
  - 34. The system of claim 25, wherein the at least one hardware security module is configured to decrypt encrypted data in a DUKPT format.
  - 35. The system of claim 25, wherein the at least one hardware security module is configured to decrypted encrypted data in a BPS format.
  - 36. The system of claim 25, wherein the at least one hardware security module is configured to decrypted encrypted data in a base64 encoded format.
  - 37. The system of claim 25, wherein the at least one hardware security module is configured to decrypted encrypted data in a hexadecimal encoded format.
  - 38. The system of claim 25, wherein the at least one hardware security module is configured to decrypted encrypted data in an encrypted value name format.
  - 39. The system of claim 25, wherein the at least one hardware security module is configured to decrypted encrypted data in any of the following formats:
    - 3DES, DUKPT, BPS, base64, hexadecimal encoded, or encrypted value name.

40. A system for fast decryption of one or more payloads, the system comprising a message queuing protocol operatively connected to a read-only database and a read/write database, the message queuing protocol configured for:
- receiving event notifications from a read-only database, wherein the event notifications each comprise one or more notifications regarding the authentication of one or more received payloads;
  
  queuing the event notifications received from the read-only database; and
  
  transmitting the event notifications to the read/write database upon determining that the read/write database is configured to accept event notifications.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47)
- - 41. The system of claim 40, wherein the message queuing protocol is further configured for receiving event notifications from the read-only database, wherein the read-only database is a master read-only database operatively connected to at least one slave read-only database.
  - 42. The system of claim 41, wherein the system further comprises a frontend server operatively connected to the at least one slave read-only database, the frontend server configured for receiving the one or more received payloads and authenticating each of the one or more received payloads by comparing data included in the one or more received payloads with data included in the at least one slave read-only database.
  - 43. The system of claim 42, wherein the system further comprises a hardware security module, wherein the hardware security module is operatively connected to the frontend server and is for decrypting encrypted portions of the one or more received payloads
  - 44. The system of claim 43, wherein the hardware security module is operatively connected to the frontend server via a hardware security module server.
  - 45. The system of claim 40, wherein the message queuing protocol is further configured for storing the event notifications upon determining the read/write database is not configured to accept event notifications.
  - 46. The system of claim 45, wherein upon determining the read/write database is configured to accept event notifications, transmitting the stored event notifications to the read/write database.
  - 47. The system of claim 40, wherein the read/write database is a P2PE manager.

48. A computer-implemented method for fast decryption of one or more payloads, the method comprising providing a message queuing protocol operatively connected to a read-only database and a read/write database, the message queuing protocol configured for:
- receiving event notifications from a read-only database, wherein the event notifications each comprise one or more notifications regarding the authentication of one or more received payloads;
  
  queuing the event notifications received from the read-only database; and
  
  transmitting the event notifications to the read/write database upon determining that the read/write database is configured to accept event notifications.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55)
- - 49. The computer-implemented method of claim 48, wherein the message queuing protocol is further configured for receiving event notifications from the read-only database, wherein the read-only database is a master read-only database operatively connected to at least one slave read-only database.
  - 50. The computer-implemented method of claim 49, wherein the computer-implemented method further comprises providing a frontend server operatively connected to the at least one slave read-only database, the frontend server configured for receiving the one or more received payloads and authenticating each of the one or more received payloads by comparing data included in the one or more received payloads with data included in the at least one slave read-only database.
  - 51. The computer-implemented method of claim 50, wherein the computer-implemented method further comprises providing a hardware security module, wherein the hardware security module is operatively connected to the frontend server and is for decrypting encrypted portions of the one or more received payloads.
  - 52. The computer-implemented method of claim 51, wherein the hardware security module is operatively connected to the frontend server via a hardware security module server.
  - 53. The computer-implemented method of claim 48, wherein the message queuing protocol is further configured for storing the event notifications upon determining the read/write database is not configured to accept event notifications.
  - 54. The computer-implemented method of claim 53, wherein upon determining the read/write database is configured to accept event notifications, transmitting the stored event notifications to the read/write database.
  - 55. The computer-implemented method of claim 48, wherein the read/write database is a P2PE manager.

56. A system for fast decryption of one or more payloads, the system comprising:
- a frontend server for receiving encrypted payloads;
  
  a plurality of read-only databases operatively connected to the frontend server;
  
  a master read-only database operatively connected to each of the plurality of read-only databases; and
  
  a read/write database operatively connected to the master database, the read/write database for transmitting event messages to the master read-only database, wherein the system is configured for;
  
  receiving event information at the read/write database;
  
  upon receiving the event information at the read/write database, automatically transmitting authentication data to the master read-only database, wherein the authentication data has been updated by the event information;
  
  refreshing the read-only master database to include the authentication data; and
  
  refreshing each of the plurality of read-only databases with authentication data matching the refreshed read-only master database, wherein the authentication data is for determining whether a payload has been transmitted by a tampered device.
- View Dependent Claims (57, 58, 59, 60, 61)
- - 57. The system of claim 56, wherein the authentication data is data for authenticating a particular payload.
  - 58. The system of claim 57, wherein the authentication data is a serial number or firmware identifier for a particular device configured to transmit the particular payload to the system.
  - 59. The system of claim 58, wherein the authentication data is an indication of a type of firmware running on a particular device configured to transmit the particular payload to the system.
  - 60. The system of claim 57 wherein the authentication data is for authenticating a particular partner associated with the particular payload.
  - 61. The system of claim 60, wherein the particular partner is a third-party payment processor configured to transmit the particular payload to the system.

62. A computer-implemented method for fast decryption of one or more payloads, the method comprising the steps of:
- providing a frontend server for receiving encrypted payloads;
  
  providing a plurality of read-only databases operatively connected to the frontend server;
  
  providing a master read-only database operatively connected to each of the plurality of read-only databases;
  
  providing a read/write database operatively connected to the master database, the read/write database for transmitting event messages to the master read-only database;
  
  receiving event information at the read/write database;
  
  upon receiving the event information at the read/write database, automatically transmitting authentication data to the master read-only database, wherein the authentication data has been updated by the event information;
  
  refreshing the read-only master database to include the authentication data; and
  
  refreshing each of the plurality of read-only databases with authentication data matching the refreshed read-only master database, wherein the authentication data is for determining whether a payload has been transmitted by a tampered device.
- View Dependent Claims (63, 64, 65, 66, 67)
- - 63. The computer-implemented method of claim 62, wherein the authentication data is data for authenticating a particular payload.
  - 64. The computer-implemented method of claim 63, wherein the authentication data is a serial number or firmware identifier for a particular device configured to transmit the particular payload to the system.
  - 65. The computer-implemented method of claim 63, wherein the authentication data is an indication of a type of firmware running on a particular device configured to transmit the particular payload to the system.
  - 66. The computer-implemented method of claim 63, wherein the authentication data is for authenticating a particular partner associated with the particular payload.
  - 67. The computer-implemented method of claim 66, wherein the particular partner is a third-party payment processor configured to transmit the particular payload to the system.

68. A system for decryption of one or more payloads, the system comprising:
- a hardware security module for decrypting encrypted elements of received payloads, the hardware security module operatively connected to at least one decryption server;
  
  the at least one decryption server, wherein the at least one decryption server is configured to;
  
  receive a particular payload, the particular payload comprising at least one encrypted element;
  
  transmit the particular payload to the hardware security module for decryption of the at least one encrypted element;
  
  upon receiving the particular payload from the hardware security module, parse the particular payload to determine whether the at least one encrypted element has been decrypted by the hardware security module;
  
  upon determining that the at least one encrypted element has not been decrypted by the hardware security module, transmit an error message to a read/write database operatively coupled to the frontend server.
- View Dependent Claims (69, 70, 71, 72)
- - 69. The system of claim 68, wherein the at least one decryption server is further configured to, upon determining that the at least one encrypted element has been decrypted by the hardware security module, transmitting the particular payload to the third-party partner.
  - 70. The system of claim 68, wherein:
    - the system further comprises at least one read-only database operatively connected to a frontend server, the at least one read-only database configured to store authentication data for payloads; and
      
      the frontend server is further configured to;
      
      1) retrieve authentication data associated with the particular payload;
      
      2) compare the authentication data to the particular payload to authenticate the particular payload before the particular payload is transmitted to the hardware security module.
  - 71. The system of claim 70, wherein the system further comprises a master read-only database operatively connected to the at least one read-only database, the master read-only database configured for refreshing the authentication data stored at the at least one read-only database.
  - 72. The system of claim 71, wherein the system further comprises a read/write database operatively connected to the master database, the read/write database configured for transmitting updated authentication data to the master database.

73. A computer-implemented method for decryption of one or more payloads, the method comprising:
- providing a hardware security module for decrypting encrypted elements of received payloads, the hardware security module operatively connected to at least one decryption server;
  
  providing the at least one decryption server,receiving a particular payload, the particular payload comprising at least one encrypted element;
  
  transmitting the particular payload to the hardware security module for decryption of the at least one encrypted element;
  
  upon receiving the particular payload from the hardware security module, parsing the particular payload to determine whether the at least one encrypted element has been decrypted by the hardware security module; and
  
  upon determining that the at least one encrypted element has not been decrypted by the hardware security module, transmitting an error message to a read/write database operatively coupled to the frontend server.
- View Dependent Claims (74, 75, 76, 77)
- - 74. The computer-implemented method of claim 73, wherein the computer-implemented method further comprises the step of, upon determining that the at least one encrypted element has been decrypted by the hardware security module, transmitting the particular payload to the third-party partner.
  - 75. The computer-implemented method of claim 73, wherein:
    - the computer-implemented method further comprises the step of providing at least one read-only database operatively connected to a frontend server, the at least one read-only database configured to store authentication data for payloads; and
      
      the frontend server is further configured to;
      
      1) retrieve authentication data associated with the particular payload;
      
      2) compare the authentication data to the particular payload to authenticate the particular payload before the particular payload is transmitted to the hardware security module.
  - 76. The computer-implemented method of claim 75, wherein the computer-implemented method further comprises the step of providing a master read-only database operatively connected to the at least one read-only database, the master read-only database configured for refreshing the authentication data stored at the at least one read-only database.
  - 77. The computer-implemented method of claim 76, wherein the computer-implemented method further comprises the step of providing a read/write database operatively connected to the master database, the read/write database configured for transmitting updated authentication data to the master database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bluefin Payment Systems LLC
Original Assignee
Bluefin Payment Systems LLC
Inventors
Barnett, Timothy William, Kasatkin, Alexander I., Miyata, Christopher Hozumi, Ruehle, Daniel

Granted Patent

US 9,461,973 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/0766   Error or fault reporting or...

G06F 16/23   Updating

G06F 16/2379   Updates performed during on...

G06F 16/955   using information identifie...

G06F 21/44   Program or device authentic...

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 21/73   by creating or determining ...

G06Q 10/10   Office automation; Time man...

G06Q 20/223   based on the use of peer-to...

G06Q 20/382   insuring higher security of...

G06Q 20/401   Transaction verification

G06Q 20/4014   Identity check for transact...

G06Q 2220/00   Business processing using c...

G16H 10/60   for patient-specific data, ...

G16H 70/00   ICT specially adapted for t...

G16H 70/60   relating to pathologies

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0435 : wherein the sending and rec...

H04L 63/061 : for key exchange, e.g. in p...

H04L 63/08 : for authentication of entit...

H04L 63/0876 : based on the identity of th...

H04L 63/123 : received data contents, e.g...

H04L 63/20 : for managing network securi...

H04L 9/0861 : Generation of secret inform...

H04L 9/14 : using a plurality of keys o...

H04L 9/3226 : using a predetermined code,...

H04L 9/3234 : involving additional secure...

View All

SYSTEMS AND METHODS FOR DECRYPTION AS A SERVICE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

77 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DECRYPTION AS A SERVICE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

77 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links